A key security vulnerability that many banks still need to address is how to keep data safe when it is being used by an application — often called “data in memory.”
The issue is becoming particularly urgent for financial institutions that want to promote innovation by extending access to outside developers and fintechs trying to work on new applications.
Data in memory is an attractive opportunity for hackers, said Alissa Knight, a senior analyst at Aite Group. When data is at rest in a warehouse or in transit, it is encrypted. But banks have yet to consistently encrypt data when it is in use, she said.
In a fast-paced development environment where applications are expected to be updated in the cloud regularly, that can leave the data vulnerable. Firewalls get breached, but encrypting the data even when it is behind a firewall reduces the damage hackers can do, Knight said.
“I’m not going to say it’s a silver bullet, but it adds an additional layer to security,” she said.
Raj Nagaratnam, chief technology officer for cloud security at IBM, agreed.
“In-memory encryption is like nirvana,” he said.
It can assist banks and app developers in their work because it lessens the burden of having to protect the bank’s information. Banks “want less code and more automation,” he said, “enabling more developers to use security without them being security developers.”
Startups dive in
One Bay Area startup has been attracting attention from banks with its pitch for protecting data in memory, in addition to encrypting while at rest or in transit.
Fortanix — which is working with IBM and recently received $23 million in Series B funding led by Intel Capital — has a client base that is about 40% banks so far, according to its co-founder and chief executive, Ambuj Kumar.
Kumar claims that Fortanix created a new type of technology called run-time encryption.
In theory, even if a hacker has the password to a cloud application, the bad actor wouldn’t have access to customer data since only that cloud application could decrypt the data based on the rules Fortanix sets during encryption. “It keeps data encrypted even when applications are running on the server,” Kumar said.
IBM is now offering Fortanix’s technology to its banking clients in a product called DataShield.
As more banks sign onto IBM’s cloud (Banco Santander
The pace of development is another factor fueling the need for extra security. “Banks are being pushed to build and deploy software faster, moving from a new version of an app once a year, twice a year, to being able to release incremental versions weekly, sometimes even daily,” said Joshua Thorngren, vice president of marketing at Twistlock, an application security platform for applications built in the cloud.
Kumar said preventing data breaches is not the only use case for his company's technology.
Fortanix helped two banks that wanted to enrich their anti-money-laundering applications, in effect allowing for each bank to share encrypted data with the other through their respective applications. The banks could not see each other’s customer data, but the applications at each bank could decrypt the data and use it to learn and refine their algorithms.
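The two ideas above, a key that is released only to the application itself rather than to anyone holding its credentials, and two banks' applications decrypting a shared data set that neither bank's staff can read, can be illustrated with a small model. The following Go program is an added example written for this page; it is not Fortanix's, IBM's or DataShield's code, and the names KeyReleaseService, Measure, Protect, Release, Seal, Open and UseCustomerData, the measurement strings and the customer record are all constructed for the illustration. It reduces "runtime encryption" to its policy core: a data key is bound to a measurement (a hash of the application's code, the role an attestation report plays in real deployments) and handed out only to code whose measurement matches.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Measurement identifies an application by a hash of its code, the way an
// attestation report identifies an enclave. Here the "code" is a string
// standing in for the deployed binary (constructed for this example).
type Measurement string

func Measure(appCode string) Measurement {
	sum := sha256.Sum256([]byte(appCode))
	return Measurement(hex.EncodeToString(sum[:]))
}

// KeyReleaseService is a hypothetical stand-in for the component that holds
// data keys and releases one only to code whose measurement the policy allows.
type KeyReleaseService struct {
	keys   map[string][]byte                // key ID -> 32-byte AES key
	policy map[string]map[Measurement]bool  // key ID -> authorized measurements
}

func NewKeyReleaseService() *KeyReleaseService {
	return &KeyReleaseService{keys: map[string][]byte{}, policy: map[string]map[Measurement]bool{}}
}

// Protect generates a fresh key for keyID and binds it to the listed measurements.
func (s *KeyReleaseService) Protect(keyID string, allowed ...Measurement) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	s.keys[keyID] = key
	s.policy[keyID] = map[Measurement]bool{}
	for _, m := range allowed {
		s.policy[keyID][m] = true
	}
	return nil
}

// Release hands back the key only when the attested measurement is authorized.
// Who is asking (and whether they hold the application's password) plays no
// part; the decision rests on what code is running.
func (s *KeyReleaseService) Release(keyID string, attested Measurement) ([]byte, error) {
	allowed, ok := s.policy[keyID]
	if !ok {
		return nil, errors.New("unknown key ID")
	}
	if !allowed[attested] {
		return nil, fmt.Errorf("measurement %s… is not authorized for key %q", attested[:8], keyID)
	}
	return s.keys[keyID], nil
}

// Seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails on any tampering with the ciphertext.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// UseCustomerData is what an application does at run time: present its
// measurement, obtain the key, and decrypt inside its own process.
func UseCustomerData(svc *KeyReleaseService, keyID, appCode string, sealed []byte) (string, error) {
	key, err := svc.Release(keyID, Measure(appCode))
	if err != nil {
		return "", err
	}
	pt, err := Open(key, sealed)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	svc := NewKeyReleaseService()
	// Two banks' AML applications are both authorized for one shared key.
	if err := svc.Protect("aml-shared", Measure("bank-a-aml v1"), Measure("bank-b-aml v1")); err != nil {
		panic(err)
	}
	key, _ := svc.Release("aml-shared", Measure("bank-a-aml v1"))
	sealed, _ := Seal(key, []byte("acct:12345 flagged:true")) // constructed record from bank A
	fmt.Println(UseCustomerData(svc, "aml-shared", "bank-b-aml v1", sealed))   // bank B's app can read it
	fmt.Println(UseCustomerData(svc, "aml-shared", "operator-tooling", sealed)) // anyone else is refused
}
```

The model trusts the measurement the caller computes for itself, which is exactly what a real deployment must not do: there, the measurement arrives inside a hardware-signed attestation report, and the key service verifies that signature before consulting the policy. What the example does show is where the security boundary sits. Leaking the application's password yields nothing, and a modified copy of the application hashes to a different measurement and is refused; the ciphertext can therefore be handed to another bank's application without that bank's people ever seeing the plaintext.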
Solutions like the one that Fortanix offers will become more popular as more institutions adopt so-called zero trust security, a framework that says that applications shouldn’t trust users just because they have access to the application, said Knight.
At the same time, she expects there will be a lot of questions about the implementation process.
“Data is the center of gravity for any organization,” Knight said. “That’s the nerve center the financial institution centers around. Bankers are going to want to know how easy it is to implement and what happens if the deployment goes wrong.”
Joining Intel Capital in Fortanix’s latest round of funding were Foundation Capital and Neotribe.
Fortanix plans to use the capital infusion to accelerate the deployment time within an institution. Kumar said the goal is to be able to deploy the encryption in less than a day so that CEOs can easily present the effectiveness to the board. Right now it takes a week to two weeks to get the technology fully in place and functioning after it is adopted.
“Our goal is to create a predefined package so they click a button in their network, and it immediately starts to deploy it with minimal disruption to their infrastructure,” Kumar said.