Short on time? Read the key takeaways:
- Open banking can expand what banks offer their customers. But there is risk related to that increased capability.
- Banks need to approach security differently to protect systems, data and customers.
- To combat the systemic risk of open banking, security professionals need a new approach and solution.
- By combining identity-driven access, advanced technologies and dynamic isolation, banks and financial institutions can use a Zero Trust security model to counter the systemic risks that open banking introduces.
Banks need to approach security differently to protect systems, data and customers. Open banking can help. It opens the door to products, services, features and benefits that banks and financial services firms might not otherwise have offered to their customers.
With those opportunities, however, comes increased risk. Addressing that risk is essential if institutions are to embrace open banking with confidence.
Open banking increases risk by multiplying the interconnectivity between banks, providers, partners, vendors and customers. This interconnectivity introduces systemic risk. For instance, a security incident at one financial institution is more likely to propagate to other businesses if they are connected via open APIs. Interconnectivity also enables bad actors to access a bank’s core systems and databases via a connection with a third party.
Banks need to approach security differently to protect systems, data and customers. Perimeter defenses are insufficient to respond to this new type of systemic risk. The perimeter is porous — if it exists at all. This does not come as a surprise: the IT perimeter has been getting increasingly porous for years as business has surged across virtual connections and into the cloud. Open banking is simply punching more holes into a perimeter that looks like Swiss cheese.
To combat the systemic risk of open banking, security professionals need a new approach and solution. That comes in the form of a Zero Trust security model.
Understanding Zero Trust
Zero Trust is a hot topic today. Like many new terms, it can mean different things to different companies. At Unisys, we understand Zero Trust in this way: it is a security approach that treats everyone as an insider.
A Zero Trust approach is necessary with open banking because interconnectivity with partners, vendors, and customers means that every person could theoretically gain access to sensitive data. Such access is not purposefully granted, but the connections that make it possible exist. There is no perimeter to keep people out.
Zero Trust also recognizes that, in addition to internal or external malicious actors, perfectly well-meaning employees can accidentally do bad things from time to time, whether that is clicking on a link in a phishing email or inadvertently exposing information. With no ill intention, such accidents can result in data breaches, regulatory audits and fines, fraud and reputational brand damage.
Three components of Zero Trust security
A Zero Trust security model has several components: identity-driven access, use of advanced technologies, and dynamic isolation. Let’s break those down.
The first is identity-driven access. Verified identity — not a device or role — is the key that unlocks access to information. A user must authenticate their identity via security protocols such as biometrics to access the data appropriate for their role. For example, once verified, a bank customer would be granted access to his account, whereas a bank employee would be granted access to the various systems that pertain to her job.
Use of advanced technologies
Zero Trust security requires machine intelligence, behavioral analytics, network analytics and other advanced technologies to detect and respond to anomalous activity more quickly than people can. People can easily miss seeing a problem, particularly in its early stages. That same problem can be instantly identified in its nascent form through tools such as artificial intelligence, dramatically reducing the mean time to detect. In like manner, the mean time to respond — which may be hours, days, or even weeks when reliant upon people — can be near real-time when the system can automatically respond to address a breach, attack, or other questionable activity.
Finally, a Zero Trust approach requires dynamic isolation. That is, once a problem is identified, it needs to be stopped in its tracks before it spreads. For example, if a piece of malware is pinpointed, the system needs to be able to quarantine the affected area before the malware explodes to take down the entire company. Or again, if a user suddenly starts engaging in unusual activities — such as accessing large amounts of personally identifiable information — the system needs to be able to shut the user out instantly. Dynamic isolation must occur in real-time, instead of waiting for a security professional to see and respond to the issue. The slightest delay can have devastating ramifications given the speed at which attacks occur or problems expand.
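The three components can be seen working together in one access decision. The sketch below is an added example, not code from the original article or from Unisys: it checks verified identity and role scope first, counts each identity's reads of personally identifiable information in a sliding window, and isolates the identity automatically once the count passes a ceiling. The class and resource names, the role mapping, the 60-second window and the limit of 20 are assumptions, and a fixed threshold stands in for the behavioral analytics the article describes.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window
PII_READ_LIMIT = 20   # assumed ceiling of PII reads per identity per window

# Assumed mapping from role to the resources that role may reach.
ROLE_SCOPES = {"customer": {"own_account"},
               "teller": {"own_account", "customer_pii"}}

class AccessGateway:
    def __init__(self):
        self.pii_reads = defaultdict(deque)  # identity -> recent PII read times
        self.isolated = {}                   # identity -> reason for isolation

    def authorize(self, ts, identity, verified, role, resource):
        """Return (decision, reason) for a single request."""
        if identity in self.isolated:        # isolation overrides everything
            return "deny", "isolated: " + self.isolated[identity]
        if not verified:                     # identity-driven access
            return "deny", "identity not verified"
        if resource not in ROLE_SCOPES.get(role, set()):
            return "deny", "resource outside role scope"
        if resource == "customer_pii":       # behavioral check on PII volume
            window = self.pii_reads[identity]
            window.append(ts)
            while window and ts - window[0] >= WINDOW_SECONDS:
                window.popleft()
            if len(window) > PII_READ_LIMIT: # dynamic isolation, no human step
                self.isolated[identity] = (
                    f"{len(window)} PII reads in {WINDOW_SECONDS}s")
                return "deny", "isolated: " + self.isolated[identity]
        return "allow", "ok"

def replay(events):
    """Run events through a fresh gateway; return decisions and isolations."""
    gw = AccessGateway()
    return [gw.authorize(*e)[0] for e in events], gw.isolated

# Constructed sample traffic: (timestamp_s, identity, verified, role, resource)
SAMPLE = (
    [(0, "cust-17", True, "customer", "own_account"),
     (1, "cust-17", True, "customer", "customer_pii"),
     (2, "anon", False, "teller", "customer_pii")]
    + [(10 + i, "teller-04", True, "teller", "customer_pii") for i in range(25)]
    + [(40, "teller-04", True, "teller", "own_account")]
)

if __name__ == "__main__":
    decisions, isolated = replay(SAMPLE)
    print(decisions.count("allow"), "allowed; isolated:", isolated)
```

Once an identity is isolated, every later request from it is denied, including requests that its role would normally allow, until the isolation is cleared.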
By combining identity-driven access, advanced technologies and dynamic isolation, banks and financial institutions can use a Zero Trust security model to counter the systemic risks that open banking introduces. Connections with strategic vendors and partners can then be made with confidence, and the full benefits of open banking can be realized.