The success story of how we helped a leading financial US institution with our encryption assessment

Company Overview 

We successfully conducted our encryption assessment for one of our clients, a Fortune 500 organization in the finance sector. The organization’s portfolio consisted of several banks and ATMs spread across the nation, and they had a specialization in credit cards, auto loans, banking, and saving accounts. The US-based bank was founded decades ago and has multiple locations all across the country. While the institution grew rapidly over the span of a few decades, opening new locations in the states, the rapid growth was met with growing security risk factors that continued to open new security gaps.

With their goal to accelerate their growth in the coming years, they were seeking an assessment that gave them a complete overview of their current security architecture, identify vulnerabilities, get a tailored strategy and framework built to keep their expansion plans in mind, and meet all the necessary compliance regulations while protecting them from external threats.

Challenges

For banks dealing with financial transactions and records and protecting sensitive data like PII and PCI, security is of utmost priority. The organization was facing several issues in its cryptographic framework that lacked a structured and strategic approach.

They were exposed to cybersecurity attacks like Man in the Middle due to the lack of encryption of their sensitive data across storage, file, database, or internal data communication between different IT components, such as applications connecting to databases or services communicating internally within a system. It exposed their sensitive data to unauthorized parties that could read or alter it.

There was no proper key management practice established, including centralized key management practices, as native key management capabilities were utilized by different vendor-specific storage and backup appliances that have limited key rotation and generation practices.

Passwords were used in place of more secure key-based SSH authentication. Cryptographic private keys were stored without enforcing the least privileged access controls. Additionally, the absence of a defined key rotation policy for the SSH keys exposed the system to risks associated with the extended use of outdated or compromised keys.

Inconsistent encryption practices were in place for various cloud-based platforms, including encryption keys generated and managed by the respective service providers (AWS KMS and Azure Key Vaults). As a result, the Bring Your Own Key (BYOK) capability was not utilized, reducing the organization’s control over encryption keys. These inconsistencies left sensitive data inadequately protected in cloud storage.

Solution

Our approach was focused on solving all the identified challenges by creating a structured encryption assessment that evaluated their entire cryptographic framework, including certificate and key lifecycle management practices for on-premises and multi-cloud environments. We started our process by building a deep, comprehensive understanding of the cryptographic standards and analyzed the organization’s security environment’s challenges.

This was followed by an exhaustive review of existing cryptographic policies, processes, and standards, as well as in-depth workshops to understand all their encryption capabilities. We established specific use cases, such as encrypting databases and big data platforms like Hadoop and Cassandra, enabling TLS 1.2 and above protocols for data in transit. We also identified gaps in all the areas of their applied cryptographic practices that needed improvement.

Our assessment was conducted to meet the organization’s core security goals, including centralizing and automating their certificate and key lifecycle management processes to resolve their functionality issues, which in turn reduced their operational inefficiencies, ensuring timely renewals while minimizing the risk of outages.  

We standardized their data encryption at technology layers, including but not limited to application, database, file, and folder.  We also ensured the consistent use of TLS 1.2 or above protocols to secure data-in-transit and transit and ensured the use of the least privileged access principles. 

We also ensured adherence to all the required compliance and regulatory standards, such as FIPS 140-2/3, NIST 2,0, NIS-2, DORA, and more., by reviewing, evaluating, and updating the cryptographic controls and standards and implementing them within the organization’s cryptographic framework.

Impact

Over the course of the project, we built a strong channel of communication with the client to get to the root of all their security issues and bridge the gap between their current environment and their security goals. We customized their strategy to close all the security loopholes in their cryptographic framework and build a remediation plan that not only helps to mitigate all their immediate challenges but also puts them on the path to meet their long-term security and compliance requirements. Our strategy was focused on strengthening access control, enhancing risk management, and embedding best practices in their day-to-day operations.

These are some of the many benefits they experienced that ultimately led to them achieving their goal of a secure, efficient, and scalable security architecture. They benefitted from reduced unauthorized access through the use of Identity and Access Management (IAM) and Role Based Access Control (RBAC).  We considerably reduced human error factors from the security equation by centralizing and automating all their certificate and key management processes.

We thoroughly reviewed and updated all their cryptographic policies and standards, which helped to build a better understanding and set them on the path to better align with advanced cryptographic controls that met all the necessary compliance and regulatory standards. By putting all the necessary security measures in their organization’s cryptographic framework, we were able to help them build the capability to become more crypto-agile and incorporate quantum-safe algorithms into their architecture so they could navigate future shifts. 

We ensured that a scalable cryptographic framework was put in place that supported both their on-premises and multi-cloud environments (e.g., AWS, Azure, etc.). We also supported the organization in enhancing its ability to manage and standardize cryptographic controls like utilizing TLS 1.2 or above protocols to secure data-in-transit for multiple applications and platforms, enabling them to be in a much better position to adapt to scale with its growing operational demands while keeping the increasingly sophisticated threats at bay

Conclusion

For financial institutions, trust is at the very core of everything they do. Our Encryption Assessment was successful in meeting the institution’s goal to transform encryption from a safety net to a strategic asset, including strengthening key management practices, advancing encryption technologies, and ensuring that digital certificate and key lifecycle management practices are aligned with industry best practices. We assisted the organization in transforming its cryptographic framework into a secure, scalable, and future-ready foundation, setting it on a path to a more secure tomorrow.