The breakneck pace of technological change has fundamentally affected the way industries operate and innovate, and banking is no exception. Accessing financial services online has been the norm for years now, with nearly 76% of the population using digital channels for most banking transactions. The infrastructure that makes all of this possible, routinely processes massive amounts of sensitive data and needs to constantly evolve to ensure it all remains secure.
To gain a better understanding of how banks protect themselves and their customers, I spoke with Ali Farouk Shaikh, a Technical Solutions Architect at Cisco Systems Inc. who works with major international financial institutions. Ali is a specialist in Software Defined Networking (SDN), with a focus on routing, encryption, and security for large financial services, retail, and manufacturing enterprises.
Where we were
How was customer and banking data handled by banks in the past?
In the classic model, all software applications and data for a bank would reside on a central data centre. Branches communicated with this centre through physical infrastructure entirely separate from (and unconnected to) what you’d use at home to access the internet.
Because of this, security parameters were well-defined. Data and locations were well-defined. It was cumbersome for external threats to access a bank’s network; conversely, it was difficult for users within the network to access the internet.
What prompted a change from that model?
Simply put: it wasn’t designed for how we bank in 2019. Physically separate infrastructure is very secure, but it just isn’t sufficient for today’s needs, and can’t support the business goals of financial institutions.
What really started to drive transformative change was a combination of mobile devices and the cloud. The first iPhone pretty much broke the old model. Users could now access data from anywhere, and there was a demand for additional services to be delivered in a mobile-friendly way.
Simultaneously, modern applications were increasingly based in the cloud, leveraging external services such as Google, Microsoft and Amazon. This changing model meant that bank data was now moving in ways that it hadn’t before, and needed new modes of security and building modern infrastructure. In the industry, this is called the digitization of services—essentially moving from classic networks to networks for digitization.
So, the way customers wanted to access banking changed how banks operated?
Pretty much. The end-user experience has changed. Customers can’t be expected to come to the branch for banking anymore—both customers and bank employees use remote devices to access and provide service (whether this is smartphones or mobile devices on the customer side, or employees with iPads and a VPN on the bank’s side).
As a result, the applications (e.g. mobile banking apps) that provide this changed end-user experience had to move away from the traditional model. Banks were slow to introduce their own apps, but this was always the direction they had to head in. However, they also had to account for privacy and security concerns while meeting strict regulations—more importantly, they had to adapt and meet the requirements of a new digital world.
Now, these applications don’t reside with banks, they reside on the cloud and have to interact with various services that external companies like Google, Amazon, Salesforce, etc. provide. They rely on them for analytics, telemetry, auditing data, marketing data, etc. Because of this, the centers of data were no longer data centres. What I mean is, data now lived everywhere, from mobile devices to cloud services like Amazon Web Services (AWS). This new model required stronger safeguards, security, and encryption, because data now had to be transmitted over the internet.
Where we are
In light of this new model, how do banks ensure their data and their customers’ data is protected?
As I mentioned before, banks and financial institutions already had privacy, security, and regulatory compliance in mind when modernizing their operations. Now, there are three principles that are fundamental to maintaining a secure banking environment that satisfies both pre-existing and new regulations imposed by the government: confidentiality, integrity, and application security.
Could you elaborate on those principles? What does satisfying the “confidentiality” principle entail?
In this context, “confidentiality” just means making sure no one except you and your bank can see your data. Naturally, when using your banking application, you want to be assured that no one can access your data while it’s in transit. Banks go to great lengths to make certain that their systems use the highest encryption standards to protect their data and their clients’ data. This means that when using a properly developed banking app, no one will be able to see anything you’re doing on the app even should they somehow manage to covertly intercept your data. Confidentiality is achieved using the latest encryption—Transport Layer Security (TLS) with Advanced Encryption Standard 256 (AES256).
Side note:if you’re wondering how secure AES256 encryption is—it would reportedly take 77,000,000,000,000,000,000,000,000 years and the dedication of the entirety of earth’s population to crack one encryption key. Not to mention, all of those people would need 10 computers each, capable of processing 1 billion key combinations per second. So, it’s safe to assume it’s pretty secure!
What about the “integrity” principle?
Integrity means ensuring data isn’t tampered with in any shape or form. The desire for this is pretty self-explanatory: you’d naturally want your data to be safeguarded from being tampered with. This is achieved in a number of ways. There are mechanisms to enforce data-integrity checks at the machine-level, to make sure data isn’t corrupted or altered in any way while in transit or when stored. There’s a lot of technology and processes that are used to achieve this, including packet duplication, parity, checksums, asynchronous data replication, etc. etc. In essence, even in cases of outages and system failure, data has to remain secure, untampered with, and stored on multiple systems to avoid total loss.
The “security” principle seems straightforward enough, but what exactly goes into achieving that?
So, “security” is the aspect that actually protects users from malicious threats from both “state” and “non-state” actors. From a security standpoint, “state” actors are individuals or groups sponsored by foreign governments that carry out malicious attacks. Banks are critical pieces of a country’s infrastructure, and are thus natural targets. “Non-state” actors operate in a similar manner, but without the support or direction of a foreign government.
Banks and financial institutions safeguard against these threats by using firewalls to ensure only authorized applications can access data. This is where Intrusion Prevention Systems/Intrusion Detection Systems (IPS/IDS) are applied, both to only grant access to authorized users and to protect against malware. There are also measures taken to prevent Denial of Service (DoS) attacks, so that a customer’s access to their banking services isn’t interrupted. A combination of these techniques are used in what’s called “stateful inspection”—that is to say, before data can move between a client and a server, the data is inspected in multiple ways to ensure that it’s clean and legitimate.
All of this is done by banks to provide their clients with the highest level of security, while giving them a new, modern banking experience. Governments are, of course, very actively engaged in setting and implementing standards for security, which include things like PCI-DSS (the standard for the payment card industry), SOC2, ISO27001, ISO9001, ITIL, etc. all of which banks need to meet in order to operate.
Security is taken very seriously, to say the least.
Where we’re headed
What do you think the future holds for the banking industry? Does that future come with its own set of challenges?
Well, there are a couple of things: there’s an increasing evolution of machine-learning, the data it provides, as well the services that can be built on it. Not to mention the 5G revolution that will further accelerate the digitization of the world. I think we’ll begin to see new banking experiences including packages tailored for individuals based on their data, as well as new modes of banking like virtual tellers. Of course, this is all predicated on next-gen technology that we’re seeing start to enter the marketplace.
What this specifically means for the protection of individual data is as of yet unknown. We can be certain that there will still be regulations and a requirement for any new innovation or system to preserve the principles we spoke about before. Things will have to be secure, untampered with and protected from malicious entities.
It’s too early to say definitively whether these new pieces of tech will be innovative or just a headache, but the industry will adapt. It always does!
Freelance writer and communications professional at the University of Toronto. He’s an avid cinephile, voracious reader, and a terror at karaoke bars.