Originally published on July 27, 2023 via the Finextra Blog.
Tackling fraud in the modern era takes more than just a secure login process.
The global pandemic of 2020 accelerated a shift, already under way, toward digitally oriented business models. Employees can work remotely from the comfort of their homes, while clients have greater access to a company’s platform, products, and services from anywhere in the world.
Yet, as business and financial technology become more advanced, cybercrime is evolving alongside it.
The Federal Trade Commission (FTC) reports that consumers reported losing nearly $8.8 billion to fraud in 2022, up more than 30% from the year prior. Imposter scams stood out as one of the top culprits, with $2.6 billion in reported losses in 2022, emphasizing the need for stronger user authentication measures.
Whether an organization is protecting its private data from external bad actors or monitoring internal operations to ensure due diligence, it’s clear a more advanced approach to cybersecurity is needed — and that is exactly what the zero trust approach aims to achieve.
In this month’s Tech Talk, FundGuard CTO Yaniv Zecharya and VP of Cloud Ops Elad Dotan explain the concept of zero trust and how it differs from the more traditional use of a VPN client.
VPN vs. Zero Trust: 3 Key Differences
A VPN client is software that establishes an encrypted tunnel between an authorized user’s device and an organization’s internal network. Once the tunnel is up, the device is effectively inside the network perimeter. VPN clients have been the long-time standard for remote access, but their limitations are becoming more apparent in the wake of cybercrime spikes within the financial industry.
To address these limitations, technology experts have started to advocate for the zero trust approach, a strategy that does not rely on a VPN tunnel as its trust boundary and instead treats every access request as untrusted until the user, the device, and the context of the request have been verified.
While most companies today still rely on VPN clients for remote access, it is becoming increasingly clear that a zero trust approach is the best practice for safeguarding business systems against bad actors and, thereby, keeping both internal and external data secure.
When closely examining VPN clients and the zero trust approach, we can identify three key differences that set zero trust frameworks apart:
1. Authentication Processes
The VPN client process involves the installation of a VPN client on company computers and personal devices. To connect, users enter a username and password (and sometimes a second factor) issued by the business. This login is the main authentication step in the VPN model: once the tunnel is established, requests flowing through it are generally not re-verified, so the bulk of the protection sits at the login portal.
By comparison, a zero trust framework does not rely on a VPN client but instead questions the identity of users at multiple points in the system. Along with entering the correct login credentials to access a system, users must also clear a variety of other authentication measures, such as device authentication.
For example, let’s say an employee works remotely from a home office and one day switches to a laptop for work instead. The zero trust framework would flag that laptop as an unknown device and ask for further authentication from the user.
A zero trust approach also uses ongoing monitoring that assesses user activity for suspicious behavior after initial authentication has been completed, rather than treating a successful login as the end of the checks.
2. Central Management
With a VPN client, access to different networks often requires several separate installations, one per network or application. For instance, if an organization works with two separate vendors, a separate VPN client installation is typically needed to connect to each vendor’s systems, and each one has its own credentials and logs.
The zero trust process works quite differently.
In a zero trust framework, an organization uses central management capabilities built around a proxy (often called an identity-aware proxy or policy enforcement point) that sits between users and the applications they reach. Even if a user arrives at a remote destination via a VPN client, the zero trust process requires that the user first go through the proxy and verify their identity and device there.
This not only simplifies the process of authenticating users coming from many different locations and applications, but it also ensures that company administrators maintain a comprehensive, centralized overview of every user and device accessing internal systems, with every access decision recorded in one place.
3. Access & Monitoring Parameters
The primary security parameter in a VPN client is the entry of login credentials to verify a user. Beyond this, any additional user authentication and monitoring must typically be carried out by other tools and software, creating a fragmented system that is harder to audit and easier to slip through.
Meanwhile, zero trust addresses many different cybersecurity factors beyond initial user authentication.
We’ve already discussed how zero trust enables organizations to monitor and flag access attempts from unknown devices. In addition to these device monitoring capabilities, the zero trust framework also necessitates ongoing monitoring of data activities, applications, and all other system components.
Ultimately, a zero trust approach puts the right checks in place to verify, on every access rather than only at login, that a user is who they say they are and is on an approved device. It provides companies with the ability to set specific monitoring and flagging parameters that identify suspicious behavior and users at all points in the system.
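As an added illustration (not FundGuard’s code or any particular product’s), the following Python sketch shows a per-request policy check that covers the three points above: the device is verified on every request, not only at login (1); every decision passes through one central engine and lands in one audit log (2); and behavior is still evaluated after authentication (3). The device ids, action names, the velocity limit and the sample device inventory are constructed for the example; the `perimeter_style_check` function is included only to contrast the VPN model, where an open session means every request is allowed.

```python
"""Per-request zero trust policy check (added example, hypothetical).

Every request is judged on its own merits (user, device, action, recent
behaviour) instead of being waved through because a VPN session exists.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # ask for a further factor before proceeding
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str       # identifier presented by the client device (assumed)
    action: str
    mfa_verified: bool   # a second factor was completed for this session


@dataclass
class PolicyEngine:
    enrolled_devices: dict[str, set[str]]   # user -> enrolled device ids (constructed)
    sensitive_actions: set[str]             # actions that need a fresh factor
    max_sensitive_per_window: int = 3       # simple velocity limit (assumed)
    sensitive_counts: dict[str, int] = field(default_factory=dict)
    audit_log: list[tuple] = field(default_factory=list)

    def evaluate(self, req: Request) -> Decision:
        flags: list[str] = []
        known_device = req.device_id in self.enrolled_devices.get(req.user, set())

        # 1. The device is checked on every request, not only at login.
        if not known_device:
            flags.append("unknown_device")
            if not req.mfa_verified:
                return self._record(req, Decision.STEP_UP, flags)

        # 2. Sensitive actions need a second factor regardless of device.
        if req.action in self.sensitive_actions:
            if not req.mfa_verified:
                return self._record(req, Decision.STEP_UP, flags)
            # 3. Ongoing monitoring after login: an unusual volume of sensitive
            #    actions is denied and flagged even though the user is authenticated.
            n = self.sensitive_counts.get(req.user, 0) + 1
            self.sensitive_counts[req.user] = n
            if n > self.max_sensitive_per_window:
                flags.append("sensitive_action_velocity")
                return self._record(req, Decision.DENY, flags)

        return self._record(req, Decision.ALLOW, flags)

    def _record(self, req: Request, decision: Decision, flags: list[str]) -> Decision:
        # One central log of every decision: the overview an administrator needs.
        self.audit_log.append(
            (req.user, req.device_id, req.action, decision.value, tuple(flags))
        )
        return decision


def perimeter_style_check(session_open: bool) -> Decision:
    """The VPN model in one line: once the tunnel is open, everything is allowed."""
    return Decision.ALLOW if session_open else Decision.DENY


def demo() -> list[Decision]:
    """Run a constructed sequence of requests through the engine."""
    engine = PolicyEngine(
        enrolled_devices={"alice": {"desktop-01"}},  # constructed inventory
        sensitive_actions={"export_positions"},
    )
    requests = [
        Request("alice", "desktop-01", "view_dashboard", mfa_verified=False),   # allow
        Request("alice", "laptop-99", "view_dashboard", mfa_verified=False),    # step_up: unknown device
        Request("alice", "laptop-99", "view_dashboard", mfa_verified=True),     # allow, but flagged
        Request("alice", "desktop-01", "export_positions", mfa_verified=False), # step_up: sensitive action
    ] + [Request("alice", "desktop-01", "export_positions", mfa_verified=True)] * 4  # 3 allow, then deny
    return [engine.evaluate(r) for r in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

The second request is the home-office scenario from point 1: the same user on an unenrolled laptop is asked for a further factor. The last request shows point 3: the user is fully authenticated, yet the fourth bulk export in the window is denied and flagged for review, something a plain VPN session would never notice.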
The Relationship Between Zero Trust & SOC 2 Compliance
Many IT and compliance experts are already familiar with the benefits of a zero trust approach. With regulators raising their compliance expectations, the same familiarity is now vital for fund managers and fund boards, who also carry cybersecurity oversight responsibilities.
For example, a SOC 2 report (an attestation by an independent auditor against the AICPA Trust Services Criteria, rather than a certification) addresses how an organization manages sensitive customer and internal data in its software and operations. A zero trust framework is not a requirement of SOC 2, but the two are complementary.
SOC 2’s criteria help to establish a digital business environment that can readily adopt the zero trust approach. They are organized around five trust services categories; Security is the only one required in every SOC 2 report, and the other four are included when relevant to the service being examined:
- Privacy: SOC 2’s privacy criteria cover how personal information is collected, used, retained, disclosed, and disposed of, and require access controls that keep it from unauthorized users, including those who may have obtained credentials through phishing or other fraudulent means. In practice this means verifying every single user accessing a system and withholding trust until that user has been adequately authenticated. The zero trust approach emphasizes the same practice, encouraging the mindset of no trust until proven trustworthy.
- Security: The zero trust framework asserts that all users must be thoroughly authenticated before being given access to business systems, and SOC 2’s security criteria require logical access controls to the same end. Both recognize that though a business may trust its employees, plenty of talented criminals exist who can pose as trusted users in incredibly convincing ways. As a result, multi-factor authentication and anomaly detection are crucial for maintaining a high level of security and limiting access to sensitive data.
- Processing Integrity: SOC 2 requires organizations to take a long, hard look at how their systems and users process data. To meet SOC 2 compliance, organizations must implement the right mix of process monitoring controls to verify data processes, including everything from data storage and delivery to data modification. In the zero trust approach, a crucial component of the framework is establishing ongoing monitoring processes that verify user identity and monitor user behaviors — including data management — at all points in the business system.
- Availability: The processing integrity discussed above goes hand in hand with the principle of availability, that is, the need to provide a system from which customers and employees alike can access services and functions when they need them. With the ongoing, in-depth monitoring involved in both the zero trust framework and SOC 2, organizations can keep their systems up and running while maintaining clear oversight of security threats and user activity.
- Confidentiality: Keeping confidential data secure is paramount in the age of digital business and heightening cybercrime. SOC 2 imposes strict requirements for maintaining access controls that protect confidential data from bad actors, even if those bad actors manage to bypass initial user authentication processes. The zero trust approach helps address this by implementing specific parameters that define who can access data when and how, all while maintaining an ongoing monitoring process that can flag suspicious behavior or access attempts.
FundGuard Secures Client Data with a Zero Trust Approach
At FundGuard, we employ an array of security mechanisms to achieve a comprehensive zero trust approach to cybersecurity. The FundGuard platform is protected by layered security controls that ensure all internal and external users of our system are properly verified and monitored.
Through our due diligence and zero trust approach, FundGuard maintains a well-protected system that you can trust to follow the best cybersecurity practices.
Join FundGuard in our mission to build safer and more secure investment operations — contact us today to learn more.