Modern financial services are composed of a digitally integrated secure ecosystem – networked together and codependent on ecosystem APIs, microservices and shared data. Complexity and ambiguity are high.
Sir Alex Younger, former head of the British Intelligence Service MI6 said recently that the job of the intelligence service is to dispel complexity and ambiguity.That would make a fine mission statement for the heads of information security in the financial sector.
Meeting a Complex Security Challenge
Most banks leverage core banking systems (CBS) from providers like Temenos, FIS and Finastra. This makes security complex. Connections are needed between the bank’s network and its CBS provider’s network. Traditionally, this necessitates nailing up VPNs. And managing permitted IP addresses in firewall ACLs, MPLS or dedicated circuit-based extranets. Also required are pre-shared certificates, shipping hardware, VDI and/or leaking routes. All of which have multiplied in complexity during digital transformation. And are about to multiply again with AI.
A different approach is secure-by-design. Rather than bolt-on the infrastructure described above, each session is strongly identified, authenticated and authorised. All before it is granted a virtual circuit on a network. This is similar to what the banks do internally with solutions for zero trust, but it is borderless. It works across their digital supply chains, including with their core banking platform and software providers.
One CBS leader, Euronet Worldwide, uses a third-party secure-by-design platform to enable their financial institution customers to connect to its core banking software. This is a great example of the supplier being proactive about their role in security. We’ll see this happen more as new legislation takes effect, the EU CRA. The Euronet example shows that it’s possible to remove some of the ambiguity from shared responsibility. Euronet’s secure-by-design system doesn’t just protect itself but makes every interaction with supply chain partners more secure.
Security designed-in for Financial Services
The same principles apply across financial services. Companies like Euronet can deploy their own zero trust supply chain connections, rather than putting the burden on their finance sector customers to figure it out. In large supply chain scenarios like CBS, this helps everyone. The reality now is that if the VPN of any one financial institution is compromised, then potentially all the banks who connect to the same CBS providers can be exploited. By removing complexity and ambiguity, Euronet is simplifying and securing the entire supply chain.
The big picture is that the WAN/SASE/firewall model is struggling in the post digital transformation, hyperconnected, soon to be AI- powered world. That model was built to secure the WAN. However, new workflows such as the financial supply chain are outside the borders of any single WAN. So, the precious SASE WAN gets connected to the internet via open firewall ports (ACLs) and vulnerable VPNs so the business can connect to supply chain partners. It’s like building a strong boat and then punching holes in it to get a better look at the water.
AI is the nail in the WAN coffin because AI multiplies and accelerates these workflows. They have at least one leg outside the WAN and it makes them less predictable and more dynamic. More complexity and ambiguity. Good luck connecting AI agents via VPNs and firewall ACLs.
Secure-by-Design Supply Chain
So, what does a secure-by-design supply chain look like and how can financial services identify viable migration paths?
The main characteristics are:
- Close all inbound “listening” ports on all network firewalls and servers to make your DMZ unreachable from the underlay networks. Eliminate the reachable firewalls and VPN servers. No more holes beneath the waterline!
- End-to-end zero trust between supply chain participants, meaning least-privileged access not just to the network or firewall, but all the way through to applications, APIs, servers and devices. Nothing can connect to anything else without strong identity, authentication and authorisation. This includes end-to end-encryption – no sharing of encryption keys with cloud security providers (which also helps ensure data sovereignty).
- Microsegmentation, the ability to define in granular detail who or what has access to which applications, and to limit lateral movement in the event of a breach. In effect, every application session becomes a private network-of-one, and it is quarantined by design.
Find out more at https://netfoundry.io/
- Cybersecurity in FinTech