Managing API Security Is Essential For the Banking Sector

I recently saw a headline that reported multiple branch closures by Lloyds, Halifax, and TSB. Personally, it didn’t affect me so I didn’t read the article. 

Why would it? I do my banking on my phone.

And, that’s mainly the reason why banks are closing their seldom used branches—people are banking online and not physically walking into banks.

As someone who prefers living online, I am not here to debate the benefits of high streets and banks. What I do want to talk about is the role of Application Programming Interfaces (APIs) in modern banking.

According to Express Computer, an Indian IT publication, APIs are spearheading the banking sector’s evolution.

These interfaces allow banks to share their data and services with third parties, which can then use them to improve their own services and customer experience.

APIs in Banking

According to the article, banks use APIs both as consumers and publishers.

As consumers of third-party APIs, banks can:

  • Automate the customer onboarding process, making it smoother
  • Get real-time information on customer credit-worthiness
  • Make better decisions for loan applications
  • Add value to their core business with investment and financial planning advice
  • Integrate with other services, such as e-commerce stores, and make online payments easier
  • Add other financial products into their range of offerings

As publishers, banks use APIs to reach more customers and diversify their services.

So, yes, the banking sector can thank APIs for a great deal.

However, that brings me to my next point. Since APIs are now an integral part of the banking sector, API security also becomes a larger issue.

I’ve discussed how re-evaluating your cybersecurity stack could help stop API breaches earlier. Then, I came across this post that discusses how identity distribution is essential for modern API security.

What Is Identity Distribution?

APIs enable a network of services that users can access. If authorisation is checked only at the point of entry, then once a user is inside that network, from any access point, they can get to any and all information within it.

Identity distribution is the process of ensuring that the user is authorised to access the information they request at every point in the network, not just when they enter it.

If you want to think of it in terms of your home security, once a person has entered your house—whether through the front door, back door, or window—they can go through the contents of all your rooms.

Identity distribution is the process of vetting their access and authorization in each room. If they are only allowed to enter the living room, they can’t be let into the master bedroom.

Identity Distribution For API Security in Banking

Identity distribution shouldn’t just take into account who is asking for access. It should also consider the origin of the request, the external application through which the request was sent, and an allow-list of callers.

Unfortunately, this brings up two other issues.

One, sharing the credentials across the network means everyone who receives those credentials could use them to get the same level of access.

Two, it means distributing the user’s credentials across the network when some of the information might be sensitive.

In effect, you’re sharing the user’s authorisation credentials (thereby making them available to other services on the network), which also means you’re sharing their information (which could be sensitive).

To mitigate this issue, you’d need proper identity distribution techniques. The technology you use will play a role in how secure the implementation is—that means having a detailed understanding of how your services interact with others and the pathways your users will have to take.

That, in turn, would help determine which services would need what identity data to complete the request.

Additionally, you’d need to determine which pieces of data each of these services needs in order to make its authorisation decisions.

Identity Distribution Techniques

Once you know the data that needs to be delivered to other services and who needs it, you can choose from a selection of identity distribution solutions. These can be:

  • Using Transport Layer Security (TLS) end-to-end, even between services within your network, instead of only at the perimeter
  • Locking down the infrastructure so that all communication within the network goes over encrypted connections, using mutual TLS (mTLS) and frameworks such as SPIFFE or Kubernetes to manage service calls
  • Using established standards like OAuth and JSON Web Tokens (JWTs) instead of developing your own solutions
  • Using claim-based authorisation instead of API keys or scopes (remember, broken authorisation is listed as OWASP’s no. 1 API vulnerability, and is discussed in an article on API Security Solution by Gravitee.io, the leading API management platform)
  • Issuing opaque tokens to clients instead of JWTs, since a JWT’s contents can be read by the frontend application or by threat actors
  • Using token-sharing techniques, such as token embedding or token exchange
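The room-by-room check described above, the allow-list of calling applications, and three of the techniques in this list (claim-based authorisation, opaque tokens towards the client, token exchange into a JWT) fit together in a single request flow. The Python below is an added example, not code from the original post or from any vendor named in it: the service names, client identifiers, account numbers and the shared HS256 signing key are all constructed for the demonstration, the HTTP-style status codes stand in for real responses, and the token store is an in-memory dictionary.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed HS256 key shared by the token service and the verifying services.
# Illustration only; a real deployment would use asymmetric keys.
SIGNING_KEY = b"constructed-demo-signing-key"
# Constructed allow-list: the calling applications each service accepts.
ALLOWED_CLIENTS = {"accounts": {"mobile-app", "partner-aggregator"},
                   "payments": {"mobile-app"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = SIGNING_KEY, now=None):
    """Return the claims if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None  # payload was altered or signed with another key
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims

class TokenService:
    """Issues opaque tokens to clients; exchanges them (gateway only) into JWTs."""
    def __init__(self):
        self._store = {}  # opaque token -> identity data (constructed)
    def issue_opaque(self, sub: str, client_id: str, accounts: list) -> str:
        ref = secrets.token_urlsafe(24)  # reveals nothing about the user
        self._store[ref] = {"sub": sub, "client_id": client_id, "accounts": accounts}
        return ref
    def exchange(self, opaque: str):
        data = self._store.get(opaque)
        if data is None:
            return None
        return sign_jwt({**data, "iss": "bank-token-service", "exp": time.time() + 300})

def downstream_service(name: str, jwt: str, account_id: str) -> int:
    """Any internal service: verifies the token again on its own hop and authorises
    on claims (calling app, account ownership), not on having passed the perimeter."""
    claims = verify_jwt(jwt)
    if claims is None:
        return 401
    if claims.get("client_id") not in ALLOWED_CLIENTS.get(name, set()):
        return 403  # this application may not call this service
    if account_id not in claims.get("accounts", []):
        return 403  # object-level check: not this customer's account
    return 200

def gateway(tokens: TokenService, opaque: str, service: str, account_id: str) -> int:
    """Perimeter: the client only ever holds the opaque token; the gateway
    exchanges it and forwards the signed claims to the named service."""
    jwt = tokens.exchange(opaque)
    if jwt is None:
        return 401
    return downstream_service(service, jwt, account_id)

def tamper(jwt: str, **changes) -> str:
    """Rewrite claims without re-signing, to show a modified token is rejected."""
    header, payload, sig = jwt.split(".")
    claims = {**json.loads(_b64url_decode(payload)), **changes}
    return f"{header}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"

def demo() -> dict:
    """Constructed scenario; returns an HTTP-style status code per case."""
    tokens = TokenService()
    alice = tokens.issue_opaque("alice", "mobile-app", ["ACC-1001"])
    aggregator = tokens.issue_opaque("alice", "partner-aggregator", ["ACC-1001"])
    forged = tamper(tokens.exchange(alice), accounts=["ACC-1001", "ACC-2002"])
    return {
        "own_account": gateway(tokens, alice, "accounts", "ACC-1001"),
        "other_customers_account": gateway(tokens, alice, "accounts", "ACC-2002"),
        "aggregator_reads_account": gateway(tokens, aggregator, "accounts", "ACC-1001"),
        "aggregator_makes_payment": gateway(tokens, aggregator, "payments", "ACC-1001"),
        "unknown_opaque_token": gateway(tokens, "not-issued", "accounts", "ACC-1001"),
        "tampered_jwt": downstream_service("accounts", forged, "ACC-2002"),
    }
```

Calling `demo()` returns 200 for the customer reading their own account and for the aggregator doing the same, 403 for the other customer’s account and for the aggregator attempting a payment, and 401 for an unknown opaque token or a JWT whose claims were edited after signing. Two points matter for the identity distribution argument: the authorisation decision is made again by `downstream_service` on every hop, using the claims it receives rather than trusting the gateway’s admission, and the client never holds anything more informative than a random reference, so nothing about the user or their accounts is exposed in the frontend.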

As you can see, API security is important across the board, but the banking sector is higher-stakes than most. Whilst a security breach can be devastating regardless, banks are responsible for people’s money and savings.

Investing in better cybersecurity protects not just the banks but also their customers. And API security is going to be a huge part of it.