Financial Sector Cybersecurity Is National Security

Fix misconfigurations, excessive privileges, a lack of visibility and compliance, and an overreliance on click-ops (manual activities) that can lead to widespread data spills and exposure of personal identifiable information (PII) and financial data. Use a threefold approach:

• Build security into the deployment process by default. Small mistakes in the cloud pose big risks because cloud network, data, and access services are seamlessly integrated and automated. Use automated deployment processes to avoid human errors and misconfigurations that can jeopardize sensitive data and systems.
• Adopt and enable continuous integration/continuous delivery (CI/CD) pipelines that enforce security, end-to-end automation, and compliance from Day One for all cloud infrastructure as code (IaC) deployments. Provisioning cloud infrastructure with code leads to better documentation and auditability of configurations, improves the quality and speed of the development and testing lifecycles, and reduces the level of effort for ongoing operations and maintenance.
• Enforce least privilege, separation of duties, and role-based access controls for cloud-based person entities and non-person entities to limit the blast radius in the event of compromise. Cloud identity and access management systems are extremely granular and complex because so many services are constructed using application programming interfaces (API)—a legacy on-premises strategy for least privilege is not sufficient for secure cloud operations. 

Moving to a zero trust architecture (ZTA) can be overwhelming. Organizations often need greater perspective to assess their current cybersecurity posture—and to determine where and when to modernize the infrastructure and capabilities within their current environment to best secure their critical data. Booz Allen recommends the following four-step approach to identifying and deploying new cybersecurity solutions when moving to a ZTA:

1. Diagnose – Identify current IT capabilities and roadmaps covering the zero trust (ZT) focus areas outlined in guidance issued by the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Department of Defense (DOD). Conduct a ZT maturity assessment to attain objective insights into your organization’s ZT strengths and improvement areas.
2. Design – Create an overarching ZT strategy, identifying solutions to close critical gaps identified during the diagnose phase. The overarching strategy spans the ZT pillars, provides a unified ZT target state and a multiyear roadmap blueprint, and prioritizes the development of strong governance policies that drive enforcement of conditional access. It’s a comprehensive strategy to enable secure anytime, anywhere access to resources that utilizes risk-based access controls while continually inspecting, monitoring, and alerting on key events. 
3. Develop – Test new configurations, integrations, and solutions. Conduct proof-of-concept trials of new technologies with a limited user set and develop migration and implementation plans.
4. Deploy – Reconfigure existing systems using validated implementation plans. Integrate new solutions to support capability gaps. Migrate users to new solutions. Provide continuous visibility by adopting a data-driven cybersecurity approach to unlock the benefits of security analytics at scale in real time and enable the use of predictive analytics to turn threat intelligence into actionable insights.

Zero trust is not a security product for sale in the marketplace. It’s a journey propelled by a change in mindset that brings people, processes, and technologies together to deliver better cybersecurity outcomes. Booz Allen is a proven developer of innovative solutions to help agencies implement zero trust, as required in Executive Order 14028.