Accessing financial services online has been the norm for years now, with an overwhelming majority of the population using digital channels for most banking transactions. The infrastructure that makes this possible routinely processes massive amounts of data, and it has to keep evolving to ensure that data remains secure.
To gain a better understanding of how banks protect themselves and their customers, I spoke with Ali Farouk Shaikh, a Unified Communications Solutions Architect at Cisco Systems Inc. who works with major international financial institutions. Ali is a specialist in Software Defined Networking (SDN), with a focus on routing, encryption, and security for large financial services, retail, and manufacturing enterprises.
Where we were – How Banks are Working to Keep Your Data Safe
How was customer and banking data handled by banks in the past?
In the classic model, all software applications and data for a bank would reside in a central data centre. Branches communicated with this centre through physical infrastructure separate from (and unconnected to) what is used at home to access the internet.
Because of this, security perimeters were well-defined. Data and locations were well-defined. It was cumbersome for external threats to access a bank’s network; conversely, it was difficult for users within the network to access the internet.
What prompted a change from that model?
What really started to drive transformative change was a combination of mobile devices and the cloud. The first iPhone pretty much broke the old model. Users could now access data from anywhere, along with demand for additional services to be delivered in a mobile-friendly way.
Simultaneously, modern applications were increasingly based in the cloud, leveraging external services such as Google, Microsoft and Amazon. This changing model meant that bank data was now moving in ways that it hadn’t before, and it needed new modes of security and a modern infrastructure built to carry it. In the industry, this is called the digitization of services, essentially moving from classic networks to networks for digitization.
So, the way customers wanted to access banking changed how banks operated?
Pretty much. The end-user experience has changed. Customers can’t be expected to come to the branch for banking anymore—both customers and bank employees use remote devices to access and provide service (whether this is smartphones or mobile devices on the customer side, or employees with iPads and a VPN on the bank’s side).
As a result, the applications (e.g. mobile banking apps) that provide this changed end-user experience had to move away from the traditional model. Banks were slow to introduce their own apps, but this was always the direction they had to head in. However, they also had to account for privacy and security concerns while meeting strict regulations—more importantly, they had to adapt and meet the requirements of a new digital world.
Now, these applications don’t reside with banks, they reside on the cloud and have to interact with various services that external companies like Google, Amazon, Salesforce, etc. provide. They rely on them for analytics, telemetry, auditing data, marketing data, etc. Because of this, the centers of data were no longer data centres. What I mean is, data now lived everywhere, from mobile devices to cloud services like Amazon Web Services (AWS). This new model required stronger safeguards, security, and encryption, because data now had to be transmitted over the internet.
Where we are – How Banks are Working to Keep Your Data Safe
In light of this new model, how do banks ensure their data and their customers’ data is protected?
As I mentioned before, banks and financial institutions already had privacy, security, and regulatory compliance in mind when modernizing their operations. Now, there are three principles that are fundamental to maintaining a secure banking environment that satisfies both pre-existing and new regulations imposed by the government: confidentiality, integrity, and application security.
Could you elaborate on those principles? What does satisfying the “confidentiality” principle entail?
In this context, “confidentiality” just means making sure no one except you and your bank can see your data. Naturally, when using your banking application, you want to be assured that no one can access your data. Banks go to great lengths to make certain that their systems use the highest encryption standards to protect their data. This means that when using a properly developed banking app, no one will be able to see anything you’re doing on the app. Confidentiality is achieved using the latest encryption—Transport Layer Security (TLS) with Advanced Encryption Standard 256 (AES256).
Side note: if you’re wondering how secure AES256 encryption is, it would reportedly take 77,000,000,000,000,000,000,000,000 years and the dedication of the entirety of earth’s population to brute-force a single key. Not to mention, all of those people would need 10 computers each, capable of testing 1 billion key combinations per second. So, it’s safe to assume it’s pretty secure!
What about the “integrity” principle?
Integrity means ensuring data isn’t tampered with in any shape or form. The desire for this is pretty self-explanatory: you’d naturally want your data to be safeguarded from being tampered with. This is achieved in a number of ways. There are mechanisms to enforce data-integrity checks at the machine level. This makes sure data isn’t corrupted or altered in any way while in transit or when stored.
The “security” principle seems straightforward enough, but what exactly goes into achieving that?
So, “security” is the aspect that actually protects users from malicious threats from both “state” and “non-state” actors. From a security standpoint, “state” actors are individuals or groups sponsored by foreign governments that carry out malicious attacks. Banks are critical pieces of a country’s infrastructure and are thus natural targets. “Non-state” actors operate in a similar manner, but without the support or direction of a foreign government.
Financial institutions safeguard against these threats by using firewalls to ensure only authorized applications can access data. This is where Intrusion Prevention Systems are applied, both to grant access only to authorized users and to protect against malware. Measures are also taken to prevent Denial of Service (DoS) attacks so that a customer’s access to banking services isn’t interrupted.
Security is taken very seriously, to say the least.
Where we’re headed – How Banks are Working to Keep Your Data Safe
What do you think the future holds for the banking industry? Does that future come with its own set of challenges?
There’s an increasing evolution of machine learning, the data it provides, as well as the services that can be built on it. Not to mention the 5G revolution that will further accelerate the digitization of the world. We’ll begin to see new banking experiences including packages tailored for individuals, as well as new modes of banking. This is all predicated on next-gen technology that has started to enter the marketplace.
The protection of individual data is of paramount importance. Things will have to be secure, untampered with and protected from malicious entities.
Innovation is always a challenge, but the industry will adapt. It always does!