As the financial services industry continues the transition to a digital business model, customers expect new digital capabilities. Customers have gotten used to 24/7 access to their financial accounts, for instance, and expect ongoing application enhancements that provide more customized products and services. This means that banks and financial services firms collect and process user data.
As financial services firms seek to meet customer demand and provide excellent service, they are also bound by strict government regulations to ensure the privacy of their users and minimize the risks and likelihood of a data breach. As a result, these firms need to provide updated, interactive applications and online user portals as well as advanced security tools and strategies in order to stay competitive. Neither can come at the expense of the other. To meet these dual requirements, regulators and customers alike expect banks to employ robust security measures across distributed networks and into the application layer in order to curb cyber risks.
Because the internal networks of banks often rely on legacy systems and code, this is a challenge: creating, testing, releasing and deploying new code has historically been a slow process. Moreover, in many organizations, security is still thought of as a separate process owned and managed by a separate team. Sending new software updates or applications to be tested by the security team further delays the release of new software and features. This is why so many technologically progressive banks are having such success with the DevOps process, and have been adopting it at a higher rate than most other industries.
DevOps occurs when the development and operations teams collaborate in the software development process. The transition to a DevOps model affects more than just the software development process. Enabling banks and other financial institutions to deliver software and software updates rapidly and continuously through a collaborative approach can often require a change in company culture and philosophy. But the value is that it allows development teams to make updates throughout the software lifecycle, not at one distinct point in the process.
This approach has enjoyed adoption far and wide, but financial services providers have been particularly enthusiastic. In fact, a recent study shows 45 percent of financial services companies have already adopted a DevOps approach.
Though DevOps has been rapidly accepted for enabling the delivery of new software iterations and features to consumers, there is some concern among security professionals that faster development and deployment can hamper security. These concerns are not wholly unfounded.
Some development cycles are longer and leave room for more extensive security testing, but no piece of software is ever 100 percent secure. Thus, it’s reasonable to assume that software that can be updated as frequently as every hour is also more likely to have more gaps in its security. In many industries, if a security gap is discovered, it can simply be fixed in the next iteration of the code deployed. But in finance, that sort of lag time is unacceptable. Once data or money has been stolen, the damage has been done. This is why it is important to detect threats and mitigate them immediately. If a breach is detected early and dwell time is minimized, the cost of an attack can be significantly reduced.
The irony here is that DevOps has also gained ground among malicious actors. New malware releases often move faster than security does. Therefore, the continuous integration and continuous deployment (CI/CD) that DevOps creates is necessary in order to keep pace with malicious actors.
Recommended: Security Controls and Automation
To ensure defense in depth during a faster deployment cycle, financial services firms have to adopt multiple security controls. If vulnerable code delivers a great new feature to consumers along with an unknown flaw, additional security measures need to be in place that will keep it from being exploited. Combining a strong network security infrastructure with constant application and service monitoring ensures end-to-end protection as new software is deployed.
Because the DevOps approach is primarily adopted for the purpose of web application development, it’s necessary that a part of this infrastructure include a web application firewall (WAF). A next-generation WAF provides comprehensive application protection that scans for and patches vulnerabilities, and keeps applications from being exploited by the risks identified in the OWASP Top 10. Additionally, threat intelligence can be fed to the WAF to keep applications safe from even the latest sophisticated attacks. This means that if a common exploit is being run against an application, or the application is being probed by malware, the WAF will recognize it and know to deny network access to the application.
A successful DevOps program will have automation as another primary component. As code is committed to a central system by developers, an automated process looks at the submissions in the repository and builds a new version of the software.
The security protocol of DevOps initiatives will also need to be automated in order to keep up with increased volumes of both internal development and cyberattacks. Security automation capabilities are becoming more sophisticated through the use of artificial intelligence and machine learning. Eventually, this will allow for a fully automated, secure DevOps process, with the ultimate goal of enabling intent-based security.
Security and Agility
Financial services firms have a great deal to gain by adopting the DevOps approach, including remaining competitive and defending against cybercrime. When software has such a short development cycle, complete security cannot be guaranteed. For this reason, financial services firms must integrate additional network-level security controls. These controls extend security from mobile devices and IoT through the network core and out to the cloud. As financial services firms move forward with their DevOps process, the above recommendations will help construct an intelligent, integrated security system that allows agility at the same time.
About the Author: Brian Forster is a Senior Director at Fortinet where he oversees and manages all aspects of the financial services vertical, including thought leadership, demand generation, sales enablement and account-based marketing. Prior to Fortinet, he held a leadership role at Juniper Networks and has spent most of his career within the high tech industry, including three years at Accenture and seven years at IBM in a variety of positions. He is a graduate of Pomona College with a B.A. in Political Science and an M.B.A. from Goizueta Business School at Emory University.