Digital transformation has propelled a wave of new technological advancement that has arguably enriched people's lives. By the same token, the proliferation of machines—physical, virtual and in the cloud—has posed many security challenges and threats across industries, banking being the most noteworthy. As this "rise of machines" expands the threat vector, most banks and financial institutions are faced with increased pressure to protect their customer data and brand.
In this blog, I’ll share findings from a survey we did of the top 100 financial services firms. In the process, I'll explore some of the key trends impacting machine identity management in the financial sector. Here are the top concerns that financial institutions face in managing security risk in today's machine identity threat landscape.
Managing security risk is the top concern
The biggest area that most of our financial customers are concerned about is managing security risk. According to the Verizon Data Breach Investigations Report, there were 2,013 major data breaches last year, and 10% of them (207) were targeted at financial services firms in 2018. Breaches often carry a huge financial impact. Banks are constantly attacked by both internal and external threat actors, who are usually motivated by financial gain.
According to the Identity Theft Resource Center, financial services firms get hit a whopping 300 times more frequently than businesses in other industries. As a result, many of our customers in the banking sector are extremely concerned about managing security risk. What we found when we spoke with some of these big banking customers is that the most successful are those that have a solid framework in place for minimizing security risk. A best practice for many of our customers is to monitor machine identities frequently to ensure compliance with central security team policies, and to regularly remediate those machine identities that are out of compliance. Getting a good handle on machine identities is really the key to success here.
Certificate outages are a close second
The second biggest concern of our banking customers is outages on critical network infrastructure such as network devices, applications and mission-critical servers. Machine identities are pivotal to network communications, and an outage is often caused by a failure to renew expiring machine identities. This can be extremely disruptive for a bank or other financial services firm. Before coming to Venafi, many of the banks we talked to were tracking certificates in spreadsheets or some sort of homegrown solution, which left a lot of room for human error. Human error, in turn, leads to outages or other security risks. These banking customers can greatly reduce the risk of outages by automating the processes around renewals.
Top priorities for machine identity management
As we talked to a number of the very largest banks that are using Venafi, we also asked them about their top priorities for machine identity management. Here’s what we learned, in order of priority.
1. Centralized visibility
Before deploying Venafi, a lot of banking customers had hundreds of thousands of certificates and keys, but they really didn’t know where they were being used or what they were being used for. What Venafi has done is help customers get visibility into all the keys and certificates they have out there. Using discovery capabilities, financial services customers can build a centralized inventory of all their machine identities across their environment. It’s also pivotal that they understand when certificates are scheduled to expire, so that they can have a process in place to ensure that the certificates that should be renewed actually are. With centralized visibility, financial services customers can also leverage Venafi to find vulnerabilities, such as weak or self-signed certificates, which may pose a security risk or be out of compliance with centralized policies.
2. Policy enforcement and compliance
Managing regulatory compliance has been an enormous challenge for banks as the volume of regulations has increased dramatically over the last few years. Venafi helps these companies by developing an overarching policy for the machine identities that all users within a bank have to comply with. Venafi also helps with compliance audits by providing a good paper trail for who has accessed which systems and when.
3. Self-service certificates
Many central security teams that we talk to in some of our largest banks are resource challenged. At the same time, many of these banks have literally hundreds of thousands of machine identities deployed across the enterprise. This makes it nearly impossible for a central security team to manage all the machine identities themselves. As a result, many banks deploy self-service portals so that internal stakeholders who require certificates and keys can order them themselves. At the same time, central security teams want to put in place policies and controls for what sort of certificates are ordered and how they are deployed. With Venafi, central security teams can create an overarching policy that must be used by all users. Within this framework there is some flexibility for users or teams to create sub-policies. The central security team can then grant varying permissions, from simple read-only access for audit purposes, to running reports, to creating or deleting certificates. A self-service portal lets central security teams empower their stakeholders to order and deploy their own certificates and keys, while the central security team is comforted by knowing that those certificates are being deployed according to policy.
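The two capabilities described above, inventory checks for expiring, weak or self-signed certificates and a central policy that team sub-policies may tighten but never loosen, can be sketched as a small compliance audit. This is an added example, not Venafi's code or policy schema: the policy keys, the `_cert` helper and the inventory records are all constructed for illustration, as a discovery scan might produce them.

```python
from datetime import datetime, timezone

CENTRAL_POLICY = {  # constructed values; not Venafi's policy schema
    "min_rsa_bits": 2048,
    "allowed_sig_algs": {"sha256WithRSAEncryption", "ecdsa-with-SHA256"},
    "allow_self_signed": False,
    "renew_within_days": 30,
}

def merge_policy(central, sub):
    return {  # a team sub-policy may only tighten the central policy, never loosen it
        "min_rsa_bits": max(central["min_rsa_bits"], sub.get("min_rsa_bits", 0)),
        "allowed_sig_algs": central["allowed_sig_algs"] & set(sub.get("allowed_sig_algs", central["allowed_sig_algs"])),
        "renew_within_days": max(central["renew_within_days"], sub.get("renew_within_days", 0)),
        "allow_self_signed": central["allow_self_signed"],  # a sub-policy cannot switch this back on
    }

def check_certificate(cert, policy, now):
    findings = []  # policy violations for one inventory record; an empty list means compliant
    if cert["subject"] == cert["issuer"] and not policy["allow_self_signed"]:
        findings.append("self-signed")
    if cert["key_bits"] < policy["min_rsa_bits"]:
        findings.append(f"weak key: RSA-{cert['key_bits']}")
    if cert["sig_alg"] not in policy["allowed_sig_algs"]:
        findings.append(f"disallowed signature algorithm: {cert['sig_alg']}")
    days_left = (cert["not_after"] - now).days
    if days_left <= policy["renew_within_days"]:
        findings.append("expired" if days_left < 0 else f"expires in {days_left} days: renew")
    return findings

def audit_inventory(inventory, sub_policies, now):
    report = {}  # subject -> findings, for non-compliant records only
    for cert in inventory:
        policy = merge_policy(CENTRAL_POLICY, sub_policies.get(cert["owner"], {}))
        findings = check_certificate(cert, policy, now)
        if findings:
            report[cert["subject"]] = findings
    return report

def _cert(subject, issuer, key_bits, sig_alg, not_after, owner):  # all sample keys are RSA
    return {"subject": subject, "issuer": issuer, "key_bits": key_bits, "sig_alg": sig_alg,
            "not_after": datetime(*not_after, tzinfo=timezone.utc), "owner": owner}
# Constructed sample inventory (hostnames are not real); the devops sub-policy tries to loosen the rules
INVENTORY = [
    _cert("api.bank.example", "Bank Internal CA", 2048, "sha256WithRSAEncryption", (2020, 1, 1), "payments"),
    _cert("dev-build.bank.example", "dev-build.bank.example", 2048, "sha256WithRSAEncryption", (2019, 12, 1), "devops"),
    _cert("legacy-atm.bank.example", "Bank Internal CA", 1024, "sha1WithRSAEncryption", (2019, 6, 15), "branch"),
    _cert("trading.bank.example", "Bank Internal CA", 2048, "sha256WithRSAEncryption", (2020, 6, 1), "trading"),
]
SUB_POLICIES = {"trading": {"min_rsa_bits": 3072}, "devops": {"allow_self_signed": True}}
AUDIT_DATE = datetime(2019, 6, 1, tzinfo=timezone.utc)
```

Running `audit_inventory(INVENTORY, SUB_POLICIES, AUDIT_DATE)` flags the self-signed DevOps certificate despite its team's sub-policy, the 1024-bit SHA-1 legacy certificate that also needs renewal within 14 days, and the trading certificate that only fails the trading team's stricter 3072-bit sub-policy.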
4. Automation
Outages are a main concern for many of our customers, and automating the processes around renewals can really minimize outages. Banks love the fact that they can remove the risk of human error with automation. One of the benefits of Venafi is that we have the widest ecosystem of partners, with 1,000-plus out-of-the-box integrations with third parties. So if a customer needs to automate certificate authority renewals for mobile devices, network devices, applications, cloud or DevOps, we can help them with a wide array of third-party integrations to automate all of these different processes, which is a huge benefit.
5. Cloud and DevOps
A lot of our customers are concerned because cloud and DevOps teams typically want to run fast and nimbly. What often ends up happening when you are running too fast is that people implement certificates and keys that are out of compliance with centralized security policies, such as issuing self-signed certificates in a DevOps environment. One of the things we have been helping customers do is keep the central security team in control of which certificates are compliant and which are not.
The bottom line
The bottom line is that it’s really important for financial services firms to begin to focus on gaining the visibility, intelligence and automation that will help them drive machine identity management across their business. To do this, it’s important that they get a platform or solution in place that can handle all of this now. But they’ll also need to be prepared as things become increasingly complicated, as the speed increases and as the scale expands beyond what we can imagine today. Machine identity management is a new space, but it’s critical for protecting the keys and certificates within financial services.