Back
About RSIS
Introduction
Building the Foundations
Welcome Message
Board of Governors
Staff Profiles
Executive Deputy Chairman’s Office
Dean’s Office
Management
Distinguished Fellows
Faculty and Research
Associate Research Fellows, Senior Analysts and Research Analysts
Visiting Fellows
Adjunct Fellows
Administrative Staff
Honours and Awards for RSIS Staff and Students
RSIS Endowment Fund
Endowed Professorships
Career Opportunities
Getting to RSIS
Research
Research Centres
Centre for Multilateralism Studies (CMS)
Centre for Non-Traditional Security Studies (NTS Centre)
Centre of Excellence for National Security
Institute of Defence and Strategic Studies (IDSS)
International Centre for Political Violence and Terrorism Research (ICPVTR)
Research Programmes
National Security Studies Programme (NSSP)
Social Cohesion Research Programme (SCRP)
Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
Other Research
Future Issues and Technology Cluster
Research@RSIS
Science and Technology Studies Programme (STSP) (2017-2020)
Graduate Education
Graduate Programmes Office
Exchange Partners and Programmes
How to Apply
Financial Assistance
Meet the Admissions Team: Information Sessions and other events
RSIS Alumni
Outreach
Global Networks
About Global Networks
RSIS Alumni
Executive Education
About Executive Education
SRP Executive Programme
Terrorism Analyst Training Course (TATC)
International Programmes
About International Programmes
Asia-Pacific Programme for Senior Military Officers (APPSMO)
Asia-Pacific Programme for Senior National Security Officers (APPSNO)
International Conference on Cohesive Societies (ICCS)
International Strategy Forum-Asia (ISF-Asia)
Publications
RSIS Publications
Annual Reviews
Books
Bulletins and Newsletters
RSIS Commentary Series
Counter Terrorist Trends and Analyses
Commemorative / Event Reports
Future Issues
IDSS Papers
Interreligious Relations
Monographs
NTS Insight
Policy Reports
Working Papers
External Publications
Authored Books
Journal Articles
Edited Books
Chapters in Edited Books
Policy Reports
Working Papers
Op-Eds
Glossary of Abbreviations
Policy-relevant Articles Given RSIS Award
RSIS Publications for the Year
External Publications for the Year
Media
Cohesive Societies
Sustainable Security
Other Resource Pages
News Releases
Speeches
Video/Audio Channel
External Podcasts
Events
Contact Us
S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
Nanyang Technological University Nanyang Technological University
  • About RSIS
      IntroductionBuilding the FoundationsWelcome MessageBoard of GovernorsHonours and Awards for RSIS Staff and StudentsRSIS Endowment FundEndowed ProfessorshipsCareer OpportunitiesGetting to RSIS
      Staff ProfilesExecutive Deputy Chairman’s OfficeDean’s OfficeManagementDistinguished FellowsFaculty and ResearchAssociate Research Fellows, Senior Analysts and Research AnalystsVisiting FellowsAdjunct FellowsAdministrative Staff
  • Research
      Research CentresCentre for Multilateralism Studies (CMS)Centre for Non-Traditional Security Studies (NTS Centre)Centre of Excellence for National SecurityInstitute of Defence and Strategic Studies (IDSS)International Centre for Political Violence and Terrorism Research (ICPVTR)
      Research ProgrammesNational Security Studies Programme (NSSP)Social Cohesion Research Programme (SCRP)Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      Other ResearchFuture Issues and Technology ClusterResearch@RSISScience and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      Graduate Programmes OfficeExchange Partners and ProgrammesHow to ApplyFinancial AssistanceMeet the Admissions Team: Information Sessions and other eventsRSIS Alumni
  • Outreach
      Global NetworksAbout Global NetworksRSIS Alumni
      Executive EducationAbout Executive EducationSRP Executive ProgrammeTerrorism Analyst Training Course (TATC)
      International ProgrammesAbout International ProgrammesAsia-Pacific Programme for Senior Military Officers (APPSMO)Asia-Pacific Programme for Senior National Security Officers (APPSNO)International Conference on Cohesive Societies (ICCS)International Strategy Forum-Asia (ISF-Asia)
  • Publications
      RSIS PublicationsAnnual ReviewsBooksBulletins and NewslettersRSIS Commentary SeriesCounter Terrorist Trends and AnalysesCommemorative / Event ReportsFuture IssuesIDSS PapersInterreligious RelationsMonographsNTS InsightPolicy ReportsWorking Papers
      External PublicationsAuthored BooksJournal ArticlesEdited BooksChapters in Edited BooksPolicy ReportsWorking PapersOp-Eds
      Glossary of AbbreviationsPolicy-relevant Articles Given RSIS AwardRSIS Publications for the YearExternal Publications for the Year
  • Media
      Cohesive SocietiesSustainable SecurityOther Resource PagesNews ReleasesSpeechesVideo/Audio ChannelExternal Podcasts
  • Events
  • Contact Us
    • Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
      rsisvideocast
      school/rsis-ntu
      rsis.sg
      rsissg
      RSIS
      RSS
      Subscribe to RSIS Publications
      Subscribe to RSIS Events

