How microservices are changing the game for operational resilience and cyber security in payments

Cloud adoption among banks has accelerated exponentially in recent years with views now pivoting towards seeing cloud as central to resiliency challenges. Unlike cloud-based systems, legacy technology cannot be easily patched and upgraded. As a result, weaknesses can remain in a system for a significant stretch of time. It is not surprising that 64% of enterprises believe that cloud-based systems are a more secure alternative to on-premise architecture.

Achilleas Pitsillides - Chief Information Security Officer @Form3 August 4, 2021 - 7 minutes

Since the advent of computerised systems in the late 1980s, banks have relied heavily on their technology to protect finances around the world.

Historically, enterprise banks have depended on monolithic data centres and legacy systems to provide security. However, in the 21st century, legacy technologies are comparatively vulnerable, when compared to modern cloud-based payment architecture which uses componentised microservices with multiple layers of protection that when updated, don’t affect the whole system. Designing secure payment systems is a persistent challenge for banks that are determined to go it alone, resulting in the potential for even small vulnerabilities that may not be visible to be exposed to cyber threats.

 

Meanwhile cloud adoption among banks has accelerated exponentially in recent years with views now pivoting to see cloud as central to resiliency challenges. In the recent Financial Stability Report, The Bank of England cite that “this is happening in advanced economies and emerging markets as well - because there are advantages of using the cloud, both in terms of cost and possibly in terms of resilience”

Managing resilience is one of the top business objectives for cloud adoption in 2021 by UK banks.

 

Advances in cloud technology and its current all-time low-cost point means that banks of all sizes are now able to achieve the same Enterprise grade cyber resilience and security in payments by partnering with established Cloud-native technology partners.

 

What do we mean by Cyber Resilience?

 Let’s briefly explore some of the key components that make up cyber resilience:

●      Threat protection: As technology advances, so do cyber criminals. Effective threat protection relies on constantly iterative, vigilant systems that respond rapidly to threats as they occur.

●      Adaptability: Criminals carry out sophisticated operations by observing habits and taking advantage of observable weaknesses; so businesses need to adapt and be prepared to change if they want to remain secure.

●      Durability: Cyber resilient businesses can still function after an attack.

 

Legacy technology in banking is rigid and complex. Being able to satisfy the above criteria requires not only highly secure systems but flexibility and scalability, agility and automation to track and respond in real-time to new or different behaviours or change settings every few seconds.

This is especially important as widespread digital technology and access have made it easier than ever for cybercriminals to attack.

 

How to Ensure Cyber Resiliency: The Risk of Going It Alone

A significant reason for continuing investment in on-premise systems in banking (even after the advent of cloud computing) was the perceived notion of control afforded by the technology. However, legacy systems are more vulnerable to attack than ever before. Attacks come in many forms – data breaches, denial of service, stolen accounts and of course internal challenges such as insecure applications and inadequate training.

 

Unlike cloud-based systems, legacy tech cannot be easily patched and upgraded. As a result, weaknesses can remain in a system for a significant stretch of time. It is not surprising that 64% of enterprises believe that cloud-based systems are a more secure alternative to on-premise architecture.

 

Lacking cyber security in banking is particularly dangerous in the payments space, especially as businesses attempt to evolve their services to cater to a demanding public.

 

Designing Secure Payment Systems: How Safe Is Cloud based Payments Infrastructure?

Payments are one of the most essential services banks offer to their customers. As such, secure payment systems can help banks avoid nightmare scenarios whilst delivering a competitive service for their customers.

 

Historically data centre security was built on the premise of a secure perimeter. Antibot, Anti-firewall, threat prevention, network security tools and so on.

Then the public cloud arrived –instead of one perimeter there are now multiple perimeters. Each individual component now has its own security controls, autoscaling, is capable of elastic workloads and more. Furthermore, cloud-based security enables broad visibility across all your environments and can leverage AI and machine learning to identify and act automatically to alerts and anomalies. This also helps identify blind spots or weak points in your systems.

 

High availability, disaster recovery and redundancy are now the new normal and vastly improved by cloud vendors in the last decade who also provide service guarantee for availability and performance.

 

Banks working with specialist cloud-native technology providers benefit from highly secure payment processing solutions that also remove the burden of maintenance and updates from their shoulders.

 

 

How Managed platform providers deliver Cyber Resilience

Specialist managed platform providers who adopt DevSecOps business models, use industry best practices and embed cloud security into the design of their payments platform from inception offer a wide range of benefits to banks.

 

Microservices combined with automation means technology providers can deploy multiple, incremental changes in a single day. And by fully automated, I mean environments, testing, deployment and service monitoring. This means that customers can benefit from new features immediately.

Any updates made to the platform happen without any disruption to service as one piece of code doesn’t depend on another to work.

 

Microservices are loosely grouped together and are typically lightweight, allowing for rapid improvements without causing other elements of the technology to break. Containers enable architecture to scale in line with demand, as well as aligning to developers' environments increasing velocity.

All customers use a shared platform and therefore benefit from strong security controls and protocols as well as detailed audits. Any security improvements made therefore cascade out to all users.

 

 

What Banks Should Look for in Secure Payment Processing Solutions 

There are key features that banks should keep in mind when partnering with a secure cloud-based payment processing solution. The best Fintechs should be able to provide banks with:

 

·       Multi-cloud native​ technology

·       A DevSecOps business model

·       Globally scalable​

·       Continuous monitoring

·       AI and Machine learning

·       Full automation – not just in testing

·       Rapid, continuous delivery​

·       Guaranteed uptime and strong SLA’s

 

Security failures have the potential to cause substantial damage to the financial system. Legacy approaches are no longer adequate in a digitally mature economy.

 

Catching cybercrime in real-time

Modern, agile cloud-native technologies using microservices, API’s and containers as well as AI and machine learning to detect patterns and/or irregularities and act on them is now standard practice. End to end secure protection and full automation across environments, monitoring, testing and deployment lessen the risk for error as well as those hidden gaps in technology that may not be easily visible.

 

Through partnering with Cloud-native technology providers, banks can therefore transform their technological capabilities at the same time as increasing their cyber resilience. And in my view that is a win win.

Achilleas Pitsillides

Chief Information Security Officer @Form3

Achilleas is Form3's Chief Information Security Officer and is responsible for building, maintaining and continuously improving our security management system and security frameworks. Security is embedded into all Form3 practises including regular auditing and testing of controls, policies and processes.