In the FinTech industry, customer trust comes down to one thing—how well you secure customers’ financial data. Customers won’t touch your product if they hear so much as a whisper that your technology isn’t secure or that their data won’t be safe. According to the Pew Research Center, 70% of Americans believe their personal data is less secure now than it was five years ago, and Tableau reports that 48% of consumers have stopped buying from a company over privacy concerns. With data breaches on the rise—and a new attack happening every 39 seconds—these statistics should give you pause and raise the vital question:
Is your customers’ financial data actually safe from a cyber-attack?
Unfortunately, despite your best efforts, your customers’ data probably isn’t as secure as you think it is. As security technology evolves and new strategies are implemented, hackers are keeping pace, finding new ways to break through to the data. Even with advancements in cryptography, recent cyber-attacks like the 2019 Capital One and 2020 Zoom data breaches have proven that not all cryptographic solutions are equal. In fact, very often the use of cryptography alone is not enough to keep your customers’ data safe.
Why your customers’ data isn’t safe
In today’s environment, firewalls and disk encryption are no longer enough to constitute a security strategy. These tactics are only effective at securing a perimeter around your customers’ personal and financial data—they do little for protecting the data itself. But even in instances where the data itself is encrypted, that doesn’t mean it’s safe from exploitation, as was evidenced by the Capital One breach.
Though there are a number of reasons why encryption fails—including the improper use of encryption algorithms—most data breaches are a result of attackers getting access to the encryption key that allows them to decrypt the data. And this is actually much easier than you’d think.
Encryption keys are often housed on the same storage medium as the data itself. Once a user authenticates, any application run on the user’s device can access the decrypted data. This leaves a huge attack surface: a hacker who compromises any application on the user’s machine, or any third-party application with access to the drive, can read the encryption key and the associated encrypted data. A simple download of the decrypted data, or of the encrypted data and key together, puts you in the midst of a PR nightmare.
The only way to fully protect your customers’ data from an attack is to limit the number of people and applications that have access to the encryption key, following the principle of least privilege.
How the principle of least privilege can save your reputation
The principle of least privilege is vital to building an effective cybersecurity strategy. It states that a user or application should have access to data, or to the encryption key, only if that access is needed to complete their role. Basically, data should be accessible only on a “need-to-know” basis.
Encrypting data at rest on a storage medium (e.g. disk) is far too general, as it has to allow all applications equal access to the data. Following the principle of least privilege, application access to sensitive data should be segmented: for example, critical operating system components such as anti-virus solutions or firewall services should not have access to encrypted data or cryptographic keys. The best way to truly protect your customers’ information and follow the principle of least privilege is to encrypt data at the application layer.
Application-layer security is the only answer
FinTech companies need to start securing their customer data at the application layer of their technology stack. This enables embedding security into the development cycle itself and not relying on security assumptions made at the storage layer. Your organization needs to adopt a “security-as-code” culture and bring security teams into the development process much earlier to secure sensitive data at the application layer.
It’s important to note that encryption algorithms are fragile. One tiny flaw and your entire security system falls apart. Developers aren’t security experts—nor should they be—and it’s remarkably easy for them to get encryption wrong, either by using a big-name but dated algorithm or by using a perfectly sound algorithm for the wrong purpose. By bringing your security team into the development process at an earlier stage, they can ensure your applications are being secured with the right encryption algorithms from the get-go.
But before selecting and approving encryption algorithms, your security team and developers should identify where the data is being generated, consumed and stored, which apps are using that data and how. Every access point should be identified to better understand which applications truly need access to the data in order to perform their job. From there, you’ll likely find that only the application using the data requires access to the encryption key.
By encrypting data within the application, the data and associated encryption key can no longer be accessed by any other application or user. It clearly defines the trust zone and enhances your security by more clearly defining and significantly limiting your organization’s attack surface, making it much more difficult for an attacker to break in.
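The contrast drawn above, between a key that sits on the same medium as the data and a key that exists only inside the application, is easier to see in code. The following is an added example, not code from the original article: it simulates a storage medium as a dictionary, stores one record two ways, and then asks what a process with read access to the medium alone can recover. The cipher is a standard-library construction (HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag over derived subkeys) chosen so the example runs offline; a production service would use a vetted AEAD such as AES-GCM from a maintained library. The `PaymentsService` class, its `key_provider` hook and the sample record are constructed for this illustration; in a real deployment the provider would fetch the key from a KMS or HSM at start-up, never from the data volume.

```python
"""Key placement demo: key stored beside the data vs. key held only by the app.
Added example, standard library only. Demonstration cipher; use a vetted AEAD
(e.g. AES-GCM from a maintained library) in real code."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Independent keys for keystream and MAC, derived from one root key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag first; raises on a wrong key or tampered ciphertext."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("rejected: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


# Constructed stand-in for a storage medium: any process that can read the
# volume can read every entry in this dict.
StorageMedium = Dict[str, bytes]


def store_with_key_beside_data(medium: StorageMedium, name: str, plaintext: bytes) -> None:
    """The layout the article warns about: key and ciphertext on the same medium."""
    key = secrets.token_bytes(32)
    medium[name] = encrypt(key, plaintext)
    medium[name + ".key"] = key


class PaymentsService:
    """Application-layer pattern (hypothetical service): the key lives only in
    this process's memory. key_provider stands in for a KMS/HSM fetch."""

    def __init__(self, key_provider: Callable[[], bytes]) -> None:
        self._key = key_provider()

    def save(self, medium: StorageMedium, name: str, plaintext: bytes) -> None:
        medium[name] = encrypt(self._key, plaintext)

    def load(self, medium: StorageMedium, name: str) -> bytes:
        return decrypt(self._key, medium[name])


def recoverable_from_medium_alone(medium: StorageMedium, name: str) -> Optional[bytes]:
    """What a process with read access to the medium, but no share in the
    application's secrets, can recover: plaintext if the key is on the medium
    too, otherwise nothing."""
    key = medium.get(name + ".key")
    if key is None:
        return None
    return decrypt(key, medium[name])


def demo() -> Dict[str, bool]:
    record = b"account=TEST-0001;balance=1200.00"  # constructed sample record
    disk_medium: StorageMedium = {}
    store_with_key_beside_data(disk_medium, "acct", record)

    app_medium: StorageMedium = {}
    payments = PaymentsService(lambda: secrets.token_bytes(32))
    payments.save(app_medium, "acct", record)
    other_app = PaymentsService(lambda: secrets.token_bytes(32))  # holds a different key
    try:
        other_app.load(app_medium, "acct")
        other_app_rejected = False
    except ValueError:
        other_app_rejected = True

    return {
        "key_beside_data_exposes_plaintext": recoverable_from_medium_alone(disk_medium, "acct") == record,
        "app_layer_exposes_plaintext": recoverable_from_medium_alone(app_medium, "acct") is not None,
        "owning_app_can_read": payments.load(app_medium, "acct") == record,
        "other_app_rejected": other_app_rejected,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two storage layouts hold byte-for-byte comparable ciphertext; the only difference is where the key is. In the first, `recoverable_from_medium_alone` returns the plaintext because the medium hands over the key as well, which is the situation described for the Capital One breach. In the second, it returns nothing, and a second service instance holding a different key is rejected by the tag check rather than being handed garbage, which is the trust-zone boundary the paragraph above describes.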
With application-layer security, things like weak passwords, breakable firewalls and incorrect algorithms are no longer a threat. The safety of your customers’ data is much easier to manage, and you can rest assured trust won’t be an issue with your customer base.