The financial services sector is expected to continue to deliver new, customer-driven and business-critical capabilities as they continue their transition to a digital business model. For example, customers have come to expect to be able to access and make changes to their financial information online and through mobile web applications. Additionally, consumers now expect more customized services from banks and financial services firms, which means these financial institutions must collect and process data about their users to offer tailored products and services.
At the same time, financial services firms are also bound by strict government regulations to ensure the privacy of their users and minimize the risks and likelihood of a data breach. As a result, financial services firms need to provide updated, interactive applications and online user portals as well as advanced security tools and strategies in order to stay competitive. Neither can come at the expense of the other. To meet these dual requirements, regulators and customers alike expect banks to employ robust security measures across distributed networks and into the application layer in order to curb cyber risks.
This can be problematic, as the process of creating, testing, releasing, and deploying new code has historically been a slow process, especially as the internal networks of banks often rely on legacy systems and code. Moreover, in many organizations security is still thought of as a separate process owned and managed by a separate team. Sending new software updates or applications to be tested by the security team further extends the release of new software and features.
Which is why so many technologically progressive banks are having such success with the DevOps process, and have been adopting it at a higher rate than most other industries.
What is DevOps?
DevOps refers to the collaboration of development and operations teams during the software development process. The transition to a DevOps model affects more than just the software development process. Enabling banks and other financial institutions to deliver software and software updates rapidly and continuously through a collaborative approach can often require a change in company culture and philosophy. But the value is that it allows development teams to make updates throughout the software lifecycle, not at one distinct point in the process.
The DevOps process has been gaining traction across industries, but has been especially well received by financial services providers. In fact, a recent study showing 45 percent of financial services companies have already adopted a DevOps approach.
While DevOps gains popularity for continuously providing new software iterations and features to consumers, there is some concern among security professionals that faster development and deployment can hamper security. These concerns are not without merit.
Even during longer software development cycles that allow for more extensive security testing, no piece of software is ever 100 percent secure. Thus, it’s reasonable to assume that software that can be updated as frequently as every hour is also more likely to have more gaps in its security. In many industries, if a security gap is discovered it can simply be fixed in the next iteration of the code deployed. But in finance that sort of lag time is unacceptable. Once data or money has been stolen, the damage has been done. This is why it is important to detect threats and mitigate them immediately. If a breach is detected early and dwell time is minimized, the cost of an attack can be significantly reduced.
Conversely, cybercriminals have also adopted a DevOps mentality when creating malware, with new malware releases often moving faster than security does. Therefore, the continuous integration and continuous deployment (CI-CD) that DevOps creates is necessary in order to keep pace with malicious actors.
The Need for Additional Security Controls and Automation
A faster deployment cycle means that to ensure in-depth defense, financial services firms have to adopt multiple security controls. This ensures that if vulnerable code delivers a great new feature but with an unknown flaw to consumers there need to be additional security measures in place that will keep it from being exploited. Combining a strong network security infrastructure with constant application and service monitoring ensures end-to-end protection as new software is deployed.
As DevOps is largely used for the development of web applications, it’s necessary that a part of this infrastructure include a web application firewall (WAF). The FortiWeb web application firewall provides comprehensive application protection that scans for and patches vulnerabilities, and keeps applications from being exploited by the risks identified in the OWASP top ten. Additionally, threat intelligence from FortiGuard labs is fed to the WAF to keep applications safe from even the latest sophisticated attacks. Which means that if an application is running a common exploit or is being probed by malware, the WAF will recognize it and know to deny network access to the application.
Automation is another primary component of a successful DevOps program. As code is committed to a central system by developers, an automated process looks at the submissions in the repository and builds a new version of the software.
Moving forward, DevOps initiatives will have to similarly automate their security protocol in order to keep up with increased volumes of both internal development and cyberattacks. Security automation capabilities are becoming more sophisticated through the use of artificial intelligence and machine learning. Eventually, this will allow for a fully automated secure DevOps process, with the ultimate goal of enabling intent based security. Fortinet is a pioneer in the area of threat intelligence automation, especially as part of an integrated architectural approach. In fact, in order to take advantage of emerging AI and automation technology, an architectural approach to security will eventually be a necessity.
The DevOps philosophy offers financial services firms many benefits, such as keeping them competitive in the market. It can also be used effectively against cybercriminals. The reality is, because software is being regularly updated, developers can never guarantee that it is completely secure. That is why it is important for financial services firms to incorporate additional, integrated security controls at the network level, from mobile devices and IoT through the network core and out to the cloud. An intelligent, integrated security system, such at the Fortinet Security Fabric can ensure that firms are prepared to integrate increased security automation into their DevOps process moving forward.
Let’s get a conversation going on Twitter! How should financial services firms incorporate security into DevOps?