Open banking has become a strategic priority and an IT security paradox for many financial institutions. The castles have to open their gates and lower their drawbridges, while, at the same time, finding new ways to defend against unwanted guests. In this context, many see IT security as a challenge and an inevitable evil – but nothing could be further from the truth. When done right, securing APIs can actually be the key factor to improving user experience in an ecosystem.
The new role of IT security
The open banking environment forces IT security to redefine its role. In the past, the model of a digital security employee was that of a grim gatekeeper, whereas, today, he is the friendly concierge and the courteous receptionist. To understand this fundamental change, it is worth having a look at the competitive market of online shopping. The way that major market players like Amazon, Zalando or Alibaba have interwoven security elements with customer experience should serve as inspiration for any open banking ecosystem. How customers experience onboarding and the check-out process is critical to business success for an online shop. After all, whether the conversion succeeds, and the customer completes the desired action, is not only contingent upon the attractiveness of the online shop’s products. It also depends on the user experience that awaits the customer in the security-relevant steps, such as registration, authentication and the payment process.
In the open banking context, IT security faces a similar challenge. What is the purpose of integrating new elements in a digital customer experience, only to then hide them behind cumbersome processes? Security elements such as a Web Application Firewall (WAF) to block attacks on services and applications, API gateways for the protection of interfaces, and user-friendly Customer Identity & Access Management become crucial for the performance of an open banking environment. Because a user experience is a security experience.
The 5 security challenges in an open banking ecosystem
Of course, with the financial industry’s inherent complexity and rigorous market regulations, the task is more sophisticated than in other industries. In the following list, we want to shed some light on the top 5 challenges that IT security has to overcome in an open banking ecosystem.
1. Web application firewalls must learn
Increasing demands on the user experience, as well as an increasing networking of services, are seeing conventional web applications die out and pose new demands on WAFs. Modern applications are mobile apps or rich clients that run in the browser. These services – or APIs – are mostly developed as RESTful web services and use different data formats than those used by traditional web applications. The consequence: protecting these APIs requires new technologies, as the basic interaction paradigm between client and server has changed.
2. API security is also web security
Traditional XML gateways are only partially suitable for securing the new type of web services. These are usually designed for SOAP web services that communicate primarily among their peers. This does not fit well with the new world of REST and JSON, which is characterised by agility. In addition, modern APIs are used by a wide variety of clients, from traditional web applications, browser-based rich clients, smartphone apps, to “things” and other software systems. As a result, APIs must be exposed on the Internet. This places new demands on the API gateway, similar to those of a WAF.
3. APIs need access management
Content filtering is very important for protecting APIs. The most important reason for the use of API gateways, however, is access control. Access to APIs must be secured using standards such as OAuth 2.0 or OpenID Connect and it is often required to continue to support SAML for access control on existing solutions. This includes not only the technical authorisation of “clients”, but also user authentication and consent management. This, in turn, requires integration with Web Single Sign-on and Identity and Access Management (IAM).
4. IAM and the customers
The identities in an ecosystem are very heterogeneous and include a variety of “external” identities, such as those of customers, partners, or systems. These identities need to be managed in accordance with local and regional data protection law, such as GDPR, or open banking regulation, such as the European PSD2. With PSD2, banks must provide APIs for account access and payment initiation that enforce strong customer authentication and that may be used by hundreds of so-called third-party providers (TPP). As banks are liable for misuse, access must be tightly controlled. The solution to this complex challenge: customer IAMs (cIAMs), which, unlike enterprise IAM systems, are better at managing external users, as they are easy to scale and guarantee a seamless user experience through integrated onboarding and self-service UIs.
5. Breaking up inflexible organizational structures
Another key challenge is less technical, but rather organizational – namely, the silo thinking of many companies. When various technologies converge to form one large whole, who is the contact person and decision maker? Is it the CISO, because security issues affect the IT infrastructure and network operations? Or is it the Business Department, because integrated solutions ensure a lower total cost of ownership and a faster time-to-market? Or does Marketing have to take the lead, because an intuitive user guidance and lower bounce rates are, at the end of the day, the domain of communication and marketing?
Make API security the starting point of your open banking journey
API security in an ecosystem is no trivial challenge. It demands the undivided attention of a banking ecosystem’s architects and requires significant effort. Currently, the relevant knowledge to design a scalable, future-proof security concept for open banking is owned by a small group of organizations and experts.
As an engineer and consultant for design and implementation of IT security solutions at our partner Ergon Informatik AG, Urs Zurbuchen knows the requirements for secure digitization processes. He has more than 20 years of experience in the design and integration of web application security solutions (web application firewall, authentication, single sign-on, access control) as well as in the design and implementation of identity & access management projects (user administration, authorization management, processes, provisioning). Urs Zurbuchen can advise on the conception of non-technical topics such as organization, guidelines, compliance requirements and regulations as well as on the implementation of application and system architecture audits.
Learn more about:
The role of IT security in an era of open banking
Why every user experience is a security experience and how banks can learn from online shops
The value of an upstream security layer, namely the convergence of application security, API protection and access management
The 5 security challenges in an open banking ecosystem
The 4 requirements that API security has to deliver in an ecosystem