On September 8th, 2021 Noord hosted a virtual boardroom in association with Radware. The event consisted of an introduction from Marius Baczynski, Director of Cloud Security Services (EMEA) at Radware, accompanied by a short case study presented by Rui Mendes, Head of Connectivity, Control and Internet at Clearstream. This was followed by a discussion among senior IT professionals on the topic of securing applications in the financial ecosystem.
Marius Baczynski kicked off the session, noting that apps have become the lifeblood of any organisation, especially during the pandemic when digital presence has become the single most critical element for businesses. When applied in new contexts such as Open Banking, apps have the power to revolutionise entire industries. Unfortunately, though, apps are also subject to cybercrime, which can disrupt business continuity. The purpose of the boardroom is to discuss how organisations can overcome the regulatory and technological complexity in a highly regulated industry to leverage but also protect critical apps for the ultimate benefit of the ecosystem as a whole.
Rui Mendes then shared his experience of securing apps and data, noting that in recent years, the ecosystem has become much more heavily regulated. Whatever companies are doing is becoming more strictly controlled and service requirements are becoming tougher. Whereas 10 years ago, firewall requests were made on paper and filed away, requests now have to be raised very quickly and there are several controls to ensure they are implemented correctly. Moreover, it is difficult to automate everything, especially if companies have a lot of legacy infrastructure.
Reasons for attending and key challenges
Participants were asked to introduce themselves briefly and give their reason for attending or a key challenge faced by their organisation. Participants brought a range of expertise, including IT security analysis, risk and compliance, fraud investigation, data protection and machine learning. Many were representing major banks, insurance companies and credit card firms.
Attendees were keen to see what their peers are doing and keep up to date with the latest developments in the field. Key challenges cited included mitigating insider threats, ensuring detection capabilities and organisational resilience in light of the increase in ransomware attacks, keeping abreast of regulations, transitioning to paperless systems and facilitating a large-scale return to the office as the pandemic restrictions ease.
Improving application security
Rui noted that in recent years, his company has seen an active change in the way that malicious actors are attempting to launch cyber attacks. As a result, the company puts a lot of effort into selecting the right partners and validating the solutions it puts in place. Ultimately, the right technology is meaningless without the right processes to back it up. Moreover, increasing controls has meant that the role of a systems engineer has moved more towards that of an administrative job, with systems engineers now having to spend much more time writing documents and preparing KPIs to ensure that the controls have been implemented properly.
One participant from a credit card company said that however good systems are, and however high or thick the walls are, the human element is always the weak link, be it through neglect or malicious intent. For this reason, it is important to give employees ownership of what they are doing and treat them as company partners rather than penalising them for causing a breach.
Marius explained that in his view, apps are increasingly being targeted by cyber criminals because the app environment is much more complex than the infrastructure environment, with companies competing to deliver new app versions as quickly as possible and apps sprawling beyond internal data centres to external cloud providers. These factors lead to greater weaknesses and also increase the attack surface. Additionally, cyber criminals are tending to attack the API rather than the app itself, as apps are more likely to sit behind some defences and some knowledge of how the app works is required to exploit it. APIs, however, transmit useful data and can be captured from outside of a company’s internal walls.
Exploring effective app security solutions
Marius noted that as apps face different categories of threats, only platforms can truly hope to solve the challenge of app security. Having solutions communicate with one another is crucial to improve the protection capability. Such solutions need to be holistic, sophisticated and based on machine learning, especially as fourth-generation bots are incredibly adept at mimicking individual and group behaviour. In addition, a critical capability for the future will be decoupling app security from app location.
Increased security and regulatory demands
One attendee made the point that regulations can vary by country or data type, which can pose challenges. However, companies can overcome these challenges by starting off with the requirements they need to meet, ascertaining the level of compliance they require (depending on the type of company they are and the data they are managing), looking at how they serve global customers and finally dealing with any ad hoc cases. Clearly, having an Excel sheet with a list of controls is no longer fit for purpose, and companies need to develop a solid system, not least to be able to prove compliance to auditors.
Another attendee noted that it is constantly challenging when controls are being managed outside of the country of data localisation. Ideally, there would be a one-stop-shop where companies can see that all their controls are working in a particular region, but clearly, pulling up all the necessary data requires much more bespoke activity.
One participant representing an investment bank said that a lot of their organisation’s app support was still managed on site, as the company is quite conservative and risk-averse. In response, Marius suggested that there are two key advantages to cloud solutions: rapid onboarding and simplified management.
Protection from attacks
Marius noted that malicious bots are increasingly using account takeovers and web scraping as methods of attack. The PCI DSS standard recommends that effective app security management should leverage a negative signature-based model and a positive security model capable of detecting abnormal, unusual or questionable traffic within traffic which is theoretically allowed.
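As an added illustration, not code from the boardroom, from Radware or from any product discussed, the following Python sketch shows how the two models named above fit together: a negative model that blocks any request matching a known-bad signature, and a positive model that only accepts the parameters and value formats an endpoint is defined to receive, so that a request which matches no signature but deviates from the expected shape is still flagged. The endpoint path, parameter names, signature patterns and sample requests are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path plus query/body parameters."""
    path: str
    params: dict


# Negative model: a small, illustrative set of known-bad signatures (assumption).
# Anything matching one of these is blocked regardless of endpoint.
NEGATIVE_SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
}

# Positive model: what each endpoint is allowed to receive (assumed schema).
# Only listed endpoints are reachable, only listed parameters are accepted,
# and every value must match its expected format exactly.
POSITIVE_SCHEMA = {
    "/api/v1/accounts/balance": {
        "account_id": re.compile(r"[0-9]{8,12}"),
        "currency": re.compile(r"[A-Z]{3}"),
    },
}


def evaluate(req: Request):
    """Return ("allow", []) or ("block", [reasons]) for a request.

    Both models run on every request: the negative model catches known attack
    patterns, the positive model catches traffic that is "theoretically allowed"
    (no signature fires) but does not look like what the endpoint expects.
    """
    reasons = []

    # Negative model: signature match on any parameter value.
    for name, pattern in NEGATIVE_SIGNATURES.items():
        for key, value in req.params.items():
            if pattern.search(value):
                reasons.append(f"negative:{name}:{key}")

    # Positive model: endpoint must be known, parameters must be expected,
    # values must match their format, and required parameters must be present.
    schema = POSITIVE_SCHEMA.get(req.path)
    if schema is None:
        reasons.append("positive:unknown_endpoint")
    else:
        for key, value in req.params.items():
            if key not in schema:
                reasons.append(f"positive:unexpected_param:{key}")
            elif not schema[key].fullmatch(value):
                reasons.append(f"positive:bad_format:{key}")
        for key in schema:
            if key not in req.params:
                reasons.append(f"positive:missing_param:{key}")

    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    # Constructed sample traffic: one clean request, one that trips a
    # signature, and one that no signature catches but the schema rejects.
    samples = [
        Request("/api/v1/accounts/balance", {"account_id": "1234567890", "currency": "EUR"}),
        Request("/api/v1/accounts/balance", {"account_id": "../../etc", "currency": "EUR"}),
        Request("/api/v1/accounts/balance", {"account_id": "1234567890", "currency": "EUR", "role": "admin"}),
    ]
    for sample in samples:
        print(sample.path, sample.params, "->", evaluate(sample))
```

The third sample request is the case the passage is pointing at: nothing in it matches a signature, so a purely negative model would pass it, while the positive model rejects the unexpected `role` parameter. In practice the schema would be generated from API specifications or learned from observed traffic rather than hand-written, but the decision logic is the same.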
Many leading app security providers provide protection from the network edge, but it is very difficult to implement a positive security model from this position. In this respect, the centralisation of policy management and control is essential in an increasingly complex world. Although some company stakeholders may see centralisation as invasive, this kind of model makes it easier to avoid weak points.
Closing of the session
In closing, one attendee noted that participants had touched on common themes. None of these are insurmountable, but it is a case of striking the right balance between what an organisation can automate and what it needs to reserve for its IT experts.