Financial Services Branches of the Future: Converging Security and Network Access

The financial services industry is transitioning to a digital business model to enhance customer experience and maintain a competitive advantage. And since most financial services organizations utilize a distributed enterprise branch model, this transition is having a significant impact on their networks.

Their users, both remote and local, require direct access to the internet for cloud and Security-as-a-Service (SaaS) applications. This, in turn, has made the WAN and access edge more complicated than ever. In addition, Internet-of-Things (IoT) devices entering the branch network introduce new vulnerabilities for attackers to exploit. As a result, it is becoming increasingly critical to deploy next-generation security strategies to support this shift.

Expanding Attack Surface at Branch Locations

Financial services organizations with one or more remote locations are adopting software-defined wide-area networks (SD-WANs) to simplify the management and operation of the WAN. However, SD-WAN alone does not address fundamental challenges of securing multiple edges, nor does it address the visibility and complexity challenges common at branch locations, which makes it more challenging to address the resulting expanded attack surface.

Here are three of the most critical security challenges facing financial institutions that use SD-WAN to connect their remote branch offices.

Multiple Edges to Secure: The evolution of the WAN edge, with its many edges to protect, has created additional vulnerabilities and risks that must be secured. The influx of Software-as-a-Service (SaaS) applications, cloud-based tools, voice over IP (VoIP), and video services has caused the amount of network traffic to grow exponentially. These, in turn, have caused the edge of the wide area network (WAN) in the branch network to become more difficult to secure. This is further complicated by the proliferation of wireless access points and the increasing number and types of devices accessing them.

Lack of Visibility: Branch networks also must support many more endpoint devices (both wired and wireless) that may not even be visible to the network and security operations teams. These include the various devices used by employees, partners, and customers, as well as the growing number and diversity of IoT devices, such as office appliances. Many of these devices are personally owned, and may not be fully patched or have updated system software. And in the case of IoT devices, many were not built with security in mind, so many do not have any built-in security capabilities and must instead be protected using external controls.

Management Complexity: Many companies have tried to address the new network functions and security gaps found in today’s branch office by deploying point security solutions. Over time, the accumulation of these point solutions – that often can't be integrated, creates an extremely complex environment to manage from both a cost and a time perspective. In addition, most branch offices lack onsite IT and security staff, making the management and troubleshooting of these solutions even more challenging.

Securing Next Generation Branches with SD-Branch

An effective branch deployment should seamlessly integrate networking and security capabilities across the entire environment. SD-Branch aims to extend the features of Secure SD-WAN into the enterprise branch’s local LAN network, including the WAN edge, access layer, and endpoints.

WAN Edge: Digital transformation and the use of cloud-based technologies, such as SaaS applications, and the resulting increase in bandwidth and traffic requirements, has made traditional WAN architectures using multiprotocol label switching (MPLS) too rigid and expensive. SD-WAN addresses this challenge by providing cost savings and network performance improvements for branch offices. And a Secure SD-WAN solution can provide both network performance and security without having to buy separate security appliances. It can optimize network bandwidth, inspect encrypted traffic without causing network performance bottlenecks, and be deployed with minimal effort by the corporate IT staff.

Access Layer: To reduce complexity in the branch infrastructure, network teams should look at consolidating multiple, purpose-built appliances used for network functions (e.g., routers and load balancers) as well as specific security capabilities (e.g., intrusion prevention/detection). With the convergence of both wired and wireless networking capabilities in many of today's next-generation firewalls (NGFW), the capabilities of a Secure SD-WAN solution can be extended to the branch access layer by adding NGFW security, switches, extenders, and APs – all combined into one interoperable solution. This integrated strategy further increases agility through a single-pane-of-glass interface, thereby simplifying branch management of security, network access, and SD-WAN. In addition, it reduces the risks associated with having multiple vendors, solutions, interfaces, and operating systems that can overburden IT and security teams.

Endpoint Security: If you can’t see it, you can’t protect it. An effective security platform needs to provide the transparent identification, categorization, and protection of all connected endpoints – especially devices that may have been deployed without the knowledge of the security and IT teams. Since the point of compromise in attacks is often the endpoint, it is imperative that any SD-Branch solution also includes automated access controls (e.g., to quarantine vulnerable or suspicious devices) combined with anomaly detection and incident response capabilities for fast remediation. And SD-Branch centralized management capabilities should dynamically manage network access and enforce policy-based controls to ensure consistent security across all users, applications, and endpoints—including vulnerable IoT devices.

The continuing evolution of branch networks makes them a target-rich environment for adversaries and a security challenge for security and IT teams. However, due to the sensitive nature of financial transactions and workflows, financial institutions cannot afford for these remote locations to become an Achilles heel when it comes to IT management and security. Instead, they need their own defenses that conform to the unique risks they present, and that can also be seamlessly integrated into the broader security architecture of the organization.

SD-Branch solutions provide security-driven networking capabilities that consolidate the network access layer within a secure platform, providing visibility and security to the network and all devices that connect to it. For financial services organizations looking to protect their expanding network edges, SD-Branch converges branch services – from the WAN edge to access points and endpoint devices – to deliver security, agility, and optimized network performance in a single, integrated platform approach.

About the author: 

Renee Tarun is deputy CISO at Fortinet. She is focused on enterprise security, compliance and governance, and product security. She is also a contributor to the book, The Digital Big Bang.

Renee joined Fortinet as the vice president, information security in early 2017. Immediately prior to joining Fortinet, she served as Special Assistant to the Director, National Security Agency (NSA), for Cyber and Director of NSA’s Cyber Task Force, in which she advanced NSA’s execution of its cybersecurity and cyber-related missions by acquiring, investing, and overseeing resources; defining and integrating mission capabilities; and shaping agency strategy and national level policy.