Why Zero Trust and securing the supply chain is key to post-pandemic recovery

Jim Hietala, Vice President, Business Development and Security at The Open Group


Banking and finance have grown to provide a vast range of services to people, touching every part of our lives from splitting dinner bills with friends to buying your first home. At heart, though, the value they provide might be boiled down to a very simple statement: they offer security and interoperability.

Which is to say that, when we use money, whether that is to pay for the bus or establish a pension, we need to be certain that it will reach the right destination, regardless of which systems it passes through, without being intercepted along the way. Interoperability ensures that desired actions happen; security ensures that undesired actions do not happen. Between them, these two key capabilities give us vital freedom in how we financially interact with people and businesses.


Roads and walls

That simple statement, however, is not simple to implement. The industry has long relied on open standards in order to achieve interoperability. From basic identification needs met through standards like the International Bank Account Number system, to complex interactions like those managed through the Open Banking Standard which is currently transforming the British banking experience, fairly managed rules which everyone understands are essential to modern finance.

These standards, of course, are not static, and need to keep evolving in order to meet new needs. The same can be said of security – banks might still be associated with huge metal safes and vault doors in the popular imagination, but we all know that that’s not what keeps our money safe today. The question of security is now a digital one. From multi-factor authentication, to Transport Layer Security encryption, to automatically blocking access from unfamiliar devices and locations, the industry has been an early adopter of a wide range of technologies which manage or control access.

The need to develop and improve security approaches is still present, though. As is always the case with cybersecurity, risks need to be continually reassessed as the operating context changes – and, indeed, innovations in how people interact with banks always need to be made with security implications in mind. At the same time, new methods and strategies for cyberattacks are always developing, and there are good reasons to believe that now is the time for a fundamental shift in how we think about the topic.


The new weak link

Banking and finance, needless to say, are among the highest-value targets for attackers, and that means that if one route to compromising the industry becomes too difficult, they will look elsewhere for their opportunity. This is precisely what we’ve witnessed happening in some of the highest-profile breaches of recent times, as organisations in other industries have dealt with the realities of supply-chain attacks.

In late 2020, for example, the security consultancy FireEye discovered that it had, alongside many other organizations, fallen victim to a sophisticated intrusion which took an obscure and convoluted path to its target. The victims were users of software offered by the company SolarWinds, which was successfully infected with a trojan. As the SolarWinds tool was an approved piece of software, FireEye and others happily brought that malicious code inside the gates (so to speak) of their own networks. This gave the attackers a route to manipulate FireEye’s own software and ultimately give them access to sensitive and otherwise highly secure environments.

What’s important to understand about this attack is that no amount of network-focused security would have prevented it: rather than trying to pass as an authorised user, the attackers engineered a situation in which the actual infiltration was carried out by genuinely authorised users and genuinely approved software.

It’s a scary situation, and a tactic that becomes more viable for attackers as our digital infrastructure becomes more complex. As businesses in the sector offer their customers richer online experiences – often in ways which, as with Open Banking, seek to enhance interoperability – they also become more dependent on a whole stack of platforms and tools. Rather than build a new back-end system from scratch, for instance, a bank might bring in a fintech platform from a vendor, who will themselves use development and operational tools from other vendors, who themselves will have further dependencies on other vendors.

This supply chain, in other words, is starting to look like a vast new attack surface which requires a new approach to secure.


The end of trust

If securing networks is no longer enough, we need to look to models which secure the data and assets which those networks are there to carry. This is what the Zero Trust model offers: rather than assuming that any device on a network must have passed a security checkpoint and is therefore trustworthy, Zero Trust assumes that every action is potentially malicious, and enforces security checks on an ongoing, case-by-case basis.
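To make the contrast concrete, the following added example (not part of the article) places a perimeter-style authoriser beside a Zero Trust one and runs both over the same constructed requests. The perimeter model trusts anything arriving from an assumed internal address range; the Zero Trust model verifies identity, device posture and entitlement to the specific resource on every request, regardless of where it comes from. The network range, principals, resource names and policy table are all assumptions invented for the illustration; the third request shows why a trusted tool sitting inside the network, as in the SolarWinds case described above, is not enough to satisfy a per-request model.

```python
"""Perimeter trust versus per-request Zero Trust evaluation (illustrative only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed corporate network range


@dataclass(frozen=True)
class Request:
    source_ip: str
    principal: Optional[str]    # identity asserted by a verified token, None if absent
    token_valid: bool           # whether the token passed signature and expiry checks
    device_compliant: bool      # result of a device posture check
    resource: str               # e.g. "payments:read" (constructed resource names)


# Constructed policy table: which principals may touch which resources.
POLICY = {
    "alice": {"payments:read", "payments:write"},
    "build-agent": {"artifacts:read"},
}


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: anything on the internal network is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_allows(req: Request) -> bool:
    """Zero Trust model: every request must independently prove who it is,
    that the device is healthy, and that the principal is entitled to this
    particular resource. Network location plays no part in the decision."""
    if not req.token_valid or req.principal is None:
        return False
    if not req.device_compliant:
        return False
    return req.resource in POLICY.get(req.principal, set())


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # A legitimate, verified user inside the office
    Request("10.1.2.3", "alice", True, True, "payments:read"),
    # The same user working from home, outside the perimeter
    Request("203.0.113.7", "alice", True, True, "payments:write"),
    # Approved build tooling on the internal network reaching beyond its remit
    Request("10.5.5.5", "build-agent", True, True, "payments:write"),
    # A request from inside the network carrying no valid identity at all
    Request("10.9.9.9", None, False, True, "payments:read"),
]


def evaluate(requests: List[Request]) -> List[Tuple[bool, bool]]:
    """Return (perimeter_decision, zero_trust_decision) for each request."""
    return [(perimeter_allows(r), zero_trust_allows(r)) for r in requests]


if __name__ == "__main__":
    for req, (perim, zt) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{req.source_ip:>12} {str(req.principal):>12} {req.resource:<15} "
              f"perimeter={perim!s:<5} zero_trust={zt}")
```

Running it shows the perimeter model admitting the over-reaching build agent and the unauthenticated internal request while refusing the legitimate remote worker; the Zero Trust evaluator reaches the opposite decision in each of those cases because it judges the request, not the network it arrived from.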

While the principles of Zero Trust are not new, the need to put them into action has never been greater. Few industries have gone untouched by the societal changes which the pandemic triggered, never mind the economic impact, and successfully bouncing back from those economic consequences will require innovating towards a position which reflects the expectations of modern consumers. For banking and finance, that means digital tools which work from anywhere, securely and intuitively.

Which brings us back, of course, to the other half of the value which this industry offers: just as new systems for interoperability need to be designed with regard to maintaining security, new security models cannot jeopardise interoperability if they are going to successfully preserve the freedom with which people expect to deal with their finances.

That’s why the industry’s adoption of Zero Trust has to happen from a position of open standards. Just as shared understanding powers institutions’ abilities to accurately communicate their customers’ intentions to one another, it is needed to enable mutual understanding about what needs to be kept secure and how. In a challenging and rapidly evolving environment, that’s a priority for all of us.