      Getting to RSIS

      Nanyang Technological University
      Block S4, Level B3,
      50 Nanyang Avenue,
      Singapore 639798

      Click here for direction to RSIS

      Get in Touch

    Connect
    Search
    • RSIS
    • Publication
    • RSIS Publications
    • Securing Financial Institutions: Emergence of Open Banking
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • RSIS Commentary Series
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • Future Issues
    • IDSS Papers
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers

    CO22039 | Securing Financial Institutions: Emergence of Open Banking
    Adam Palmer, Wias Issa

    19 April 2022

    download pdf

    SYNOPSIS

    As the global financial industry continues to innovate, concepts such as open banking have emerged, creating opportunities to improve consumer banking experiences and accelerate growth. While innovative, they have introduced new data security risks, which require equally innovative security strategies to mitigate them.

    COMMENTARY

    THE CONTINUED spread of cyber crime attacks on banks in Singapore, and on banks in the Ukraine just before its invasion, highlight the national security risks facing the financial services sector as critical infrastructure. Simultaneously, the global pandemic has accelerated the need for financial institutions (FSIs) to undergo digital transformation accelerating new initiatives like “Open Banking” and cloud adoption.

    These innovative approaches, however, also give rise to new data security issues. Best practices for addressing these new data security concerns were highlighted in the recent regulations published in Singapore related to application security.

    The Emergence of Open Banking

    The global regulatory cyber security landscape for FSIs continues to evolve. The enactment of the European General Data Protection Regulation (GDPR) and its broadened security requirements inspired a global surge of new data privacy laws, including the Singapore Personal Data Protection Act (PDPA), and the California Consumer Privacy Act (CCPA) in the United States. These regulations now apply broad privacy and security requirements to many organisations processing personal data.

    Data security, and especially security in emerging technologies, is a common focus of these new regulations. In the financial services sector, there is increasing attention to security in areas such as cloud infrastructure and “Open Banking,” which provides third-party service providers easier access to financial data (see Figure 1 below).

    Figure 1: Open Banking Overview

    Figure 1
    Figure 1 – Source: Ubiq Security

    In June 2021, the Monetary Authority of Singapore (MAS) released an Advisory on “Addressing the Technology and Cyber Security Risks Associated with Public Cloud Adoption” and in January 2022, the US-based National Institute of Standards and Technology published a draft guidance on Cybersecurity Considerations for Open Banking Technology and Emerging Standards.

    FSIs are undergoing a digital evolution in open banking and cloud adoption. Offering new business opportunities and value for customers with improved service options, especially where physical access to banks is limited. However, the emergence of these new platforms also requires a renewed focus on integrated security standards and processes within the IT architecture.

