How Various Flavors of PKI Can Protect and Secure Financial Services Data

By Abul Salek, Director of Product Management, Sectigo

How much time and budget does your company allocate to cybersecurity to protect you and your customers’ critical data and private information? Is your organization doing enough, or is your information at risk?

In many ways, data constitutes the essential lifeblood of the financial services industry. From providing real-time account and trading information to automating risk management processes, forecasting, and fraud detection, to managing real-time transaction details, data is your business’s most important resource to protect.

According to a recent study by Deloitte, financial firms spend an average of 10% of their IT budget on cybersecurity. In addition, they reported that CISOs rank keeping up with rapid IT changes and rising complexities in tech systems as top challenges, regardless of company size or maturity level.

Despite these budget and time expenditures, most financial firms are not sufficiently protected because they lack data security.

Financial institutions leveraging emerging business models are not recognizing the significant security risk represented by connected devices. Given the insurance, banking, and brokerage sectors’ growing reliance on data and the increasing digitization of financial services, financial institutions must continually fortify their security capabilities and eliminate potential vulnerabilities to stay ahead of threats.

Threats Come from Many Directions

Any device, system, or organization that holds or transmits sensitive financial or customer information is at risk. These cyber-threats, which can originate from both internal and external sources, run the gamut from phishing attempts, large-scale data breaches, malware and credit/debit card theft, Business Email Compromise (BEC), to ransomware-based extortion.

The consequences are far-reaching, such as the Equifax data breach in 2017 that compromised the personally identifiable information (PII) of nearly 150 million consumers, exposing them to identity theft and other potentially serious consequences. According to the U.S. Government Accountability Office (GAO), Equifax had installed a tool to inspect network traffic for evidence of malicious activity, but an expired certificate prevented that tool from working correctly. As a result, cybercriminals could launch attacks and gather sensitive consumer information without being detected for 76 days. News of the breach led to federal investigations and a nationwide consumer class-action lawsuit, which the company is now reportedly paying $700 million to resolve.

So, how can the financial services sector ensure the security, privacy, and integrity of their data?

Public-Key Infrastructure (PKI), the gold standard in digital privacy, identity, and security, offers an excellent security foundation for every device, server, user, and application in the enterprise, whether on-premise or in the cloud. PKI guards data against theft or tampering and guarantees secure authentication of users and applications to protect against fraud. By leveraging digital certificates, an organization can roll out passwordless authentication which is experiencing an increasing adoption rate in the enterprises.

While nearly every financial services firm has incorporated PKI into its web and device security in some way, not all are fully or appropriately leveraging its power.

Unfortunately, organizations are often overwhelmed when it comes to managing security certificates and secret keys throughout the enterprise, as it can be challenging to issue, manage, and revoke/renew/replace certificates and keys numbering in the thousands or even tens of thousands. Think of the number of the Secure Shell (SSH) keys floating around in your enterprise that you may not even be aware of.

Many financial institutions fail to see the broad range of digital assets and use cases that PKI can protect. Outside of using Secure Sockets Layer (SSL) PKI certificates to protect public-facing websites, enterprise PKI solutions can address the large-scale requirements of SSL for internal-facing servers, private Certificate Authority (CA), S/MIME email encryption, code signing, and document signing.

There are at least five ways that PKI can be used to protect and secure financial services data:

1. Enterprise SSL, which enables administrators to easily manage certificates through a single-pane-of-glass interface, is ideal for secure online banking and transaction sites, customer information site, market analysis and forecasting sites, tax filing, insurance, securities trading, and data gathering sites.
2. Private CA, which allows financial institutions to secure users and devices, and automates the management of internal devices and applications regardless of which internal protocols an enterprise has in place, is useful for supplementing Microsoft Active Directory Certificate Services, mobile devices, IoT, DevOps, cloud/multi-cloud, web servers, SSH Key management, Private S/MIME for secure email, intranet services, Wi-Fi access, VPN access, POS systems, networking devices, and Windows Hello for Business.
3. Using Zero-touch S/MIME for email enables both the sender and recipient to use their existing S/MIME-capable email applications on multiple devices – mobile or desktop; a welcome improvement to other approaches that disrupt the user experience by requiring users to use multiple certificate credentials. Zero-touch S/MIME is suited for email signing, email encryption, mobile email encryption and signing, mobile Wi-Fi access, and mobile website authentication.
4. Code signing supports all file types, from drivers and firmware to scripts and applications. With enterprise-scale issuance, management, and renewal/revocation/replacement features, development teams have greater cryptographic flexibility and improved time to market for new financial services and products. Code signing allows your software to be trusted by users and helps with a wider adoption of it. It is optimal for application development, DevOps, mobile devices, and IoT. With the higher assurance EV code signing, your application can achieve instant reputation with many Operating Systems which helps with users trusting and using it instantly.
5. Document signing allows financial institutions to maintain compliance with the strictest electronic signature/digital signature regulations, such as U.S. FDA CFR 21 Part 11 requirements. Digital signatures leverage PKI certificates to offer the highest levels of security for regulated and sensitive document use cases such as account openings, loan applications, investment/private banking, and insurance documents and agreements. If the document signing certificate is issued from a CA that is in the Adobe Approved Trust List (AATL), the signed document can be universally exchanged with trust.

Sectigo provides a platform for financial services companies to authenticate and secure users, devices, and data.

Because of the financial, reputational, and business consequences of failing to protect data, banks, insurers, and other financial institutions should leverage the powerful capabilities of PKI to protect against increasingly sophisticated threats and avoid costly attacks.

By adopting a suite of enterprise PKI solutions, the financial sector can future-proof security, protect customer information, gain greater peace of mind, and maximize the value of data.

All About Sectigo

Sectigo is a global cybersecurity provider of digital identity solutions, including TLS / SSL certificates, DevOps, IoT, and enterprise-grade PKI management, as well as multi-layered web security. As a leading Certificate Authority with more than 700,000 customers and over 20 years of experience in online trust, Sectigo partners with organizations of all sizes to deliver automated public and private PKI solutions for securing webservers, user access, connected devices, and applications. Recognized for its award-winning innovation and best-in-class global customer support, Sectigo has the proven performance needed to secure the digital landscape of today and tomorrow. For more information, visit www.sectigo.com and follow @SectigoHQ.

About the Author

Abul Salek, MSc, PMC, is Director of Product Management at Sectigo, a leading provider of automated digital identity management and web security solutions. With 20 years of experience in software engineering and managing cybersecurity products, Abul leads innovations around PKI, quantum security, and IoT. He holds an M.S. degree in Computer Science from the University of Alberta, Canada.

Abul can be reached online at abul.salek@sectigo.com and at our company website   https://sectigo.com/