Open banking, which is seeing increasing adoption, involves banks exposing APIs for their core services to fintechs, retailers, insurtechs and corporates, who in turn build products on top of these services to enhance the customer experience. The resulting API ecosystem lets banks create diverse revenue streams, as it supports customer authentication, consent for data sharing, and many other processes.
Sharing user banking data across the fintech ecosystem through APIs, however, demands greater attention to security. The attack surface of the APIs must be minimized, which is only possible if security concerns are factored in at the design stage. Banks need to adopt a security-by-design approach to realize the benefits of the API-driven fintech ecosystem.
Though regulatory bodies have mandated specific authorization and authentication mechanisms, these are not by themselves sufficient to guarantee data privacy or guard against cyber security threats. The majority of API attacks exploit flaws in business logic and access control (for example, a handler that trusts a caller-supplied account ID without checking that the caller actually owns that account) rather than widely known vulnerability classes such as SQL injection and cross-site scripting, or volumetric attacks such as distributed denial-of-service (DDoS).
Cloud platforms should have built-in capabilities for continuously assessing APIs and role mappings as part of application development, and should ensure that regressions are not introduced as applications grow more complex.
DevSecOps practices discover, track and fix role-based access control (RBAC) vulnerabilities earlier in the development cycle, preventing privilege escalation and unauthorized access to API resources. Continuous API scanning helps businesses expedite the release cycle of secured APIs.
As different development teams with disparate tool sets work on multiple APIs, enterprises must follow best practices such as validating request schemas, tracking configuration changes, enabling security automation through bot protection and vulnerability checks, securing private endpoints, encrypting data, enforcing access control on resources, and monitoring for security violations.
In AWS environments there are a host of native capabilities for this. AWS WAF with the Bot Control managed rule group, for example, labels requests that come from known or suspected bots so that rules can block or rate-limit them, and the WAF logs record the source IP address of each request that was blocked. Encrypting API request and response traffic in transit with TLS protects the API endpoints; AWS Certificate Manager provisions and renews the TLS certificates that API Gateway and load balancers terminate.
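The two controls that matter most in the list above, schema validation and object-level access control, are easy to state and easy to get wrong. The following is an added example, not code from TCS, AWS or the page; it shows a P2P transfer handler that validates the request body against a strict schema, and contrasts a vulnerable version that trusts the account ID in the URL path with a hardened version that first checks that the authenticated subject owns the account. The account store, subject names and handler signatures are assumptions constructed for illustration.

```python
"""Schema validation plus object-level authorization for a P2P transfer endpoint.

Added example, not TCS or AWS code. The account store, subject names and
handler signatures are constructed for illustration; in a real deployment the
subject comes from the validated OAuth access token, never from the request.
"""
from decimal import Decimal, InvalidOperation
import copy

# Constructed sample data: account ID -> owner (the OAuth subject) and balance.
ACCOUNTS = {
    "acc-100": {"owner": "user-alice", "balance": Decimal("500.00")},
    "acc-200": {"owner": "user-bob", "balance": Decimal("80.00")},
}

# Allowed fields and their JSON types for POST /accounts/{id}/transfers.
TRANSFER_SCHEMA = {"to_account": str, "amount": str, "reference": str}


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def fresh_accounts():
    """Deep copy of the sample store so every call starts from the same state."""
    return copy.deepcopy(ACCOUNTS)


def validate_transfer_schema(body):
    """Reject unknown or missing fields, wrong types, and malformed amounts."""
    if not isinstance(body, dict) or set(body) != set(TRANSFER_SCHEMA):
        raise ApiError(400, "unexpected or missing fields")
    for field, typ in TRANSFER_SCHEMA.items():
        if not isinstance(body[field], typ):
            raise ApiError(400, f"{field} must be a {typ.__name__}")
    # Money is parsed as Decimal, never float; NaN, Infinity, negative values,
    # more than two decimal places and absurdly large numbers are all rejected.
    try:
        amount = Decimal(body["amount"])
        well_formed = amount.is_finite() and amount > 0 and amount == amount.quantize(Decimal("0.01"))
    except InvalidOperation:
        well_formed = False
    if not well_formed:
        raise ApiError(400, "amount must be a positive decimal with at most 2 decimal places")
    if len(body["reference"]) > 35:
        raise ApiError(400, "reference too long")
    return amount


def _execute_transfer(from_account, body, accounts):
    """Shared business logic; deliberately contains no ownership check."""
    amount = validate_transfer_schema(body)
    src, dst = accounts.get(from_account), accounts.get(body["to_account"])
    if src is None or dst is None:
        raise ApiError(404, "account not found")
    if from_account == body["to_account"]:
        raise ApiError(422, "source and destination are the same account")
    if src["balance"] < amount:
        raise ApiError(422, "insufficient funds")
    src["balance"] -= amount
    dst["balance"] += amount
    return {"from": from_account, "to": body["to_account"], "amount": str(amount)}


def transfer_vulnerable(subject, from_account, body, accounts):
    """Broken object-level authorization: the account ID in the URL path is
    trusted, so any authenticated subject can move money out of any account
    whose ID it can guess."""
    return _execute_transfer(from_account, body, accounts)


def transfer_hardened(subject, from_account, body, accounts):
    """Object-level authorization: the caller must own the source account.
    Answering 404 rather than 403 avoids confirming that the account exists."""
    src = accounts.get(from_account)
    if src is None or src["owner"] != subject:
        raise ApiError(404, "account not found")
    return _execute_transfer(from_account, body, accounts)


def handle(handler, subject, from_account, body, accounts):
    """Run a handler and map the outcome to an HTTP-style (status, payload)."""
    try:
        return 200, handler(subject, from_account, body, accounts)
    except ApiError as err:
        return err.status, {"error": str(err)}


if __name__ == "__main__":
    body = {"to_account": "acc-200", "amount": "50.00", "reference": "rent"}
    # Mallory is authenticated but does not own acc-100.
    print(handle(transfer_vulnerable, "user-mallory", "acc-100", body, fresh_accounts()))
    print(handle(transfer_hardened, "user-mallory", "acc-100", body, fresh_accounts()))
    print(handle(transfer_hardened, "user-alice", "acc-100", body, fresh_accounts()))
```

The schema check alone would not have stopped Mallory: her request is perfectly well-formed. That is the point the article makes about business-logic and access-control flaws, and it is why the ownership check belongs in every handler that takes an object identifier from the caller, not only in an API gateway in front of it.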
Machine learning can also be applied to the data flowing through APIs. Securing APIs is not only a matter of adding controls; it also extends to anomaly detection. Models trained on normal traffic can flag anomalous behaviour and malicious data trends, such as a client that suddenly enumerates account identifiers or exceeds its usual request rate. AWS Config, meanwhile, records configuration changes to resources such as API Gateway so that drift from the reviewed configuration can be audited.
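What "flagging anomalous behaviour" looks like in practice is easier to see on concrete log lines. The following added example is not code from TCS, AWS or the page: it parses a constructed API-Gateway-style access log, builds a per-client baseline with a robust statistic (median and median absolute deviation) in place of a trained model, and raises three findings that correspond to the access-control abuse discussed above: a request-rate spike, a walk through sequential account IDs, and a high error rate. The log format, client names and thresholds are assumptions.

```python
"""Baseline-and-deviation anomaly detection over API access logs.

Added example, not TCS or AWS code. The log format and every log line are
constructed; median/MAD stands in for a trained model, and the detectors
target rate spikes, account-ID enumeration and high error rates.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed normal traffic: four customers touching their own accounts.
NORMAL_TRAFFIC = """\
2024-05-01T10:00:01Z client=user-alice GET /accounts/acc-100/balance 200
2024-05-01T10:00:05Z client=user-alice GET /accounts/acc-100/transactions 200
2024-05-01T10:00:09Z client=user-alice POST /accounts/acc-100/transfers 201
2024-05-01T10:01:00Z client=user-bob GET /accounts/acc-200/balance 200
2024-05-01T10:01:30Z client=user-bob GET /accounts/acc-200/transactions 200
2024-05-01T10:02:00Z client=user-carol GET /accounts/acc-300/balance 200
2024-05-01T10:02:10Z client=user-carol POST /accounts/acc-300/transfers 201
2024-05-01T10:04:00Z client=user-eve GET /accounts/acc-500/balance 200
2024-05-01T10:04:05Z client=user-eve GET /accounts/acc-500/transactions 200
2024-05-01T10:04:09Z client=user-eve POST /accounts/acc-500/transfers 201
"""
# Constructed scanner walking acc-101..acc-111; most guesses return 404.
SCAN_TRAFFIC = "\n".join(
    f"2024-05-01T10:05:{i:02d}Z client=app-x GET /accounts/acc-{100 + i}/balance "
    f"{200 if i % 4 == 0 else 404}"
    for i in range(1, 12)
)
SAMPLE_LOG = NORMAL_TRAFFIC + SCAN_TRAFFIC

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
ACCOUNT_ID = re.compile(r"/accounts/acc-(\d+)(?:/|$)")


def parse(lines):
    """Yield parsed events; malformed lines are skipped, not allowed to crash the detector."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            event = m.groupdict()
            event["status"] = int(event["status"])
            yield event


def client_stats(events):
    """Per-client request count, error count and the set of numeric account IDs touched."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "ids": set()})
    for e in events:
        s = stats[e["client"]]
        s["requests"] += 1
        if e["status"] >= 400:
            s["errors"] += 1
        m = ACCOUNT_ID.search(e["path"])
        if m:
            s["ids"].add(int(m.group(1)))
    return stats


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers; enumeration leaves long runs."""
    best = run = 0
    prev = None
    for x in sorted(ids):
        run = run + 1 if prev is not None and x == prev + 1 else 1
        best = max(best, run)
        prev = x
    return best


def robust_z(x, values):
    """Modified z-score: how far x sits from the population median, in MAD units.
    Unlike mean/stddev, one outlier cannot inflate its own baseline."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # degenerate baseline: everyone identical, any deviation stands out
        return 0.0 if x == med else float("inf")
    return 0.6745 * (x - med) / mad


def detect(lines, z_threshold=3.5, min_run=5, error_rate=0.5):
    """Return {client: [reason, ...]} for clients that deviate from the population."""
    stats = client_stats(parse(lines))
    if not stats:
        return {}
    counts = [s["requests"] for s in stats.values()]
    findings = {}
    for client, s in stats.items():
        reasons = []
        if robust_z(s["requests"], counts) > z_threshold:
            reasons.append("high_request_rate")
        if longest_consecutive_run(s["ids"]) >= min_run:
            reasons.append("sequential_account_ids")
        if s["requests"] >= min_run and s["errors"] / s["requests"] >= error_rate:
            reasons.append("high_error_rate")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

Run on the constructed log, only `app-x` is flagged, on all three counts. The rate detector here treats the whole sample as one window; in production the same statistic is computed per time window and per endpoint, and the sequential-ID detector is the cheap signal that object-level authorization is being probed, which is exactly the failure the hardened handler earlier on this page prevents.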
The entire banking ecosystem runs on trust: consumers must be confident that their open banking app is secure. TCS, in partnership with AWS, has enabled financial institutions to embrace open banking by building secure APIs that bridge services and customer experience. The TCS AWSBU Security Foundation Designer Solution offers development teams security design patterns built on native AWS capabilities, giving them a centralized point of control for enforcing security across their APIs.
TCS has built open banking platforms for its clients, offering secure APIs built on AWS services. A Norwegian bank decided to offer a simple person-to-person (P2P) payment solution over a mobile platform, which required a complete modernization of its monolithic architecture into microservices. TCS partnered with the bank to transform it from a traditional bank into an open API ecosystem by building a cloud foundation with the flexibility and scalability needed for the APIs. The payment platform reached a customer base equivalent to the traditional bank's in less than one-tenth of the time, and was adopted by 25% of the country within six months of launch.