    The Expanding Data Security Challenge

    To support open banking, FSIs need to expose application programming interfaces (APIs) and allow approved third-party providers to access sensitive consumer financial data.

    Open banking is often closely tied with a growing transition to cloud-based infrastructure (where customer data is stored and/or processed by external, third-party cloud providers), which provides flexibility, scalability, and cost savings. However, when adopting these new platforms, FSIs need to ensure that the security framework for these new approaches is also in line with regulatory requirements, internal policies, and protects customer privacy.

    The emergence of open banking and the transition to cloud-based infrastructure creates a complex web of new relationships for FSIs. For open banking, FSIs need to open access to sensitive data to third-party service providers, but also ensure they are protecting that data and maintaining regulatory compliance.

    Cloud computing creates additional security complexity as FSIs are dependent on infrastructure that they do not own and do not fully control.

    Creating a Security Architecture

    Third-party applications with legitimate access to FSIs through APIs are among the greatest risks to data security. If a third-party application or API is compromised, sensitive customer and financial data may be exposed to an unauthorised user. Security reviews for third-party vendors and service providers are essential to minimising an organisation’s supply chain risk.

    However, this approach is generally unscalable and ineffective, as it can be arduous, expensive, and at times superficial, leaving FSIs unable to fully eliminate all data security risks. FSIs should instead work to minimise the risk and impact of a supply chain breach by implementing granular access management policies and encryption for sensitive customer data.

    Data encryption is often a good solution for minimising data security risk and most organisations rely on cloud-native, storage data encryption controls. However, these controls are mostly ineffective against modern threats, as they implicitly trust authorised user accounts, which are often compromised by attackers.

    The previously noted MAS Security Advisory on a shared security responsibility in the cloud (see Figure 2 below) suggests that FSIs should be mindful of their own responsibility for, and control over, data security.

    More specifically, Section 22 of the Advisory supports a new application-level encryption strategy and “Bring-Your-Own-Key” (BYOK) and “Bring-Your-Own-Encryption” (BYOE). BYOK allows financial services organisations control and management of cryptographic keys that are uploaded to the cloud to perform data encryption. In BYOE, data is encrypted before it enters the cloud, and the keys are not transferred to the cloud.

    Figure 2: Shared Security Model

    Figure 2
    Figure 2 – Source: Ubiq Security, adapted from AWS’ Shared Security Model

    What FSIs Can Do To Protect Themselves

    There are at least six steps that organisations can consider in developing a secure approach to cloud and open banking:

    • Adopt mature policies, standards, and procedures to provide the
    necessary requirements and guidance for new platforms;
    • Create an inventory of applications and assign a criticality rating to
    each application based on risk exposure;
    • Define minimal, security requirements based on risk level that must be adhered to when developing and deploying new applications and systems;
    • Expand the capabilities of IT and security teams to build and support application security capabilities;
    • Focus on integrating security into all application and cloud architecture
    development processes; and
    • Implement granular, role and attribute-based access control and
    application-level encryption into applications.

    A Security-by-Design Strategy

    The evolution to open banking and cloud computing provides FSIs with a great opportunity for innovation. However, there is a need to also design security that meets evolving business and regulatory requirements. Recent supply chain cyber attacks have generated a renewed focus on how cyber threat actors can also leverage relationships with trusted service providers to attack companies.

    As FSIs re-architect their infrastructure with emerging technologies, “security-by-design” is essential for enterprise-wide data security and regulatory compliance. Organisations should ensure that they can protect data in these new environments, which requires a review of the overall architecture to fill the gaps sometimes left by traditional security strategies.

    FSIs should use security strategies, as described above, to create a robust set of “security-by-design” principles: Implement security throughout the lifecycle of all systems and applications; build an enterprise-wide security architecture; and integrate security reviews into all critical processes.

    About the Authors

    Adam Palmer is an Adjunct Senior Fellow at the Centre of Excellence for National Security (CENS), S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. He also the Chief Information Security Officer (CISO) at First Hawaiian Bank in the US.

