Lessons from the FinTech Trenches: Securing APIs at Finastra
On a recent webinar with Security Boulevard, we were fortunate to host Nir Valtman, head of product and data security at Finastra, to share insights from his API security journey. You can view the entire session on the Salt YouTube channel; here are some highlights from the discussion, keyed to the timestamps in the recording:
1:49: Finastra overview — Finastra is one of the top three largest FinTech companies in the world. FusionFabric.cloud is the company’s open and collaborative developer platform and marketplace where financial institutions such as banks and credit unions connect with third-party financial solutions. APIs form the core of the Finastra service, and Nir explains how APIs are critical to connecting banks with FinTech services.
7:13: API security overview — APIs have been around for the better part of 20 years, but a lot has changed since the early days. Unfortunately, not everyone’s expectation for security has kept up with those changes. Michelle McLean with Salt outlines changes to API usage, development practices, and the impact these changes have on security.
As Michelle points out, API security has become more complicated in recent years, attacks are on the rise, and traditional application security tools don't provide the right protection. We see this reality borne out in the findings of our recent State of API Security Survey report, in which 91% of respondents had experienced an API security incident in the previous 12 months. The report also notes that overall API traffic across our customers grew 51% over the period, while malicious API traffic grew 211%.
Attackers have figured out that APIs now front more business-critical services and carry an increasing amount of sensitive data, and they have shifted their focus toward APIs accordingly.
14:17: The next generation of API security — For years, tools like WAFs have been a mainstay in application security stacks. With the proliferation of APIs, the limitations of WAFs have started to show. Michelle talks about the need to move beyond in-line proxy-based tools such as WAFs that have a limited scope and explains the characteristics of the next generation of API security solutions.
17:01: Finastra's API security journey — Nir walks through the API security challenges Finastra faced at the start of its journey and the evaluation process the company used as it looked into different approaches. Pressure to secure the APIs at the core of the Finastra service came both from within Finastra and from regulators.
Nir and his team needed a solution that could stop account takeover and flag abnormal behavior, meaning anything that doesn't fit the traffic they expect to see. It was also essential to distinguish "expected" abnormalities (for example, an API whose behavior changed after a release) from genuinely malicious traffic, so that every deployment does not turn into a flood of false positives.
Ultimately, Nir saw the need for an API security solution to address Finastra’s requirements and add value to Finastra customers and its ecosystem of third-party FinTechs.
20:48: Data classification — At Finastra, data classification is not just a checkbox, and it extends beyond simply classifying the data. For Nir and his team, data classification includes understanding where APIs are exposing sensitive data. This valuable insight is something Finastra can provide to regulators and share with FinTech partners to help them understand and work together to mitigate risk.
22:28: Finastra's customer standards — Finastra's customers are banks, credit unions, and other large financial institutions. These customers come with extremely high standards for security, and Finastra must meet them. Nir explains the activities and tools the team uses to meet those standards at every step of the API lifecycle.
24:06: Why Finastra selected Salt — Nir describes the selection process as a long journey, one that started by identifying the challenge. He talks about Finastra’s attempt to solve API security with tools written in house and why the company ultimately decided to buy vs. build.
Nir also describes the team's approach to evaluating solutions and why it's crucial to tell vendors what you need rather than only asking them what they have. This approach ultimately helped Finastra get exactly what it needed to protect its APIs and formed the basis of a partnership in which Finastra has influenced the Salt Security roadmap.
28:35: Salt capabilities — Finastra selected Salt to protect its APIs, and Michelle explains more about Salt, covering why the architecture of your API security solution matters. She talks about the need for context and how Salt provides that context to aid in the discovery of APIs, the prevention of attacks, and the elimination of vulnerabilities. She also covers how Salt can help efforts on both the “right side” at runtime and the “left side” during build time.
34:49: How Salt is integrated at Finastra — Nir describes how he and the team were looking for a specific set of capabilities in an API security solution. One such capability would address data privacy requirements and the need to keep all sensitive data within the company’s own environment. Nir talks about how the hybrid approach in the Salt platform helps Finastra do exactly that.
He also talks about how Salt integrates with the company’s CI/CD pipeline and the importance of workflow integration throughout the API lifecycle. Integration at Finastra includes the development side and how their security teams use Salt to respond to attacks during runtime.
40:00: Finastra architecture — At Finastra, API security involves developers during build time (on the left) and security teams during runtime (on the right). Across the board, automation is vital. Nir talks about the Finastra application environment, the role WAFs play in that environment, what API gateways provide, and how Salt fits into this architecture. He also covers how Salt's support for webhooks lets Finastra feed findings into different security workflows and automate responses where needed.
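The webhook integration above is where automation meets untrusted input: whatever tooling consumes the events will block IPs or open tickets, so a forged or replayed delivery turns into an unwanted action. The following is an added example, not code from the webinar, from Salt, or from Finastra, showing the three checks a receiver should do before acting on any event: verify an HMAC over the raw body before parsing it, reject stale timestamps, and deduplicate on the event id. The header names, the HMAC scheme, the event fields (`id`, `severity`, `source_ip`) and the shared secret are all assumptions for illustration, not Salt's actual webhook format.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed, not Salt's format: a shared secret configured on both the webhook
# sender and this receiver, and a 5-minute window for timestamp freshness.
WEBHOOK_SECRET = b"replace-with-a-long-random-secret"
MAX_SKEW_SECONDS = 300


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Signature the sender is assumed to attach: HMAC-SHA256 over
    '<timestamp>.<raw body>'. Binding the timestamp into the MAC is what
    lets the receiver reject old deliveries instead of just old-looking ones."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(body: bytes, headers: dict, now: Optional[int] = None,
           secret: bytes = WEBHOOK_SECRET) -> bool:
    """True only if the signature matches the raw body and the timestamp is
    fresh. Comparison is constant-time, and verification runs before any JSON
    parsing so unauthenticated input never reaches json.loads."""
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(body, ts, secret)
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


class WebhookRouter:
    """Dispatches verified events: high-severity events carrying a source IP go
    to an automated block list, everything else to a ticket queue. Event ids
    are remembered so a redelivered webhook is not actioned twice."""

    def __init__(self) -> None:
        self.seen_ids: set = set()
        self.block_list: list = []
        self.tickets: list = []

    def handle(self, body: bytes, headers: dict, now: Optional[int] = None) -> str:
        if not verify(body, headers, now):
            return "rejected: bad signature or stale timestamp"
        try:
            event = json.loads(body)
        except ValueError:
            return "rejected: malformed body"
        event_id = event.get("id")
        if not isinstance(event_id, str) or not event_id:
            return "rejected: missing event id"
        if event_id in self.seen_ids:
            return "duplicate"
        self.seen_ids.add(event_id)
        if event.get("severity") == "high" and event.get("source_ip"):
            self.block_list.append(event["source_ip"])
            return "blocked"
        self.tickets.append(event)
        return "ticketed"


if __name__ == "__main__":
    # Constructed sample event; not real Finastra or Salt data.
    router = WebhookRouter()
    now = 1_700_000_000
    body = json.dumps({"id": "evt-1", "severity": "high",
                       "source_ip": "203.0.113.7"}).encode()
    headers = {"X-Timestamp": str(now), "X-Signature": sign(body, now)}
    print(router.handle(body, headers, now))  # blocked
    print(router.handle(body, headers, now))  # duplicate
```

The order of the checks matters: signing the raw bytes rather than a re-serialized object avoids canonicalization mismatches, and verifying before parsing means a malformed or oversized payload from an unauthenticated sender is dropped without exercising the JSON parser. In production the `seen_ids` set would live in a shared store with a TTL at least as long as the timestamp window, since that is the period during which a captured delivery can be replayed.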
47:34: Q&A — Wrapping up, Nir takes questions from the audience covering how Finastra protects internal microservices environments and how Salt augments other protections in place. Nir also provides perspective on how to think about approaching security for different environments like internal and multi-cloud. He shares some thoughts on best practices and how to approach building an API security strategy. He talks about how the Salt hybrid option helps keep Finastra data safe, and he closes with an analogy to explain the difference between an API gateway and an API security solution.
If you want to learn more about the Salt Security API Protection Platform and how to improve your API security, visit https://salt.security/. If you’re interested in seeing the Salt Security API Protection Platform in action, contact us for a customized demo today!