There is a battle waging in the financial sector that is not related to market supremacy, but to the protection of IT assets and customer data. Nowadays, Cyber attacks are unfortunately always around the corner and some examples are the Capital One data breach of July 2019 and the 2018 attack on HSBC.
Every day millions of people use services belonging to the fintech sphere and it is to these services that they entrust their data and their assets. If on the one hand the customer wants to give confidence to the new operators of the financial market, on the other hand data security and continuity in the provision of services are integral parts of the nascent trade-off that characterizes new business models as well as the habits of final consumers.
The issue of business continuity was at the center of the recent switch from normal business to smart working, linked to the consequences of COVID-19. Fintechs are no exception, on the contrary, the burden of having a business continuity plan at hand weighs heavily on them, which can carefully consider all sources of risk, triggers, responsibilities, roles and response processes in case of an accident. Specifically for fintech companies, we can mention some factors triggering a business continuity problem: an infrastructure failure, a cyber attack, a large-scale power outage, terrorist attack, etc.
In the cyber environment, an attack vector can reside in the application itself: it can depend on connections with third-party systems (e.g. IoT platforms) but also the cloud can be a vulnerable point. The term cloud refers to the distribution of computing services, such as servers, storage resources, databases, networks, software, analytics and intelligence, via the Internet, to offer rapid innovation, flexible resources and economies of scale. It is today an essential piece of the fintech landscape due to its scalability, performance and cost reduction. And for this reason, security as a whole must be approached differently due to the increase in the level of complexity of the infrastructure as well as that of security management. Finally, the cloud presents itself as a possible solution for business continuity.
How to ensure cloud security?
Coherently with their identity, Fintechs are willing to adopt innovative solutions for their business and cloud technology is a key part of their backbone.
According to the PwC’s “Financial Technology 2020 and Beyond” report, they are approaching cloud solutions with scalability and growth purposes; nevertheless, the authors admit that along with remarkable opportunities, challenges come too: security, data protection, and regulatory compliance-related issues play a crucial role in this scenario.
Fintech companies of every sector recognize that specific threats do, in fact, exist when it comes to the management of customer information in the cloud. And they need to develop and implement a structured plan to protect themselves, their image and their stakeholders.
“Hosting our loan origination system in the cloud connects financial institutions to unlimited data access and storage,” says Har Rai Khalsa, CEO of fintech startup MK Decision. “As a fintech, ensuring cloud security is imperative to protect sensitive customer information.”
In order to understand how to exploit cloud potential properly and in a secure way, the first question that we should ask ourselves is: what kind of threats are we exposed to?
1. Insider Attacks
When thinking of "avoiding attacks", the logic suggests protecting yourself from external threats, but what companies have historically learnt is that, quite often, and this case is not an exception, one of their major weaknesses is the “human element”.
Attackers are aware of this and this is why they often target the people within an organization rather than the cloud servers themselves.
Insider threats – malicious or not – represent a big risk because in this case external security measures do not have to necessarily be breached.
2. Cloud Sprawl
One of the big advantages of using a Cloud Solution Provider (CSP) is that they are always evolving in terms of purposes, offering new services and technologies to fintechs. Unfortunately this constant evolution has a relevant aftermath: attackers will exploit legacy technology that is no longer in frequent use, which the CSP may have neglected to shore up. This phenomenon is known as cloud sprawl.
Fintechs can fight this with a good hygiene of the overall IT infrastructure and by creating defined processes and clear boundaries for all the services that benefit from this solution.
A botnet is simply an array of connected computers or devices that are coordinated by software to carry out a specific task or function. Botnets do not have to be malicious, but when a malware infects a cloud system of computers, servers, and routers, it creates a botnet that can be extremely harmful and put customer data in jeopardy. Attackers take command of an entire group of devices and gain access to a treasure trove of financial data.
New threats will continue to emerge along with new ways of exploiting old vulnerabilities, but you can take steps to ensure the minimisation of the risk that derives from fintech data in the cloud by using widely recommended practices:
User Activity Monitoring;
CSP Vetting: opt for a cautious and detail-oriented approach when choosing a CSP for your fintech.