    Wias Issa is a cybersecurity expert with concentration in threat response countermeasures and cryptography. He has held several executive level positions at Symantec and Mandiant in Singapore, Japan, and the US. He is CEO of Ubiq Security in the US.

    Categories: RSIS Commentary Series / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / International Political Economy / International Politics and Security / East Asia and Asia Pacific / South Asia / Southeast Asia and ASEAN / Global
    comments powered by Disqus

    SYNOPSIS

    As the global financial industry continues to innovate, concepts such as open banking have emerged, creating opportunities to improve consumer banking experiences and accelerate growth. While innovative, they have introduced new data security risks, which require equally innovative security strategies to mitigate them.

    COMMENTARY

    THE CONTINUED spread of cyber crime attacks on banks in Singapore, and on banks in the Ukraine just before its invasion, highlight the national security risks facing the financial services sector as critical infrastructure. Simultaneously, the global pandemic has accelerated the need for financial institutions (FSIs) to undergo digital transformation accelerating new initiatives like “Open Banking” and cloud adoption.

    These innovative approaches, however, also give rise to new data security issues. Best practices for addressing these new data security concerns were highlighted in the recent regulations published in Singapore related to application security.

    The Emergence of Open Banking

    The global regulatory cyber security landscape for FSIs continues to evolve. The enactment of the European General Data Protection Regulation (GDPR) and its broadened security requirements inspired a global surge of new data privacy laws, including the Singapore Personal Data Protection Act (PDPA), and the California Consumer Privacy Act (CCPA) in the United States. These regulations now apply broad privacy and security requirements to many organisations processing personal data.

    Data security, and especially security in emerging technologies, is a common focus of these new regulations. In the financial services sector, there is increasing attention to security in areas such as cloud infrastructure and “Open Banking,” which provides third-party service providers easier access to financial data (see Figure 1 below).

    Figure 1: Open Banking Overview

    Figure 1
    Figure 1 – Source: Ubiq Security

    In June 2021, the Monetary Authority of Singapore (MAS) released an Advisory on “Addressing the Technology and Cyber Security Risks Associated with Public Cloud Adoption” and in January 2022, the US-based National Institute of Standards and Technology published a draft guidance on Cybersecurity Considerations for Open Banking Technology and Emerging Standards.

    FSIs are undergoing a digital evolution in open banking and cloud adoption. Offering new business opportunities and value for customers with improved service options, especially where physical access to banks is limited. However, the emergence of these new platforms also requires a renewed focus on integrated security standards and processes within the IT architecture.

    The Expanding Data Security Challenge

    To support open banking, FSIs need to expose application programming interfaces (APIs) and allow approved third-party providers to access sensitive consumer financial data.

    Open banking is often closely tied with a growing transition to cloud-based infrastructure (where customer data is stored and/or processed by external, third-party cloud providers), which provides flexibility, scalability, and cost savings. However, when adopting these new platforms, FSIs need to ensure that the security framework for these new approaches is also in line with regulatory requirements, internal policies, and protects customer privacy.

    The emergence of open banking and the transition to cloud-based infrastructure creates a complex web of new relationships for FSIs. For open banking, FSIs need to open access to sensitive data to third-party service providers, but also ensure they are protecting that data and maintaining regulatory compliance.

    Cloud computing creates additional security complexity as FSIs are dependent on infrastructure that they do not own and do not fully control.

    Creating a Security Architecture

    Third-party applications with legitimate access to FSIs through APIs are among the greatest risks to data security. If a third-party application or API is compromised, sensitive customer and financial data may be exposed to an unauthorised user. Security reviews for third-party vendors and service providers are essential to minimising an organisation’s supply chain risk.

    However, this approach is generally unscalable and ineffective, as it can be arduous, expensive, and at times superficial, leaving FSIs unable to fully eliminate all data security risks. FSIs should instead work to minimise the risk and impact of a supply chain breach by implementing granular access management policies and encryption for sensitive customer data.

