Credit where it’s due – why the Singapore regulator has it right on security

  • Written by FinTech Futures
  • 28th April 2014
Eric Chiu is president and co-founder of HyTrust

In a sense, there’s no reason why IT security professionals should care about the Monetary Authority of Singapore, writes Eric Chiu. After all, this organisation – officially the central bank of Singapore, the sovereign city-state in Southeast Asia – exists to “promote sustained non-inflationary economic growth, and a sound and progressive financial centre.” So what does that have to do with virtualised data centres and cloud computing?

Here’s what: MAS has implemented security measures that, among other policies, go a long way toward preventing attacks by rogue operators working on the inside. Those are exactly the defence mechanisms that can play a valuable role in protecting every IT infrastructure, especially those that are virtualised and carry a huge concentration of risk.

In the banking authority’s exhaustive Technology Risk Management Guidelines manifesto, there are three basic internal security principles. The first is labelled “Never Alone,” and it stipulates that “certain systems, functions and procedures are of such sensitive and critical nature that financial institutions should ensure that they are carried out by more than one person at the same time or performed by one person and checked by another. These functions may include critical systems initialisation and configuration, PIN generation, creation of cryptographic keys and the use of administrative accounts”.

This simple rule actually applies far more broadly, particularly in this industry. Many big banks and other financial services providers now require exactly this kind of dual approval for specific actions – for example, transferring funds or writing checks over a certain amount. Had the policy been more actively enforced, it’s fair to say that some of recent history’s most spectacular debacles could have been avoided: England’s venerable Barings Bank went under through the misguided actions of a single rogue trader, and France’s Société Générale nearly suffered the same fate for the same reasons (it did lose billions in the process).

The two-man rule is even more relevant to technology. The most high-profile breach of national security information, the Edward Snowden fiasco, occurred because a single individual, by virtue of his position as a systems analyst, had virtually unlimited access to highly classified data in the National Security Administration. Had the system been configured to prevent him from accessing information without explicit approval from another person in the organisation, ideally a superior, it might have helped prevent the entire debacle. (For the record, the NSA is now in the process of implementing the two-man rule.)

Other victims are likely to follow suit. Target is still in the news – and likely will be for a while – for the massive data breach it suffered late last year. It appears that, perhaps among other tactics, thieves were able to gain access to the control point that distributes software to the retailer’s point of sale mechanisms. A policy that required secondary authorisation for software updates could have conceivably made the hack twice as difficult. And while it received less attention outside the IT universe, Adobe was similarly hit with a massive attack on its source code files, affecting some 38 million users. Here, too, a ‘never alone’ policy could have prevented the problem.

As simple as it is, the rule is not exactly new. It has even entered pop culture: A key scene in the 1995 submarine thriller Crimson Tide revolves around the characters played by Denzel Washington and Gene Hackman arguing over a decision to arm nuclear missiles, a procedure that requires dual approval.

All of which brings us directly to virtualised infrastructures and the cloud. Many organisations are migrating to these computing models, which involve a software-defined concentration of risk as a by-product of easy access to information. This in turn means that an entire class of systems professionals has the power and ‘authorities’ to extract any kind of information they wish. Many of the recent high-profile cases highlight the problem of wide-ranging insider access. It’s also not only about rogue operatives on the inside; the theft of insider credentials by outside parties immediately escalates the dangers of breaches and fraud.

Corporations have an obligation and a responsibility to develop their own version of the ‘never alone’ policy for all sensitive data and mission-critical operations. In fact, the ‘two-man rule’ in a sense goes further, streamlining the security measure and enabling organisations to scale the tactics to meet business needs and operational demands. It’s not a panacea, any more than any single security measure is. However, it does offer a stronger defence, and makes it easier to contain the damage once a breach occurs. And that’s why IT professionals should care.
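As an added illustration (not part of the original article, and not MAS or HyTrust code), here is one way a ‘never alone’ check can be enforced in software: a sensitive operation runs only if a second, different person approved that exact request, and the approval lapses if the request is altered or goes stale. The operation names, user names and the 15-minute expiry are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed list of operations treated as sensitive (names are hypothetical).
SENSITIVE = {"create_crypto_key", "push_pos_software", "use_admin_account"}

@dataclass
class Request:
    requester: str
    action: str
    params: dict
    created: float
    approvals: dict = field(default_factory=dict)  # approver -> digest they approved

    def digest(self) -> str:
        # Bind an approval to exactly who asked for what, with which parameters.
        blob = json.dumps([self.requester, self.action, self.params], sort_keys=True)
        return hashlib.sha256(blob.encode()).hexdigest()

class DualControlGate:
    def __init__(self, approvers, ttl_seconds=900):
        self.approvers = set(approvers)
        self.ttl = ttl_seconds

    def approve(self, req: Request, approver: str) -> None:
        if approver == req.requester:
            raise PermissionError("requester cannot approve their own request")
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an authorised approver")
        req.approvals[approver] = req.digest()

    def authorize(self, req: Request, now: float) -> bool:
        if req.action not in SENSITIVE:
            return True   # routine operations need no second person
        if now - req.created > self.ttl:
            return False  # stale requests must be submitted again
        # At least one other person must have approved this exact request.
        return any(who != req.requester and seen == req.digest()
                   for who, seen in req.approvals.items())

def demo():
    gate = DualControlGate(approvers={"alice", "bob"})
    req = Request("alice", "push_pos_software", {"build": "1.4.2"}, created=0.0)
    alone = gate.authorize(req, now=10.0)      # nobody else has approved yet
    gate.approve(req, "bob")
    approved = gate.authorize(req, now=20.0)   # a second person signed off
    req.params["build"] = "9.9.9"              # request changed after approval
    return alone, approved, gate.authorize(req, now=30.0)
```

Because the approval is tied to a digest of the request, a single stolen credential can neither approve its own request nor swap the payload after someone else has signed off.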
