Risk & Fraud

Zero Trust: A Model for Multi-layered Cybersecurity

By: Gene Fredriksen, Security Strategy Consultant

I’m sure you have moved to a new town or started a new job at one time or another. At first, you might not have trusted everyone with open arms. Maybe you had to develop trust with people, stores or restaurants in the area, and eventually, you built relationships based on that trust.

The same goes for business. We trust our partner connections, as long as they continue to earn it by exemplifying reliability and security with every connection. Taking a continuous approach to inspecting your connections to ensure they are maintaining trust, regardless of the vendor, is the foundation of the Zero Trust information security model.

How Does Zero Trust Benefit Credit Union Security?

Government agencies and regulators are now weaving the Zero Trust information security model into their requirements. So, how does this model support credit union information security efforts? Zero Trust combines security and system management strategy. The premise is that with threats existing both inside and outside network walls, the Zero Trust model does not allow implicit trust in any one connection. Instead, it requires continuous verification in real time.

Historically, credit unions have focused on preserving security within their business perimeter until a hacker alert occurs. Zero Trust is the opposite mentality. It assumes that a security breach is inevitable unless every connection is consistently monitored and scrutinized. No partner gets a pass, and every connection is considered suspect. Using this model, systems must limit access to only what is necessary and consistently monitor for hacker activity.

Zero Trust embeds security monitoring, risk-based access controls and system security defense all in one process to protect critical assets (data) in real time. This strategy allows the ability to provide least privileged access to every access decision – allowing or denying access to resources based on risk.

Systems designed using Zero Trust technologies are better positioned to address existing threats. However, transitioning into using such a system requires careful planning to avoid weakening the security posture along the way. Zero Trust principles and concepts must apply to all of the network and operations’ critical aspects to be truly effective.

In recent years, threat actors ranging from cybercriminals to nation-state actors have become more persistent, stealthy and subtle. Unfortunately, these threat actors and insiders continue to succeed in inflicting harm on the financial services sector. Even the most skilled cybersecurity professionals experience challenges in defending their organizations from sophisticated cyberthreats – emphasizing the need for better ways to ensure member data is secure.

A Multi-layered Approach to Protect Against Cyberthreats

Embracing a Zero Trust security model and re-engineering your existing information system based on this security model is a strategic effort that will take time to achieve. It is not a simple, tactical mitigation. Several recent, highly-publicized system breaches have exposed widespread vulnerabilities in systems. These incidents have shown that current strategies based on detection then response are often insufficient – similar to the adage of closing the barn door after the horses have escaped. A mature Zero Trust environment affords cyber defenders greater opportunity to detect threats and have more response options that are quickly deployed to resolve them.

Focused, tactical responses will likely still be necessary to combat threats, even in a Zero Trust environment. However, with the appropriate security model, mindset and response tools, we can begin to react more proactively and effectively to protect member data from increasingly sophisticated threats.

Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT CUSO. He has previously held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.

Fredriksen served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.