The imperative for effective API security in an age of open banking and increased information sharing.
Open Banking is a powerful concept in the world of finance. The concept is simple in theory – by connecting financial data between financial services, banks, institutions, and third-party service providers utilizing APIs, innovation and competition can be fostered, resulting in improved transparency and user experience.
Open Banking can best be thought of as a “microservices” approach to banking. Instead of having a single service own the entirety of the data provisioning, processing, and protocol definition, a single open standard allows data to be portable, and functions to be called remotely as needed. This flexibility allows for porting from service to service, and allows consumers to integrate this data with other providers.
In practice, this means the industry can iterate and develop without having to own each process. A bank might want to provide its users with the ability to discover hidden subscriptions, but may view this development as too costly. An open banking standard might allow users to connect to an external service using an open data standard, providing the capability without any of the additional development and maintenance cost being incurred by the bank itself. Win-win-win!
As with any connected system, however, this interconnection creates its own set of concerns. Connected systems can be intrinsically less secure than non-connected ones, but banking introduces some very specific considerations unique to the industry.
Consumers who connect their data require systems that ensure consent and privacy. Getting this right is not only important for ethical and moral reasons – data privacy is also covered by regulatory frameworks such as GDPR. This coverage is only more intense and expansive in the banking arena, where privacy and consent regulations are compounded by data security requirements that are more stringent and require additional auditing to demonstrate adequate application.
There must also be underlying systems to ensure accuracy of data. We’re not talking about an open platform for social media posting – we’re talking about a system that handles people’s entire livelihoods, not to mention their personal data, critical banking data, and so forth. Accordingly, data integrity must be balanced with data security, an equation that can be quite complicated. The only way to get this right is to have full visibility of the service and its constituent parts.
Open banking solutions also deal with the complexity that is local restrictions and market regulations. Because of the nature of international banking, each system is slightly different – and these differences can have negative impacts on the APIs that drive them.
APIs tend towards standardization – they want to connect and work together in a standard way – but with each system different, this standardization can be hard to achieve. This can have an impact on the security of those APIs: new standards must be created that take into account the variability in regulatory frameworks and market restrictions, and in doing so create their own standardized approach to security in this section of the industry.
To handle this, you need to have a grasp of your entire API inventory, which is always step one in complying with regulatory requirements.
Incomplete adherence to regulation is non-adherence, so investment in this aspect can pay huge dividends in preventing disastrous fines and punishments.
Open banking requires a substantial provision for auditing and continuous protection, perhaps more so than any other API domain. Banking is constantly under threat, and even a partial breach of a security posture can be extremely dangerous and impactful. Accordingly, auditing new development and validating code deployment is of the utmost importance.
In many situations, this auditing extends to regulatory considerations, and may be required as part of the process of being approved for a specific market. Even if the market does not require auditing systems to be in place, post-breach containment and mitigation will require such systems, and when these issues can result in losses that number in the millions or billions in currency, it would be foolish not to seek the most powerful auditing system possible.
Open banking is not something you can dip a toe into – open banking is open by design, and those systems that integrate require transparent and open code bases. The good news is that there are a variety of open source frameworks, platforms, and standards that can be leveraged to be compatible, transparent, and useful. The bad news is that there are so many choices that managing these systems can often be difficult, especially for enterprise-focused teams who may not have extensive open source experience.
There are many solutions to this problem, but perhaps the most effective is choosing a solution with effective open source management and simplified deployment pipelines. By controlling your sources and being transparent about dependencies, you can join the ranks of open banking with very little headache!
Thankfully, there are some great best practices that open banking APIs and those who use them can leverage to secure their systems with minimal difficulty.
Open banking is unique, in both the dramatically increased surface area the open standards often present, as well as the attractiveness of the targets. Accordingly, being aware of common and growing security threats and vulnerabilities in both the API and banking space can help to secure API-based ecosystems while providing a platform for reaping the benefits of open banking. Provide routes for reporting issues, create bug bounties to identify new vulnerabilities, and invest heavily in continuous training and education.
Authentication and authorization mechanisms should meet or exceed regulatory standards. Utilize solutions such as OAuth 2.0, OpenID Connect, and other proven technologies to secure your APIs and their underlying resources. These systems will ensure that only properly authenticated and authorized users will be able to access sensitive data, and will boost the reputation of your organization in the space.
Data must be adequately encrypted both in transit and at rest. This encryption will ensure that data stays protected – even if it is exfiltrated, proper encryption will render the data useless to attackers, at least long enough to reset passwords, change important information, etc. This requires utilizing proven standards and systems, and is yet another place where having a trusted partner to ensure the proper levels of protection can be an effective approach.
Utilizing effective throttling and rate limiting can be extremely helpful in mitigating the risk of attacks that target the business use case rather than the underlying systems. Throttling and rate limiting are both strategies to reduce the rate at which requests, malicious ones included, can be made against the service, and these controls help defend against denial-of-service, attack obfuscation through noise, and other such strategies.
Effective monitoring of API functions and the logging of such interactions can pay huge dividends both in terms of securing the underlying services as well as improving the codebase which runs it. API logging in the banking space can be especially challenging due to the sheer number of pieces involved. APIs can run anywhere, and open banking solutions often present a hybrid mix of technologies including on-premises, serverless microservices, traditional monoliths, and more. Accordingly, logging accurately and completely requires some forethought and planning.
There is also the wrinkle of ensuring these logs are actually logging useful information. Basic logging doesn’t always include the right level of information that is needed for security teams to accurately build and deploy detection and response algorithms, engage in forensic review, etc. The problem is thus both ensuring complete logging as well as appropriate logging.
Even with appropriate logging, you need to make sure you’re not creating too much noise. Alert fatigue is a real thing, and getting alerts for everything can actually result in less-secure systems. A good monitoring and logging system should allow you to set custom parameters for alerting, ultimately reducing noise while still delivering benefits.
First and foremost, ensure that your API complies with regulations. Regulations in the banking space such as PSD2 and GDPR create a very stringent set of requirements that must be adhered to for effective security in this space. Short of learning every single solution, finding a trusted solution for API security can help you achieve continuous compliance while executing against business requirements.
Open banking is incredibly powerful, but it does require a lot of forethought and planning. In order to start executing effectively, you can accelerate efforts by finding a trusted partner to help you achieve and maintain compliance. Luckily, FireTail is a wonderful solution for integrating security best practices with little friction!
FireTail’s suite of features provides a strong solution for securing your applications and systems, including:
Interested? Book a free demo with a FireTail expert today!