By Robin Tatam, Principal Technical Marketer & Evangelist at Puppet by Perforce, discusses the steps that financial services organisations can take to ensure compliance and security, even on a massive scale.
Financial services organisations have a growing number of information and technology-related compliance and regulations to address impacting both sides of the English Channel. For instance, Europe has the GDPR, the EU Cybersecurity Strategy, the EU Cybersecurity Act, the Network and Information Systems Directive (NIS2), and the Digital Operational Resilience Act (DORA). Following the United Kingdom’s withdrawal from the EU in 2020, the UK is no longer bound by EU regulations, but a new law was already passed called the UK-GDPR which is tightly based on the EU original. There will be other equivalent UK laws being passed in future. If that were not burdensome enough, companies that operate internationally, face additional compliance requirements.
This partial list underlines that governments worldwide are focusing heavily on improving privacy and imposing expectations about security. In turn, this means that financial services organisations must look at all the software they are using, and that begins with IT operations. These are the teams responsible for maintaining and updating the IT infrastructure on which pretty much every organisation on the planet now depends. For instance, even one outlying server that is misconfigured or not updated could create a vulnerability which results in data loss or can be exploited as a cyberattack.
However, IT operations are faced with a few challenges. First, the scale and sophistication of cyberattacks continue to increase. Second, even when teams are aware of their role in mitigating risks, they are typically so overloaded that they are focused on firefighting rather than proactively remediating a potential hazard. Skills shortages continue to be a huge problem, with teams often running lean and under resourced. This can result in incoming support requests taking precedence over updating to the latest software releases and applying patches, and remedial action only being taken during an audit or as a result of a security incident.
A third challenge is that having visibility over the IT infrastructure has become more complicated, exacerbated by hybrid on-premise and cloud environments and complex supply chains involving multiple contributors. Not only is this a potential source of security risk, but it also makes presenting timely and accurate data to auditors extremely difficult.
Work smarter not harder
There are steps that financial services organisations can take to drastically improve IT infrastructure management and, in turn, compliance and security, even on a massive scale. As a starting point, work to lessen manual effort by automating as much as possible. Of course, many organisations already have infrastructure automation, but they may not be using it to its fullest potential. Advanced organisations now also use automation to assess and maintain adherence to comprehensive security baseline standards.
Adopting an agent-based approach to automation means that the infrastructure automation sits on the servers, hundreds or even thousands of them, resulting in reduced network bandwidth utilisation and greater resiliency because servers continue to be automatically and simultaneously corrected even when networks are down.
Automation not only delivers a ‘desired state’ faster and more efficiently, but it also prevents IT operations personnel’s need for site visits to apply individual updates. It can be compared to supermarket staff having to manually check every product in store to occasionally check it has the right price and shelf location versus the store’s computer system having all that information and using an in-store robot to very frequently verify and make corrections automatically. This avoids IT Operations teams spending valuable time reactively fixing vulnerabilities that the security team (hopefully!) reports.
With this level of automation in place, continuous compliance can be added, using policies that can be repeated easily and automatically tested on a vast scale. Consequently, servers are checked more often, more comprehensively, and without the high risk of human error. Instead of internal compliance audits being carried out, say, once a quarter, teams rest easier knowing that everything is within a few minutes of being verified as up to date. Considering that IT infrastructure, if left to its own devices, will inevitably drift out of compliance very quickly, this benefit cannot be over-emphasised. Implementing continuous compliance using policy-as-code ensures that teams spend more time planning and less time assessing and fixing.
Continuous compliance
The best continuous compliance strategies are based on universally accepted industry security standards and benchmarks, notably those published by the Center for Internet Security (CIS) and the Defense Information Systems Agency (DISA). Doing so ensures that policies are adopted that are designed by security experts and updated as new risks and recommendations surface, alleviating the need for IT teams to become experts themselves.
Beyond technology processes, there are also cultural aspects to turning IT infrastructure from being a potential source of risk into something that proactively contributes to better compliance, privacy and security. In particular, there needs to be widespread acceptance that enterprise security is rarely achieved—and never optimised—within a siloed environment. It’s a company-wide team effort. Operations, software development, and security teams must collaborate in order to be prepared for security risks, while also having the confidence that they can prove their systems are regulatory-compliant.
Naturally, the steps described require effort and likely won’t occur overnight. However, partnering with experienced industry experts in infrastructure and compliance automation dramatically accelerates the time to value. With regulatory burdens and security risks on the rise, plus many financial services teams struggling with a lack of skills and budget, there has never been a better time to adopt an automation mindset, optimise processes, and get improved tools in place.