
Why Banks Need to Protect the Machine Identities of APIs

November 18, 2019 | Mark Priebatsch


For today’s businesses to grow and provide new services to their customers, they need to become more agile and interconnected. This requires them to open up information to third parties so that the features and functionality customers are always clamoring for can be delivered more quickly.

For instance, banks now need to provide younger populations with the services they want, when they want them. If banks are not prepared to quickly provide content, facilities and features to their user base, they may have trouble retaining business. To maintain this “stickiness,” banks will have to provide an open banking API reference that FSI service providers can use to give customers what they need.


Open Banking API - Secured?

In the financial services industry, particularly in Australia, we have an open banking API that allows third-party application services or providers to get access to user information. These APIs allow services to be presented to users in many different ways that are more beneficial for them. But when banks create this open API, they're essentially allowing third parties (that users don't know) to have access to account details that could be misused.

For that reason, many users may not wish to have account details made available to a third party other than their bank. But new markets for banking, such as Generation Y or millennials, are more accustomed to providing personal information without much reflection. These segments are comfortable sharing on Facebook, and they tend to use other social media with abandon. For example, if you look at mobile banking users, they've all got an Instagram, Twitter or Facebook account. In fact, banks increasingly use social media to try to win over the next generation of customers, so that mindset is not about to change any time soon.

So, from an API perspective, this could create a gaping hole through which any would-be attacker could get access to a user’s information if they could somehow discover the conditions for that access. This risk makes it paramount to protect the identity, or the key, that is used to access that open banking API. In this new world, we can’t just think of machines in terms of microservices, containers, virtual systems, or otherwise. In reality, machines will become the APIs of tomorrow, and we will need to protect these identities.


Protecting API Machine Identities

But protecting API machine identities may be challenging because they fall outside the direct influence of the bank. In this sense, they may represent an attack vector because the bank has to trust that the information coming from the third party is really coming from that entity. Inside the bank, machine identities can be controlled and protected, and their authenticity can even be verified. But now banks have to somehow ensure that third-party application developers do the same and protect the identity that they're using to initially authenticate with the bank.

That in itself has opened up the risk surface for banks. Instead of just having a perimeter that's protected externally and has limited public-facing keys, banks now have thousands of developers out there, all of whom would have access to those APIs by signing up and getting a key. In this scenario, how would the bank enforce the protection of that key at that third party?

With third-party developers all over the world, it’s difficult for the bank to control who can get access to a system where the API key is stored. Because this key provides the API connectivity to the bank, it is incredibly valuable to attackers. This makes it more important than ever that organizations require their partners to protect all types of machine identities.

How well are you protecting your API keys?

About the author

Mark Priebatsch

Mark consults members of the Global 5000 within the machine identity protection space. He is a highly accomplished technology and business advisor, with over 25 years of experience in working with corporate clients across the technology industry, in particular within the fields of cybersecurity and identity management.
