Nick Hammond, Lead Advisor for Financial Services at World Wide Technology, highlights how a new approach to security sets the stage for innovation at pace

With open banking regulations and the new Markets in Financial Instruments Directive (MIFID II) now in force across the UK and Europe, and GDPR on the horizon, 2018 is set to be one of the most challenging and transformative years for the financial services industry.

Alongside politics and regulation, banks are undergoing a momentous transformation resulting from a range of technology innovations. The most prominent technologies in financial innovation include cloud computing, big data and analytics, artificial intelligence, robotic process automation, distributed ledger technology and the Internet of Things.[1]

To take advantage of these new technology groupings, the shift towards agile development projects is well underway. Gartner says that 75 percent of large organisations now operate bimodally: they are marrying exploratory and experimental development initiatives with efforts to update and renovate the legacy IT environment into a state that is fit for the digital world.

The more agile approach is enabling large organisations such as global banks or investment firms to source digital applications from new, cloud-native vendors. However, as organisations take advantage of the many options to build new and exciting cloud-based applications, they still suffer from a shortage of options to secure this new environment effectively or efficiently.

The shift to cloud architectures has successfully allowed start-ups, challengers and internal teams to change the processes of application coding, testing, deployment and operations. But there has been no credible path mapped out by which enterprises can secure their critical applications, such as their interbank payment services, in this new, more dynamic environment.

With Bring-Your-Own-Device, mobile and remote access policies, as well as growing incidence of third party services being given access to parts of a bank’s data, more and more users are interacting with a bank’s system. The traditional approach towards security, which involved installing a firewall at the perimeter of the system, cannot work.

In addition, the swathe of new regulations rolled out this year increases the mandate from annual compliance tick box activities to continued assurance of critical applications. This means that financial services firms must ensure that mission-critical applications are continually available, secure and behaving in an expected way, despite internal system changes or external stresses.

For financial services providers, the requirement for assurance is made ever more challenging by the shift towards cloud computing and agile development services.Many organisations now want to abstract security policies from infrastructure and wrap controls around individual applications, restricting traffic to necessary application-to-application and user-to-application flows only.

Gartner predicts that throughout this year, 90 percent of organisations will lack an application integration strategy, but in order to wrap policies around applications, visibility of how applications are interacting within an organisation’s infrastructure is essential.[2] Otherwise, the company may find that a security policy creates unintended consequences – by stopping one application from talking to another, for example.

Totransform 2017’s technology dreams into 2018’s reality, financial services firms need a credible new methodology to assure their critical assets.

This must start with a discovery phase to find out what is currently happening. Mapping critical applications in real-time reveals a true picture of their use and interdependencies, and how internal and external users are interacting with different applications. Often, applications are loosely interconnected across many platforms in ways that are not wholly understood. In most cases, organisations lack a system of record to understand how these application silos should be protected to meet new standards.

The next step is to understand what should be happening, in line with the company’s risk and resiliency framework, compliance requirements and external regulatory mandates.  This should be tested in a synthetic model of the current environment before finally the appropriate security policies are implemented.

The net result of this approach, which starts by understanding what is happening, before moving on to what should happen or selecting products to make it happen, is to enable banks and other financial service providers to wrap security policies around individual applications.

If appropriate, applications that were built on legacy infrastructures can then be safely migrated to the cloud, creating ongoing cost and performance benefits – and creating new opportunities for effective integration of innovative technology into the firm’s ecosystem.

To make the most of digital innovation in 2018 and beyond, banks need to start by updating their security and assurance approach. Using a security approach that is fit for a cloud-native environment creates a safe and saleable framework in which to innovate at pace.

[1]http://www.ey.com/Publication/vwLUAssets/ey-the-digital-bank-tech-innovations-driving-change-at-us-banks/$File/ey-the-digital-bank-tech-innovations-driving-change-at-us-banks.pdf

[2]https://www.gartner.com/newsroom/id/3233217