Open banking: Securing the customer financial data supply chain

On the surface, Open Banking seems straightforward: providing APIs that allow partners to build applications and services by accessing a financial institution’s data and functionality. The potential is undeniable, but the road ahead passes through the adoption of new frameworks for API development, integration, and security. More importantly, it requires financial institutions, API aggregators, and FinTech companies to have a solid API Security infrastructure in place.

Two degrees of separation (at least)

Open Banking regulations have led to APIs becoming a strategic infrastructure for partner integration and connectivity. Onboarding a new partner seems tough, but it’s nothing compared to managing a complex network that includes unknown users and consumers.

Consider this: when a user wants to access financial information through a third-party fintech application, they enter their banking credentials in the app, which in turn uses APIs to log into the bank and exchange data. In many cases, this process is further mediated by a banking aggregator, which sits between the application and the bank’s API.

Financial data indirectly accessible to users can create new security governance concerns, such as multiple third parties handling banking credentials. Additionally, it can lead to blind spots in how consumers (apps) and users are interacting with the APIs. As a result, the effectiveness of the security controls on data access declines, increasing the risk for data leakage and API abuses from third parties.

Security leaders must have visibility into their partners and users and how they are interacting with APIs. Visibility is essential for ensuring the integrity of partner integration.

From partner integration to partner integrity

The financial data supply chains of open banks have a great deal of variance. Nevertheless, while the API strategy and implementation differ, the three ‘links’ of the chain are always present: the APIs, consumers, and users.

Gaining visibility into all three is key to establishing the integrity of data access, preventing data leakage and API abuses from third parties. In turn, this heightened visibility can also go beyond security and uncover opportunities for improved performance and customer experience.


Know your API: The first step towards partner integrity is to ensure that all of the organization’s APIs, endpoints, and methods are accounted for, and that no ‘Shadow APIs’ or legacy APIs are left behind. This is easier said than done, as APIs proliferate across platforms, environments, teams, and applications, and are continuously deployed with new functionality.

Know your consumer: Once an inventory is in place, it is key to map all consumers – partner applications – accessing the APIs. When it comes to consumer behavior, understanding the how, where and when is just as important as who. The unique profile of every consumer needs to be established, along with proper mechanisms to identify changes – and anomalies.

Know your user: Finally, the third layer of visibility addresses user behavior. This starts with making sure that user identity is maintained, authenticated, and authorized. From there, deep behavior modeling can further profile user behavior, establish usage patterns, and alert on malicious activity and functional attacks carried out by legitimate users.
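The three layers of visibility above, worked through as an added example (not code from the original post or from Imvision or MuleSoft): the endpoint inventory, the per-partner consent scopes, and the gateway access log lines are all constructed and hypothetical. Each check maps to one link of the chain: traffic hitting endpoints missing from the inventory (shadow APIs), a partner app calling outside its registered scope, and a single end user reaching more distinct accounts than a normal session would.

```python
import re
from collections import defaultdict

# Inventory, partner scopes, and log lines are all constructed for this example.
API_INVENTORY = {("GET", "/accounts"), ("GET", "/accounts/{id}/balances"),
                 ("GET", "/accounts/{id}/transactions"), ("POST", "/payments")}
# Per-consumer (partner app) baseline: the endpoints its registered consent scope covers.
CONSUMER_SCOPES = {
    "budget-app": {("GET", "/accounts"), ("GET", "/accounts/{id}/balances"),
                   ("GET", "/accounts/{id}/transactions")},
    "lender-app": {("GET", "/accounts"), ("GET", "/accounts/{id}/transactions"),
                   ("POST", "/payments")},
}
SAMPLE_LOG = """\
consumer=budget-app user=u1001 GET /accounts
consumer=budget-app user=u1001 GET /accounts/7/balances
consumer=budget-app user=u1001 POST /payments
consumer=budget-app user=u1002 GET /admin/users
consumer=lender-app user=u1003 GET /accounts/3/transactions
consumer=lender-app user=u1003 GET /accounts/4/transactions
consumer=lender-app user=u1003 GET /accounts/5/transactions
"""
LINE = re.compile(r"consumer=(\S+) user=(\S+) (\S+) (\S+)$")

def normalise(path):
    """Collapse numeric path segments to {id} so /accounts/7/balances matches the inventory."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def parse_log(text):
    events = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        consumer, user, method, path = m.groups()
        events.append({"consumer": consumer, "user": user, "path": path,
                       "endpoint": (method, normalise(path))})
    return events

def shadow_endpoints(events):
    """Link 1, know your API: endpoints seen in traffic but absent from the inventory."""
    return {e["endpoint"] for e in events} - API_INVENTORY

def consumer_anomalies(events):
    """Link 2, know your consumer: calls a partner app makes outside its registered scope."""
    return [e for e in events if e["endpoint"] not in CONSUMER_SCOPES.get(e["consumer"], set())]

def user_anomalies(events, max_accounts=2):
    """Link 3, know your user: a user touching more distinct account ids than expected."""
    touched = defaultdict(set)
    for e in events:
        if m := re.match(r"/accounts/(\d+)", e["path"]):
            touched[e["user"]].add(m.group(1))
    return {user for user, ids in touched.items() if len(ids) > max_accounts}
```

On the sample log this reports `/admin/users` as a shadow endpoint, the two budget-app calls outside its scope, and user u1003 walking three different accounts in one session; real deployments would feed the same checks from gateway logs and a registration database rather than inline constants.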

Opening up without being vulnerable

As customers’ expectations of the quality and variety of services available through digital channels rise, banks invest in providing a compelling customer experience. Open banking is quickly evolving into a major source of innovation, reshaping the banking industry yet again. The open banking revolution is well on its way, heavily relying on APIs.

Acknowledging the complexities around behavior visibility when it comes to open banking APIs, Imvision augments MuleSoft’s security capabilities to deliver advanced API security for enterprises.

The pairing of Imvision with MuleSoft technology enables enterprises to achieve security consistency across teams, environments, and use cases. Joint clients are able to enhance their API security backbone to cover production, testing, and development, weaving API management and security across the API lifecycle.

*** This is a Security Bloggers Network syndicated blog from Imvision Blog authored by Simon Sorrel. Read the original post at: