Authors: Dan Choi, Chief Technology Officer
Dr. K. T. Upadhyaya, Project Manager
Security and Open Corporate Banking Advancements in technology enable the automation of areas in the financial services value chain. While digital customer experiences are common in the retail banking sector, a significant number of corporate banks have yet to reap the benefits of adopting an Open Banking approach.
Open Banking is the use of Application Programming Interfaces (APIs) by banks seeking to provide data and services via digital channels to customers and fintechs. Open corporate banking enables business heads to drive growth and meet the demand for real-time connectivity. As the number of open banking APIs increases, so does access to sensitive data. This growth is making API security a top concern.
API adoption has sky rocketed in the past few years, fuelled by digital transformation and the central role APIs play in both mobile apps and IoT. As per Business Wire, RapidAPI is adding 1000 new APIs per month, offering APIs from providers that include Microsoft, Twilio, SendGrid, Nexmo, Skyscanner, Crunchbase, and more.
Security is only as strong as its weakest link. This applies particularly to Open Banking due to the features that provide direct financial service access. With so many interconnected entities, it is vital to develop and maintain a comprehensive security framework and approach. At Starfish Digital we ask our clients to consider the following approaches:
Security Strategy
Open banking has inherent risks of open access ports to customer data and financial transactions. Security concerns have transcended beyond the traditional focus on perimeter security and basic access authentication. Threats come from access breaches, across the perimeter, platform weaknesses, third-party providers (TPPs), code security holes, internal bad actors, inadequate education and training errors, to name a few. Banks must adopt a security strategy that addresses every single component in the socio-technical system such as infrastructure, network, partner, component, service, access, detection, response and proactive threats to security layers protecting the vault of information.
As open banking extends globally either through regulatory or market driven growth, any security strategy should incorporate industry best practices like NIST https://www.nist.gov/cyberframework recommendations, regular security scenario testing, and design a security roadmap to achieve compliance with the most rigorous open banking security regulations such as Payments Service Directive 2 (PSD2).
Infrastructure and perimeter security
Forward thinking banks have developed a robust perimeter security approach to protect customer assets. It is becoming increasingly critical to secure internal points, heighten perimeter security and extend security requirements to TPPs as they represent an extension of open banking services. Segmentation of services with appropriate access authorisation must be incorporated across both internal, perimeter and TPPs. It is vital that regular internal, perimeter and partner security testing with 24x7 third-party cybersecurity monitoring and response services are built into all infrastructure security plans.
API security
In How to Build an Effective API Security Strategy report, Gartner predicts that “by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” To protect yourself against API attacks, Gartner recommends adopting “a continuous approach to API security across the API development and delivery cycle, designing security [directly] into APIs.”
APIs provide the open banking services that customers rely on to access their information digitally. Starfish Digital supports a comprehensive API lifecycle approach. The overall API strategy, API lifecycle management, API orchestration approach, non-functional standards, and end-point security are all key ingredients to API security.
Establishing appropriate secure development and deployment processes with security standards built into the build process are a critical first step. A zero-trust approach should be at the heart of API security design. Trust through authorisation and validation only – nothing is assumed safe without the proper credentials. Automation of security code requirements, security policy enforcement combined with a fully automated CI/CD pipeline will reduce the potential of unsecured APIs. Regular development process and code security review should also be conducted periodically to identify weaknesses in the process and code security process.
Authentication
Each API should require secure authentication to proceed to the next checkpoint in the process establishing a multi-layer security threshold for bad actors to gain full access to data. While most of the focus of open banking has been on developing the consumer and SME marketplace for financial services through banks and fintechs, the authentication security focus has been on application access authentication like 2FA and biometrics.
Airport security checks are implemented for every single actor, be it airport employees, airline employees, even the employees in the shopping areas – No one is trusted without authentication, not even the pilots. In a similar manner, Banks and open banking providers should really extend the zero-trust approach with required authentication at every level of the API product set providing a multi-step access protection layer.
Detection and Response
Having a comprehensive and tested detection and response capability is critical.
Open banking is “open” by design, customers must believe that it is safe. Any significant security breach could quickly damage reputation and potentially customer usage and growth. Having a comprehensive monitoring, detection and response capability is critical.
A key risk point is through TPPs like fintechs where many do not have the resources, funding or knowledge to build a robust security approach and rather focus on the minimum required component base approach. The ability to know all potential ingress points, establish monitoring and detection capabilities and building a structure response playbook is critical.
Proactive Security
A proactive security program includes staying current on the threat landscape, security patching of technology to address potential risks, education and training of employees on good cyber hygiene, planning and scenario testing for potential risk and threats.
At Starfish Digital we take financial security as seriously as our clients. Open Banking requires a comprehensive security approach that is balanced between absolute security and service optimisation. A good security strategy and implementation is central to the growth and adoption of open banking by enabling acceptable customer experience while safeguarding against security threats.