By Lars Larsson, CEO of Varnish Software
Seven security features and best practices to build into modern API infrastructures
Application programming interfaces (APIs) have been around for decades, but only with the rise of the FANG (Facebook, Amazon, Netflix, Google) companies over the last five years have new developments in cloud and mobile technologies really kicked off. During this time APIs went from being development tools discussed primarily in tech circles to being the business drivers of what is now called the API economy.
Whether you believe analyst predictions, industry reports or trending topics – APIs are now among the most popular financial services technologies. No surprise when you consider that APIs are the glue that connects “things” and applications to the internet in a modern web architecture. Financial services companies access (or give access to) these things, applications and the data they generate in order to harvest new business opportunities.
In the rather conservative financial services industry with many new challengers on the scene, APIs promise to inject new life into digital transformation initiatives that improve communications and services. In the midst of all the hype, however, financial services companies need to be mindful that APIs can also quickly turn into a weak security link.
Today’s hackers aren’t just breaking into servers; they’re attacking how people communicate with infrastructure—exploiting billing systems, user signups and the overall API infrastructure. With more levels of exposure, the first vulnerability hackers will seek to exploit will be the communication between applications, servers and other devices. Therefore, in financial services, security should always be built into an API infrastructure from the start.
Below are seven security features and best practices financial services companies should include in their API architectures:
Basic authentication and authorisation
One important and often missed step in securing the API infrastructure is to add a basic authentication and authorisation layer. Authentication confirms a person’s identity and can happen through API keys (which are essentially authentication tokens). Authorisation confirms what that person is allowed to do, and rules can be added to grant access to individual APIs based on the client’s identity.
If a person triggers an API request (for example, if someone wants to access an application or database), this request is matched against a defined ruleset in the local database for authentication and authorisation. Who is granted access to what is defined here. If the lookup is successful, meaning the user has been granted the right to access, the request proceeds. If it fails, access through the API is denied.
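The two lookups described above (identify the caller, then check the ruleset for what that caller may do) as an added, self-contained example; this is illustrative code written for this article, not Varnish Software's code. The client table, API keys, permission names and the `/v1/...` paths are all constructed for the example. Keys are stored only as SHA-256 digests, the digest comparison is constant-time, and anything the ruleset does not list is denied by default.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed "local database" of API clients. The keys themselves are never
# stored; only SHA-256 digests are, so a leaked table does not yield usable
# credentials. Key strings, client names and permissions are made up here.
def _digest(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

CLIENTS: Dict[str, Dict] = {
    _digest("key-acme-123"): {"client": "acme-mobile",
                              "permissions": {"accounts:read"}},
    _digest("key-ops-456"): {"client": "ops-backoffice",
                             "permissions": {"accounts:read", "accounts:write", "audit:read"}},
}

# Authorisation ruleset: the permission an (HTTP method, path prefix) pair
# requires. Anything not listed here is denied by default.
RULES = [
    ("GET", "/v1/accounts", "accounts:read"),
    ("POST", "/v1/accounts", "accounts:write"),
    ("GET", "/v1/audit", "audit:read"),
]


@dataclass
class Decision:
    allowed: bool
    status: int            # HTTP status the gateway would answer with
    client: Optional[str] = None
    reason: str = ""


def authenticate(api_key: Optional[str]) -> Optional[Dict]:
    """Identify the caller from the presented API key.

    hmac.compare_digest keeps the comparison constant-time, so the response
    time does not reveal how many leading characters of a guess matched.
    """
    if not api_key:
        return None
    presented = _digest(api_key)
    for stored_digest, record in CLIENTS.items():
        if hmac.compare_digest(stored_digest, presented):
            return record
    return None


def required_permission(method: str, path: str) -> Optional[str]:
    """Return the permission the ruleset demands for this call, or None when
    no rule covers it (which the caller treats as a denial)."""
    for rule_method, prefix, permission in RULES:
        if method == rule_method and (path == prefix or path.startswith(prefix + "/")):
            return permission
    return None


def check_request(api_key: Optional[str], method: str, path: str) -> Decision:
    """Authenticate first, then authorise against the ruleset."""
    record = authenticate(api_key)
    if record is None:
        return Decision(False, 401, reason="unknown or missing API key")
    needed = required_permission(method, path)
    if needed is None:
        return Decision(False, 403, record["client"], "no rule grants this endpoint")
    if needed not in record["permissions"]:
        return Decision(False, 403, record["client"], f"missing permission {needed}")
    return Decision(True, 200, record["client"])


if __name__ == "__main__":
    for key, method, path in [("key-acme-123", "GET", "/v1/accounts/42"),
                              ("key-acme-123", "POST", "/v1/accounts"),
                              ("not-a-key", "GET", "/v1/accounts")]:
        print(method, path, check_request(key, method, path))
```

The split into a 401 (we do not know who you are) and a 403 (we know who you are and the answer is no) mirrors the article's two steps, and the default-deny in `required_permission` means a newly added endpoint is unreachable until someone writes a rule for it.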
Transport security through TLS/SSL encryption
Authentication and authorisation are not enough on their own; you also need to ensure that data travelling through the API is secured. That’s where Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL) and often referred to as TLS/SSL, comes into play. TLS/SSL are cryptographic protocols that provide communication security between two communicating computer applications.
Full TLS/SSL support on both the server backend and the client side should therefore be integrated into the API infrastructure. Nevertheless, as TLS/SSL protocols are continuously under attack, it’s important to pay attention to new developments and versions.
Further, you should verify the parameters of your TLS/SSL certificate to ensure they are working as expected.
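An added example of both points above, written for this article rather than taken from it or from Varnish Software: a client-side TLS context that refuses legacy protocol versions and always verifies the peer, plus a check of certificate parameters (validity window, expiry margin, hostname coverage) in the dictionary form Python's `SSLSocket.getpeercert()` returns. The sample certificate, the `example.test` hostnames and the reference dates are constructed; the 14-day expiry margin is an assumed operational threshold.

```python
import ssl
from typing import Dict, List

MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def make_client_context() -> ssl.SSLContext:
    """Client-side TLS settings: modern protocol floor, chain and hostname checks on."""
    ctx = ssl.create_default_context()       # system CA store, CERT_REQUIRED
    ctx.minimum_version = MIN_TLS_VERSION    # SSLv3, TLS 1.0 and 1.1 are not negotiable
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _san_matches(pattern: str, hostname: str) -> bool:
    """dNSName match with the usual single left-most-label wildcard rule."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def check_cert_parameters(cert: Dict, hostname: str, now: float,
                          min_days_left: int = 14) -> List[str]:
    """Inspect a certificate in getpeercert() dict form and return a list of
    problems; an empty list means the parameters look healthy for `now`."""
    problems: List[str] = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now >= not_after:
        problems.append("certificate has expired")
    elif not_after - now < min_days_left * 86400:
        problems.append(f"certificate expires in under {min_days_left} days")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        problems.append("no DNS subjectAltName entries (CN alone is not sufficient)")
    elif not any(_san_matches(n, hostname) for n in names):
        problems.append(f"hostname {hostname} not covered by subjectAltName")
    return problems


# Constructed sample certificate (made-up values) in the shape getpeercert()
# produces, and two constructed reference times to evaluate it at.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "issuer": ((("organizationName", "Example Test CA"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "api.example.test"), ("DNS", "*.api.example.test")),
}
MID_VALIDITY = ssl.cert_time_to_seconds("Jun 15 00:00:00 2025 GMT")
NEAR_EXPIRY = ssl.cert_time_to_seconds("Jan 10 00:00:00 2026 GMT")


if __name__ == "__main__":
    ctx = make_client_context()
    print("minimum TLS version:", ctx.minimum_version)
    print(check_cert_parameters(SAMPLE_CERT, "api.example.test", MID_VALIDITY))
    print(check_cert_parameters(SAMPLE_CERT, "api.example.test", NEAR_EXPIRY))
```

Running `check_cert_parameters` on a schedule against your own endpoints turns "verify the parameters" into a concrete alert (an expiring certificate or a hostname that a renewal silently dropped) instead of an outage.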
Data services instead of direct data access
Users should not access the database directly but through data services. The reason is that security policies like authentication and authorisation are usually enforced at the application layer and are often not supported by the database itself. To ensure that the defined access control rules work correctly and that important security concepts are supported, access should always go through data services.
Audit logs and hashing personally identifiable information
Audit logs provide you with information about what resources were accessed through the API. They include information on destination and source addresses, timestamps and user login information. Audit logs help to discover whether an application is being or has been attacked. The level or extent to which a company should run audit logs depends on whether the applications or information accessed through the API are mission critical or security sensitive. However, it’s important to ensure that any personally identifiable information (PII) is removed or encrypted. One way of doing this is to hash the PII, which means that a piece of text is transformed into non-identifying data, usually a fixed-length numeric value.
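An added example of an audit line with hashed PII; this is illustrative code for this article, not Varnish Software's. It uses a keyed hash (HMAC-SHA256) rather than a bare hash, because e-mail addresses and usernames have little entropy: anyone holding the logs could hash a list of candidate addresses and match them, unless a secret key they do not have is part of the computation. The key value, the field names treated as PII and the sample event are constructed; the key is assumed to live in a secret store separate from the logs.

```python
import hashlib
import hmac
import json
from typing import Dict

# Assumption for this example: the pseudonymisation key is a secret held
# outside the log store (secret manager or HSM). Constructed placeholder value.
PII_KEY = b"constructed-example-key-replace-me"

# Fields of an audit record that identify a person (constructed list).
PII_FIELDS = {"user", "email", "account_holder"}


def pseudonymise(value: str, key: bytes = PII_KEY) -> str:
    """Keyed hash of a PII value (HMAC-SHA256, truncated to 128 bits).

    The same input always yields the same pseudonym, so an investigator who
    holds the key can still find one person's entries; without the key the
    pseudonym cannot be matched back to a guessed address.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return mac[:32]


def sanitise(record: Dict[str, object]) -> Dict[str, object]:
    """Replace every PII field with its pseudonym; leave the rest untouched."""
    return {k: (pseudonymise(str(v)) if k in PII_FIELDS and v is not None else v)
            for k, v in record.items()}


def audit_line(record: Dict[str, object]) -> str:
    """One JSON audit line carrying source/destination, timestamp, outcome and
    the pseudonymised login identity."""
    return json.dumps(sanitise(record), sort_keys=True, separators=(",", ":"))


# Constructed sample event (documentation IP ranges, made-up user).
SAMPLE_EVENT = {
    "ts": "2021-01-20T09:15:02Z",
    "src": "203.0.113.7",
    "dst": "10.0.5.21:8443",
    "method": "GET",
    "path": "/v1/accounts/42/balance",
    "status": 200,
    "user": "alice@example.test",
    "email": "alice@example.test",
}


if __name__ == "__main__":
    print(audit_line(SAMPLE_EVENT))
    # With the key, the same person's entries remain searchable:
    print("pseudonym to search for:", pseudonymise("alice@example.test"))
```

Note that request paths can carry PII too (an account number or e-mail in the URL); if yours do, add those fields, or the relevant path segments, to the set that gets pseudonymised.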
Web application firewalls (WAFs)
A WAF is a kind of firewall that applies a set of rules to an HTTP conversation. It controls access to an application or service by blocking any API call that does not meet the firewall’s configured policy. WAFs are a good complement to the other measures that secure your API infrastructure.
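An added example of the rule evaluation a WAF performs on one HTTP request, written for this article and not taken from any WAF product: a positive security model where the policy describes what a legitimate API call looks like (method, path shape, required headers, body size, media type) and everything else is blocked. The `Policy` values, the `/v1/...` paths and the header names are constructed assumptions for a fictional accounts API.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Pattern, Set, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Policy:
    """Positive security model: only what the policy describes is let through."""
    allowed_methods: Set[str]
    path_allowlist: List[Pattern]
    required_headers: Set[str]
    json_only_methods: Set[str]
    max_body_bytes: int


# Constructed policy for a fictional accounts API; every value is an
# assumption chosen for this example.
EXAMPLE_POLICY = Policy(
    allowed_methods={"GET", "POST", "DELETE"},
    path_allowlist=[re.compile(r"^/v1/accounts(/[0-9]{1,12})?$"),
                    re.compile(r"^/v1/audit$")],
    required_headers={"x-api-key"},
    json_only_methods={"POST"},
    max_body_bytes=64 * 1024,
)


def evaluate(req: Request, policy: Policy = EXAMPLE_POLICY) -> Tuple[bool, List[str]]:
    """Apply the rule set to one request; returns (allowed, list of violations).

    All rules are evaluated rather than stopping at the first failure, so the
    log line for a blocked call explains every way it fell outside policy.
    """
    violations: List[str] = []
    headers = {k.lower(): v for k, v in req.headers.items()}   # header names are case-insensitive

    if req.method not in policy.allowed_methods:
        violations.append(f"method {req.method} not permitted")
    if not any(p.match(req.path) for p in policy.path_allowlist):
        violations.append(f"path {req.path!r} not in allowlist")
    for name in sorted(policy.required_headers):
        if name not in headers:
            violations.append(f"missing required header {name}")
    if len(req.body) > policy.max_body_bytes:
        violations.append(f"body of {len(req.body)} bytes exceeds {policy.max_body_bytes}")
    if req.method in policy.json_only_methods:
        media_type = headers.get("content-type", "").split(";")[0].strip().lower()
        if media_type != "application/json":
            violations.append(f"content-type {media_type!r} not allowed for {req.method}")
    return (not violations, violations)


if __name__ == "__main__":
    samples = [
        Request("GET", "/v1/accounts/42", {"X-Api-Key": "k"}),
        Request("POST", "/v1/accounts", {"X-Api-Key": "k", "Content-Type": "text/plain"}, b"{}"),
        Request("TRACE", "/v1/admin"),
    ]
    for r in samples:
        print(r.method, r.path, evaluate(r))
```

The strict path regex is the important line: an API surface is small and regular enough to enumerate, which is what makes an allowlist practical for APIs where it would be unworkable for a general website.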
Update and patch management strategy
Very often, breaches occur through vulnerabilities that are not only well known but for which security patches already exist. With an update and patch management strategy in place, such breaches can be reduced.
Best practices for specific platform/development stack
Finally, to ensure the security of your API infrastructure, a rule of thumb is to always follow the best practices of the specific platform in use and of the development stack.
By designing the API infrastructure from the start with these security features and best practices in mind, financial services companies need not fear that their APIs will turn into the weak link, and can count on them as drivers of digital transformation initiatives.
The five ways to ensure cyber security in 2021
Web hosting experts Fasthosts give their top five tips for keeping customers secure in 2021
The pandemic has allowed the UK’s e-commerce sector to hit a record number of online sales in 13 years. So, with more online shoppers than ever before, how can we promise customers online security for a better 2021?
Web hosting experts Fasthosts.co.uk have compiled a list of top tips which will optimise user experience, ensure online security, and protect websites from unauthorised access as we enter the new year.
Fasthosts has pulled together the top five tips for ensuring cyber security and how you can implement them in 2021.
Limit User Access and Restrict Admin Privileges
Ensure cyber security by simply limiting who can access sensitive information. The more users with the ability to enter off-limits areas, the greater the likelihood of a cyber-criminal breaching your system.
Through limiting user access, you’re immediately reducing the risk of an online assault on your web space. A hierarchical structure means only those who need access to personal, password and payment data have the permissions to go ahead and do so.
The framework for a restricted admin website can be as intricate as necessary depending on your needs, but it can also be as simple as creating two different site formats which split up administrators and standard users.
Abide by Best Practice Security Standards
When protecting customer data it’s crucial that you adhere to universal security standards and attain all up-to-date certifications.
Encrypting data transferred between servers is one of the first steps in creating a secure online environment. Secure Sockets Layer (SSL) is a protocol that encodes information through 256-bit encryption, making it all but impossible to read should it be intercepted by a malicious third party. SSL certification also presents your website as legitimate by proving its safety with a padlock in the address bar and the letters ‘https://’ at the beginning rather than ‘http://’.
If you’re processing payments, you should be following the standards laid out by the Payment Card Industry (PCI). The PCI offers advice on the areas that require particular care, including sensitive authentication data (CAV2, CVC2, CVV2, CID, PINs, PIN blocks, and magnetic stripe data) and a user’s financial information (card number, cardholder name, expiration date, and service code).
You’ll need to complete a self-assessment exam to double-check what level of compliance you’re currently working at and how you can further improve online security.
Constantly Monitor User Activity
Establishing a system that allows you to keep tabs on activity and rapidly respond to suspicious on-site movements is one of the most effective ways of preserving cyber security. By enforcing a framework like this (often referred to as cyber monitoring) it becomes easier to uncover security weak spots, identify common user practices that don’t raise concern, and identify behaviour that shows malicious intent.
It’s important to perform regular testing across all of your protective systems. This makes sure your site isn’t open to a silent attack and puts your security methods into practice.
Encouraging a Strong Password is Crucial
It doesn’t matter how flashy or intricate your security software is, if a user is using a feeble password, your system is left open for opportunist hackers to invade. Passwords that are most easily guessed often include predictable patterns or personal information such as names, birthdays, childhood pets, or popular sports teams.
By making it compulsory to sign up with a stronger password, ideally containing at least one random number, capital letter and special character, you’re doing all you can as a responsible website owner to ensure the safety of both your users and customers. Similarly, encouraging users to update their password regularly helps reduce the potential for hackers to access sensitive information.
If users object to having to remember a complex password, offer a password manager that keeps track of any changes.
Implement Two-Factor Authentication
Implement two-factor authentication. Even if an unwelcome user somehow guesses a user’s password, the intrusion is made very difficult by the additional protective layer.
Two-factor authentication is really simple to use: you send a user a randomised code as an SMS or notification after they’ve entered their correct password. Only after entering the code when prompted will they be permitted to access the site. Enabling two-factor authentication requires very little effort on a user’s part, but it’s a double-barrelled security measure that makes ensuring the safety of personal and payment data a lot more efficient.
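The server side of the flow just described, as an added example written for this article (not Fasthosts' code): after the password check succeeds, issue a random numeric code for out-of-band delivery, keep only a keyed hash of it with an expiry, and accept it once, with a bounded number of guesses. The six-digit length, five-minute lifetime, five-attempt limit and the in-memory store are assumptions; a real deployment would hold the pending challenges in server-side session state and hand the code to an SMS or push provider.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_DIGITS = 6           # assumed code length
CODE_TTL_SECONDS = 300    # assumed lifetime of a code
MAX_ATTEMPTS = 5          # assumed guess budget per code


@dataclass
class Challenge:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


# Constructed in-memory store keyed by login session; a per-process secret
# keys the hashes so a dump of this store alone does not reveal live codes.
_pending: Dict[str, Challenge] = {}
_pepper = secrets.token_bytes(32)


def _hash(code: str) -> bytes:
    return hmac.new(_pepper, code.encode("utf-8"), hashlib.sha256).digest()


def issue_code(session_id: str, now: Optional[float] = None) -> str:
    """Create the code to deliver out of band (SMS/push) after the password
    step succeeded. The plaintext code is returned for delivery only; the
    store keeps just its keyed hash and expiry."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG, zero-padded
    _pending[session_id] = Challenge(_hash(code), now + CODE_TTL_SECONDS)
    return code


def verify_code(session_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept a submitted code at most once, within its lifetime and within the
    attempt budget; any failure leaves the caller still unauthenticated."""
    now = time.time() if now is None else now
    challenge = _pending.get(session_id)
    if challenge is None:
        return False
    if now > challenge.expires_at or challenge.attempts >= MAX_ATTEMPTS:
        _pending.pop(session_id, None)      # stale or exhausted: discard
        return False
    challenge.attempts += 1
    if hmac.compare_digest(_hash(submitted), challenge.code_hash):
        _pending.pop(session_id, None)      # single use
        return True
    if challenge.attempts >= MAX_ATTEMPTS:
        _pending.pop(session_id, None)      # budget spent: a new login is required
    return False


if __name__ == "__main__":
    code = issue_code("demo-session")
    print("deliver to user:", code)
    print("wrong guess accepted?", verify_code("demo-session", "000000"))
    print("correct code accepted?", verify_code("demo-session", code))
    print("replay accepted?", verify_code("demo-session", code))
```

The attempt cap is what makes a six-digit code adequate: without it, one million guesses is a small number for a script. Delivery over SMS is the weakest of the common second factors (it depends on the phone network), so where users can be moved to an authenticator app or hardware key, the same server logic applies with a stronger channel.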
Cyber security is crucial in delivering a reliable website, whether for your customers or administrators. For the full article please visit https://www.fasthosts.co.uk/blog/five-ways-to-ensure-cyber-security-in-2021/
Holding Cloud To Account, How Cloud Adds Up In Financial Services
By Dom Poloniecki, General Manager, Western Europe and Sub-Saharan Africa at Nutanix
Cloud computing and the deployment of increasingly cloud-native technologies is happening across every industry vertical. Even in industries where a degree of previous inertia existed such as legal and finance, the drive to cloud flexibility and scalability has become a primary driver for the technology fabric that firms in these markets run on.
As traditionalist operations in the legal trade start to undergo increasing levels of digital transformation, the weighty behemoth systems running financial institutions are also now being carefully and strategically replaced by more efficient, more flexible and more cost-effective cloud installations. Now a proud owner of its sub-sector label and hashtag, FinTech is the new financial IT… and FinTech was born on the cloud.
As part of the Third Annual Enterprise Cloud Index report by Nutanix, a specific analysis of the 3,400 IT decision-makers questioned is now dedicated to examining how financial services organisations are using cloud technologies. Looking at the key data points related to Financial Services, we can start to understand the implementation, workload separation and (in most cases still, as of 2020) the migration issues that these firms are experiencing.
In the world of Financial Services cloud computing, the importance of an integrated and intelligently managed hybrid framework cannot be overstated. Financial operations can of course draw upon the resource backbone of public cloud for their foundational operational technology requirements. However, they often still need to run a carefully deployed private cloud footprint commensurate with the privacy and security needs of any organisation operating in the financial sector.
The central importance of hybrid
Hybrid cloud and the use of Hyperconverged Infrastructure (HCI) is therefore a key cornerstone for Financial Services hybrid cloud development. This is the route to a cohesively managed hybrid cloud environment, where workloads are optimised according to the security, performance and compliance needs arising from the use case of the data and applications at hand.
The Nutanix Enterprise Cloud Index findings back this reality up and show that the majority (86%) of financial services respondents identify hybrid private/public cloud as the ideal IT operating model for their organisation. So much momentum is there now in this space that financial services companies are running more applications in private clouds than most other industries polled. Their reported usage of private cloud (39%) outpaces all other industries except for IT, tech and telecoms (40%).
As a further validating and driving factor here, HCI is the lower substrate technology behind the big public cloud offerings from Amazon, Google and Microsoft. So HCI and the wider hybrid approach are no longer perceived as ‘just’ a route to cost savings, which perhaps they were as recently as half a decade ago; they now represent an important enabling and facilitating technology to reduce complexity and increase scalability. In the hybrid cloud world where cost is no longer the main driver for cloud implementation, we can say that we have moved on to a point where we identify the ability to ‘achieve business outcomes’ as the primary driver.
HCI for modernised financial challengers
Given the growth of so-called ‘challenger banks’ shaking up financial services with new online services, extended customer loyalty offers driven through dedicated mobile banking applications and other fast-moving business models, traditional financial institutions have realised that they need to become altogether more agile.
Adopting hybrid cloud in Financial Services allows even older and more established firms to build scalable and easily managed private clouds as part of a hybrid cloud model. This scalability can be engineered for rapid growth when and where it happens, but it is also scalability that enables financial organisations to rein in compute resources serving banking products that have proved to be end-of-life and ultimately laid dormant or retired.
It’s important to remember that, as powerful as it is, cloud can still be a complex consideration, especially when aggressively deployed in an essentially hybrid mix of public and private cloud instances. The Enterprise Cloud Index found that for every aggressive hybrid design being deployed, there is an equally aggressive drive to deploy Hyperconverged Infrastructure (HCI).
This is because HCI helps accelerate cloud adoption by sharply reducing the time it takes to build the software-defined infrastructure necessary to support private cloud. It also supports the rapid capacity expansion that enables the scalability benefits of cloud technology. Nearly 50% of the financial sector respondents said they’ve either fully deployed HCI or are in the process of doing so. Another 38% said they will be deploying HCI within the next 12 to 24 months.
It is difficult not to mention the impact and legacy of 2020 and the global pandemic on the financial services technology market space. More than three quarters (78%) of financial services respondents said Covid-19 has caused IT to be viewed more strategically in their organisations. In addition, 50% of financial services respondents said they increased their investment in hybrid cloud as a direct result of the pandemic.
Choice: from the bank teller to the backbone
The key point we keep coming back to here is choice. As financial institutions will be working to offer corporate and individual customers the widest choice of products and services, so too will they need to gain choice of operational compute fabric in the shape of the cloud deployments that they do actually make. More specifically, it’s about these Financial Services businesses having the flexibility to concentrate on the delivery of strategic business outcomes quickly, easily and – crucially – without the need to keep within the limitations of a particular supporting IT model.
As previous Nutanix surveys have shown, companies consistently express a desire for the ability to run workloads in the infrastructure best suited to them, based on a variety of criteria. Be that wanting to enhance security; rapidly on-board new apps during takeovers and acquisitions; reach new markets with different compliance needs and so on.
Over the next five years, financial services organisations expect a significant drop of 13 percentage points in their use of non-cloud-enabled datacentre technology, taking them down to less than 1% penetration. As in almost all aspects of life, some products, tools and processes that we took as standard parts of the way the world works are eventually superseded.
Nobody uses a ‘flatbed slider’ paper-slip credit card reader anymore to take a payment – and nobody will use non-cloud financial services IT functions in the very near future. There may be a few archaic legacy hangers-on, but they’ll be nothing more than the exception that proves the rule. Hybrid cloud for our Financial Services’ future? That’ll do nicely.
First of a kind Virtual Coffee Machine app with social meeting moments to support workforce wellbeing in a remote workplace
Powell Software’s first in a series of wellbeing technology innovations help remote employees socially connect with colleagues and keep the workplace culture alive
As the third UK lockdown continues and many countries worldwide face severe restrictions, Powell Software, a global organisation creating digital solutions and tools for the digital workplace, has launched the first of its kind Virtual Coffee Machine, an application within Microsoft Teams to ensure employees stay better connected, positively engaged and take regular breaks while working from home.
With employee wellbeing at the top of the global workforce agenda for 2021, Powell’s Virtual Coffee Machine app positively connects employees through virtual chats to maintain a culture of togetherness, even when apart.
Replacing the absence of the in-person coffee catch up, HR can swiftly set up a Virtual Coffee Machine break within any Teams channel, encouraging employees to take regular short breaks while inspiring networking and socialising between colleagues.
Matthieu Silbermann, Chief Product Officer at Powell Software said: “The effects of the Pandemic have reshaped the Digital Workplace and research has found that three quarters of employers intend to shift some employees to remote work permanently. However, with one in five remote employees naming loneliness as their top complaint regarding work from home, reinforcing togetherness needs to be a top priority.”
Take a virtual coffee
HR can set up a Virtual Coffee Machine meeting within any Teams channel defining time, frequency and date, and number of people. The app then uses an algorithm that collects data from employees registered in Powell Teams, automatically comparing outlook calendars and generating meeting invites based on the criteria of the meeting. For example, if the Virtual Coffee Machine meeting criteria was set at a maximum of five people and ten people are available to join then two meeting invitations would be sent.
Virtual Coffee Machine consciously avoids one to one or full team meetings, focusing on creating intimate, short social breaks where employees can take time out to engage with colleagues in a positive digital space. Colleagues can also ‘travel’ to differently located virtual offices across their organisation to meet colleagues for a coffee break in different virtual buildings.
Employees are unaware of who else will join the group until the event, to encourage different team members to meet, chat and get to know each other. The app automatically books an agenda and also suggests ice breakers like ‘what was the last film you saw or book?’
If a team member does not want to or cannot join a Virtual Coffee Meeting, they simply decline the meeting invitation.
Silbermann continues: “Powell Software is passionate about connecting employees to their organisation and to each other, ensuring that they have a positive and stimulating experience at work, every day. Remote workers need to be connected, they need to feel part of the company, the culture and feel able to socialise in the hybrid or remote workplace.
“Powell’s new Virtual Coffee Machine app is all about the employee. We all miss the little social moments at the office, whether they be at the coffee machine or the cold water fountain. Coffee Machine allows us to progressively see our workplaces positively come to life again in a virtual way, promoting connectivity, collaboration and employee wellbeing. It’s part of a bigger goal and series of initiatives to bring the virtual building to life.”