No bank is an island: navigating the security challenges of Open Banking
23 July 2018
Welcome back. This is the second in the series of short blogs on security to help banks when considering Open Banking.
In the first blog we talked about using the NIST framework (Identify, Detect, Protect, Respond & Recover) to help us navigate the security challenges in question, so let’s look in more detail at Identify and Detect measures in this blog.
So firstly under Identify:
As a bank, the first question you can ask yourself is: what does my ecosystem look like? No need to dust off your Blue Planet box set - this is about thinking through your relationships (peers, suppliers, market infrastructure) and how these relationships are held together, i.e. the connections, such as the telecoms infrastructure.
This is likely to be a cat’s cradle of links and inter-linkages surrounding you. Mapping it may not be a straightforward task, but it should help you think through how Open Banking may change your ecosystem, and the things you need to worry about, for instance:
- What are the new connections that will now be part of my ecosystem (the APIs)?
- What are the new third parties in my ecosystem?
- What intelligence or information do I hold on these third parties?
And then under Detect, banks can start to think about:
- What does my current API activity look like?
- What do I worry about already? (APIs are not new; you can learn a lot from OWASP.)
- What are the new things that I need to worry about? Have a think about new threat scenarios.
This will provide a good basis to think through the Protect measures that we’ll look at in my next blog.