Zero Trust: Redefining Security in Banking & Financial Services

Jul 31, 2024
Max Fathauer, Workforce IAM Evangelist
Adam Preis, Director, Product & Solution Marketing, Ping Identity

Traditional cybersecurity models are built around a secure perimeter drawn around an organization's network or resources, with users and devices inside that perimeter trusted by default. This approach has proved insufficient against modern threats: the perimeter is increasingly hard to define, and it offers little protection against attacks that originate from within the trusted network. Once an attacker compromises a single device or user account inside the perimeter, they can often move laterally, reaching sensitive resources without detection, because nothing inside the perimeter re-checks who they are or what they are allowed to do.

 

Unfortunately, these traditional cybersecurity models simply aren’t enough, especially in the financial services industry. Banks are turning to a security model known as Zero Trust, which removes the implicit trust granted by network location and verifies every access request. Zero Trust is an important movement for protecting against cyber criminals and insider threats across customer, workforce, and business-to-business (B2B) use cases.

 

Key Takeaways

 

  1. Over 70% of financial services firms are at risk of insider threats, and Zero Trust is the model designed to contain them.
  2. The average insider threat now costs $16.2 million per incident, yet most firms still rely on perimeter-based security models.
  3. Your organization may already be compromised: Zero Trust assumes every system is breached and builds its controls from that starting point.
  4. Without real-time authentication and authorization, attackers can move laterally within your network unnoticed; Zero Trust closes that gap.

Zero Trust in Financial Services

Zero Trust security plays a pivotal role in helping financial service providers protect customer trust, achieve regulatory compliance, and maintain a sustainable total cost of ownership (TCO) across the wider cybersecurity infrastructure. At a helicopter level, Zero Trust security in the financial services industry is informed by the following principles:

 

  1. Verify explicitly: authenticate and authorize each user, their device, and their session in real time, on every request.
  2. Enforce least privilege across all workforce and B2B access touchpoints, constraining user access to the resources they need, for a limited time.
  3. Assume breach: design security policies on the assumption that the ecosystem is already compromised, and counter it with strict access controls, end-to-end encryption, and continuous monitoring.

 

Zero Trust is particularly critical across workforce and B2B access use cases because it offers granular, dynamic authentication and fine-grained authorization governing access to sensitive data and mission-critical infrastructure. The financial implications of improved workforce security, for example, cannot be overstated, with the average cost of incidents caused by insider threats reaching an astounding $16.2 million.

 

To mitigate these threats, financial service providers continue to increase their investment in converged workforce and B2B identity and access management (IAM) capabilities across authentication, authorization, threat detection and response, and identity verification. They are also turning to IAM vendors to modernize their identity governance and administration (IGA) capabilities across the end-to-end workforce and B2B user lifecycle, in a bid to strengthen and future-proof their Zero Trust security programs.

 

Why Traditional Security Measures Are No Longer Enough

The increasing digitization of both the first- and third-party ecosystem across financial services, together with the growing ubiquity of digital-first customer experiences continue to present complex access challenges for most providers in the industry. Security leaders are now having to secure access journeys across a mobile workforce, an ever-growing array of partners, as well as third-party providers (TPPs) operating within the wider digital supply chain. At the same time, malicious actors continue to target access blind spots across these very journeys to gain unauthorized access to customer data and mission-critical infrastructure.

Zero Trust Adoption in Financial Services

While a Zero Trust approach offers many benefits, implementation can seem intimidating from the outside looking in. Financial service providers are caught between the ever-changing digital demands of distributed teams, customer expectations, and both regulatory and internal compliance requirements.

 

This context puts pressure on industry security leaders, including CISOs, CIOs, CTOs, and increasingly CEOs, to streamline, optimize, and strengthen their Zero Trust infrastructure, processes, and capabilities, and to show sustained return on that investment.

 

Benefits of Zero Trust in Financial Services

Zero Trust in financial services offers robust protection against cyber threats by ensuring that every user and device is continuously authenticated and authorized. Especially where sensitive financial data is concerned, it is critical to ensure that both the workforce and TPPs are who they claim to be, and that they are granted the appropriate level of access to resources, data, and applications.

 

Financial service providers that have implemented Zero Trust benefit from:

 

  • Strengthened Security: A Zero Trust framework enhances security by continuously monitoring and assessing all employees, contractors, and TPPs for potential risk, so that no network connection is trusted automatically. As a Cisco study explains, organizations that fail to “complete all Zero Trust pillars” are twice as likely to experience security incidents as those that do.
  • Governed Identity Lifecycle: Zero Trust pushes organizations to govern the end-to-end identity lifecycle, improving monitoring, visibility, and oversight and laying the groundwork for stronger security and better workforce and B2B productivity.
  • Secure User Journeys: According to Forrester, in Zero Trust “security teams design protection from an outside-in perspective, balancing security requirements against hindering UX.” This, in turn, enables the orchestration of secure end-to-end user journeys with better end-user experiences, which improves both security and policy compliance.

 

With the average data breach in 2024 costing organizations $4.88 million, transitioning to a Zero Trust security posture is not just a question of achieving compliance, and protecting reputation, but also fundamentally about saving costs associated with security compromises.

Zero Trust Architecture and the Regulatory Landscape

Zero Trust is quickly becoming essential for financial institutions as they navigate an increasingly complex regulatory landscape. With the constant evolution of cybersecurity threats, regulatory bodies and government initiatives are placing greater emphasis on the need for a comprehensive approach to securing financial systems.

 

Regulatory Landscape in the United States

In the United States there is no single binding Zero Trust regulation for financial institutions; the reference framework is NIST Special Publication 800-207, Zero Trust Architecture, which is guidance rather than law. It describes the components of a Zero Trust architecture and emphasizes continuous monitoring, dynamic risk assessment, and real-time threat detection.

 

Key requirements include the use of granular access controls, multi-factor authentication (MFA), and strong encryption protocols to protect sensitive data and applications. These practices are designed to minimize the attack surface and limit lateral movement within networks.

 

They also ensure that no entity is trusted by default, regardless of its location within or outside the network. This stringent approach helps fortify the network and reduces the risk of potential breaches.

 

Reference:

NIST Special Publication 800-207, Zero Trust Architecture (guidance, not a binding regulation).

 

Regulatory Landscape in the European Union

In the European Union, Zero Trust security for financial services institutions is shaped by a range of regulations. These frameworks emphasize the need for robust cybersecurity measures, continuous monitoring, and incident response capabilities to safeguard critical financial systems.

 

These regulations align with Zero Trust principles, focusing on minimizing risk by enforcing strict access controls and real-time threat detection. This combined approach prizes security and reduces potential vulnerabilities in key financial systems.

 

DORA (the Digital Operational Resilience Act, applicable from January 2025) mandates ICT risk management, incident reporting, resilience testing, and oversight of third-party ICT providers for financial entities, while NIS2 raises cybersecurity requirements across essential sectors, banking and financial market infrastructure among them. The proposed PSR1 and PSD3 are expected to tighten security in open banking, with stricter identity verification, multi-factor authentication (MFA), and encryption to protect sensitive financial data.

 


Regulations in Australia and New Zealand

Australia and New Zealand prioritize a proactive, risk-based approach to cybersecurity, echoing key Zero Trust concepts like the continuous validation of access and minimizing implicit trust within networks. This security model takes into account the innate uncertainty in defenses and demands constant vigilance and validation.

 

Australia’s Prudential Standard CPS 234 mandates strict cybersecurity measures, requiring financial institutions to ensure the resilience of their information assets. It also encourages the enforcement of robust security controls, including continuous monitoring and incident response.

 

In alignment with Zero Trust principles, institutions must adopt stringent access controls, multi-factor authentication (MFA), and encryption to safeguard sensitive data. In New Zealand, the Privacy Act emphasizes protecting personal data, reinforcing the need for strong identity verification and secure data management.

 


Regulations in the Asia-Pacific Region

Across the wider Asia-Pacific region, ASEAN markets included, financial services institutions are increasingly adopting Zero Trust security models to comply with evolving cybersecurity regulations. These frameworks emphasize the need for robust risk management, continuous monitoring, and the protection of critical financial systems against cyber threats.

 

Zero Trust principles are reflected in the requirements for strong authentication methods like multi-factor authentication (MFA), encryption, and granular access controls to protect sensitive data. These methodologies form the basis of stringent determinants for data and resource access, reducing potential vulnerabilities.

 

Best practices also include regular risk assessments, incident response planning, and the adoption of secure APIs for open banking. As cybersecurity threats grow, these regulations align with Zero Trust by promoting a proactive, risk-based approach to network security and access management across the region. Efforts like these are critical in ensuring the secure operation of critical financial infrastructure in the face of growing global cyber threats.

 


Regulations in the Middle East Region

In the Middle East, financial services institutions are increasingly implementing Zero Trust security measures in response to regulatory frameworks. These regulations emphasize stringent data protection, continuous monitoring, and proactive threat detection to safeguard critical financial infrastructure.

 

Zero Trust principles are reflected in the requirements for multi-factor authentication (MFA), strong encryption, and strict access controls to mitigate unauthorized access to sensitive data. These measures help ensure that only validated entities can access specific resources, thus reducing the risk of potential breaches.

 

Best practices also involve regular security assessments, real-time threat detection, and incident response capabilities to ensure resilience against cyberattacks. These frameworks align with Zero Trust by promoting a “never trust, always verify” approach to access management and data protection in the region’s financial sector. This stance underscores the need for continuous validation and minimal implicit trust within networks.

 


Authorization: The Missing Piece of Zero Trust

Simply put, you can’t trust who you don’t know. Once network access control can no longer be the guiding security paradigm, what remains is the need to authenticate and authorize each request, and that requires knowing the identity behind it. Identity is therefore the key to implementing effective new security standards and technologies.

 

To meet the high bar set by Zero Trust, organizations are pushed to adopt the latest security standards and technologies. In recent years, concepts like continuous authorization have become increasingly important. Organizations are also using robust access control capabilities such as attribute-based access control (ABAC) and policy-based access management (PBAM), enabling fine-grained, context-driven authorization.

 

As Gilman and Barth argue in their book Zero Trust Networks, authorization is often the missing piece of financial organizations' Zero Trust solutions [1]. Authenticating users when they request access to a network or a specific application is a necessary part of security, but your organization also needs to authorize each access request to truly align with Zero Trust best practices.

 

Digital identity is the only way to verify users, authenticate every access request, and authorize post-authentication requests to ensure only the right people are accessing the right resources. Identification and authentication are just the first steps of the user journey: authorization dictates every access request after that.

 

Zero Trust principles demand that you continuously authorize users appropriately when employees, TPPs, and customers try to access sensitive resources. Continuous authorization allows for the evaluation of risk signals in real time after the point of authentication and across the full user session.

 

Continuous authorization means that when real-time context changes, you can change the authorization, requiring a challenge or removing access when necessary, even if it may have previously been granted. This enables better decisioning around access requests, regardless of when they arise in a user’s journey.

 

 

Without modern authorization capabilities, however segmented or modern your firewall is, it won’t give your team the tools to apply friction where appropriate in user journeys and deny access altogether when necessary. Leading Zero Trust initiatives with identity lets you rigorously check that users are both authenticated appropriately and authorized to access requested resources and perform requested actions.

Why Lead Zero Trust Initiatives with Identity?

1. Identity Accelerates Digital Transformation

In the last few years, financial services providers have had to update policies for workers, TPPs, and customers to meet all parties’ needs, including remote work, increased regulatory scrutiny, and evolving customer experience demands. Your organization has likely had to transform procedures and digital assets to meet some of these challenges.

 

By automating access reviews and enforcing compliance policies, IGA supports the secure handling of digital assets amid increased regulatory scrutiny and the shift to remote work. Additionally, IGA enables organizations to adapt quickly to evolving customer experience demands by streamlining user access across various platforms and services.

 

When you lead Zero Trust initiatives with identity, you have the foundation to make other business initiatives a priority. For example, TIAA, a leading provider of financial services in academic, research, and medical fields, uses IAM capabilities to push the boundaries of what’s possible in security to deliver better customer experiences. Identity gives TIAA the ability to secure user journeys by evaluating user risk signals during access requests to streamline and personalize customer experiences.

 

2. Identity Enables Dynamic Authorization

Protecting access to data is crucial for employees, partners, and customers. Authorization is the only way to get the level of granular control needed to fulfill access requests in a way that protects your organization from internal, and lateral attacks.

 

Identity also gives you the ability to dynamically evaluate a user’s access request. Dynamic authorization is the real-time enforcement of the fine-grained business logic around what users can see and do, in what context, and for what purpose. Dynamic authorization enables financial services organizations’ fraud teams to aggregate risk signals from across the organization to craft policies and determine user journeys for different individual trust levels.

 

The ability to check the level of risk associated with a user and their session context in real time allows organizations to get ahead of emerging threat trends to constantly adapt user experiences to the appropriate trust level. Externalizing and centralizing access policies along with enforcement also facilitates scalability in a rapidly changing world of privacy requirements and business drivers. Learn more about specific ways financial services architects embrace dynamic authorization to support their financial services organization.

 

3. Identity Unlocks More Robust Access Control

Strong access control measures rely on accurate identity verification to ensure that only authorized users can access sensitive resources. By integrating identity into access controls, organizations can enforce dynamic policies that adapt to the user's role, context, and behavior.

 

Authorization that leads with identity unlocks attribute-based access control (ABAC), a flexible approach in which additional information (attributes) informs each policy decision. Attributes can include risk and context signals, user attributes, resource attributes, and environmental attributes (such as access time, date, and location). Using attributes in authorization decisions augments coarse, network-based access controls and gives your security team finer control over who can do what.

 

Identity also enables robust authorization measures with policy-based access management (PBAM). PBAM is a method of regulating access to resources based on predefined policies. These policies are written in a way that considers attributes such as the user's role, time of access, device health, location, and other contextual factors. PBAM allows for the creation of dynamic and context-sensitive policies that can be enforced throughout a session. As conditions change like a user changing networks, these policies automatically adjust authorization decisions in real time.
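The attribute-based and policy-based authorization described in this section, and the continuous authorization described under “Authorization: The Missing Piece of Zero Trust” above, shown together as a toy policy decision point. This is an added example written for this page; it is not Ping Identity's code and not any product's API. The attribute names, the policy rules, the thresholds and the sample session are all assumptions made for illustration.

```python
# Added example (not Ping Identity's code, not from the page): a toy policy decision
# point that evaluates attribute-based policies per request and re-evaluates a live
# session when its context changes. Every attribute, rule, threshold and sample value
# below is an assumption made for illustration.
from dataclasses import dataclass, replace

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset
    mfa_fresh: bool = False     # True only while a recent step-up is still valid

@dataclass(frozen=True)
class Context:                  # session and environment attributes, all assumed signals
    network: str                # "corp", "vpn" or "public"
    device_managed: bool
    device_compliant: bool      # e.g. EDR healthy, disk encrypted
    risk_score: int             # 0-100, assumed to come from a risk engine

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str            # "internal", "confidential" or "restricted"
    allowed_roles: frozenset

def decide(subject, ctx, resource, action):
    """Ordered ABAC rules: hard denials first (assume breach), then least-privilege
    role checks, then conditions that demand a fresh step-up before allowing."""
    if ctx.risk_score >= 80:
        return DENY, "risk score %d at or above hard limit" % ctx.risk_score
    if not ctx.device_managed and resource.sensitivity != "internal":
        return DENY, "unmanaged device may only reach internal resources"
    if not ctx.device_compliant and resource.sensitivity == "restricted":
        return DENY, "non-compliant device may not reach restricted resources"
    if not (subject.roles & resource.allowed_roles):
        return DENY, "no role of %s grants %s" % (subject.user_id, resource.name)
    if action == "write" and resource.sensitivity == "restricted" \
            and "approver" not in subject.roles:
        return DENY, "writes to restricted resources need the approver role"
    # Suspicious but inconclusive context adds friction (a challenge), not a denial.
    triggers = []
    if resource.sensitivity == "restricted":
        triggers.append("restricted resource")
    if ctx.network == "public":
        triggers.append("public network")
    if ctx.risk_score >= 50:
        triggers.append("elevated risk score")
    if not ctx.device_compliant:
        triggers.append("device posture non-compliant")
    if triggers and not subject.mfa_fresh:
        return STEP_UP, "fresh MFA required: " + ", ".join(triggers)
    return ALLOW, "all policies satisfied"

class Session:
    """Continuous authorization: every request is decided against the session's
    current attributes, and a change of network or device posture invalidates
    any step-up completed under the old context."""

    def __init__(self, subject, ctx):
        self.subject, self.ctx, self.decisions = subject, ctx, []

    def request(self, resource, action="read"):
        decision, reason = decide(self.subject, self.ctx, resource, action)
        self.decisions.append((resource.name, action, decision, reason))
        return decision

    def complete_step_up(self):
        self.subject = replace(self.subject, mfa_fresh=True)

    def context_changed(self, **changes):
        old, self.ctx = self.ctx, replace(self.ctx, **changes)
        if (old.network, old.device_compliant) != (self.ctx.network, self.ctx.device_compliant):
            self.subject = replace(self.subject, mfa_fresh=False)

def demo():
    # Walk one constructed session through changing context; returns its decisions.
    analyst = Subject("j.doe", frozenset({"analyst"}))
    ledger = Resource("gl-ledger", "restricted", frozenset({"analyst", "approver"}))
    wiki = Resource("team-wiki", "internal", frozenset({"analyst"}))
    start = Context("corp", device_managed=True, device_compliant=True, risk_score=10)
    s = Session(analyst, start)
    s.request(wiki)                           # allow
    s.request(ledger)                         # step_up: restricted, no fresh MFA
    s.complete_step_up()
    s.request(ledger)                         # allow
    s.request(ledger, "write")                # deny: approver role required
    s.context_changed(network="public")       # network change voids the earlier step-up
    s.request(ledger)                         # step_up again
    s.complete_step_up()
    s.context_changed(risk_score=85)          # risk engine raises the score mid-session
    s.request(ledger)                         # deny, although access was granted earlier
    s.context_changed(risk_score=20, device_compliant=False)   # posture degrades
    s.request(wiki)                           # step_up: posture trigger, MFA no longer fresh
    s.request(ledger)                         # deny: non-compliant device, restricted data
    return [d[2] for d in s.decisions]

if __name__ == "__main__":
    print(demo())
```

The ordering in decide() is the policy design point: hard denials are evaluated before anything else so that a high risk score or an unmanaged device cannot be talked around by an earlier step-up, and the step-up path only adds friction where the signals are suspicious but not conclusive. Session.context_changed() is where continuous authorization differs from a one-time gate: the same resource that was allowed a moment ago is denied once the risk score crosses the hard limit, and a completed MFA challenge stops counting as soon as the network or device posture changes.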

 

4. Identity Makes Integration and Alignment Easier

Zero Trust isn’t a one-vendor solution, and it’s not a single product either. Financial services providers need the ability to integrate identity solutions into their existing technology stack so they don’t have to rip and replace existing architecture, stalling other digital transformation initiatives. A standards-based identity solution gives you the integration needed to enhance and extend your existing technology stack, while also allowing you to build an identity hub, an identity foundation that ensures that your existing applications, wherever they are deployed, can communicate and accomplish what’s needed for your teams and end customers.

 

With a central identity platform, all your personnel, including your security, fraud, and incident response teams, can play from the same playbook. This creates organizational alignment, making problems easier to tackle and enabling you to respond to issues quickly and efficiently. Having an identity hub means that your teams are no longer separately tied to IT release schedules or working off of an incomplete view of employees, partners, and customers. Instead, they have access to a singular view of user attributes, allowing them to effectively secure resources, proactively spot threats, and quickly respond to incidents.

 

Ping’s Approach to Zero Trust for Financial Services

Financial service providers face a tough dilemma: they must meet the evolving digital demands of distributed teams and customer expectations while also accounting for compliance regulations and sophisticated cybercriminals.

 

Not only do Zero Trust initiatives greatly strengthen security, but they also present a clear path to realizing digital transformation initiatives. Zero Trust as a paradigm is fundamentally about embedding security into your tech stack - as opposed to just layering it on top. In doing so, you're able to properly establish trust and unlock secure experiences for your employees, partners, and customers.

 

Identity enables a robust Zero Trust framework that gives you and your team the ability to apply the appropriate amount of friction for all user journeys when it makes sense, all while achieving regulatory and internal compliance and meeting digital transformation goals.

 

To learn more about how identity can benefit your organization, check out our IAM Solutions for Financial Services page.
