This is the second installment in a three-part series which investigates the top five threats to the data held by banks and financial institutions, and offers a fresh perspective on how the industry can make a fundamental shift away from failed perimeter
protection.
____________
Banks rely on financial and physical supply chains, information systems, partners, and new ventures to ensure efficiency, process transactions, provide products and services, and manage risk. On the operational side, suppliers and vendors are vital to a
healthy enterprise, as are data analytics, compliance, procurement and legal oversight.
Finding trustworthy partners is key to building and maintaining competitive advantage, yet without proper tools to secure data, even trusted partners may see more than they should. Without the proper controls, unintended exposure of private or regulated
data is more likely than not.
Take, for instance, the risk posed by third-party application developers. Often, in an effort to use realistic datasets to build and maintain applications, developers end up accessing private data. This puts the development partner and the bank itself at
increased risk. Improper exposure and potential mishandling of the assets that belong to customers and other data subjects is common.
Earlier this year, a massive data breach involving 24 million mortgage documents was
discovered. The source was traced to a database which was leaked by Ascension, a Texas-based data and analytics company, which later blamed one of its vendors, a document management startup, for mishandling the data.
In another
incident, TCM Bank, a firm that helps challenger banks provide credit cards to their customers, exposed the personal information and Social Security numbers of thousands of customers. The vulnerable data came from information that card applicants uploaded
to a misconfigured website managed by a third-party vendor.
Threat 2. Private Data Exposure
Unfortunately, the most common current method for protecting private data is controlling access at the application level. IT departments at banks typically focus on who has access to what, and use access-management tools to do so. For example, IT makes sure
the finance department has access to payroll applications and marketing has access to a content management system. This creates gaps in data governance that can leave sensitive data exposed.
What these solutions fail to do is focus on what it is that needs protection, which is the data itself. In essence, these controls are about the relationships between users and applications, not about the relationships between users and data. Newer developments
use data classification groupings, such as GDPR data or HIPAA data, to enable data-centric controls by the banking institution or its partners. By associating these data classifications with user groupings, an organization can protect against data exposure.
Data classifications give IT professionals more control over data flow and protect against data exfiltration.
The distributed ledger technology behind blockchains allows organizations to understand the relationships between user groups and data classifications. This enables the enforcement of locks that provide format-preserving dynamic masking of data when it is
accessed by unauthorized groups. For instance, a Social Security number (000-34-9876) might be replaced by “XXX-XX-XXXX” as it flows out of the database for users who should not have access to it. By understanding who is accessing what data, and enforcing
rules concerning who should have access, banks are better able to secure private data before it is exposed without having to re-engineer applications.
Threat 3. Theft Using Privileged Database Access
Insider threats are growing across every industry.
According to a report from last year, privileged administrators pose severe security risks to organizations, with more than half of respondents identifying this pool as high-risk. Those with privileged database access, such as database administrators (DBAs)
or IT leadership, have access to database servers, encryption keys, and tokenization maps.
These ‘privileged’ users are able to easily bypass governance. Unlike excessive privileges given to regular employees, or bank vendors and service providers, privileged database access refers to legitimate abuse, where users access private data for unauthorized
purposes. In this case, users with deep credentials may access confidential lending information, privileged account information, or other sensitive personal information, and intentional malfeasance can vary from bribery to insider trading, to identity theft
and fraud. It is important to note that privileged credentials are also subject to theft.
Inego Merino, former head of cybersecurity at Deutsche Bank’s cybersecurity,
commented
that, “Industries at the forefront of security understand that insiders present a very clear threat because they have legitimate access to company information, and because it is difficult to ascertain their intentions at any point in time.”
How do most banks attempt to ensure the security of data at rest? They encrypt it. Encryption uses an algorithm to transform data, obfuscating it, and incorporates a key value that can be used to transform data back to its original form for use. Unfortunately,
once someone has the key, they are able to decrypt data. Even the strongest encryption methods, such as the bcrypt algorithm, still use a key to decrypt stored data.
In addition, organizations are attempting to implement better access controls for internal users. Whether by intentional malicious acts, the theft of privileged credentials, or the elevation of low-access privileges to high-access privileges, theft using
privileged database access is an unmitigated threat to the integrity of the data held by banks.
New technologies are overcoming the limitations of these riskier encryption methods. Developing targeted access credential groups gives banking and financial services providers more control over who can access sensitive data, and when. Key to this is identifying
which groups need access to which information, and which data is the most at-risk for exposure. It is essential to clearly identify, monitor, and manage high-risk data first. Once it is known who has access to high-risk data, and how much they are accessing
it, it is much easier to secure
By doing this, dynamic masking to protect private information, like PHI and PII, can be optimized. Responding to the threats of privileged database access, cybersecurity experts have developed fragmentation technology that uses a secure private blockchain
to obfuscate data-at-rest.
In this scenario, instead of encrypting and storing the data in a “secure” database with keys nearby, fragmentation technology can replace sensitive data at the column level with a reference hash, then fragments the data and stores it across a high-performance
private blockchain. The reference hash points to the first fragment, which contains a reference to the second fragment, and so on. No key or tokenization map exists to make data easy to steal, and data is reassembled rapidly whenever needed.
Ultimately, this creates a keyless vault for data, ensuring that it continues to operate fully to achieve banking objectives, yet remains impenetrable to attackers, even if they come from privileged administrators within the organization.
____________
The next and final article in this series discusses how banks, which largely remain without the structures or tools in place to solve for security gaps in their data infrastructure, can limit the impact of misconfigurations and create modified database
access logs.