Entrust’s Chris Tammen: Zero Trust is a Foundation for Securing a Modern Remote Workforce

Chris Tammen is a member of the product marketing team for Entrust, a leader in identity, payments and data security. He currently focuses on solutions to help organizations secure identities and protect data. With 20 years of experience in the financial services industry, Chris has held various product, marketing, and leadership roles at Fiserv, First American, CoreLogic and several technology startups.

The financial services industry is a prime target for cyber-attacks. From large-scale data breaches to individual phishing scams, these attacks can leave organizations with significant financial losses and reputational damage. In 2022, the average cost of a data breach in the financial services sector was $5.7M – the second highest, following healthcare.*


The human factor is worth noting as well. In the 2023 Verizon Data Breach Investigations Report, 74% of all breaches included a human element, with people being involved either via error, privilege misuse, use of stolen credentials, or social engineering. Internal actors were responsible for nearly 1 in 5 breaches and, of those, one-third were intentional and two-thirds unintentional.**

While the pandemic pushed many in the mortgage industry to accelerate their digital transformation efforts and work-from-home arrangements, remote work has had considerable effects on the cost of a breach, especially for institutions employing a traditional perimeter-based approach to network security. When remote work was the primary contributing factor, such as credentials stolen from a remote-working employee, breach costs were approximately $1 million more, compared to breaches for which remote work was not a factor.**

How is the Biden Administration Addressing Cybersecurity Risk in 2023?

Earlier this year, the White House published a fact sheet announcing the Biden administration’s National Cybersecurity Strategy. The Congressional Research Service has a four-page summary of the National Cybersecurity Strategy here. The first pillar of the strategy document references a Zero Trust Architecture strategy. Additionally, the Federal Zero Trust Strategy (OMB Memorandum M-22-09) requires agencies to achieve specific Zero Trust security goals by the end of fiscal year 2024.

The memo instructs federal civilian executive branch agencies, such as the CFPB, FDIC, OCC, FTC, FHFA, USDA, VA and HUD, to implement multi-factor authentication, encrypt their data, gain visibility into their entire attack surface, manage authorization and access, and adopt cloud security tools.

Zero Trust Defined

While concepts of a Zero Trust Architecture strategy may be familiar to those in technology roles, it can be a less recognizable term for those responsible for origination and servicing operations functions. Zero Trust is not a technology, but a change in the way an organization mitigates cyber risk. Based on the principle, “Never Trust, Always Verify,” it means organizations should not implicitly trust anything inside or outside their perimeter.

John Kindervag architected the model and created the term “Zero Trust” network architecture in 2010 as an analyst with Forrester. The strategy is designed to stop data breaches and make other cyber-attacks unsuccessful by eliminating trust from digital systems.

The framework comprises five pillars:

- Identity

- Devices

- Networks

- Applications and Workloads

- Data

The Cybersecurity & Infrastructure Security Agency’s Zero Trust Maturity Model, published in April 2023, lists seven tenets of zero trust:

- All data sources and computing services are considered resources.

- All communication is secured regardless of network location.

- Access to individual enterprise resources is granted on a per-session basis.

- Access to resources is determined by dynamic policy.

- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.

- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.

- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
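To make the seven tenets concrete, the following policy decision point is an added example (not code from Entrust, CISA or the article) that grants access per session from identity, role entitlement and device posture, while deliberately recording but never trusting network location. The resource names, roles, sensitivity labels and session lifetimes are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role entitlements and resource sensitivities (not from the article).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "loan_officer": {"loan_pipeline", "borrower_docs"},
    "servicer": {"escrow_ledger"},
}
SENSITIVITY: Dict[str, str] = {
    "loan_pipeline": "internal",
    "borrower_docs": "restricted",
    "escrow_ledger": "restricted",
}
AUDIT_LOG: List[dict] = []   # tenet 7: collect state to improve posture over time

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str          # tenet 1: every data source and service is a resource
    mfa_verified: bool     # tenet 6: authentication is enforced on every request
    device_managed: bool   # tenet 5: device posture feeds the decision
    device_patched: bool
    network: str           # tenet 2: recorded for telemetry, never a basis for trust

@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    session_ttl_min: int = 0   # tenet 3: grants are per session and time-boxed

def decide(req: AccessRequest) -> Decision:
    """Evaluate one session request against dynamic policy (tenet 4)."""
    d = Decision(allowed=False)
    if req.resource not in SENSITIVITY:
        d.reasons.append("unknown resource")
    if not req.mfa_verified:
        d.reasons.append("mfa required")
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        d.reasons.append("role not entitled")
    sens = SENSITIVITY.get(req.resource, "restricted")   # fail closed on unknowns
    if sens == "restricted" and not (req.device_managed and req.device_patched):
        d.reasons.append("device posture insufficient for restricted data")
    if not d.reasons:
        d.allowed = True
        d.session_ttl_min = 15 if sens == "restricted" else 60   # re-verify sooner for sensitive data
    AUDIT_LOG.append({"user": req.user, "resource": req.resource, "network": req.network,
                      "allowed": d.allowed, "reasons": list(d.reasons)})
    return d
```

Note that a request from the corporate LAN with a weak device posture is denied while the same user on home Wi-Fi with a managed, patched device and MFA is granted a short-lived session; that is the practical meaning of "never trust, always verify".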

So, what does that mean for the financial industry? The agencies charged with regulatory oversight of U.S. financial institutions officially have a Zero Trust strategy as part of their roadmap. The Consumer Financial Protection Bureau has already incorporated specific Zero Trust concepts into its information security program and has developed a strategy to fully transition to a Zero Trust Architecture by the end of fiscal year 2024.

White House memo M-23-18, released June 27, 2023, outlines the administration’s cybersecurity priorities for fiscal year 2025 budget submissions. Per the memo, budget submissions should demonstrate how they:

- Achieve progress in Zero Trust deployments as outlined in OMB Memorandum M-22-09 (referenced above), Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, and explain efforts to close any gaps in those requirements.

- Meet the goals set forth in the Federal Zero Trust Strategy and make clear how agency investments support people, processes, and technology that advance agency capabilities along the Zero Trust Maturity Model.

At the state level, some agencies have also started their Zero Trust migration. The Texas Department of Banking, for example, has implemented cloud services in a zero-trust environment for all utility, file, and virtual private network services.

For many outside the financial services industry, the concept of “remote work” simply represents an additional option for employers to facilitate flexible working arrangements or leverage geographically dispersed talent pools. However, for some financial sectors, such as the mortgage industry, it represents something different. The Nationwide Mortgage Licensing System is a centralized database used by mortgage and finance regulatory agencies to maintain state licensing programs. It requires any individual employed by a licensed mortgage lender, broker, or servicer acting as a mortgage loan originator to be licensed. Some states require licensed members of their teams to operate from a licensed branch.

During the pandemic, many state regulators temporarily suspended their requirements for a mortgage loan originator to work from a licensed branch location. Several states have since updated statutory language to include specific security controls. Nevada introduced legislation (HB284) in March that allows business to be conducted from a remote location under certain circumstances, requiring encryption and multi-factor authentication, for example. Virginia recently enacted HB2389, which requires licensees to employ risk-based monitoring in addition to ensuring the security of all devices used at remote locations. The Mortgage Bankers Association provides a centralized resource for tracking activity related to U.S. state licensing flexibility and remote work policies here.

Conclusion

The National Cybersecurity Strategy document offers a glimpse into the importance the Administration is placing on a Zero Trust strategy. Strategic Objective 1.5: Modernize Federal Defenses states the following:

Building on this momentum, the Administration will drive long-term efforts to defend the Federal enterprise and modernize Federal systems in accordance with zero trust principles that acknowledge threats must be countered both inside and outside traditional network boundaries. By making its own networks more defensible and resilient, the Federal Government will be a model for private sector emulation.

While a Zero Trust migration process requires planning, the framework provides benefits beyond securing a remote workforce. The July 3 Freddie Mac information security update and the June 6 FTC Safeguards Rule changes are two examples that include controls such as encryption, identity and access management, and cloud security. Adopting a Zero Trust security model encompasses each of these.

Remote work has become a necessity for a modern lending workforce, and a traditional perimeter-based approach is increasingly untenable in the era of digital transformation. Lenders adopting a Zero Trust strategy can be well positioned to improve resilience, preserve customer trust and prepare for the future as federal agencies progress along their own Zero Trust journeys.

*2022 IBM Cost of a Data Breach: https://www.ibm.com/downloads/cas/3R8N1DZJ

**2023 Verizon Data Breach Investigations Report: https://www.verizon.com/business/resources/reports/dbir/2023/master-guide/

(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to NewsLink Editor Michael Tucker at mtucker@mba.org or Editorial Manager Anneliese Mahoney at amahoney@mba.org.)