Many banks know that cloud-native banking is the future, but security remains a worry. That’s why, at 10x, we have made it our mission to surpass the ordinary on cloud security.
Through years of change, many banks are hosting a museum of technology in their data centers. Layers of legacy technology have built up over the years and replacing them is complex and difficult. Many banks understand there are huge benefits to be gained from moving core banking operations to the cloud. But they are rightly worried about security and control over customer data.
Meanwhile, security has moved from being a checklist item carried out in the background to a point on the boardroom agenda. There are good reasons for that: in financial services, security lapses now bring severe penalties. And when customers can’t make payments or access their banking services, it makes headlines.
That makes banks understandably cautious about core banking system security. Just like any technology, cloud services come with security risks and weaknesses. And making cloud platforms safe can require a significant investment in time and resources.
Most cloud-based solutions come with basic security controls, but protecting a bank to industry standards requires the kind of extra measures that we have built into our systems at 10x.
Core banking system security starts with people
We have assembled a team of security specialists who have previously worked for banks. Beyond that, we screen everyone to ensure that we hire the right people and, once they are employed, give them regular, mandatory, and role-based security training.
This extends across our organization because security is everyone’s responsibility. The identity and access management policy at 10x operates on the principle of Zero Enduring Privilege access. Our staff and clients only get access to the data or environment needed to perform their role, and only for as long as is necessary.
Furthermore, we operate a ‘secure by design’ approach, which means security requirements, controls, and coding principles are established at the beginning of the process, not bolted on at the end. There’s also a specialist Security Design Team that has oversight of significant changes.
Gagan Bhatia, CISO at 10x, says: “In my view, I’ve got 320 security practitioners, because every single developer is working with a clearly defined set of processes, tools, and technologies that enable them to design and build the 10x platform securely.”
Keeping data secure
For any platform provider, data security is fundamental. But it’s especially important in financial services, where data is usually highly sensitive. We have a comprehensive and robust approach to securing client data, through which all data is classified and encrypted, both at rest and in transit. This keeps sensitive information secure and inaccessible to unauthorized parties. Moreover, we integrate Amazon's Key Management Service (KMS) for encryption processes, allowing clients to provide their own KMS key and retain complete control of their data.
As a cloud-native platform, we leverage the robust infrastructure of Amazon Web Services (AWS). This brings AWS's extensive certifications to our platform and enhances our security measures. We use ephemeral platform components and stringent ingress and egress controls. These are complemented by token-based authentication using a standardized policy engine to ensure a fortified security perimeter. Gagan says: “AWS offers strong foundational preventive controls, but we have added more and augmented them with strong operations, reporting, and engagement.”
Our commitment to core banking system security extends to our suppliers, each of which undergoes a rigorous onboarding process. Part of this requires suppliers to complete a thorough due diligence questionnaire, helping us assess and mitigate privacy risks effectively. We also apply appropriate contractual safeguards, such as Data Processing Agreements, to maintain the highest standards of data security and compliance. This comprehensive vetting process guarantees our suppliers align with our stringent security protocols.
Testing and certification
The above is just a taste of our extensive list of security processes and controls, but they would be nothing without regular testing and certification. Our industry-leading Security Incident and Event Management tools provide 24/7 monitoring and alerts. Logs are collected and aggregated for automatic review, and alerts are fed to our Security Operations Centre for triage and response.
We conduct internal penetration tests on our systems continuously, so that we uncover potential vulnerabilities as soon as possible. Additional penetration tests, carried out by external and independent assessors, take place at least once a year.
All of this is subject to internal and external audits and certification. We currently hold ISO 27001, ISO 27017, and ISO 27018 certifications, alongside SOC 2 Type II.
A transparent approach to core banking system security
At 10x, our policy is to be as transparent as possible with clients. For example, every month, we give clients a complete bill of materials for every component within the platform, explaining the changes, vulnerabilities, and risk, and how we’re managing them. This is a rare degree of openness for a SaaS provider, and one that illustrates our collaborative approach to security. All of our certifications and documentation can also be viewed in our Trust Portal.
As more banks consider migrating backend services to the cloud, this level of collaboration and transparency should be very appealing.
We can help banks quantify risk and support with regulatory approvals. Building expertise in securing financial services in the cloud is challenging and time-consuming – too much so for banks to do it alone. That’s why at 10x, we build a transparent partnership with banks, giving them the tools and trust to successfully implement cloud-native core banking.
Watch our latest webinar
For more, check out our latest thinking – a migration webinar with AWS. Now we've covered core banking system security, learn how to successfully migrate to a cloud-native core.
Migration requires the right approach to successfully understand, manage, and mitigate implementation risks. Understanding how to de-risk and accelerate your migration strategy is imperative and will put your business ahead of the curve.