The extended bank: Securing third-party facing applications

When it comes to securing sensitive data, few industries match the level of complexity or the magnitude of the consequences of failure that exist in the banking sector.

In India, this sentiment has been further underpinned by the rapid digitization of “the bank” as an entity. On the one hand, this technological growth in the past couple of decades has caused operational resilience to increase in leaps and bounds, especially given the employee-intensive nature of the industry. The high-touch customer service attributes of banking also meant a greater customer outreach – think contactless transactions – amidst the digital transformation of the sector; not to mention significant cost savings. 

On the other hand, the digitization of large volumes of confidential data and processes – not limited to payments – has led to increased vulnerabilities and opened up opportunities for cybercriminals, exposing banks to breaches or hacking. The sophistication and intensity of these attacks have only risen as Indian banks have increasingly adopted a digital ecosystem. In 2017, Indian banks witnessed the world’s biggest ever ransomware attack – the WannaCry and NotPetya cyberattacks – that led to combined financial repercussions amounting to US$ 15 billion.

Third-party Access: An Exposed Nerve? 

Indian banks are known to leverage third-party vendors to execute certain processes (like loan processing). In fact, such is the degree of interconnectedness of banks and their vendors that they are often seen as an extension of the bank itself. 

While that ensures a certain degree of seamlessness in operations, it also means that any losses stemming from vendor actions are the bank's responsibility. In other words, any vulnerability in the vendors' cybersecurity infrastructure is a security risk for the bank. As such, this approach poses a great amount of risk if proper security controls are not in place.

In the current digital context, collaborating with vendors and external users involves providing them access to sensitive data or to banks’ applications and networks to perform operational activities. The vendor employees/agents usually access these applications from unmanaged/BYO devices, which prevents banks from deploying the necessary security tools on those devices. Moreover, the majority of these applications are legacy and have no native support for authentication mechanisms (e.g., MFA) or protocols (e.g., AD/SAML), leaving no way to enforce access-control measures. This can pose significant security threats in the form of unauthorized access – for instance, vendor agents continuing to use credentials even after their authorization to do so has been revoked.

Some of the challenges faced by banks include:  

  • Credential sharing and misuse with no audit trail of who has accessed the application  
  • Credential theft and unauthorized access 
  • Internet-facing apps are susceptible to external attacks 
  • Financial loss because of customer data leakage 

Besides the apprehensions around data protection, this also poses regulatory risks. In response to the critical importance of securing vendor-facing applications in the financial sector, the RBI has mandated banking organizations to have MFA for all of their internet-facing applications. Some of the other requirements are: 

  • Zero Trust Approach: The RBI emphasizes a zero-trust architecture, where trust is not automatically granted based on location or network. Authentication and authorization are required for every access request, regardless of the user’s location or device. 
  • Secure Access to Assets/Services: Secure access must be provided to urban cooperative bank (UCB) assets/services from within and outside the UCB’s network. Data must be protected at rest (using encryption) and in transit (using secure protocols like AD/SAML). 
  • Outsourcing of Information Technology Services (Master Directions): The RBI’s Outsourcing of IT Services Directions, 2023, provides guidelines for outsourcing arrangements. It emphasizes the need for robust security controls when engaging third-party vendors including access control measures like MFA. 

Overcoming the Challenges of Securing the Extended Bank 

The sum of the cyber threats and the risk of regulatory non-compliance presents a tricky situation for banks and vendors alike. Even if vendors attempt to build MFA into these legacy applications, it is a time-consuming project and since these applications are in production, banks are often skeptical about making any changes to these applications. 

To deal with these issues, many financial service institutions issue separate devices/laptops to third-party employees. While this does secure the access environment across critical applications and data, it adds significantly to the overheads of management and maintenance. Moreover, delays in enabling access can lead to loss of productivity of vendors and unwanted expenses for the bank. This is where a trusted strategic technology partner, like Accops, can help secure the extended bank while significantly bringing down associated overheads. 

Accops solutions are tailor-made to address the most pressing concerns around third-party vendor access in the modern context. The Accops Digital Workspace product suite, with ZTNA access (Accops HySecure), VDI brokering (Accops HyWorks), and MFA (HyID) features, helps organizations set up a secure remote access platform. The comprehensive DLP and endpoint control features ensure that there are no data breaches.

Using Accops’ solution, banks can enable:  

  • A virtual workspace (Windows/Linux-based) that has the required applications/resources that vendor employees/contractors need.  
  • MFA to ensure authenticated access.  
  • Vendors to work using their own/their employer-provisioned devices with the following security controls: 
      ◦ Block screenshot and screen sharing of the VDI session when logged in from the vendor device 
      ◦ Device-bound access to the organization network, only from approved devices 
      ◦ Perform a host scan to assess the posture of the vendor/contractor device before granting access, to ensure compliance with baseline security requirements 
      ◦ Watermark within the VDI session with the username, hostname, etc. 
      ◦ Block copy-paste/download of data from the virtual workspace  
      ◦ Lock down the vendor device to kiosk mode, where the vendor employee is allowed to access only the VDI when logged in.  
      ◦ Allow access only from whitelisted IP locations (e.g., approved vendor office premises) 

All the policies listed above are applied on demand, which means they take effect only when the vendor logs into the organization’s network. When the vendor signs out of the network, the policies are no longer applied, so vendors can use their devices for work outside the bank’s scope. 

Moreover, for legacy applications, Accops provides a secure access gateway placed inline during application access. This ensures that field agents’ access to the application happens only through the gateway. At the time of login through the gateway, MFA is prompted, which the field agents must complete before login to the application is finished.  

For more modern applications that support protocols like SAML or if the application is integrated into Active Directory, Accops provides third-party employees with the option to directly access the applications. At the time of logging into the applications, Accops MFA will be prompted. 

Accops can also enforce additional contextual policy checks at the time of login, which can include any or all of the following depending upon the customer’s requirement: 

  • Check geolocation of the field agent and allow or deny access based on geolocation  
  • Check device posture like browser type, browser ID, and device OS of the field agent and allow or deny login if any of these parameters have changed from the previous login.  
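The two contextual checks above, together with the whitelisted-IP control listed earlier, amount to a per-login policy decision. The following is an added illustration of such a decision function, not Accops code: it evaluates a login request against an IP allowlist, a country allowlist and the device posture recorded at the previous successful login, and denies with audit reasons on any drift. All networks, countries and posture values are constructed sample data.

```python
"""Contextual access-policy evaluation for third-party logins.

Constructed illustration (not Accops code): every login request is
checked against an IP allowlist, a country allowlist and the device
posture recorded at the previous successful login. Any drift in the
posture attributes denies the login and records the reason for audit.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Posture attributes compared against the previous login (from the page)
POSTURE_KEYS = ("browser_type", "browser_id", "device_os")

@dataclass
class Policy:
    allowed_networks: list          # approved vendor office egress ranges
    allowed_countries: set          # permitted geolocations
    require_stable_posture: bool = True

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # audit trail of denials

def evaluate_login(policy, request, last_posture):
    """Return a Decision; `request` carries ip, country and posture,
    `last_posture` is the posture dict from the previous login (or None)."""
    reasons = []
    src = ip_address(request["ip"])
    if not any(src in ip_network(n) for n in policy.allowed_networks):
        reasons.append(f"source {src} not in approved locations")
    if request["country"] not in policy.allowed_countries:
        reasons.append(f"geolocation {request['country']} not permitted")
    if policy.require_stable_posture and last_posture is not None:
        for key in POSTURE_KEYS:
            if request["posture"].get(key) != last_posture.get(key):
                reasons.append(f"{key} changed since previous login")
    return Decision(allowed=not reasons, reasons=reasons)

# Constructed sample data (203.0.113.0/24 is a documentation range)
VENDOR_POLICY = Policy(allowed_networks=["203.0.113.0/24"], allowed_countries={"IN"})
LAST_POSTURE = {"browser_type": "Chrome", "browser_id": "agent-7f3a", "device_os": "Windows 11"}

def example_ok():
    req = {"ip": "203.0.113.25", "country": "IN", "posture": dict(LAST_POSTURE)}
    return evaluate_login(VENDOR_POLICY, req, LAST_POSTURE)

def example_drift():
    # Same agent, but from an unapproved network and a different OS
    req = {"ip": "198.51.100.9", "country": "IN",
           "posture": dict(LAST_POSTURE, device_os="Ubuntu 22.04")}
    return evaluate_login(VENDOR_POLICY, req, LAST_POSTURE)
```

In practice the stored posture would be updated only after a successful login, so a denied attempt never becomes the new baseline.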

There are layers of nuance to ensuring security in the BFSI sector. Accops helps banks and financial institutions achieve this without incurring avoidable costs. Reach out to us at contact@accops.com to learn how Accops can help your organization.