Menu
Originally published on July 27, 2023 via the Finextra Blog.
Tackling fraud in the modern era takes more than just a secure login process.
Accelerated by the global pandemic in 2020, organizations around the globe have shifted their business models to be more digitally oriented. Employees can work remotely from the comfort of their homes, while clients have greater access to a company’s platform, products, and services from anywhere in the world.
Yet, as business and financial technology become more advanced, cybercrime is evolving alongside it.
The Federal Trade Commission (FTC) reports that consumers lost nearly $8.8 billion to fraud in 2022, up 30% from the year prior. Imposter fraud stood out as one of the top culprits, with a reported $2.6 billion lost to imposter fraud in 2022, emphasizing the need for stronger user authentication measures.
Whether an organization is protecting its private data from external bad actors or monitoring internal operations to ensure due diligence, it’s clear a more advanced approach to cybersecurity is needed — and that is exactly what the zero trust approach aims to achieve.
In this month’s Tech Talk, FundGuard CTO, Yaniv Zecharya, and VP of Cloud Ops, Elad Dotan, explain the concept of Zero Trust and how it differs from the more traditional use of VPN Client.
A VPN client is an approach to cybersecurity that leverages software to establish a secure connection between authorized users and an organization’s internal systems. Although VPN clients have been the long-time standard for internal cybersecurity, their limitations are becoming more apparent in the wake of cybercrime spikes within the financial industry.
To address these limitations, technology experts have started to advocate for the zero trust approach, a VPN-less cybersecurity strategy that hones in on the complexity of user authentication in the digital era.
While most companies today still rely on VPN clients for their cybersecurity needs, it is becoming increasingly clear that a zero trust approach is the best practice for both safeguarding business systems against bad actors — and, thereby, keeping both internal and external data secure.
When closely examining the differences between VPN clients and the zero trust approach, we can identify three key differences that set zero trust frameworks apart:
The VPN client process involves the installation of a VPN client on company computers and personal devices. To access the VPN client after installation, users must enter a username and password provided by the business itself. This is the main user authentication process used in VPN clients, meaning that the bulk of cybersecurity protection occurs within the login portal.
By comparison, a zero trust framework does not rely on a VPN client but instead questions the identity of users at multiple points in the system. Along with entering the correct login credentials to access a system, users must also clear a variety of other authentication measures, such as device authentication.
For example, let’s say an employee works remotely from a home office and one day switches to a laptop for work instead. The zero trust framework would flag that laptop as an unknown device and ask for further authentication from the user.
A zero trust approach also uses ongoing monitoring procedures that can access user activities for suspicious behaviors after initial authentication has been completed.
With a VPN client, access to different networks requires several different installations depending on the application being used. For instance, if an organization works with two separate vendors, separate VPN client installations are necessary to connect these vendors to internal systems.
The zero trust process works quite differently.
In a zero trust framework, an organization uses central management capabilities that involve the use of a proxy acting as a middleman in the process. Even if a user is arriving to a remote destination via a VPN client, the zero trust process requires that the user first goes through the proxy and verifies their identity.
This not only simplifies the process of authenticating users coming from multiple different locations and applications but it also ensures that company administrators can maintain a comprehensive, centralized overview of every user accessing internal systems.
The primary cybersecurity parameter in a VPN client is the entry of login credentials to verify a user. Beyond this, any additional user authentication and monitoring must typically be carried out by other tools and software, creating a fragmented and vulnerable system.
Meanwhile, zero trust addresses many different cybersecurity factors beyond initial user authentication.
We’ve already discussed how zero trust enables organizations to monitor and flag access attempts from unknown devices. In addition to these device monitoring capabilities, the zero trust framework also necessitates ongoing monitoring of data activities, applications, and all other system components.
Ultimately, a zero trust approach ensures the right checks and balances are in place to verify with utmost certainty that a user is who they say they are. It provides companies with the ability to set specific monitoring and flagging parameters that identify suspicious behavior and users at all points in the system.
Many industry IT and compliance experts are of course already familiar with the benefits of a zero trust approach to cybersecurity, but in the wake of stricter compliance expectations from regulators, increasing familiarity with advanced cybersecurity frameworks like the Zero Trust approach is also vital for fund managers and fund boards who now also have cybersecurity oversight responsibilities.
For example, SOC 2 certification aims to address some of the more complex aspects of managing sensitive customer and internal data using software solutions. Although a zero trust framework is not a requirement of SOC 2 compliance, the two frameworks are cohesive with each other.
SOC 2’s technical requirements help to establish a digital business environment that can easily embrace the zero trust approach, focusing on five key principles:
At FundGuard, we employ an array of security mechanisms to achieve a comprehensive zero trust approach to cybersecurity. The FundGuard platform is fortified against bad actors with the utmost layer of security, ensuring all internal and external users of our system are properly verified and monitored.
Through our due diligence and zero trust approach, FundGuard maintains a well-protected system that you can trust to follow the best cybersecurity practices.
Join FundGuard in our mission to build safer and more secure investment operations — contact us today to learn more.
About the Author
100 Bishopsgate
18th Floor
London, EC2N 4AG, United Kingdom
Sign up for FundGuard Insights
Your use of information on this site is subject to the terms of our Legal Notice.
Please read our Privacy Policy.