In this era of virtualisation, cloud computing and smart mobile devices, the IT infrastructure landscape looks significantly different to a decade or even five years ago. Yet in many organisations, security and system management controls have failed to keep pace. Networks are far more complex, threats more prevalent and – especially in the financial sector – scrutiny more rigorous. Customers, investors, the media and regulators are all piling pressure on firms to ensure systems and data are appropriately protected from prying eyes and thieving hackers.
Large businesses have thousands of diverse networks, firewalls, routers, switches and load-balancers, all of which must be accurately configured and monitored. Every time there’s a network or application change, it requires reconfiguration of many different systems. But with ever growing demand for new services and features, on all manner of devices, the number of required changes can sometimes run into hundreds a day.
It’s hardly surprising, then, that errors regularly creep in. In a recent survey of 500 senior IT decision-makers commissioned by Tufin, a quarter reported that 60% of their firewall changes had to be redone at a later date due to previously unnoticed or unchecked errors. And there are probably many more security holes and botched system settings that remain undiscovered until they cause serious problems. The recent high-profile outages at high-street banks are a case in point.
Virtualised environments and cloud computing have only added to the complexity of today’s financial IT environments, particularly as these invariably sit alongside a raggle-taggle array of legacy systems. It’s often hard enough to understand how these disparate, segmented systems and networks all fit together, let alone succeed in securing them manually.
Quite apart from the reputational damage that follows a significant breach or outage, firms in the heavily regulated financial services sector know they must address this issue urgently if they are to remain compliant and avoid formal penalties. For example, the latest version of the payment card security standard, PCI DSS, specifies in more detail than ever how organisations must manage security and firewalls, and non-compliance can attract significant fines from the card brands and acquiring banks.
Further regulation seems inevitable across the sector. In March, the UK’s Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and the Bank of England launched a review of how financial services firms manage exposure to IT risks. A few weeks later, PRA chief executive Andrew Bailey called on the industry to completely refresh outdated systems in order to prevent further outages and protect against threats from malware and hackers. An EU report in March took a similar stance, stressing finance firms “should reinforce internal controls related to IT systems, with particular attention to IT security” and telling regulators to “ensure the robustness of these controls”.
The solution, as most companies in the sector recognise, is to develop co-ordinated, company-wide security policies that can be effectively automated to mitigate the risk of error and minimise the potential for breaches and attacks. According to Tufin’s survey, 84% of financial firms believe integrated, network-wide security is now “essential”, with 70% seeing automation as imperative.
Software-defined environments, in which systems, networks and devices are controlled and monitored programmatically rather than by hand, promise to make life easier for network teams. But the need for visibility, control and compliance will not dissolve in such environments; what automation offers is a way to embed security checks into the network fabric itself, so that every change is validated against policy before it is applied.
More proactive and forward-thinking financial services firms are already automating their security controls using security policy orchestration (SPO) solutions. These allow them to manage multi-vendor network security policies centrally, unifying the change process across the organisation and improving the accuracy of each change, which reduces unnecessary network exposure and the risk of downtime across an organisation's disparate networks and patchwork of systems.
The more manual work that can be offloaded to these tools, the greater the potential benefits. Tufin’s SPO suite, for example, can also automate the design and implementation of network changes, as well as improving collaboration by allowing the business to easily define customised workflows that span different teams and business units whilst baking security into the process.
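To make the "baking security into the process" point concrete, here is an added example of the kind of pre-change check an orchestration workflow runs before a firewall change is pushed. It is not Tufin's code or any vendor's rule format; the rule base, the cardholder-data zone and the policy are constructed for illustration. The check catches two of the error classes behind the redo rate quoted above: a change that violates company-wide policy (any-source or all-ports access into the PCI zone), and a change that is shadowed by an earlier rule under first-match evaluation, so it would either be a no-op or silently never take effect.

```python
"""Pre-change review of a proposed firewall rule against an ordered,
first-match rule base and a company-wide policy.

Added example: the rule base, zone addresses and policy are constructed
for illustration and are not any vendor's (or Tufin's) format."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high) destination port range
    action: str   # "allow" or "deny"


def net(cidr):
    """Normalise "any" to the whole IPv4 space so containment tests work."""
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


# Constructed policy: the cardholder-data zone must not be reachable from
# arbitrary sources or on every port, the sort of firewall control PCI DSS
# expects an organisation to enforce.
PCI_ZONE = net("10.20.0.0/16")


def policy_violations(rule):
    findings = []
    if rule.action != "allow" or not net(rule.dst).overlaps(PCI_ZONE):
        return findings
    if net(rule.src) == net("any"):
        findings.append("any-source access into the PCI zone")
    if rule.ports == ANY_PORTS:
        findings.append("all destination ports open into the PCI zone")
    return findings


def shadowing_rule(rulebase, new_rule):
    """First existing rule that already matches everything the new rule
    would. Under first-match evaluation the new rule is then never hit:
    a no-op if the actions agree, silently ineffective if they differ."""
    return next((r for r in rulebase if covers(r, new_rule)), None)


def review_change(rulebase, new_rule):
    """Verdict an orchestration workflow would attach to a change ticket."""
    shadow = shadowing_rule(rulebase, new_rule)
    violations = policy_violations(new_rule)
    return {
        "rule": new_rule.name,
        "violations": violations,
        "shadowed_by": None if shadow is None else (shadow.name, shadow.action),
        "approved": not violations and shadow is None,
    }


# Constructed rule base, evaluated top to bottom, first match wins.
RULEBASE = [
    Rule("R1", "10.10.0.0/16", "10.20.5.0/24", "tcp", (443, 443), "allow"),
    Rule("R2", "any", "10.20.0.0/16", "any", ANY_PORTS, "deny"),
    Rule("R3", "10.10.0.0/16", "10.30.0.0/16", "tcp", ANY_PORTS, "allow"),
]

# Constructed change requests: C1 is already covered by R1 (redundant),
# C2 breaks policy and is blocked by R2 anyway, C3 is a clean change.
CHANGES = [
    Rule("C1", "10.10.1.0/24", "10.20.5.10/32", "tcp", (443, 443), "allow"),
    Rule("C2", "any", "10.20.0.0/16", "tcp", ANY_PORTS, "allow"),
    Rule("C3", "10.40.0.0/16", "10.30.7.0/24", "tcp", (22, 22), "allow"),
]

if __name__ == "__main__":
    for change in CHANGES:
        print(review_change(RULEBASE, change))
```

Running the block prints one verdict per change request: C1 is rejected as shadowed by R1, C2 is rejected with two policy findings (and would in any case never be reached past the R2 deny), and only C3 is approved. Real rule bases also carry objects, NAT and IPv6, which the containment test above does not model, but the shape is the same: evaluate the proposed change against the current rule base and the written policy before anything is pushed to a device.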
Not only does increasing automation help to improve security and cut the risk of outages, but, by freeing up IT resources and speeding up changes, it also helps businesses introduce new products, services and features far more rapidly. And with competitive pressures in the sector just as acute as compliance burdens, the sooner IT departments act to automate, the sooner they’ll be able to speed up innovation and add real value for the business.
By Reuven Harrison, CTO and Co-Founder, Tufin