Encryption Requirements For Banks & Financial Services

As we know, the financial industry is among the most regulated in the world. Banking and financial firms face strong data security requirements because of the sensitive and private data they handle. While GLBA/FFIEC are specific to these industries, compliance regulations such as PCI DSS, SOX, and state privacy laws can also apply. One thing they all have in common, though, is that encryption, along with proper key management, can mean the difference between a public breach notification and a safe harbor.

The Gramm-Leach-Bliley Act (GLBA) specifically requires that institutions doing business in the US establish appropriate standards for protecting the security and confidentiality of customers’ nonpublic personal information (NPI). The objectives are to:

  • Ensure the security and confidentiality of customer records and information
  • Protect against any anticipated threats or hazards to the security or integrity of such records
  • Protect against unauthorized access to information that could result in substantial harm or inconvenience to any customer

“Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.”

Between FFIEC and GLBA, banks and financial institutions should encrypt:

  • Any sensitive information an individual gives you to get a financial product or service (such as name, address, income, Social Security number, or other information on an application)
  • Any information you get about an individual from a transaction involving your financial products or services (for example, the fact that an individual is your customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases)
  • Any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report)

Encryption Key Management

Encryption – A specific requirement is that encryption and decryption operations be carried out locally rather than by a remote service, because both keys and data must remain under the control of the data owner if any privacy is to be achieved (ENISA 2014). To achieve this in practice, firms are likely to consider increasing their use of pseudonymization (in practice, encryption) techniques (Slaughter and May 2016).

Encryption is only as secure as your encryption keys.

Active Cypher Solution:

Instead of believing everything behind the corporate firewall is safe, the AC Zero Trust security model assumes breach and verifies each request as though it originates from an uncontrolled network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.”

The AC Cloud Fortress software is crypto-agile in data protection. AC provides a choice of FIPS 140-2 certified symmetric-key algorithms: AES-256 or AC’s Quantum Encryption Standard (QES).

Whether the data is encrypted with AES or QES, AC protects the symmetric keys with a Key-Encryption-Key (KEK): an asymmetric, PKI-based distribution and protection mechanism tied to the X.509 RSA-2048 Permission Device Network topology.

All key creation, wrapping, distribution, and session lifetime management is automated and runs within the customer’s Azure tenant. Attribute-Based Access Control (ABAC) is tied to key usage, with repeated identity and authentication verifications performed dynamically based on device, user identity, and the Microsoft Graph Security API, in an information exchange that involves neither the user nor any external application.

This secures both the storage of and access to decryption keys: the symmetric keys are encrypted with AES-256 and wrapped in an RSA-2048 PKI X.509 machine-certificate exchange, and can only be “unwrapped” on a specific device, for a specific user identity, given an acceptable threat determination from the ABAC policy engine.
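The wrap-and-unwrap flow described above, as an added example that is not Active Cypher’s code: a fresh AES-256 data key protects the file contents with AES-GCM, and that data key is wrapped under an RSA-2048 KEK public key with OAEP, so only the holder of the matching private key (in the described design, the certificate-bound device) can recover it. The KEK is generated in-process here so the example runs stand-alone; the machine certificate, ABAC checks and Azure-tenant distribution are assumed to sit around this core.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// gcmFor builds an AES-GCM AEAD from a 32-byte (AES-256) data key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile draws a fresh AES-256 data key per file, encrypts the contents with AES-GCM,
// and wraps the data key under the RSA-2048 KEK public key with OAEP (SHA-256).
func sealFile(kek *rsa.PublicKey, plaintext []byte) (nonce, ct, wrappedKey []byte, err error) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey) // crypto/rand.Read never returns an error as of Go 1.24
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	rand.Read(nonce) // random nonce is safe because the data key is single-use
	ct = gcm.Seal(nil, nonce, plaintext, nil)
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dataKey, nil)
	return nonce, ct, wrappedKey, err
}

// openFile unwraps the data key with the KEK private key and decrypts the file;
// the wrong KEK or a modified ciphertext fails instead of yielding garbage.
func openFile(kek *rsa.PrivateKey, nonce, ct, wrappedKey []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, kek, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}
```

The wrapped key is 256 bytes for an RSA-2048 KEK and travels alongside the ciphertext; the private half never leaves the device that holds it.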

All key access and management are governed within your Azure Tenant. No third party has access to your keys, not even us. During deployment, Active Cypher creates a secured Private Cloud. We only track the number of keys licensed to the client. Once the installation completes, we have no other access or connection to the client’s cloud. The owner of the Azure subscription is the only person to hold the keys.

Active Cypher System Requirements:

Hardware

  • Windows-based servers, workstations, and laptops.
  • Windows Active Directory-based Domain authentication.
  • Single AD Forest configuration.
  • Files stored in networked shared folders, with permissions set by Active Directory (AD).

Network Topology

  • LAN Based network, centralized file storage, AD Domain Access Control.
  • User Workstations are AD Domain joined and authenticated for access to network resources: files, folders, and printers.

Software Requirements

Servers – Windows Server 2008 R2, 2012, 2016

Workstations – Windows 10 Professional or Enterprise

File Servers and Workstations – Microsoft .NET Framework 4.7