Over the past decade, we’ve seen the branch-based banking system replaced by a swathe of access from anywhere, anytime solutions designed to allow customers to interact with financial institutions wherever and whenever they please.
These solutions include personal banking apps, tap and go technology and loan application systems which enable businesses to upload financial records stored in the cloud when applying for finance.
And evidence suggests our major financial institutions are just getting started.
NAB is midway through a three-year, $1.5 billion digital transformation program which commenced in September 2017. In early 2019, fellow big four bank CBA announced plans to spend $5 billion over the next five years rebuilding consumer trust and improving its digital capabilities.
Redefining machine identities in the age of digital
Digitisation hasn’t just changed the way businesses and consumers interact with their banks. It’s created a new security challenge for the ICT and security professionals charged with implementing the infrastructure and practices that have made the transformation possible.
Cloud, smart device technology and the DevOps methodology which is becoming the preferred modus operandi for software development teams across Australia have collectively caused the numbers of machines on enterprise networks to skyrocket.
That’s because the definition of a machine has changed significantly and, in the process, created a security risk for financial institutions which don’t put measures in place to address it.
In addition to servers, laptops and routers, the “machine category” has expanded to include virtual machines, mobile applications, algorithms, containers and application programming interfaces (APIs).
All these traditional and new fashioned “machines” need to be able to meet stringent compliance, reliability and availability requirements and interact with each other securely.
That can be a challenge for organisations which don’t have robust processes in place to manage and secure the keys and certificates which act as unique “machine identities”.
We believe a significant number of financial institutions in Australia may fall into this category, due to the fact that machine identities in this brave new digital era are often poorly understood and even more poorly defended.
Often, responsibility for them is split between the IT and security functions; a status quo which can result in the risks associated with not tracking and managing them rigorously being overlooked.
When uptime trumps security
Why is this so? The rise of electronic and now digital banking has led to a relentless focus on uptime, across the financial services sector, in Australia and globally. The chief remit of the internal IT department within every Australian bank, building society and credit union is maintaining ultra-reliable infrastructure and systems. Outages of even a couple of hours can cripple business customers temporarily, inconvenience individuals mightily and result in bad news stories banks would prefer not to star in.
As a result, when IT administrators think about machine identities, their focus is on preventing them from expiring unexpectedly and triggering an outage. If one does occur, renewing the certificate in question becomes the imperative. Consideration of the role machine identities play in safeguarding corporate and consumer data is secondary.
By contrast, security teams are responsible for ensuring the fluid array of “machines” on their institutions’ enterprise networks remains secure. They’re tasked with making sure machine identities comply with corporate policies, are deployed and configured correctly and are renewed before they expire. The expedient approach to renewal often adopted by IT departments in the quest to maintain uptime can confound their efforts. Exponentially so, if security professionals are relying on legacy software and spreadsheets to help them track and enforce machine identities.
Today’s tools to address today’s challenges
These tools may have sufficed a decade ago, when the average enterprise network hosted a few hundred physical servers but they don’t cut the mustard in an era when organisations have hundreds of thousands of active machine identities.
Across the financial services sector, customer confidence is founded on the rigour and trustworthiness organisations are able to demonstrate. The compromise of core systems and the theft or loss of data represent worst case scenarios for companies operating in this space.
Automated solutions to manage and protect machine identities are security teams’ best option for managing this expanding challenge and attaining the visibility and control that are necessary to reduce risk.
Steven Satchwell, director at Venafi
Eliot Hastie is a journalist on the wealth titles at Momentum Media.
Eliot joined the team in 2018 having previously written on Real Estate Business with Momentum Media as well.
Eliot graduated from the University of Westminster, UK with a Bachelor of Arts (Journalism).