Managing Risk through Cloud App Authentication and 360° Control
The easy availability of IT services delivered as cloud services, together with the revolution in the range of devices used to access these services, has created challenges for organizations in the areas of security and compliance. Employees and associates can use their personal cloud services to perform their jobs without reference to their employer. Line of business managers can acquire cloud services without performing a risk assessment or considering their impact on compliance. To compound the problem, mobile devices can be used to access these services from outside the organizational perimeter, anytime and anywhere.
Microsoft announces Project Bletchley on Azure Blockchain as a Service (BaaS)
by Ivan Niccolai
KuppingerCole has long noted the importance of blockchain technologies, whilst also noting that the key challenges to their adoption remain standardisation, privacy and security, and the dilemma of which type of blockchain technology to adopt. With regard to these last two points, the main arguments have centred on permissioned vs. unpermissioned blockchains, and on anonymous, pseudonymous or identified blockchains.
Microsoft made some wise decisions in response to these challenges. Initially, by announcing Blockchain as a service (BaaS) offerings on Azure last November, and subsequently announcing many new partnerships with various blockchain technology start-ups and consortiums, it gave organisations the opportunity to quickly begin experimenting with various blockchain tools easily and without the need to make decisions about which specific technology to use at this early stage of maturity of blockchain technologies.
Microsoft has now progressed its BaaS offering further with Project Bletchley. Organisations can finally begin to make use of concrete benefits of blockchains whilst remaining agnostic as to which specific blockchain is used to deliver them.
In short, Project Bletchley enables blockchain-powered middleware solutions. The first of the two major tools offered by this latest announcement is called “Cryptlets”. This blockchain- and development-language-agnostic tool allows an organisation to leverage time-stamped decentralised ledgers (blockchains) to secure organisational data without compromising its confidentiality. For example, non-repudiation of a transaction between systems which process confidential data can be ensured by referencing encrypted or hashed, time-stamped information stored on an external blockchain, while ensuring that this information remains completely useless to any third party not engaged in the original transaction.
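The following is an added example of the anchoring pattern just described, written for this page and not taken from Project Bletchley or Microsoft's Cryptlet code. The confidential record stays with the transacting parties; only a salted SHA-256 commitment and a timestamp go to the external ledger (simulated here as an in-memory list), and the parties can later prove to an auditor that exactly that record was anchored. The record fields, the ledger structure and the 32-byte salt are constructed assumptions.

```python
"""Added example: anchoring a commitment to a confidential record on an
external ledger (simulated here as a list) so that the anchor proves the
record existed at a point in time without disclosing its contents.
Not Microsoft's Cryptlet code; the record layout and ledger are assumptions."""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List, Optional, Tuple

# Simulated external ledger: only opaque digests and timestamps ever land here.
LEDGER: List[Dict[str, object]] = []


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so both parties and the auditor hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commit(record: dict, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Return (salt, hex digest) for a record.
    The random 32-byte salt is what makes the public digest useless to outsiders:
    without it, anyone could hash guessed record contents (amounts, account
    numbers) and match them against the ledger."""
    if salt is None:
        salt = os.urandom(32)
    return salt, hashlib.sha256(salt + canonical(record)).hexdigest()


def anchor(digest: str, ts: Optional[float] = None) -> int:
    """Append a digest to the ledger and return its position."""
    LEDGER.append({"digest": digest, "ts": time.time() if ts is None else ts})
    return len(LEDGER) - 1


def verify(record: dict, salt: bytes, index: int) -> bool:
    """A party holding the record and salt proves to an auditor that exactly
    this record was anchored at `index`; any altered field breaks the match."""
    _, digest = commit(record, salt)
    return hmac.compare_digest(digest, str(LEDGER[index]["digest"]))


def outsider_can_match(guesses: List[dict], index: int) -> bool:
    """An outsider who can guess plausible record contents but lacks the salt
    cannot confirm which (if any) guess sits behind the anchored digest."""
    target = str(LEDGER[index]["digest"])
    return any(hashlib.sha256(canonical(g)).hexdigest() == target for g in guesses)


if __name__ == "__main__":
    # Constructed sample transaction between two systems that process confidential data.
    tx = {"payer": "ACME Ltd", "payee": "Globex Corp", "amount": 125000, "currency": "EUR"}
    salt, digest = commit(tx)
    pos = anchor(digest)
    print("anchored at", pos, "digest", digest[:16] + "...")
    print("verify original:", verify(tx, salt, pos))
    print("verify altered:", verify({**tx, "amount": 1250000}, salt, pos))
    print("outsider matches guess:", outsider_can_match([tx], pos))
```

The salt must be kept by the parties alongside the record: whoever holds record and salt can prove the anchor, and whoever holds only the ledger learns nothing beyond the fact that something was anchored at that time.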
Cryptlets thus enable a whole new category of Project Bletchley middleware tools that can add security, scalability and performance to typical middleware use cases even where the underlying blockchains do not natively provide such features. Key examples of this toolset include identity, encryption and key management features. This new blockchain-powered middleware stack will work with existing Azure services such as Key Vault and Active Directory.
By using this combination of centralised, authoritative systems such as middleware, public key infrastructure and authentication stores along with features of decentralised, algorithmic consensus-based technologies such as blockchains, it becomes possible to overcome the limitations of both types of technologies whilst also providing new hybrid technologies with better security and performance characteristics.
Centralised systems are necessary to most organisations, yet the authoritative management nodes of these systems often become the targets of malicious actors. Once these key root nodes are compromised, it is often very difficult to recover from a successful attack as it is very difficult to establish the ‘last known good state’ of the sensitive data. By decentralising this information on time-stamped blockchains, it becomes much harder for an attacker to manipulate the information on a compromised authoritative node.
Project Bletchley finally provides some concrete tools for enabling these hybrid centralised/decentralised secure systems which up until now have mostly only been theoretically discussed. What is important again here is that this project is blockchain technology agnostic. Just like TCP/IP, the value from blockchains (or networking for that matter) does not come from the use of a specific blockchain implementation, but how it can support a given use case.
Blockchain is more than Bitcoin
by Martin Kuppinger
Martin Kuppinger on blockchain and why it is more than just a component of the Bitcoin cryptocurrency.
No Real Security Without Multi-Factor Authentication Everywhere
Clearly, there is a trend towards strong, simple and flexible authentication approaches beyond passwords. The benefits fall largely under the category of an improved customer experience: with Multi-Factor Authentication (MFA), the reduced dependence on passwords allows password policies to be more user friendly.
Executive View: AdNovum Nevis Security Suite - 71094
by Matthias Reinwarth
A solution for managing secure access to corporate resources and protected assets. Strong authentication, a broad spectrum of access management methods, sustainable maintenance processes of identities and authorization data form the basis for secure and auditable user access to applications.
Executive View: Bomgar Privileged Access Management - 71307
by Matthias Reinwarth
Bomgar Privileged Access Management is a comprehensive solution for managing, controlling and monitoring secure privileged access to critical systems. It implements administrative session management and recording while providing collaboration within sessions and integrates with enterprise infrastructure like IAM, SIEM, ITSM and Change Management systems.
Authentication, Access, Assets: The Triple A of Securing Sensitive Systems and Information
In more than two thirds of all cyber breaches, a misused privileged account serves as the entry point. Historically, managing privileged access focused on protecting privileged accounts by securing and managing passwords. But today, simply rotating passwords isn’t enough to defend against increasingly sophisticated cyberattacks. When it comes to securing privileged systems and data, organizations need to broaden their focus to controlling Authentication, Access and Assets.
Blockchains and Their Impact on the Finance Industry
by Ivan Niccolai
There is a lot of talk about the impact blockchains will have on the finance industry. The same holds true for FinTechs. However, what will be the real impact? Will we still have the same banking system in five or ten years from now? Or will some groups of banks (small community banks such as the Volksbanken, or large banks such as Deutsche Bank) disappear and be replaced by new players? Or will the banks absorb the FinTechs?
Before approaching this question, a brief overview of the fundamental characteristics of blockchains and key concepts is useful. A blockchain is a distributed data structure, brought to worldwide attention by the bitcoin cryptocurrency, that maintains a growing list of transaction records in a way that is extremely resistant to tampering. Algorithmic consensus is the key defining feature of a blockchain. While a public blockchain such as bitcoin’s is completely decentralised as well as distributed, the bitcoin blockchain is better defined as a specific type of blockchain: a distributed ledger. Consensus is key, as blockchains replace implicit trust with a consensus algorithm shared by all participating nodes, be they public or “permissioned”. A permissioned blockchain is a restricted-access blockchain where, unlike bitcoin, only authorised nodes may perform or validate transactions on the blockchain.
Consensus is the mechanism by which all participating nodes reach agreement about the integrity of the existing distributed transaction log and allow new entries to be written to this append-only, linear data structure. The only way that nodes participating in a blockchain can attain consensus is by the use of a published mathematical algorithm. The consensus mechanism is sometimes termed “trustless” (though not all blockchains operate only with completely anonymous or pseudonymous nodes): the nodes do not need to trust whatever the other nodes state as truth, they only need to share the same consensus algorithm, which is used to verify blockchain integrity and to admit new transactions onto the distributed log once a majority of nodes have performed the same algorithmic checks.
Another key feature is independently verifiable tamper evidence. The same mechanism that produces consensus also makes the distributed log independently verifiable: just as the nodes apply the algorithm to achieve consensus, a third party can audit a blockchain and attest to its integrity.
Figure 1: Example of how a Blockchain works (Source: World Economic Forum)
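To make the three properties above concrete (an append-only hash-linked log, independent verification by a third party, and majority agreement in place of trust in any single node), here is a minimal ledger written as an added example for this page. It is not bitcoin's code and deliberately omits proof-of-work and transaction signatures; the block layout, the three-node setup and the sample transactions are constructed assumptions.

```python
"""Added example: a minimal append-only, hash-chained ledger showing tamper
evidence and independent verifiability, plus majority agreement between node
copies in place of trust in any one node.
Illustrative only: no proof-of-work, no signatures, not the bitcoin code base."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value of the first block


def block_hash(index: int, prev_hash: str, tx: dict) -> str:
    """Hash of a block's content including the link to its predecessor, so
    changing any earlier block changes every later hash."""
    payload = {"i": index, "prev": prev_hash, "tx": tx}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """One node's copy of the chain."""

    def __init__(self) -> None:
        self.blocks: List[dict] = []

    def head_hash(self) -> str:
        return self.blocks[-1]["hash"] if self.blocks else GENESIS

    def append(self, tx: dict) -> dict:
        blk = {"i": len(self.blocks), "prev": self.head_hash(), "tx": tx}
        blk["hash"] = block_hash(blk["i"], blk["prev"], tx)
        self.blocks.append(blk)
        return blk


def audit(blocks: List[dict]) -> Optional[int]:
    """Independent verification by anyone holding the published blocks and the
    hash algorithm: recompute every hash and check every link. Returns the
    index of the first inconsistent block, or None if the chain is intact."""
    prev = GENESIS
    for i, blk in enumerate(blocks):
        if blk["i"] != i or blk["prev"] != prev or block_hash(i, prev, blk["tx"]) != blk["hash"]:
            return i
        prev = blk["hash"]
    return None


def consensus_head(nodes: List[Ledger]) -> Optional[str]:
    """Agreement by algorithm rather than trust: the head hash reported by a
    strict majority of nodes, or None if there is no majority. A single
    compromised node that rewrites its own copy is simply outvoted."""
    votes: Dict[str, int] = {}
    for n in nodes:
        votes[n.head_hash()] = votes.get(n.head_hash(), 0) + 1
    head, count = max(votes.items(), key=lambda kv: kv[1])
    return head if 2 * count > len(nodes) else None


def tamper(ledger: Ledger, index: int, new_tx: dict, recompute: bool) -> None:
    """Simulate a compromised node editing history. Without recomputing the
    later hashes, audit() exposes the edit; with them, the node's own copy
    audits clean but its head hash no longer matches the honest majority."""
    ledger.blocks[index]["tx"] = new_tx
    if recompute:
        prev = ledger.blocks[index]["prev"]
        for blk in ledger.blocks[index:]:
            blk["prev"] = prev
            blk["hash"] = block_hash(blk["i"], prev, blk["tx"])
            prev = blk["hash"]


if __name__ == "__main__":
    # Constructed sample transactions replicated to three nodes.
    txs = [{"from": "a", "to": "b", "amt": 10}, {"from": "b", "to": "c", "amt": 5}, {"from": "c", "to": "a", "amt": 1}]
    nodes = [Ledger() for _ in range(3)]
    for n in nodes:
        for tx in txs:
            n.append(tx)
    print("intact audit:", audit(nodes[0].blocks), "majority head:", consensus_head(nodes)[:12])
    tamper(nodes[2], 1, {"from": "b", "to": "thief", "amt": 5}, recompute=False)
    print("tampered, no rehash -> first bad block:", audit(nodes[2].blocks))
    tamper(nodes[2], 1, {"from": "b", "to": "thief", "amt": 5}, recompute=True)
    print("tampered + rehash -> audit:", audit(nodes[2].blocks), "outvoted:", nodes[2].head_hash() != consensus_head(nodes))
```

The second tamper run is the important one: a node that rewrites its history and recomputes the hashes produces a copy that passes a local audit, which is why the audit alone is not enough and the head hash has to be compared against what the majority of nodes report.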
While blockchains are seen by many as having the potential to be a key enabler for a wide range of applications, from the Internet of Things to Life Management Platforms, here the focus will be on key use cases in the Financial sector. With the above core concepts in mind, it is possible to examine some possible blockchain use cases in the financial sector.
Blockchain technology asset registries could be deployed to manage virtually any asset class (e.g. ships, aircraft, automobiles etc.) and provide a complete unalterable audit trail of ownership, maintenance and valuation.
By its nature, the blockchain is an unalterable chronological record of transaction history, delivered in a fully transparent and accessible form.
Many regulatory processes require a document to have passed through certain states before reaching a given state (e.g. AML and KYC processes). Recording these state changes in the blockchain conclusively demonstrates compliance with these processes without the need for an intermediary. This could be extended to proof of audit/control, whereby each new version of a document is shown to have changed according to a defined set of rules. Such rules-based processes could dramatically reduce the cost of governing regulatory compliance.
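As an added example (not part of the original article) of the proof-of-process idea, the following replays a ledger-recorded history of document states against a defined set of allowed transitions, so an auditor can confirm that every document reached its final state only through the required steps. The state names, the transition table and the sample history are constructed assumptions, not a regulator's rules; the hash chaining that would protect the log itself is left out here.

```python
"""Added example: replaying a ledger-recorded history of document states
(e.g. a KYC file) against a defined set of allowed transitions, so an auditor
can confirm every document went through the required states in order.
The state names and rule table are constructed assumptions, not a regulator's."""
from typing import Dict, List, Optional, Set, Tuple

START = "submitted"
TERMINAL: Set[str] = {"approved", "rejected"}
# Allowed next states: 'approved' is only reachable via identity and AML checks.
ALLOWED: Dict[str, Set[str]] = {
    "submitted": {"identity_verified", "rejected"},
    "identity_verified": {"aml_screened", "rejected"},
    "aml_screened": {"approved", "rejected"},
}

Event = Tuple[str, str]  # (document id, new state), in ledger order


def replay(log: List[Event]) -> Optional[str]:
    """Return None if the whole history obeys the rules, otherwise the first
    violation as a message naming the event index and the document."""
    current: Dict[str, str] = {}
    for n, (doc, new_state) in enumerate(log):
        prev = current.get(doc)
        if prev is None:
            if new_state != START:
                return f"event {n}: {doc} must start in {START!r}, got {new_state!r}"
        elif prev in TERMINAL:
            return f"event {n}: {doc} is already in terminal state {prev!r}"
        elif new_state not in ALLOWED[prev]:
            return f"event {n}: {doc} may not move {prev!r} -> {new_state!r}"
        current[doc] = new_state
    return None


def approved(log: List[Event]) -> List[str]:
    """Documents that reached 'approved'; empty if the log fails replay,
    because a single bad transition invalidates the proof of process."""
    if replay(log) is not None:
        return []
    final: Dict[str, str] = {}
    for doc, state in log:
        final[doc] = state
    return sorted(d for d, s in final.items() if s == "approved")


# Constructed sample history as it would be read back from the ledger.
GOOD_LOG: List[Event] = [
    ("kyc-1001", "submitted"), ("kyc-1002", "submitted"),
    ("kyc-1001", "identity_verified"), ("kyc-1002", "identity_verified"),
    ("kyc-1001", "aml_screened"), ("kyc-1002", "rejected"),
    ("kyc-1001", "approved"),
]
# Same history, except kyc-1002 is approved without AML screening.
BAD_LOG: List[Event] = GOOD_LOG[:5] + [("kyc-1002", "approved")]

if __name__ == "__main__":
    print(replay(GOOD_LOG), approved(GOOD_LOG))
    print(replay(BAD_LOG), approved(BAD_LOG))
```

Because the verifier needs only the published event sequence and the rule table, any third party can run the same replay and reach the same verdict, which is what removes the need for an intermediary to vouch for the process.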
International Funds Transfer
The current process for cross-border payments, SWIFT, relies on intermediaries (correspondent banks) before funds reach their final destination. The process is slow, with expensive customer fees and bank risks due to weaker banking standards in some jurisdictions. Blockchains offer a new approach without the geographical borders, middlemen and opacity that have plagued legacy cross-border payments, with the added benefits of fast processing and no correspondent fees.
Also, as the recent breach of Bangladesh Bank demonstrates, centralised systems for the processing of electronic payments are a key target for well-funded attacks by cyber criminals. The SWIFT system is geographically distributed, but it depends on trusted, centralised control nodes maintained by each bank participating in the payment network. By compromising a single node, the criminals were able to issue fraudulent transfer orders for almost a billion US dollars, of which 81 million were actually paid out. A decentralised system with a trustless consensus mechanism such as a blockchain would instead require an attacker to control a majority of the participating nodes (or of the consensus power, often simplified as “51%”) before being able to rewrite its distributed ledger, and even then could not forge transactions signed by other participants.
Securities Issuance and Settlement
The US Securities and Exchange Commission has approved the issuance of public securities via blockchain-based technology. This is often termed post-trade processing: complex securities agreements between multiple parties can be agreed to and stored in a distributed ledger, thus reducing administration costs and the risk of a party reneging on a trade.
Blockchains can facilitate the setup and management of insurance contracts using smart contracts to ensure data accuracy and the correct payment and settlement of premiums, brokerage, commissions and claims. All parties to a contract will have access to identical exposure data, which will resolve existing data quality issues and help to build better models to measure aggregate exposures and to make capital allocation decisions.
While blockchain technology has the potential to disrupt the finance sector and to rattle the hitherto comfortable market position of its largest players, such as global banks and insurance companies, some researchers think it is too early to hail the demise of traditional financial services providers. They cite a number of challenges to mainstream blockchain adoption, the greatest of which is regulatory resistance to the use of blockchains. This position is understandable, not necessarily due to any inherent technical limitation, but largely due to a perception of blockchains dominated by the bitcoin cryptocurrency and the difficulty non-technical regulators have in grasping the core concepts. A fundamental paradigm shift in thinking is required when examining algorithmic consensus systems and approaches to ensuring information confidentiality. Blockchains, permissioned or public, can make use of hashing and encryption so that confidential data is referenced or protected rather than exposed on the ledger, and the very nature of consensus only works if the consensus algorithm is known to all participating nodes and all third-party auditors.
Another key hurdle is standardisation. Blockchains must be seen as platforms over which applications and ecosystems can be built to leverage their key strengths, and platforms, more than any other technology, require the adoption of standards to provide business benefits. The blockchain landscape today is still very new, and quite far from widespread agreement on the adoption of any of the many standards proposed.
Executive View: Forum Systems Sentry and Identity Federation - 72511
by Matthias Reinwarth
Sentry, Forum Systems’ flagship product, implements a wide range of features: support for a broad set of federation use cases is complemented by API Gateway functionality and mature Web Access Management services.
Data Loss Prevention Best Practice
The first step in protecting intellectual property and sensitive information is to classify it. This can be accomplished manually via author classification or automatically via content filtering. Some tools simplify the process and provide greater governance.
Executive View: Balabit Contextual Security Intelligence Platform - 71306
by Alexei Balaganski
Contextual Security Intelligence is a new IT security concept, which states that additional levels of security controls restricting business performance should be avoided and replaced with more efficient monitoring tools. Balabit’s CSI Platform combines Log Management, Privileged Activity Monitoring, and User Behavior Analytics into an integrated real-time security intelligence platform.
Security & Privacy by Design is Agility by Design – time to rethink Banking IT
by Martin Kuppinger
81 million dollars: that was the sum hackers stole from the central bank of Bangladesh in April this year by breaching the international payment system SWIFT. Three other SWIFT-related hacks at other banks followed quickly. SWIFT reacted by announcing security improvements, including two-factor authentication, after initial remarks that the reasons for the successful attacks lay with the robbed banks and their compromised systems.
Whoever made the mistakes here (perhaps all involved parties), the growing number of cyberattacks against banks is not really surprising, since hackers tend to go where the money is. And even if the Bangladesh case might be the biggest assault so far, it is just one in a long chain of attempted and successful online bank robberies. Cybercrime has become the biggest risk for financial institutions today. The reasons behind this are, besides the money, often the heterogeneous legacy systems of many institutions, which simply weren’t built for the cyber world and open huge doors for successful attacks. What does that mean for financial institutions? First, they urgently need to consider a huge paradigm shift concerning IT and information security.
For years the last bastion against digitalization, many banks successfully withstood the cloud and all later developments like IoT without their business models having to suffer. They maintained their own infrastructures in secluded data center silos and kept running their own monolithic core banking systems. Customers, both B2B and B2C, accepted this. It seemed safe and normal. (Of course, it also had a lot to do with regulatory requirements.)
This situation has, however, changed dramatically: more and more young and dynamic competitors are entering the market. Most of these fintechs specialize in one aspect of financial services and use the latest technologies to communicate and deal with clients wherever and whenever needed, in real time. Traditional banks already feel the winds of change in a decreasing number of younger customers, “millennials”, who like to bank mobile “on the go” and put more trust in peers than in classic institutions.
To stay relevant by becoming more agile and satisfying the needs of connected consumers, banks have, at least partly, begun to integrate the new world into their business models. However, this also demands a rethink of information security. In a hyperconnected world the old perimeters like firewalls are of little use any more, if any. With IT available anytime and everywhere, and ever more people, devices and things connected with each other, the attack surface grows exponentially. New threats arise in these internal and external relationships, elaborate phishing and privileged-user attacks being just two examples.
The perimeter shifts to the identities of people, KYC (Know Your Customer) compliance being one example, but also of devices and billions of ever new things. In this context the further development of blockchain technology with advanced identity and access management prospects promises a huge leap for worldwide secure and transparent financial transactions (unforgeable records of identity, no double spending, automated verification, self-executing contracts, encryption, data integrity through time-stamps, hashing etc.), even though certain limits of this innovative technology still need to be addressed. Could they, for example, be better solved with permissioned, private ledgers, where only known users are enabled to participate? SWIFT seems to be experimenting with this already.
Whatever the solution(s), security and privacy may not be an afterthought anymore. Both need to start right with the development of products and solutions. Many industries have already understood that. It’s time for the digital finance world to internalize the concept of security and privacy by design too. I can almost hear those who say that this will hinder agility and slow processes down. In fact, it is clearly the other way round and cannot be emphasized enough: Security and Privacy by Design help any business to become even more agile than ever before. They’re actually the foundation of successful and economic Agility by Design.
Of course many banks already considered “security by design” even in their old mainframe infrastructures. In fact, they were often really good and quite progressive at it, with dynamic authorization (ABAC) and so forth. Sadly, these efforts don’t count for much in a highly dynamic and digitalized world. Agility by design can today only be reached by thinking security by design anew and by also meeting the regulatory demands of privacy by design. If they get both aspects right, financial institutions stand a good chance of surviving in completely new competitive and risk environments. This won’t work with the old core banking IT, however, since it is neither agile nor secure enough, and it also doesn’t fulfil modern privacy requirements.
The Impact of the new EU Data Protection Regulation on the Finance Industry
by Karsten Kinast
After several negotiations and multiple drafts of the General Data Protection Regulation (GDPR), its final text was adopted in April 2016. The GDPR updates the current EU Data Protection Directive to reflect the technological developments of the last 20 years. The GDPR applies to all member states in the same way and does not distinguish between industries or sectors; however, the new provisions may have a higher impact in certain sectors or industries, as they will be subject to stricter requirements regarding the processing of personal data.
The finance industry, which comprises banks, investment funds, foreign exchange services, etc., is one of the sectors that will be subject to stricter requirements:
- In particular, the fact that the data processed might relate to bank accounts, the financial situation of customers or their solvency leads to a stricter data protection regime under the GDPR, which requires that the data protection measures undertaken appropriately reflect the nature of the data, evidently considered highly sensitive here. In other words: the finance industry is by law expected to be a leader in data protection, and any breach would mean a higher sanction than in other businesses following similar illicit procedures (fines go up to 4 % of the annual worldwide turnover of a group or up to EUR 20,000,000, whichever is higher).
- The GDPR acknowledges this risk as well; therefore, data breaches occurring at financial institutions may be subject to the obligation to inform customers if the breach is likely to result in a high risk to them, so that they can take adequate precautions. Data breaches in this business field need to be reported to the Data Protection Authority within 72 hours of becoming aware of them.
- Generally, the appointment of a Data Protection Officer is mandatory for any institution in the public sector or whose core activities involve large-scale processing of sensitive data (or large-scale, systematic monitoring of data subjects). This will usually be the case for companies in the financial sector. Under the GDPR, financial information is not explicitly classed as sensitive data but is considered a risk to the rights and freedoms of data subjects, for example in cases of identity theft or fraud. Therefore, Data Protection Impact Assessments (often called Privacy Impact Assessments) will also be mandatory for financial institutions in order to identify risks, minimize potential damage or data breaches, and implement a tailored data protection strategy accordingly (privacy by design).
One of the main assets of financial institutions is their customers, which is why prior information and consent will play an even more important role than before in reaching compliance. Consent must be unambiguous and explicitly refer to each processing purpose. General contractual terms will not be sufficient as proof of consent.
The GDPR will apply from 25 May 2018, and by this date organizations and businesses must be compliant with its provisions.
Executive View: SAP HANA Enterprise Cloud – Security and Compliance - 71117
by Mike Small
An overview of the SAP HANA Enterprise Cloud together with an assessment of the security and assurance provided in respect of five critical risks faced by a cloud customer.
Will blockchains really change the finance industry?
by Karin Gräslund
There is a lot of talk about what impact blockchains will have on the finance industry and on FinTechs in particular. As a “disruptive technology”, blockchain in 2015 now seems to be at the peak of its hype cycle. There are critical opinions about blockchain technology in the FinTech scene, such as from investor Sir Michael Moritz of Sequoia Capital, who stated in a keynote at the European FinTech conference Money20/20 in Copenhagen, “this technology solves no real problem”. And one of the FinTech representatives from Holvi, Johan Lorenzen, expressed his doubt that blockchain technology “is requested by the customers”. Other successful FinTech founders, like Patrick M. Byrne of Overstock, argue that everyone who understands blockchain knows it as the next big wave of innovation, perhaps more disruptive than the internet. So who is right?
The lack of shared terminology and two further reasons make it difficult to answer: first, blockchain technology is not easily understood; and second, blockchain is not a monolithic solution but a sum of ledger functionalities in a state of continuous innovation. Today the only aspect common to the different blockchain solutions is that they are digital ledgers registering transactions between business partners, saved in blocks which are continuously validated to assure their sequence, unchanged state and origin. All other technical aspects differ between the main blockchain variants.
Looking objectively at the business potential, it seems obvious that the banking system will not be the same five years from now, because blockchain has the ability to dramatically streamline processes in financial services, speed them up and/or lower their costs. Some blockchain FinTechs are successful, and initiatives of conventional financial service providers like Hyperledger or R3 are proving blockchain technology in real-world scenarios now, such as the successful monthly real-world test of blockchain processing of credit default swaps for OTC derivatives between consortium partners reported by the DTCC last month. But these use cases are not in production yet. The duration and extent of blockchain adoption are uncertain at the moment. Because of missing maturity and the information imbalance among financial service participants, it is likely that some banks will not be able to adopt blockchain technology quickly enough. These might disappear because of the low fees that blockchain’s optimizing effects give their competitors. But whether this group will be the small community banks or the big financial service providers is still unclear. Small banks are often more agile because of organizational size and culture, as in the example of Rabobank, while big banks might invest more easily in proofs of concept because of their capital and human resources. Bigger financial service providers will probably absorb some of the blockchain FinTechs thanks to their market power, but the initial cooperation among FinTech start-ups this year could slow this trend down.
Market behavior and adoption are also triggered by incentives, image and trends. It might be a good sign that big technology partners like Microsoft, experienced in continuous technology innovation at large scale, are now joining initiatives like the R3 consortium to empower the financial services blockchain change.