Best practices for NextGen banking security
Massive breaches in the finance industry have moved banks to wake up—albeit slowly—and view security in a different light. Meanwhile, the financial sector’s pace of innovation will surely accelerate: The resulting technology storm will sweep away fickle players who fail to fathom the ramifications for operations and security. This creates a see-saw dichotomy: As branch banking follows the footsteps of dinosaurs, mobile payment systems will continue their omnipresence and disrupt legacy distribution models. Yet service convenience in this case is riddled with fraud potential. Financial institutions must carefully examine their development and operations—and embed strong security into them.
With security technologies as enablers in the payment industry, future banking paradigms will rely heavily on these tools. Expect sophisticated customer profiles and highly personalized services as a result, as NextGen banking displays the following attributes:
- New norms: Strong authentication, authorization and accounting with a shared responsibility model
The provider of services typically controls the security multiverse. But when it comes to remote banking, all parties must participate in mutual authentication. The bank needs to know it is talking to a legitimate customer—and conversely the customer must possess confidence in the server-side connection’s authenticity. Mobile banking, for the most part, will dominate the landscape; as such the dependency rests on smart devices to provide and enforce tools such as biometric authentication and safe browsing.
- Mandatory measure: Ubiquitous encryption
The encryption tsunami is coming. The widespread use of cryptocurrency has established the efficacy of cryptography. In 2017, no one speaks of breaking the encryption algorithm anymore; the problem always pertains to where data appears vulnerable, subject to theft by nefarious actors. Many credit card data thefts relied on the simple logic of attacking these weakest network spots. While the web part of the client/server model uses the Secure Shell (SSH) and Socket Layer (SSL) protocols, the data at rest will rely on other cryptography algorithms such as AES, RSA or Twofish. Secure key management overlays the entire encryption approach, whereby the chain of key custody is clear and well-protected.
- A hearty, hardened data center takes center stage
Without a reliable, hardened backend (hardened means able to withstand natural or man-made disasters and acts of terrorism) all attempts at security will fail. In today’s modern datacenter, applications and workflows may reside on premises or in the cloud—public, private or hybrid. A hardened data center adapts well to these concepts and can respond to the dynamic, elastic needs of modern banking. The NextGen data center relies on secure hardware, firmware and software, and provides a means of workflow protection through supervised I/O cycles.
Hardware platforms deployed in these data centers must make effective use of trusted computing toolkits such as TPM chips. More than a decade ago, Microsoft provided the first dynamic-link library (DLL) for the TPM chips; however most adoptions have been in niche deployments such as military use cases. Micro segmentation coupled with virtualization represents another approach taking shape in the modern data center. It provides tighter control and isolation silos to prevent a potential breach from spilling over—thus potential remediation becomes much smoother. By combining segmentation and virtualization, banks can also maintain strict separation between the data and control planes.
- Cheap insurance initiated: Vulnerability-free websites and servers
Vulnerability assessment (VA) is a proactive measure, which based on current statistics prevents hostile deployments by 99 percent. An effective VA policy reduces the need for reactive, real-time protection tools such as antivirus and provides a comprehensive asset inventory that uses novel approaches such as blind-spot detection. These address actions of shadow IT or end-users, since most organizations possess assets they are not aware of. Full discovery of IT assets must include both physical and virtual assets, including containers. Fortunately, most leading VA vendors have committed to supporting cloud instances and container scanning.
- The essential of established application integrity
Application and workflow white-listing models enumerate permitted resources or applications; all other actions are blocked from execution. White-listed applications may only run inside a designated container. A well-designed system protects against inadvertent behavior of the software outside its intended operation—regardless of whether the triggers are programmatic or human-made.
Data centers that use cloud-based instances should deploy proxies to prevent potential exploits from reaching critical digital assets. It is imperative that banks only white-list applications that have a clean Product Development Lifecycle (PDLC) record. A clean record mandates the use of static code analysis (whitebox testing) during the application coding process, augmented by targeted fuzzing (blackbox testing) right before the product release. Both methods identify unknown vulnerabilities that hackers can later exploit.
- Dialing in deep forensics: The right tool for the inevitable
If all proactive measures fail and security is compromised, the NextGen data center must employ the right contingency plan to rapidly restore the systems to a safe state—and learn how to prevent similar breaches by implementing specific policy controls. Effective forensics are improbable without relevant data collection in real time and the ability to retrace specific workflows down to micro-segments and micro-services.
As banks deal with many disruptive approaches, adoption of the right security tools will prevent irrelevancy. It is difficult to control customer behavior: Therefore, most of the focus must shift to the banks’ data centers. A NextGen data center needs to protect itself—and customers—from potential compromises. Fine-grained security in financial services has found an impetus behind its universal vertical and horizontal deployment. Relentless hackers and unforeseen dangers have multiplied; this is beyond dispute. But NextGen banking can counter bad actors and bad luck with good practices and best blueprints.
Want more Banking Strategies? Sign up for our free newsletter!
Hamid Karimi is the Vice President of Business Development at Beyond Security, a provider for automated security testing solutions including vulnerability management, based out of Cupertino, California.