Cloud applications and security issues for Fintechs
We are surrounded by digital transformation and customers expect the high levels of agility and accessibility that cloud technologies can provide. Cloud-based approaches facilitate workflows and enable enterprise-wide scalability. For this, cloud service providers (CSPs) are expanding the range of services. For example, in addition to infrastructure and data storage, Amazon Web Services (AWS) offers computing, analytics, machine learning, security, compliance, and more. Bloomberg explains that 22% of fintech applications run in the cloud and expects that percentage to grow to 80% by 2025. This affects traditional banks as many seek to partner with fintech startups.
Cloud technology is ready to transform the financial sector by leading to more flexible business models. To date, there are many ways in which the cloud is used in Fintech:
Automated services, in the case of Artificial Intelligence (AI) and Machine Learning (ML) cloud computing proves to be of fundamental importance in terms of efficiency in cases of fraud detection, processing of banking services and credit scoring activities which require large computational capability.
Customer Service, cloud-based services are able to achieve better customer satisfaction as they are able to ensure better and continuous operation - so CSPs focus on solving problems and financial players on providing services
Reduce Cost, relying on cloud services certainly brings savings in economic terms as an internal infrastructure would be more expensive. The money saved from developing these systems can be used to provide more services
Data Management, it is certainly in data management that the greatest positive impacts are seen, so that financial institutions can reduce costs, configuration time, maintenance and updates connected to the IT infrastructure of internal servers. The cloud should ensure greater reliability and security for customer data
Business efficiency, since the operational capabilities of cloud computing companies are greater than those of small or medium-sized companies (and even larger ones that are not specialized in technology)
What about security issues?
In adopting cloud technology, CSPs are responsible for the security of the infrastructure while customers must pay attention to managing their access to applications as well as configuring their firewall and database. Keep in mind the objectives that the system wants to meet in terms of security, establish authorization policies, establish rules for logging and monitoring events as well as the data encryption model. In the migration or use of the cloud it is good to analyze the security requirements and the various services offered by the various CSPs, organize the management of credentials and permissions, create separate environments for development and production, and finally the notification and registration system must be configured, relating to the analysis of events.
Alibaba Cloud, AWS and Visa Cloud Connect
Alibaba Cloud allows fintech companies to bring the majority of the workload to the cloud by guaranteeing “low latency and high scalability”. Alibaba's purpose is above all to support new start-ups that need fast growth but don't have the resources: for example, KYC processes, transaction processing, etc. Nonetheless, the financial business can be very sensitive to service interruptions or data accuracy. Both regulators and customers need near-zero downtime: this is why the solution offered by the Asian giant aims to provide platforms with high reliability and disaster recovery capabilities. Finally, the platform guarantees security systems such as WAF (web application firewall) and Anti-DDoS that increase the security of applications.
As a direct competitor on the other side of the world we find Amazon AWS which provides a resilient cloud infrastructure to fintech startups, relying on deep industry expertise. AWS offers AI and ML services that allow even non-expert developers to create personalized experiences and recommendations. The strength of AWS lies in the creation of expertise in the financial sector that comes from years of collaboration with well-known services such as N25, TransferWise and Stripe. AWS has achieved a number of internationally recognized certifications and accreditations, having demonstrated compliance with third party assurance frameworks, including those that impact most financial systems organizations such as PCI-DSS, SEC Rule 17-a- 4 (f), EU Data Protection Directive, GDPR and NIST 800-171. In addition, Amazon offers numerous security services that allow you to manage access, monitor data to detect irregular activity through machine learning, mitigate DDoS attacks, encrypt data, and send alerts when changes are made to AWS resources.
One solution that combines digital payment systems with cloud technology is Visa Cloud Connect. The service will be available from August 2021 thanks to the partnership with TransferWise, a well-known fintech specialized in money transfers. The purpose of this solution is to simplify the aspects related to the provision of services in different parts of the globe such as the creation of local data centers, investing in telecommunications infrastructures and purchasing specific hardware for the management of payments. Visa Cloud Connect will be able to count on the secure connection to VisaNet which includes a unified certification and a test area, visa security services (such as transaction encryption and PIN management), as well as simplified regulation for local markets.
Bocconi Students Fintech Society & B.Cyber Authors: