Episode 1: The Secure Journey to Open Banking on a Cloud


In today’s episode, we will discuss the secure journey to open banking in the cloud. We are excited to be joined by Iain Paterson, CEO of Cycura. Cycura provides top-tier security services which help organizations understand their cybersecurity exposure and become better educated about individualized cybersecurity solutions. Also joining us today is Michael Swan, Vice President of Research & Development here at Portfolio+.

In this podcast series, we are going to be taking people through the journey of open banking on a cloud platform. Because security is top of mind, we are pleased to kick off the first one with an in-depth discussion of making the journey secure.


Dianne:

Hello, I am Dianne Cupples, CEO of Portfolio+. Welcome to the first in a series of podcasts where we will be focusing on walking financial institutions, FinTechs and start-ups through the journey of open banking on a cloud platform.


As security is top of mind, in today’s episode we will be focusing our discussion on making the cloud journey secure. We are excited today to have Iain Paterson, CEO of Cycura, with us. Cycura provides top-tier security services which help organizations understand their cybersecurity exposure and then help them become more educated on the cybersecurity solutions available to them. Also joining us today is Michael Swan, Vice President of Research and Development here at Portfolio+. Welcome, gentlemen.

To kick things off, while I provided a brief overview of your company, I think it would be great if we could hear a little bit more about you and your background in the financial services industry. Could you share a little bit?

Iain:

Sure, thanks, and thank you for having me on this first podcast. It’s a tremendous pleasure and honour to participate. I’ve been in cybersecurity for nearly 20 years now. I started out in banking, working at TD. My background is in systems engineering, and I used to help build and deploy a lot of the core applications that were used either internally for bank functions or externally – customer facing. Everything from anti-fraud systems to parts of the trading platform and things like that. I did that for several years at the bank and then I pivoted over into a dedicated security role working in security operations. My knowledge of the banking systems, how they all interfaced, and how the networks interoperated was an advantage that I had over people coming into the organization in a security role, never having kind of experienced it before. So, I did that for eight or nine years and then pivoted over to healthcare, which was a real eye-opener. In banking, you are used to having every tool at your access, sometimes multiple copies of it, and then healthcare is kind of the opposite, where you have no tools but still have the need for a very high level of security. I then moved into government. I was Director of Security Operations for an organization called e-Health, so I was responsible for the health records for about 13 million people in Ontario. Finally, I joined Cycura, and that was six years ago, and so I’ve been building this practice to offer a high-level security consultancy to customers in multiple different verticals, but banking is certainly, and FinTech is certainly, one of our focuses. Our focus is around very technical security assessments: helping people identify where there are bugs and vulnerabilities, logical flaws, areas that could be abused by an attacker in applications or in infrastructure, particularly as we move more towards cloud-centric infrastructures. We are helping people basically identify those vulnerabilities and make sure they remediate them in a very pragmatic way.

Dianne:

Great, sounds interesting and very exciting. Mike, we know that security is top of mind for everyone, and you have been working with Iain to ensure our platform at Portfolio+ is secure and cloud ready. How would you describe our journey so far?

Mike:

We have been on a fantastic journey of looking to address open banking and really open our system to play with in an open banking ecosystem. But when you are playing in an ecosystem, you certainly run into situations that change the entire security regime and paradigm that we need to address. And so, we’ve been working together with Iain’s company for three years now, specifically around securing our API set and open banking, as we move further into that. Now we are looking at also migrating from being a software provider to end customer to being a full cloud-enabled, cloud native delivery system, and operating it on behalf of our customers. This again changes the entire security implications and regime as we move from being a pure software supplier to being a full data operator within a cloud environment. And so, we’ve been on the journey for the better part of three years now, and we’re moving very quickly and expect to be fully cloud enabled by the end of this year and we will be available in the marketplace.

Iain, when we think about something like that, what are some of the things that we need to be thinking about in that type of environment?

Iain:

The transition and journey to the cloud is something that a lot of organizations are going through. It is an interesting time in security, computing, architecture, and infrastructure. A lot of organizations started out in traditional infrastructure, much like yourselves. You were developing software to be deployed on premise, run on big infrastructure within organizations. Then the cloud comes along, and a lot of the mainframe people out there will say we did that first (the whole shared computer resource), but cloud came along and commoditized that ability to put workloads in different places and fit the resource demand in a flexible manner. This really changed the way that people looked at things like, do I need to have a giant data center or multiple giant data centers for redundancy? Do I need all my workloads running in there? And the answer in banking is that I probably need both. A lot of organizations – software as a service organizations, especially ones that are newer – will never have their own data center, just because they can depend on this public cloud service to operationalize their entire business. And that is neat, and you couldn’t have done that 10 years ago, right? You could have tried co-location or stuff like that, but you still owned servers. It is very different these days. What we need to think about when we migrate towards that, though, is obviously the data that we are entrusting into this public infrastructure. How are we moving that data in there? How are we securing the data that is in there? Now that we have so much flexibility to allow other participants in the ecosystem, as we get so many participants, how are we sharing the data with them or giving them access to the data for them to transform it or to, you know, compute against it and draw information out of that data? How are we securing that? Those transactions? How are we securing the data when we put it into the cloud, and how are we securing the cloud itself?

And something that we always say to customers as they go on the journey is that the cloud is going to be very safe from you. The cloud will always be secure in and of itself, but what you put into the cloud is not necessarily secure, because you are using it as an underlying infrastructure to deliver a service and to deliver access to data, or whatever you’re going to do, computationally. But you have the responsibility and the liability to ensure that what you build and deliver on the cloud is secure. I think a lot of people think that, inherently, just because you put something in Amazon or in Google Compute, it comes with many protections. There are certain security plug-ins and functions and features that you can enable and buy, and that is very cool. Security has become a marketplace too, but your underlying application still needs to be secure, and the way that you manage data needs to be done in a secure and sane fashion. Otherwise, you have a ton of risk, and I think people understand that risk maybe even less than they did when it was with traditional infrastructure.

Dianne:

This really opens up a lot of different areas that you need to look at. How can we defend against this, when if we are hearing it correctly, there really is no perimeter around what we need to do? Like it is a vast area that we need to try and secure, not just from our point of view, but also for the partners that we work with?

Iain:

You used a great word there: perimeter. That is how we used to think about security, right? Everything was inside our organization or inside our data centers, and the whole concept was that we are going to have a defense-in-depth strategy, we are going to build an iron ring around the infrastructure that we own, and then we only allow certain parties to transact with us. Conceptually, it is still kind of the same, but it is no longer, you know, your corporate office; I mean, nobody works in their corporate office anymore today. So, the perimeter now lives at the endpoint, where you are doing your day-to-day business. It lives at the edge, if you are computing workloads kind of at the edge of the network for the purposes of speeding up transactions or to make transactions more lightweight, and that is interesting. That is kind of an evolving space. Certainly, that cloud infrastructure that people are putting a lot of their workloads into is now part of your perimeter. The question that people need to think about now is, if I have built a security program and it is based on a set of policies and standards and controls, how am I extending that security program into that cloud computing space? Do I have the same level of visibility? Am I monitoring it in the same way? All of that is thankfully quite doable, because there is a marketplace for a lot of interesting services and solutions that can be leveraged in the cloud. So you can get a virtual firewall and put that in front of your application, or a virtual WAF (Web Application Firewall), and you can get centralized logging and feed it into your SIEM (Security Information and Event Management system). So, all of that is possible with the cloud, but people need to change the way they are thinking about their security programs so that it’s an extension into that cloud space. That’s the dynamic shift that I think a lot of people are trying to catch up to.

Mike:

I think you hit on an interesting concept there, Iain. We should delve a little bit further into that. You talked about the marketplace and we are talking about opening up and being within an ecosystem. You mentioned that inherently, the cloud is safe and secure for us, but then what is happening within that cloud and within the opening up of marketplaces? Being able to integrate new services and understanding who you are talking to and where that service actually sits within the regulations and security policies? Did you inadvertently start trading data with someone that is not within the policies and procedures you are looking for? What sort of due diligence do you think we need to start doing on partners?

Iain:

You just hit on I think probably the biggest challenge I would point out in this new economy, this new dynamic. We now almost have endless flexibility in terms of architecture in how we enable things and how we connect things. Portfolio+’s journey has certainly been building out these extensive sets of APIs in order to service all the different functions and needs of many different types of customers in the banking space – both traditional banking and this new open banking dynamic. That API outlook is really what most organizations in the world are doing. So, we are going to trust each other to transact through those APIs. We are going to allow ourselves to send and receive data through them and whatever other functionality we want to enable. And by doing that, we are protecting ourselves in some ways because we are limiting exposure. Your question, though, is how do we know who we can trust? How do we know that the partner that we are transacting with has done a level of due diligence? Currently, the best way is to ask them, and not just say hey, do you guys have a security program in place? It is more detailed and pointed things like, can you explain what your security program looks like? How are you ensuring that you have done due diligence so that if I am to share data with you, if we are going to transact together, if you have some sort of security program, what is my exposure? What is my secondary risk that I become exposed to by partnering with you? And so, this is one of the places that the security industry has not solved for incredibly well yet. We do rely a lot on security questionnaires that we will send out to partners if we intend to transact with them or if we are going to entrust them as a custodian of data on our behalf or vice-versa, we are going to become a custodian of their data. Show me what your security policy is. Show me the last time you had a penetration test conducted. Show me that you do vulnerability scanning on a regular basis. 
Give me some proof that your standards have been implemented, and that is currently the norm. There are other tool-centric methods that you can get into where you can evaluate somebody’s security posture externally. But should you as a potential partner go and invest in that? Maybe not. I think really it comes down to, whoever you are going to partner with being able to show that due diligence and that they have done a certain level of testing of their own security controls and processes. That is probably the best way to validate that I can recommend today.

Dianne:

Iain and Mike, we’ve been talking about this as a journey. We have used the name here today and I’ve heard it in other circles as well too – you know the journey to the cloud. How appropriate do you think the word journey is when we are talking about this?

Iain: Mike, I will let you go first.

Mike:

It is an incredibly important word, because it is never quite done. It is constantly evolving, and whereas some of the underlying concepts may not change, the methods and the ability to deliver services are changing constantly within that. So, when you think about our software and where we are going from: a real transformation from the on-premise software we have to offering cloud native. How we bring those services forward, and then once we get there, where can we evolve the new services for the betterment of our customers, and with that ability to operate again as regulation allows within the open banking world? So it is that constant journey, and then with those new requirements and experimentation and transformation we do comes the question of how our security journey is really evolving within that. That is why it is very exciting to be working with Iain, because we’ve certainly learned a lot working with his company. The first time we went through our API validation testing, and we are about to start another one in the next couple of weeks, which we are very excited about. But we are always moving forward, and we are taking a great and wonderful trip.

Iain:

I think Mike really said something that resonates with me there. We are always moving forward on this journey; we are looking forward to the new ways that we enable business so that we can engage with a wider audience. We talk about open banking – it is the entire world, and I think that is the exciting thing about open banking. We are looking to engage with people who probably do not have access, not necessarily as our sole focus, but we are going to enable banking for people who do not have access to traditional banking or do not consider traditional banking as the way that they would want to or prefer to transact. The possibilities there are essentially endless as we continue to evolve the delivery capabilities and what technology will allow us to extend out to the public that we are going to do business with and the partners that we are going to do business with. The marketplace approach is going to speed that up. So open banking is such an exciting and kind of a green field that we are going to experience. From a security lens, we also look back at the way that we built things and the way we delivered things, and we learn from where we did find problems before. We make sure that as we design things for this new cloud-enabled, cloud-centric future, we are incorporating a lot of those good decisions and learnings that we made previously into the future build. Through a marketplace approach and through certainly a lot of changes in technology, we have been able to introduce a lot of those previous learnings into this cloud-centric future, which is great. In general terms, though, when we talk about security and the journey, we always say security is a journey with no destination, because as we continue to build and enable different types of technology that extend our approach to business and things like that, the way that we look at it is that the threat landscape grows and grows and grows. The different threat vectors and the actors that we are up against will evolve and change over time. So that is why we do what we do: because we want to help people understand, like now, where do you stand? What is your true position relative to the threats that we know are out there? How can you make yourself more resilient so that you can be secure in this changing dynamic? And then we re-engage, and we work with you at different points in time as you get further down your journey, and come along to help keep you on the straight and narrow and avoid the worst of those evolving threats that are out there as the environment changes. I think that there are tons of examples of that that you can look at in the press and big stories lately. The whole ransomware situation has obviously exploded in recent years, and it is a major threat factor against most organizations. It is not necessarily going to impact open banking – it is going to impact organizations that are enabling the open banking. That is one example. In the open banking space, what we are going to have to be hyper-vigilant about is certainly the proliferation of automated attacks against the services that are being offered. The other day I shared some information with you about the velocity of botnet-type attacks against some of these open banking platforms and services. There are a lot of threat actors out there who are building their own automation to try and disrupt these services, or to try and commit fraud against these services. Or, sometimes just to observe these services for purposes that we do not even necessarily understand yet, but probably would lead to fraudulent attempts against customers down the road. You know, they are scraping these websites that are being built up so that they can create a fake one to try and get a user to log in to so that they can get access to accounts and things like that. So that is an example of how the threat vectors are changing and evolving constantly, and the journey from a security standpoint is to try and stay ahead of that.

Dianne:

Interesting. You have talked about looking forward and looking backwards and always constantly taking stock of essentially where we are and where we need to be. Your focus has been primarily in the health care industry, but we are talking today about open banking in the financial services industry. Do you see any similarities between the two different industries?

Iain:

Yes, there has been a huge boom in healthcare around telehealth and telemedicine in recent years. Particularly, Covid has helped accelerate that. Healthcare is now being delivered in the community, and that has been enabled through technology. Cycura is now owned by a Canadian health technology company called Well Health Technologies. They have a very similar model to what Portfolio+ is building, which is a marketplace for health tech applications. So, they have got this app called Health Approach which is allowing different health technology companies to come and offer that as a marketplace to all the different clinics that Well owns and does business with, and all the different partners that Well has. I see certain similarities in how the evolution of these technologies is starting to allow for different delivery of service. A service that we normally think of, for example, is when I am sick, I have to go to my doctor’s office, or I need to go to the hospital. The reality is that a lot of care can be offered in the community or at home via consultation. For example, mental health – there have been a lot of great services and vendors that have come up in that space over recent years who are doing at-home counselling sessions, where through a platform you can be connected to a wellness counselor and do a therapy session from the comfort of your home. This is actually very similar to how open banking is opening things up to new customers. It is going to open up to people who maybe were not comfortable going to a physician’s office to seek mental health care, or perhaps couldn’t afford to work with a mental health partner, based on geography or something like that. We now have global access to these kinds of services. Open banking is going to do the same things – obviously, we are going to have to think about the regulatory and compliance side of these things, but we are going to create a much more interconnected global economy through open banking, and that is very exciting.

Mike:

I think to add on to that a little bit, what is important about the similarities in the industries is looking to our evolutionary journey and what has already been seen in other industries. So where can we learn from other industries? But the underlying tenet for both healthcare and banking is privacy and security. Those are journeys that we are both jointly on, learning what we are seeing in the healthcare industry and how it applies to the banking industry, and vice versa. They are very similar in how private data is, how secure data is, and what the security regime around it is. So that is where I really see a synergy of learning from each other.

