Securing APIs in FinTech: A Case Study of Finastra
Finastra, which describes itself as one of the world's three largest FinTech companies, faced significant challenges in securing its APIs. APIs form the core of Finastra's service, connecting banks with FinTech services. API security has become increasingly complex, with attacks on the rise and traditional application security tools (WAFs, gateways, static scanners) failing to provide adequate protection on their own. Over the period covered by the case study, Finastra's API traffic grew by 51%, while malicious API traffic increased by 211%. Attackers have realized that APIs now front business-critical services and carry an increasing amount of sensitive data, and have shifted their focus accordingly. Finastra faced both internal and regulatory pressure to secure its APIs. The company needed a solution that could prevent account takeovers, identify abnormal behavior, and distinguish benign anomalies (for example, an endpoint that changed because developers shipped a new version) from genuinely malicious traffic, so that routine change does not generate the same alerts as an attack.
Finastra's customers are banks, credit unions, and other large financial institutions. These customers have extremely high standards for security, which Finastra must meet. The company's open and collaborative developer platform, FusionFabric.cloud, allows these financial institutions to connect with third-party financial solutions. Finastra's API security solution not only needed to protect its own services but also add value to its customers and its ecosystem of third-party FinTechs. The company's approach to API security involves developers during build time and security teams during runtime, with a strong emphasis on automation.
Finastra embarked on a journey to find an API security solution that could meet its requirements and add value to its customers and third-party FinTech ecosystem. The company initially attempted to solve API security with in-house tools but ultimately decided to buy a solution. Finastra selected Salt to protect its APIs. Salt's architecture provides the context needed to discover APIs, block attacks, and eliminate vulnerabilities, and it supports both runtime protection ("shift right") and build-time testing ("shift left"). Finastra integrated Salt into its CI/CD pipeline and throughout the API lifecycle. Salt's hybrid deployment model allowed Finastra to meet its data privacy requirements by keeping all sensitive request and response data inside the company's own environment, with only metadata leaving it. Salt's support for webhooks let Finastra feed findings into its existing security workflows and automate responses where appropriate.
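The two ideas the case study leans on, separating benign change from malicious behavior and pushing findings into a workflow via webhooks, are easier to reason about in code. The following is an added example and is not Finastra's or Salt's code: it triages a constructed API access log, treating an endpoint missing from the inventory as schema drift (review, don't block) while flagging one source IP spraying failed logins across many accounts as a likely account takeover, then packages a finding as an HMAC-signed webhook payload. The log format, the thresholds, the endpoint inventory and the HMAC-SHA256 signing scheme are all assumptions for illustration; Salt's actual webhook format and signature method are not described on this page.

```python
"""Behavioural API-traffic triage: benign drift vs. likely account takeover.

Added example; not code from Finastra or Salt. Log records, inventory and
thresholds are constructed for illustration.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from dataclasses import asdict, dataclass

# Constructed endpoint inventory: (api_version, route) pairs known at build time.
KNOWN_ENDPOINTS = {
    ("v1", "POST /accounts/login"),
    ("v1", "GET /accounts/{id}/balance"),
}

# Constructed access log. First two records: a new v2 endpoint developers
# shipped (benign drift). Then one IP failing logins across many accounts
# before one succeeds (account-takeover pattern). Last two: a normal user.
SAMPLE_LOG = [
    {"ip": "198.51.100.5", "ver": "v2", "route": "GET /accounts/{id}/statements", "user": "u100", "status": 200},
    {"ip": "198.51.100.6", "ver": "v2", "route": "GET /accounts/{id}/statements", "user": "u101", "status": 200},
] + [
    {"ip": "203.0.113.77", "ver": "v1", "route": "POST /accounts/login", "user": f"u{n}", "status": 401}
    for n in range(1, 7)
] + [
    {"ip": "203.0.113.77", "ver": "v1", "route": "POST /accounts/login", "user": "u7", "status": 200},
    {"ip": "198.51.100.5", "ver": "v1", "route": "POST /accounts/login", "user": "u100", "status": 401},
    {"ip": "198.51.100.5", "ver": "v1", "route": "POST /accounts/login", "user": "u100", "status": 200},
]


@dataclass
class Finding:
    kind: str      # "schema_drift" or "account_takeover"
    subject: str   # endpoint or source IP
    detail: str


def triage(records, known=KNOWN_ENDPOINTS, fail_threshold=5, min_users=5):
    """Return findings: unknown endpoints (once each) and IPs spraying logins.

    The two cases deliberately get different kinds so a workflow can route
    drift to the API owners and takeover attempts to the SOC.
    """
    findings = []
    seen_unknown = set()
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0})

    for r in records:
        key = (r["ver"], r["route"])
        if key not in known and key not in seen_unknown:
            seen_unknown.add(key)
            findings.append(Finding("schema_drift", f"{key[0]} {key[1]}",
                                    "endpoint not in inventory; review, do not block"))
        if r["route"] == "POST /accounts/login":
            stats = per_ip[r["ip"]]
            stats["users"].add(r["user"])
            if r["status"] == 401:
                stats["fails"] += 1

    # One IP with many failures spread over many distinct accounts is the
    # credential-stuffing signature; a single user mistyping a password is not.
    for ip, stats in per_ip.items():
        if stats["fails"] >= fail_threshold and len(stats["users"]) >= min_users:
            findings.append(Finding("account_takeover", ip,
                                    f"{stats['fails']} failed logins across {len(stats['users'])} accounts"))
    return findings


def webhook_payload(finding, secret: bytes):
    """Serialize a finding canonically and sign it (hypothetical scheme)."""
    body = json.dumps(asdict(finding), sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body, signature


def verify_webhook(body: bytes, signature: str, secret: bytes) -> bool:
    """Receiver-side check; constant-time compare so timing cannot leak the MAC."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        body, sig = webhook_payload(f, b"shared-webhook-secret")
        print(f.kind, f.subject, "-", f.detail, "| sig ok:", verify_webhook(body, sig, b"shared-webhook-secret"))
```

The point of the separate `kind` values is the one the case study makes: a changed API is abnormal relative to yesterday's baseline but is not an attack, and a system that cannot tell the two apart will either page the SOC for every deploy or train people to ignore alerts. The webhook receiver verifies the signature before acting on anything in the body, so a forged callback cannot trigger an automated block.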