Fuelled by rising consumer expectations for innovative services and easy real-time access to financial products and information, financial services industries (FSI) and fintech organizations are racing to out-innovate each other and capture market share. The sizeable growth of investments into the sector continues to attract new nimble entrants as they develop new digital business models and technologies. Fierce competition forces players to move quickly, pivot, and focus on initiatives to drive rapid growth. Together, these forces are profoundly reshaping payments, lending, insurance, and wealth management.
It’s clear that the barriers to developing new financial services and applications have never been lower. This has also led to an explosion in development activity across the sector. However, when an organization is driven by rapid growth and change to get ahead of competitors, the speed of operations means security controls often get ignored or left behind.
The extent of cybercrime is well-documented – it’s predicted to cost US$10.5 trillion annually by 2025, a US$3 trillion increase since 2015. However, the increasing digitization of financial services attracts greater criminal activity than most because the rewards for cyber criminals are high. In fact, the financial services industry has one of the highest average total costs of a data breach, coming second only to healthcare. If an attacker is successful, they will have access to vast amounts of highly monetizable data such as customer transactions, account information, and private personal data. This data can be used to either commit financial fraud or sell to the highest bidder. Further, the corresponding scrutiny from regulators and government agencies adds to the pressure and risk of lax security.
Two key areas of weakness have emerged: DevOps and the explosion of unstructured data.
The DevOps challenge in financial services
As financial organizations recognize the competitive advantage of timely innovation, DevOps tools and practices are becoming the standard in financial services. In fact, industry surveys indicate the adoption of DevOps in financial services currently sits anywhere between 77% and 91% of all organizations.
Unfortunately, the need for speed in application delivery often comes at the expense of security. Most non-DevOps environments use a centralized security model, with security solutions managed by the corporate security team. In application development, that centralized model creates coordination and communication challenges. For example, the race to launch or change applications may lead the development team to skip the security team’s input or updates, leaving vulnerabilities in the code.
As part of the DevOps process, developers need access to quality test data to put their code through its paces, and the easiest way to do this is to copy production data for testing. As soon as a database is duplicated, protection around production data disappears, giving hackers easier access to that archive of unprotected and sensitive data.
The challenge of unstructured data
Most organizations can’t reliably answer where their unstructured data lives, who is accessing it, and what risk exposure the data holds; the financial sector is no exception. An estimated 80% of all banking data is stored outside databases in unstructured formats such as audio, video, PDF, and email files. Many organizations struggle to handle the growing amounts of unstructured data they generate. They don’t know what the data contains or its risk exposure. This lack of insight results in numerous protection blind spots that are more easily exploited by insiders and malicious actors.
Data loss prevention (DLP) solutions have been used for decades to prevent unwanted access to sensitive data. However, these solutions only go so far. There is growing evidence that DLP’s perimeter controls, endpoint protection, and Privileged Access Management (PAM) capabilities are failing to prevent large-scale data breaches. This is particularly concerning given the sensitivity of this data and stringent compliance and regulations for financial services.
Overcoming the challenge of unstructured data requires tools to maintain data visibility, identify sensitive assets, and meet the compliance requirements governing these assets.
The path forward with DevSecOps and Imperva
So how can financial services and fintechs achieve two seemingly contradictory goals – speed up the delivery process while also ensuring code is safe from vulnerabilities or security gaps?
The answer lies with DevSecOps, a security-first evolution of DevOps. While DevOps offers technologies and techniques to support collaboration between developers and operations teams, DevSecOps introduces security considerations into the existing DevOps pipeline. This includes incorporating security practices like:
- Shift-left security (incorporating security checks as early as possible)
- Continuous feedback loops
- Automation of code analysis
- Compliance monitoring
- Threat investigation
DevSecOps, however, does bring its challenges. There may be resistance to change from those not wanting to leave their comfort zones. Existing tools may need to be retrofitted or replaced. Productivity may dip during the transition phase, and it also brings a slew of new complex security processes and requirements such as:
- Revamping DevOps lifecycles to include security at every point throughout the application development lifecycle
- Secure coding training to increase the collective knowledge of your team around security best practices
- A minimum security baseline that must be included in your DevOps process and pipeline
- Introducing threat modelling to identify vulnerabilities and mitigate risk
Imperva’s portfolio of security tools and capabilities includes tools to assist DevSecOps teams in increasing their application security and reducing risk without slowing down the fast and agile software delivery process.
Imperva RASP (Runtime Application Self-Protection)
Imperva RASP is built into an application to detect and respond to attacks in real time. When the application executes, it automatically monitors itself and detects attacks, injections, and code weaknesses. This also buys time to fix and patch any detected vulnerabilities, because your applications remain protected regardless of latent vulnerabilities in original or third-party software.
Imperva Web Application Firewall (WAF)
Imperva WAF automatically stops advanced attacks on hybrid and cloud-native environments, enabling organizations to protect applications anywhere by offering defence-in-depth capabilities to the network edge. Imperva WAF profiles incoming application layer traffic at the perimeter and blocks any known exploits from malicious clients or botnets.
Imperva Data Security Fabric (DSF)
When it comes to both structured and unstructured data, Imperva DSF enables security and compliance teams to quickly and easily secure sensitive data no matter where it resides. By standardizing data security controls across environments, Imperva DSF provides data visibility across all file stores and assets – both on-premises and across clouds. Features include:
- Data Activity Monitoring: identify and report unauthorized behaviour without severely impacting operations or productivity.
- Data Risk Analytics: use machine learning to identify insider threats and suspicious access patterns before they cause damage.
- Data Governance: identify, secure, and monitor information assets, including structured, semi-structured, and unstructured data types.
- Data Masking: rather than copying sensitive data, data masking allows developers to create a fake yet realistic version of organizational data for application testing.
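The data masking point above, together with the earlier observation that copying production data for testing strips it of its protections, is easiest to see in code. The following is an added example, not part of the original post and not Imperva's own code: a small deterministic masking routine run over constructed sample rows. Every name, key and helper here (SAMPLE_ROWS, MASKING_KEY, mask_rows, luhn_check_digit and so on) is an assumption made for the illustration. The routine pseudonymizes names and e-mail addresses with an HMAC so the same customer always maps to the same fake value (joins across tables survive), replaces card numbers with fake digits that still pass a Luhn check (so the application under test still validates them), and leaves surrogate keys and numeric fields intact so edge cases such as negative balances reach the test suite.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a production customer table (not real data).
SAMPLE_ROWS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "card_number": "4111111111111111", "balance": 2540.75},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.com",
     "card_number": "5500000000000004", "balance": -120.00},
    {"customer_id": 1003, "name": "Alice Example", "email": "alice@example.com",
     "card_number": "4111111111111111", "balance": 18.10},
]

# Constructed demo key (assumption). A real masking job would fetch it from a secrets
# manager and never ship it with the masked copy; rotating it breaks linkage to old test sets.
MASKING_KEY = b"constructed-demo-key-do-not-reuse"

# Small constructed name pools used to build realistic-looking but fake names.
FIRST_NAMES = ["Ada", "Ben", "Cleo", "Dev", "Eli", "Fay"]
LAST_NAMES = ["Stone", "Rivers", "Hale", "Okafor", "Lind", "Park"]


def _hmac_hex(key: bytes, value: str) -> str:
    """Keyed digest: deterministic for a given key, not reversible without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def mask_name(key: bytes, name: str) -> str:
    h = bytes.fromhex(_hmac_hex(key, name))
    return f"{FIRST_NAMES[h[0] % len(FIRST_NAMES)]} {LAST_NAMES[h[1] % len(LAST_NAMES)]}"


def mask_email(key: bytes, email: str) -> str:
    local, _, _domain = email.partition("@")
    # .invalid is a reserved TLD, so test mail can never reach a real mailbox.
    return f"user-{_hmac_hex(key, local)[:12]}@masked.invalid"


def mask_card_number(key: bytes, pan: str) -> str:
    # Derive decimal digits from the HMAC, keep the original length minus one,
    # then append a valid Luhn check digit so input validation still passes.
    body = str(int(_hmac_hex(key, pan), 16))[: len(pan) - 1]
    return body + luhn_check_digit(body)


def mask_rows(key: bytes, rows: list) -> list:
    """Return masked copies of rows; the originals are not modified."""
    masked = []
    for row in rows:
        masked.append({
            "customer_id": row["customer_id"],  # surrogate key, kept so joins still work
            "name": mask_name(key, row["name"]),
            "email": mask_email(key, row["email"]),
            "card_number": mask_card_number(key, row["card_number"]),
            "balance": row["balance"],  # kept so numeric edge cases survive into testing
        })
    return masked


def leaks_original_values(rows: list, masked: list) -> bool:
    """True if any original name, e-mail or card number appears in the masked output."""
    originals = {str(r[f]) for r in rows for f in ("name", "email", "card_number")}
    rendered = " ".join(str(v) for m in masked for v in m.values())
    return any(o in rendered for o in originals)


if __name__ == "__main__":
    for row in mask_rows(MASKING_KEY, SAMPLE_ROWS):
        print(row)
```

The leak check at the end is the control a practitioner would wire into the copy job: the masked set should be rejected if any original identifier survives, and the masking key itself must stay with the production side, since anyone holding it can re-derive the pseudonyms from guessed inputs.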
Takeaway conclusion
Financial services industries (FSI) and fintech organizations are running a perilous race. While they try to outstrip each other with innovative new products, they are leaving a string of serious risks in their wake. Should those risks ever lead to a data breach, the impact on reputation and the bottom line would far exceed the benefits provided by the initial innovation.
Imperva’s solutions deliver security at high velocity without putting the brakes on fast, agile software delivery processes.
Try Imperva Snapshot
It’s our free, fast and easy-to-use cloud data security posture assessment service for Amazon RDS managed databases. Use Imperva Snapshot to quickly assess the status of your databases and the data they store, and to identify non-compliance with privacy regulations and with compliance requirements for cloud data stores.
Imperva WAF Free Trial
Take advantage of our free Cloud Security Trial that includes Cloud WAF, DDoS, Advanced Bot Protection, CDN and more.