    Data encryption is often a good solution for minimising data security risk and most organisations rely on cloud-native, storage data encryption controls. However, these controls are mostly ineffective against modern threats, as they implicitly trust authorised user accounts, which are often compromised by attackers.

    The previously noted MAS Security Advisory on a shared security responsibility in the cloud (see Figure 2 below) suggests that FSIs should be mindful of their own responsibility for, and control over, data security.

    More specifically, Section 22 of the Advisory supports a new application-level encryption strategy and “Bring-Your-Own-Key” (BYOK) and “Bring-Your-Own-Encryption” (BYOE). BYOK allows financial services organisations control and management of cryptographic keys that are uploaded to the cloud to perform data encryption. In BYOE, data is encrypted before it enters the cloud, and the keys are not transferred to the cloud.

    Figure 2: Shared Security Model

    Figure 2
    Figure 2 – Source: Ubiq Security, adapted from AWS’ Shared Security Model

    What FSIs Can Do To Protect Themselves

    There are at least six steps that organisations can consider in developing a secure approach to cloud and open banking:

    • Adopt mature policies, standards, and procedures to provide the
    necessary requirements and guidance for new platforms;
    • Create an inventory of applications and assign a criticality rating to
    each application based on risk exposure;
    • Define minimal, security requirements based on risk level that must be adhered to when developing and deploying new applications and systems;
    • Expand the capabilities of IT and security teams to build and support application security capabilities;
    • Focus on integrating security into all application and cloud architecture
    development processes; and
    • Implement granular, role and attribute-based access control and
    application-level encryption into applications.

    A Security-by-Design Strategy

    The evolution to open banking and cloud computing provides FSIs with a great opportunity for innovation. However, there is a need to also design security that meets evolving business and regulatory requirements. Recent supply chain cyber attacks have generated a renewed focus on how cyber threat actors can also leverage relationships with trusted service providers to attack companies.

    As FSIs re-architect their infrastructure with emerging technologies, “security-by-design” is essential for enterprise-wide data security and regulatory compliance. Organisations should ensure that they can protect data in these new environments, which requires a review of the overall architecture to fill the gaps sometimes left by traditional security strategies.

    FSIs should use security strategies, as described above, to create a robust set of “security-by-design” principles: Implement security throughout the lifecycle of all systems and applications; build an enterprise-wide security architecture; and integrate security reviews into all critical processes.

    About the Authors

    Adam Palmer is an Adjunct Senior Fellow at the Centre of Excellence for National Security (CENS), S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. He also the Chief Information Security Officer (CISO) at First Hawaiian Bank in the US.

    Wias Issa is a cybersecurity expert with concentration in threat response countermeasures and cryptography. He has held several executive level positions at Symantec and Mandiant in Singapore, Japan, and the US. He is CEO of Ubiq Security in the US.

    Categories: RSIS Commentary Series / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / International Political Economy / International Politics and Security

    Popular Links

    About RSISResearch ProgrammesGraduate EducationPublicationsEventsAdmissionsCareersVideo/Audio ChannelRSIS Intranet

    Connect with Us

    rsis.ntu
    rsis_ntu
    rsisntu
    rsisvideocast
    school/rsis-ntu
    rsis.sg
    rsissg
    RSIS
    RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    Getting to RSIS

    Nanyang Technological University
    Block S4, Level B3,
    50 Nanyang Avenue,
    Singapore 639798

    Click here for direction to RSIS

    Get in Touch

      Copyright © S. Rajaratnam School of International Studies. All rights reserved.
      Privacy Statement / Terms of Use
      Help us improve

        Rate your experience with this website
        123456
        Not satisfiedVery satisfied
        What did you like?
        0/255 characters
        What can be improved?
        0/255 characters
        Your email
        Please enter a valid email.
        Thank you for your feedback.
        This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
        OK
        Latest Book
        more info