Blog

How banks increase their security with deviceTRUST

As an important part of the financial system and the economy of any country, security has always played an essential role for banks. External regulations require banks to implement specific measures to minimize the impact of IT risks on IT systems. In the following, you will learn how “Contextual Security” from deviceTRUST helps to achieve this goal through technical measures.

External Requirements

On January 17, 2025, the “Digital Operational Resilience Act” (DORA) will come into force as an EU regulation. It requires financial organizations to “establish and maintain resilient ICT systems and tools to keep pace with the rapidly evolving cyber threat landscape”. 1https://www.bankinghub.eu/finance-risk/dora-digital-operational-resilience-act

The requirements contained in DORA are diverse. The “ICT risk management” discussed in Chapter 2 plays a particularly important role in the following analysis. Article 9 section 4c concerning “protection and prevention”, for example, requires that financial entities „implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof”. 2https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554

DORA “does not particularize any specific guidelines” as to how implementation should look in detail; „Instead, the requirements are based on relevant international, national and industry-specific standards, guidelines and recommendations.” 3https://www.bankinghub.eu/finance-risk/dora-digital-operational-resilience-act

If you look at such “standards, guidelines and recommendations” in Germany, you will find the so-called “Banking Supervisory Requirements for IT (BAIT)”, among others. As administrative guidelines in the form of circulars, the BAIT “interpret […] the legal requirements of paragraph 25a section 1 sentence 3 no. 4 and 5 of the German Banking Act (KWG). In it, the supervisory authority explains what it understands by appropriate technical and organizational equipment of the IT systems, taking particular account of the requirements for information security and an appropriate emergency concept. As institutions are increasingly procuring IT services from third parties, including in the context of outsourcing, paragraph 25b KWG is also included in this interpretation.”4https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Meldung/2017/meldung_171106_BAIT.html

Technical measures with deviceTRUST

It is obvious that technical measures are more effective than organizational measures when it comes to security, see also Protection Against “Layer 8” – How deviceTRUST Increases Security With Technical Measures.

You will find out below which technical measures explicitly contribute to increasing security by BAIT requirements.

Context-based access controls

Concerning the access rights mentioned above, the authorization concepts discussed in Chapter 6.2 of the BAIT are of particular importance. These „define the scope and conditions of use of the authorizations for the IT systems (access to IT systems and access to data) […] for all provided authorizations. […]. Depending on the type, authorizations may be available for personalized and non-personalized users (including technical users). […] Access and access authorizations on the IT systems can exist on all levels of an IT system (e.g. operating system, database, application).” 5https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1710_ba_BAIT.html

deviceTRUST helps here: by continuously checking the context, it is technically ensured that digital workplaces and provided applications can only be used if all security and compliance requirements are met – ALWAYS and without user interaction. For example, certain business-critical applications or databases can only be used if staff are in certain Wi-Fi networks or at certain (geo) locations. A good insight into the topic of “Conditional Application Access” is provided by the following Tech Talk: Conditional Application Access.

To ensure that the authorization concepts meet the security requirements, the BAIT demand in chapter 6.8: „to prevent circumvention of the requirements of the authorization concepts with the help of accompanying technical and organizational measures.” 6https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1710_ba_BAIT.html

The following points, for example, are mentioned as technical and organizational measures in this context (the options with deviceTRUST can be found below in each case):

Selection of appropriate authentication procedures (including strong authentication in the case of remote access)

With deviceTRUST, you can use your devices as an additional security factor and thus create very strong authentication. More information on the topic of “Device as a 3rd factor” can be found in the following two blog posts:

Automatic password-protected screen lock

Configuring a password-protected screen lock on a managed company device is usually not a problem. However, how can it be ensured that the screen lock starts automatically after a certain time and that centrally provided applications and data are thus protected when accessed from a non-managed device, i.e. from a BYOD of an external partner or an employee’s private device?

deviceTRUST makes it easy to identify end devices: by using granular domain membership information or serial numbers, you can obtain precise information about whether the device is self-managed or externally managed. If access comes from a third-party device, the remote session can be protected with deviceTRUST after a certain time using a password-protected screen lock, even in BYOD scenarios.

Tamper-proof implementation of logging

deviceTRUST also offers a solution for logging. For a comprehensive overview, all actions can be logged and delivered to external systems. This makes it possible to track at any time whether accesses have been made following security and compliance requirements.

Operational security measures and processes

To realize the requirements of information security management and ensure operational information security, “[t]he institution […] must implement appropriate, state-of-the-art operational information security measures and processes.” 7https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1710_ba_BAIT.html

Among other things, BAFIN is concerned with the “segmentation and control of the network (including policy compliance of end devices) or the “multi-level protection of IT systems according to protection requirements (e.g. against data loss, manipulation or availability attacks or unauthorized access).” 8https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1710_ba_BAIT.html

deviceTRUST also helps here: With context-based Windows firewall configuration, deviceTRUST can help with network (micro) segmentation. Based on contextual information, deviceTRUST can set and cancel local firewall rules to control network communication for each user individually. This enables granular network control on each client and for each user.

Support for “multi-hop scenarios” also ensures that applications and resources that can in principle only be accessed via “jump servers” can only actually be used if the accessing end device meets the security and compliance requirements at all times. This means that unauthorized access to digital workstations and applications can be easily and conveniently prevented.

Other countries have similar customs

The above examples relate to the German market and its requirements in this regard. Other countries have similar requirements, which also involve controlling access to environments and resources.

It would go beyond the scope of this article to go into each country in detail, which is why we will only take a brief look at Switzerland here. For example, the Swiss Financial Market Supervisory Authority FINMA requires the following concerning the information and communication technology used:

“Critical data must be adequately protected from access and use by unauthorized persons during operation, the development, modification, and migration of ICT. […] The components of ICT that store or process critical data must be specially protected. Access to this data must be systematically regulated and continuously monitored.” 9http://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf

Here, too, deviceTRUST provides (technical) assistance – for example, by ensuring that certain “critical” applications can only be used if the employee is actually in the country. If he or she crosses the border, access to the application can be revoked immediately with deviceTRUST.

Banks put their trust in deviceTRUST

Banks are subject to external regulations that they must implement. It should be emphasized that with DORA, „the management body will have a stronger personal obligation to coordinate and take responsibility for ICT risk management.” 10https://www.bankinghub.eu/finance-risk/dora-digital-operational-resilience-act

deviceTRUST is a proven solution for banks that, as an “invisible security layer”, provides uncomplicated assistance in implementing the technical requirements and thus raising the security to a higher level.

If you have any questions about how we can help you in detail, please do not hesitate to contact us.

 

Sources:

About the Author:

Marc Stieber

Sales Manager EMEA

Sales Manager EMEA with many years of experience in the IT industry. His passion for marketing and yoga inspires him to find innovative solutions in his work to support and delight customers.