Finserv open source security
Tags: finance , financial-services , fintech , Open source
The fintech ecosystem is flourishing and exciting things are happening these days at the intersection of digital technology and financial services – thanks in part to an infusion of global fintech investment that reached US$98 billion across 2,456 deals in H1’21. This far outpaces last year’s annual total of $121.5 billion across 3,520 deals.
Fintech companies are creating and rolling out a wide range of solutions that are impacting nearly everyone, dramatically broadening the reach, flexibility, and level of innovation in financial services. In addition, technology is helping enable enormous progress in bringing financial services to the many people who have previously been excluded from the formal financial system.
Cyberattacks are on the rise
The rapid growth of an ecosystem comes with its own set of challenges. One of the key challenges for the fintech revolution is cybersecurity. According to a cybersecurity report by Boston Consulting Group, banking and financial institutions are 300 times more at risk of cyberattack than other companies.
In their latest report, the European Central Bank identified the main risk factors that the eurozone banking system is expected to face over the next three years. These risks are increasing with the continued digitization of financial services, the obsolescence of certain banking information systems and the interconnection with third-party information systems.
Given the complexity of the digital financial ecosystem, it is inevitable that some solutions will be insufficiently secure against cyberattacks, and it is highly likely that those vulnerabilities will be found and exploited. In addition to causing immediate financial losses, breaches can undermine longer-term confidence in new solutions, leading to lower adoption rates, particularly among users with less experience engaging with digital services. The gap between technology and regulation is acute in fintech, and particularly so with respect to cybersecurity. This is the inevitable result of mixing solutions that evolve at a rapid pace with regulatory frameworks that change far more slowly.
Cybersecurity and the API economy
There will be more interfaces between traditional financial service providers and fintech startups, and therefore, more cyber vulnerabilities as data crosses those interfaces.
As fintech startups grow in number and sophistication, they will establish an increasing number of links with traditional providers through Application Programming Interfaces (APIs). Interfaces between systems are a common source of cyber vulnerabilities arising from mismatched assumptions made by the designers of the systems being connected. To help guard against this, interfaces between digital financial systems should be subject to particularly stringent scrutiny and testing during the product development process, including by people who can take a clean-slate, holistic view of the aggregated system.
Cybersecurity – The journey begins at the OS
An operating system that provides security controls, such as continuous vulnerability patching, malware defenses, secure configuration and hardening, will take fintechs a long way towards reducing the risk of security incidents or breaches.
Ubuntu, the most popular platform among experienced developers and the most widely deployed platform on the public cloud, provides all the above security controls to fintechs and finservs. Ubuntu is designed to provide a minimal attack surface, with no open ports by default. It also has one of the smallest container images among enterprise operating systems. It incorporates state-of-the-art malware protection and anti-exploitation mechanisms, such as address space layout randomization (ASLR), heap and stack protection, non-executable memory, Unified Extensible Firmware Interface (UEFI) secure boot and others, as explained on Ubuntu’s security pages.
Furthermore, Ubuntu includes AppArmor, a simple-to-use and easy-to-understand application confinement framework that lets the operator confine applications. AppArmor is the engine behind our snap application management system, which enables organisations to run third-party applications confined and isolated, thus decoupling the security of the operating system from that of individual applications.
How can Canonical help fintechs on their cybersecurity journey?
Given that vulnerability management is fundamental to any cybersecurity program, Ubuntu’s vulnerability disclosure policy is transparent, and machine-readable (OVAL) data is provided to enable the audit of vulnerabilities on Ubuntu. Furthermore, Canonical ensures timely fixes and ships the necessary tools, such as OpenSCAP, to enable automated workflows like vulnerability scanning, compliance audits and remediation.
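As an added illustration of the OVAL-driven workflow described above (not code from the original post or from Canonical), the script below joins the results file that an OpenSCAP OVAL evaluation writes with the definitions feed it was evaluated against, and lists the definitions that came back true, worst severity first. Both XML documents are constructed samples in the OVAL 5 layout, and the CVE identifiers in them are placeholders, not real advisories.

```python
import xml.etree.ElementTree as ET

DEF_NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
RES_NS = {"r": "http://oval.mitre.org/XMLSchema/oval-results-5"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "negligible": 4}

# Constructed sample shaped like an OVAL definitions feed; the CVE ids are placeholders.
DEFINITIONS_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<definitions>
 <definition id="oval:example:def:1" class="vulnerability" version="1"><metadata>
  <reference source="CVE" ref_id="CVE-0000-00001"/>
  <advisory><severity>High</severity></advisory></metadata></definition>
 <definition id="oval:example:def:2" class="vulnerability" version="1"><metadata>
  <reference source="CVE" ref_id="CVE-0000-00002"/>
  <advisory><severity>Medium</severity></advisory></metadata></definition>
 <definition id="oval:example:def:3" class="vulnerability" version="1"><metadata>
  <reference source="CVE" ref_id="CVE-0000-00003"/>
  <advisory><severity>Low</severity></advisory></metadata></definition>
</definitions></oval_definitions>"""

# Constructed sample of the results document written by `oscap oval eval --results`.
RESULTS_XML = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
<results><system><definitions>
 <definition definition_id="oval:example:def:1" result="true" version="1"/>
 <definition definition_id="oval:example:def:2" result="false" version="1"/>
 <definition definition_id="oval:example:def:3" result="true" version="1"/>
</definitions></system></results></oval_results>"""


def load_definitions(xml_text):
    """Index vulnerability/patch definitions: id -> (list of CVE ids, severity)."""
    index = {}
    for d in ET.fromstring(xml_text).findall("d:definitions/d:definition", DEF_NS):
        if d.get("class") not in ("vulnerability", "patch"):
            continue  # skip e.g. inventory definitions that only identify the release
        cves = [r.get("ref_id") for r in d.findall("d:metadata/d:reference[@source='CVE']", DEF_NS)]
        sev = d.findtext("d:metadata/d:advisory/d:severity", "unknown", DEF_NS)
        index[d.get("id")] = (cves, sev.lower())
    return index


def unpatched_findings(defs_xml, results_xml):
    """Return [(severity, definition id, CVE ids)] for every definition whose
    result is "true" (its vulnerable-version criteria matched), worst severity first."""
    index = load_definitions(defs_xml)
    findings = []
    for r in ET.fromstring(results_xml).findall("r:results/r:system/r:definitions/r:definition", RES_NS):
        if r.get("result") == "true":
            cves, sev = index.get(r.get("definition_id"), ([], "unknown"))
            findings.append((sev, r.get("definition_id"), cves))
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f[0], 99))
```

On a real host, the two inputs would be the downloaded Ubuntu OVAL feed and the `--results` file from `oscap oval eval`; the join is what turns a raw pass/fail list into a prioritised patch queue.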
Secure configuration and hardening
Hardening always involves a tradeoff with usability and performance. The default configuration of Ubuntu LTS releases, as provided by Canonical, balances usability, performance and security. However, systems with dedicated workloads and deployments that are targeting specific platforms or clouds can benefit from hardening. Profiles such as the CIS benchmark enable a hardened operating system that follows the CIS Controls guidance. Canonical works with CIS as well as DISA to enable them to create guides and rules for their respective CIS benchmarks and DISA-STIG.
Attestation and security certifications
Canonical ensures that the Ubuntu operating system is third-party attested. Cryptographic core packages in Ubuntu are regularly certified under NIST’s FIPS 140-2 program. The security mechanisms of the operating system are further certified under the Common Criteria Operating System Protection Profile (OSPP) on the EAL2 level. The Common Criteria (CC) for Information Technology Security Evaluation is an international standard (ISO/IEC IS 15408) for computer security certification used by financial institutions and many other organizations dealing with sensitive data.
Read this white paper to learn more about security frameworks and how they can benefit your business.
Canonical’s subscription model
While Canonical’s free standard maintenance of Ubuntu Long Term Support (LTS) releases is sufficient for many users, Ubuntu Advantage and Ubuntu Pro address financial institutions’ enterprise security needs.
Ubuntu Advantage and Ubuntu Pro provide your organization with the tools needed to comply with cybersecurity requirements: long-term vulnerability management for the operating system and applications; audit and compliance tooling for secure configuration and hardening, such as CIS benchmarks; and third-party attestation of the security mechanisms through Common Criteria and a FIPS 140-2 validated cryptographic core.