Ensuring API Security in the Era of Open Banking: A Critical Necessity

Ensuring API Security in the Era of Open Banking: A Critical Necessity

The rise of Open Banking paradigms in BFSI

Although Open Banking and PSD2 was incepted in Europe and UK to promote competition and innovation in the financial industry since 2018, but one of the first use cases of Open Banking in India was rolled out in 2016 in the form of Unified Payments Interface (UPI). In last couple of years, the use cases of Open Banking have outgrown the predictions we made at the time of inception; currently both Retail and Business banking segments are adopting numerous use cases of Open Banking. There are few use cases of Open Banking being adopted in BFSI:

  • Aggregation and financial management
  • Credit Risk and Decisioning
  • Acquisition and Onboarding
  • Payments
  • Corporate Treasury
  • Cross border payments
  • Wealth Management for Corporate
  • Connected Banking Experience

The latest use case for Open Banking is Business as a Service (BAAS) which is empowering third party applications to host a native business banking experience to the SMEs. This native experience is powered by stack of Open APIs externalized by Banks through their secured API Gateway. The rise of BAAS has opened the avenue for Fintech and third party financial services  to innovate ways to increase financial inclusions, digital adoption and business growth in the BFSI ecosystem.

 

The Risks of Open Banking and potential threat factors:

Open Banking being the major component of Digital Banking are mostly run-on Data and APIs, precisely Open APIs which are conformed with standardized access management. APIs being acted like the conduits to transfer high risk financial data across the stakeholders, it’s a day zero ask to keep the APIs secure from any attack and undefined access. The dependance of Open Banking’s on APIs has increased the frequency and complexity of cyber attacks in last few years. According to report and experts, the API attacks observed across industries are more than the amount API traffic.  Customer’s PII information, financial data and consent management tokens always make Open Banking a very lucrative prey for the cyber attackers and potential risk for many Day Zero attacks.

 

The Best practices to guardrail Open APIs in Open banking ecosystem:

Intelligent and automated tooling to prevent attacks – Technologies like Artificial intelligence, Machine Learning can be employed to harden the security posture of any Open Banking ecosystem. Advanced threat protection is very crucial in API driven ecosystem as in the fully digitized environment Customer is always in control thus the propensity of Day zero attacks are very high. By using AI and ML powered security tool, orgs can detect any anomalous API user behavior and that can led to foil any potential Cyberattacks on the gateway.

Identifying Shadow and Zombie APIs – As the business use cases are growing the number of APIs is also increasing exponentially. This increase the potentialities of having Shadow and Zombie APIs in the systems, these are the APIs which were created long ago or may be not in use for long time and can be very vulnerable to any new attacks due to the lack of upgrades.

The intelligence capabilities to identify those APIs and prevent them to react abruptly are much needed, an AI driven discovery dashboard can be very helpful to detect such APIs.

Shifts in Legacy Security Measures – Authentication, Authorization and Payload Encryption, these are the most used methods to secure the API ecosystem in any organization. In the present day when cyber attackers are becoming smarter each day these common mechanisms are not enough to secure your API business. These legacy security measures sometimes succumb in front of any man in the middle attack or Broken Object Level Authorization (BOLA) attacks. Its always suggested to have an extra layer of advanced security to identify any such attacks on top of the existing proxy-based gateway architecture.

Zero Trust policies across ecosystem – Policy makers and custodians of API security layers need to implement a very stern policy for API access management. An API governance framework should be devised in adherence to all the stakeholders need to be framed before launching any Open Banking platform. Onboarding of the external users in Open Banking platform should be done once it passed through all the criteria of the framework.

Real time prevention of attacks – With the exponentially incremental API usage real time monitoring is immensely needed as granular monitoring can only identify the threat. AI and ML powered security solution can be big help for this ask, organization should leverage intelligent and fully managed API security solutions which has Advanced DDoS attack protection, WAF, CDN etc.

API Gateway is the enough to secure Open API ecosystem – A myth we all believe

Why do you need extra security tool if you have a state-of-the-art modernized API Gateway in place? A very common question often asked to the control function bodies and the answer is API Gateways are great tool to meter, monitor API traffics and prudently used to host APIs for externalization purpose. With no offense to all the existing players who are providing API gateways for years successfully, we need some extra cushion to secure and harden our API externalization policies and for that API security tools are needed on top of the Gateways. Developers who create the apps in gateway to access the APIs over stipulated authentication mechanism, but the attackers are sometimes clever enough to make those apps turn into weapon to break into the Open banking ecosystems. Traditional web application attacks make the API security at risk in the gateway by augmenting the vulnerabilities. The key driver points to have sophisticated API security tools on top of the gateway are:

API gateways can only monitor the endpoints, it does not have full control over the product processor applications webservices and the API signatures.

Attackers can leverage a valid API token to clone the business logics hosted in the product processor layers.

With the incremental counts of Open APIs, its always a risk to have shadow or zombie APIs in gateway. Attackers can easily leverage those to control the data layers.

Analytics Dashboard to strengthen your security posture

In any complex and enterprise architecture, as the number of APIs grow the potential of risk also grow exponentially. At that time, it becomes very important to have a dashboard visibility of all the APIs highlighting the health risk, vulnerabilities, presence of PII data, propensity of BOLA etc. in the internal ecosystem. In Open banking ecosystem, it’s also important to monitor the outbound calls. Thus all the callbacks/webhooks should also be under the scope of the API security dashboard to prevent any Day zero attacks.

Ensure ZERO DATA SILOS

In Open Banking, data plays the pivotal role by determining the DNA of your open banking strategy. But often we see managing old and unstructured data is a huge pain, situation worsen when you have Data in Silos manner which is one of the major risks for Open Banking ecosystem. In order to control siloed data, organizations are now introducing Data Lake architecture which take the whole control over the Data access inside the organization and simultaneously it cleanses unstructured data to a quality structure. In any API first organization data lakes are secured by the API security posture as the data are only allowed to transmit via APIs.

Abhijit Dey
Vice President – API Banking Product
Axis Bank

Disclaimer: The views expressed in this feature article are of the author. This is not meant to be an advisory to purchase or invest in products, services or solutions of a particular type or, those promoted and sold by a particular company, their legal subsidiary in India or their channel partners. No warranty or any other liability is either expressed or implied.
Reproduction or Copying in part or whole is not permitted unless approved by author.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

Sign Up for CXO Digital Pulse Newsletters

Sign Up for CXO Digital Pulse Newsletters to Download the Research Report

Sign Up for CXO Digital Pulse Newsletters to Download the Coffee Table Book

Sign Up for CXO Digital Pulse Newsletters to Download the Vision 2023 Research Report

Download 8 Key Insights for Manufacturing for 2023 Report

Sign Up for CISO Handbook 2023

Download India’s Cybersecurity Outlook 2023 Report