Enterprise Segmentation Strategy Helps Global Financial Institution Address GDPR and MIFID II Requirements
Creating an enterprise-wide segmentation plan
For organizations within the financial industry, compliance regulations are constantly changing, including MiFID II, GDPR and Bank Ring Fencing. Global institutions can be fined up to 4 percent of yearly income if they are non-compliant with regulations such as these.
Facing growing compliance initiatives and a need to protect customer data, one major global financial services provider was struggling with limited resources and a scattered, aging infrastructure. Housing more than 15,000 applications and more than 150,000 users across the global enterprise, they needed to remedy immature IT governance processes and a disorganized internal environment.
Specifically, the organization sought an enterprise-wide segmentation plan and architecture that met compliance mandates and protected their flat network from lateral movement by intruders. As soon as a user entered the network, the organization needed to control what that user could access.
We were tasked with developing an actionable plan for the organization that fenced off critical applications and segmented their entire infrastructure.
An agile approach to consulting
As part of our security advisory services, we consulted with the organization to define a segmented architecture and processes that could be applied across the enterprise.
First, we collected application information. From there, we studied the organization's compliance requirements and discussed business and IT drivers with various stakeholders. To keep objectives and direction focused and on track, we met monthly with the primary group of stakeholders to recap progress, review next steps and make any adjustments needed to meet technical staff requirements.
Solution feasibility
During the engagement, the organization requested we perform a feasibility study, which provided important insights into the segmentation strategy. We evaluated the organization's plans for a segmentation schedule, funding and actions to confirm they had the resources and processes in place that would make the plan attainable across the entire enterprise. We then incorporated these findings into our recommendations for future steps toward segmentation.
Imparting best practices
After gathering application information and meeting with stakeholders, we provided the organization with a strategy for breaking their network into segments, isolating data and applications within those segments and restricting access based on user permissions.
We applied best practices drawn from working with other customers on segmentation projects from start to finish. Our segmentation expertise allowed us to account for all of the organization's requirements – business, technical and non-technical – and to apply WWT-formulated best practices specific to the banking industry, segmentation objectives and federal or global standards.
Moving forward
After close collaboration with the organization, the highest level of leadership approved the feasibility study and segmentation plan. The organization now has a clear path forward for maintaining compliance and strengthening the overall security of its network.
We are now working with the organization to explore how we can support segmentation work streams as they take their next steps toward enterprise segmentation.