Dianne:

One last question for today. What types of due diligence should anybody coming onto the cloud consider or go through from a security point of view, Iain? What would you recommend?

Iain:

Do not assume that the cloud protects you from anything. Treat it like a utility where you are going to have guaranteed connectivity and such within reasonable certainty. And then treat anything you put onto the cloud as basically something that is constantly going to be under scrutiny and potentially attacked. So, you need to think about any data that you are putting in there – how am I storing it? How am I making sure it’s safe? Practical things like encrypting data at rest – where you can do that. Designing your applications in such a way so that it is feasible. When you are putting something in the cloud, it is inherently only as secure as how you designed the system, the controls you put around the system, and your ability to monitor those controls and the effectiveness of those controls. That will constantly change as new threat factors evolve. You have to stay on top of that. Scrutinize the provider that you’re putting your data in. Working with one of the big vendors like an IBM or Google or Microsoft Azure or AWS – that is going to be a good place to start. There are more boutique vendors out there, and some of them are just building on top of those existing infrastructures, and some have their own private clouds. Think about and figure out the right vendor for you. In Canada, because we have very strong privacy laws, there are some great boutique private cloud providers as well, if you have concerns around data residency, and in the healthcare space that’s actually become a fairly burgeoning thing too. So scrutinize where you are going to store the data. Going back to what we said about due diligence, for any applications that you’re designing and putting out there, it would behoove you to get a third-party assessment by a good, qualified vendor to come in and take a look at something objectively and help you understand where the gaps exist in the business logic and what technical vulnerabilities exist in there, so you can get it up to standard before you put it out in the cloud and it is exposed to all the threat vectors and threat actors out there. Those are the bare minimums, and I would certainly be thinking about regulatory or compliance obligations depending on the type of data that I am putting out there and ensuring that I meet those minimum requirements.

Dianne:

Great. Mike – what are you going to take away from today’s discussion with Iain and best advice or practices we want to take on our Portfolio+ journey to the cloud?

Mike:

I think the best advice is to really be understanding of who you are talking to and what you are getting for that service and how the services are put together. Looking at this, as we move into an ecosystem, it is one thing to play in the ecosystem with our APIs versus living in the ecosystem, which is what we now need to do as well, not just for our product but as a company. Making sure that we have done our diligence around that, and security is a journey as well within that. So, we will do our due diligence, and then we’ll continually do our due diligence to make sure that we’re heeding the regulatory, the residency, the compliance pieces, and hoping we will have a nice long relationship with Iain to make sure that happens.

Dianne:

Great. So Iain, your artwork behind you has caught my eye today. Is there a story behind that that you would be willing to share today?

Iain:

It is an oil on canvas painting from Hong Kong. It is very special to me because my younger brother, and he and I are inseparable – he went overseas to teach for about a year and a half in Korea. He was fortunate enough to tour around Asia and he did so and this was something he brought home for me when I finally got to see him, after not seeing him for an extended period. Certainly, it was special to me and I wanted to have it framed and it sits in the background of all the Zoom calls I am on every day. I really love it.

Dianne:

Well, it is a beautiful piece, and having talented artists in my family, I can appreciate why you framed it and kept it there – it is lovely. So gentlemen, I really appreciate the time we spent together today, both Iain and Mike. Iain, we have certainly learned a lot, and it’s been a pleasure, as always. Thank you for your time today.

Iain:

Thank you so much for having me.

Dianne:

Thank you everyone for listening to our conversation with Iain Paterson. For more information, please visit our website at portfolioplus.com/podcast. If you have any feedback you can reach us or follow us on LinkedIn or on Twitter at PortfolioPlus19. You can subscribe to our podcast series wherever you listen to your podcasts. You can also add yourself to our mailing list and we will notify you when our next podcast is available. Until next time, all the best everyone and thank you.
