Funds Europe magazine’s latest European FundTech Lab forum, held recently in London, brought together experts and practitioners from across the fund management and banking sectors to explore the latest developments in digital technology and their ramifications.
Alongside interviews and sessions on innovation, women in technology and new business models, Capco Digital’s Charles Wood, currently working on the build and launch of Royal Bank of Scotland’s Mettle digital bank, took part in a panel on cybersecurity and data integrity that touched on a number of issues around managing risks, the proliferation of APIs and the accelerating shift of data into the cloud.
Charles noted that, despite some gaps (for instance around Transport Layer Security, which is central to authentication, privacy and data integrity between applications), he remains a firm believer that the architecture of the web and the infrastructure of the internet are intrinsically fit for purpose.
That said, Charles argued for the adoption of ‘hard kernels’ as an operating model when it comes to security. This requires a shift away from the traditional ‘high perimeter’ and ‘squidgy centre’ approach, which places the entire burden of defense on the outermost security layer. “Better instead to treat everything as an individual unit that is separately hardened,” said Charles.
This ‘trust no one’ approach effectively treats everyone, including internal users, as potentially hostile external actors. “Of course, you need to ensure that internal staff, such as engineers, can do their job securely within that operating model,” he added.
One solution is to embed security staff within the engineering teams to advise and help them navigate any issues, starting with no privileged access for engineers and subsequently extending access strictly where necessary. Such ‘least privilege’ models are effective, but, as Charles acknowledged, “they can certainly cause friction and arguments within organizations”.
Monitoring must be another key component of any approach, Charles noted: “People will always make mistakes, so better to focus on minimizing the mean-time to recovery, rather than maximizing the mean-time to failure. That is the cloud mentality – strive for early recognition and swift remediation.”
The panel then turned its attention to the impact of regulation around security and integrity, specifically GDPR. Noting that “regulation always brings interesting opportunities for innovation”, Charles nonetheless conceded that there is a conflict between GDPR, a privacy law, and initiatives such as PSD2 or Open Banking, which advocate wider data sharing: “When you pull up a piece of data through an API, you immediately have two copies of this data - and that runs contrary to GDPR, where the central focus is on limiting data proliferation.”
Collaboration was the final topic on the agenda. While financial services does a good job collectively in areas like anti-money laundering and cyber fraud, Charles flagged that when it comes to technology-based threats or issues, the situation is less positive – especially when we consider that these threaten every technology company, not just financial services. Disputes around ownership of a problem remain all too common when, for example, a misconfigured resource opens up a vulnerability - as happened recently with a high-profile hack via a bank’s cloud provider.