Zscaler Cloud Platform

Digital Transformation for Banks using SASE and Zero Trust

A brave new world of finance

online banking

Digitalisation has become a baptism of fire for the financial industry as traditional financial institutions compete with new banks from the Fintech scene. Established IT infrastructures meet innovative business models. The SASE framework and an underlying zero trust security architecture provide a practical solution to many challenges of digital transformation.

Changing customer requirements, online hypes, direct banks—digital transformation has got financial institutions worried. Traditional banks are amongst the hardest hit. They fall in the gap between traditional and modern—the same applies to their existing infrastructure. In general, IT processes in the banking sector run on mainframe-driven on-premises networks — they ensure that conventional financial processes can function smoothly and comply with legal regulations. However, the cloud introduces a new IT world in the daily business of financial service providers which is characterised by new working methods (mobile/remote work), as well as fast reactions to customer requests, while fulfilling all other compliance requirements associated with the cloud.
 

Network, the crux of the matter

Modernising network management and security simultaneously tips the scales towards harmonising the various requirements of the finance industry. In this regard, the focus is less on a mainframe, clients, or a server, but on a newly designed IT architecture that supports an extension to the cloud to facilitate digital transformation, enables the simple implementation of business models and the realisation of "new work" initiatives in the future. In view of this, the existing architecture poses multiple challenges: it must support security measures, which are crucial to banks. More so, it must serve innovative business models and simultaneously satisfy high expectations as it pertains to user experience. The aim here is not to replace the banking world's mainframes, but to create a hybrid infrastructure that satisfies modern requirements and reconciles this need with the existing legacy infrastructure.

However, this is precisely where a typical problem arises: connections between remote employees and the bank's network infrastructure are generally based on remote access solutions such as virtual private networks (VPNs). Originally, VPNs were designed to allow a few employees in the field to access corporate data. To meet security requirements, traffic must flow through numerous appliances such as load balancers, firewalls, or DDoS checks to permit access to the required application. This results in high latencies and reduced productivity for bank employees. In addition, security gaps in the VPN technology represent a high risk of infection. This risk is further increased by the challenges presented by new working methods. High-performance collaboration tools, such as Microsoft Teams, Zoom, or Slack, for example, are taking a toll on connectivity. In times of digital transformation, a conventional access policy is unable to keep pace with the changes in a remote/mobile working world. The situation is similar with virtual desktops (VDIs), which are frequently used in the finance industry. Due to security concerns, only an image of the actual application is created on the desktop. However, virtualisation technology is plagued by latency problems that not only make it hard to administer but comparatively insecure and expensive too. It impedes innovative cloud solutions and is unable to keep up with modern working methods as it is not user-friendly.
 

Microsoft 365: A catalyst for digitalisation

Access methods used to date can hardly provide the required performance for high-level technical requirements in the digital world. In practice, Microsoft 365 frequently acts as a catalyst for rethinking existing IT architectures. The cloud suite requires relatively high bandwidths and low latencies to guarantee user satisfaction. Secure access service edge (SASE) provides a solution for these issues—Gartner's cloud architecture model that unites network, connectivity, and security-as-a-service functions. In summary, SASE allows entire financial institutions, networks, and security strategies to reinvent themselves in a holistic manner. This security framework was specifically developed for a combination of connectivity and security requirements resulting from the apps, devices, and users being outside traditional network perimeters.

SASE combines security and network functions in a unified framework, which includes all working environments, and recommends that cloud technologies link a software-defined wide area network (SD-WAN) to security functions. Besides cloud-based firewalls (FWaaS), the SASE framework includes functionalities such as secure web gateways (SWG), cloud access security broker (CASB), and, most importantly, zero trust network access (ZTNA). A cloud-centred security platform fulfills the security requirements of the finance and banking sector by providing uniform security based on guidelines that are only defined once, independent of sites, server centres, multi-cloud environments, or offices.
 

Zero trust: security from the cloud

Zero trust network access (ZTNA) stands at the centre of cloud-based security. This is a security model that does not trust any devices, users, or services, whether they are on or outside the corporate network. This kind of architecture that is based on a least-privileged access model does not trust any user until the user has been checked and validated by security policies put in place. The cloud security service acts as an intermediary, or a broker, and connects a verified user and their device to an application. ZTNA consists of extensive procedures that authenticate users and services and monitor network traffic. Unlike the VPN approach, which places users on the network, ZTNA allows for microsegmentation at the application level. To achieve microsegmentation, ZTNA creates a secure tunnel for authorised users to access the required applications without using the network.

Implementing a zero trust approach in the banking sector will reduce the risk of exposure for networks and applications, thereby excluding both external threats and any potential internal risks without compromising user experience. The tunnel principle means that applications are invisible to attackers, and therefore banks can reduce their attack surface areas or better still, vulnerability. This makes it possible for users to easily access applications from outside the bank environment without having to be a user on the network.  An additional benefit is that ZTNA makes it possible for users to avoid the problem of inadequate performance for VDI applications. Network traffic is no longer routed through a data centre to the internet, but sent directly to the cloud platform, thereby reducing latency. In addition, the zero trust architecture combined with VDI technologies provides administrators with central oversight and they can control what users can and cannot access on the network.

Last but not least, a zero trust concept can help banks to limit their expenditure on IT administration without undermining security. In this case, digital transformation is facilitated by a hybrid model where traditional processes and typical bank applications can continue to run on a trusted on-premises architecture to satisfy legal requirements such as compliance. New and innovative processes, which customers and employees urgently require as part of digitalisation, can be provided securely and conveniently via the cloud, with direct access being authorised without any detours. In conclusion, this includes the high-performance use of Microsoft 365 with all its collaboration tools, satisfied employees, and cost-efficient security measures for everything that matters in the financial environment. This means that the cloud becomes a secure bank for digital innovations.

 

Stay up to date with the latest digital transformation tips and news.

By submitting the form, you are agreeing to our privacy policy.