How can banking become better protected? What measures can help to turn the tables on rogue actors and bring stability to the finance world? Are neobanks at the greatest risk?
To explore these issues, Digital Journal spoke with Bill Mann, CEO of Styra.
Digital Journal: Please introduce yourself and your company
Bill Mann: My name is Bill Mann and I am the CEO at Styra. We are the founders of Open Policy Agent (OPA) and leaders in cloud-native authorization. We built Styra Declarative Authorization Service (DAS) as a management plane for OPA to provide cloud and DevOps teams with a unified platform for authorization to mitigate risk, reduce human error and accelerate their own platform development.
DJ: Why is there increased consumer attention to banks’ security measures?
Mann: There is increased attention to banks’ security measures because there is more information at consumers’ fingertips than ever before. These consumers are more educated and more in-tune with the pitfalls and risks that come with digital tools and services. Additionally, privacy is more top of mind for everyone globally than it was previously. Consumers want to know how their information is being used and protected by all of the organizations they interact with.
DJ: Is this increase in concern based solely on neobanks or are there concerns with incumbent banks as well?
Mann: Consumers used to trust banks more back when they did business in-person. Now with neobanks and online services from traditional banks, consumers are more cautious. With everything online, consumers are wary about how much they should trust these banks. They know that there is more room for breaches and for information to be compromised or shared with another entity. The more internet-like banking becomes, the more consumers will be cautious. These consumers have seen other internet services fall victim to hacks and breaches so they know what malicious actors are capable of.
DJ: Is there a growing need for authorization? Why?
Mann: Yes, there is certainly a growing need for authorization. Banks are complex software houses with a lot of components and they are going through a major modernization at the moment because of the growing use of cloud and mobile services. Because of this, banks, like all other industries, have been busy spending time on authentication. While this adds a level of security when users log into accounts, authorization adds an additional layer and determines which users and services have access to certain information and tasks.
Currently, banks are at the forefront of solving authorization on the back-end of their apps. We’ve seen a lot of discussions around entitlement management, which is a use case for authorization. It determines what a service can do and why as well as what a service or user is entitled to.
These are big discussions within banks because they have been solving these problems with proprietary systems and now they are trying to solve it in the modern stack, which is highly complex and has a diverse set of technology. Because it’s more complicated with hundreds of components and millions of decisions within applications, banks need authorization to enhance security and compliance while providing top-notch user experiences.
DJ: Why is it important for banks to tighten security?
Mann: It’s important for banks to tighten security because today’s consumer is able to switch banks more easily. If a customer does not trust their current bank, they will move to one that they trust more.
We’ve seen this with younger generations migrating to new social media sites based on what their preferences are. Because these younger generations are looking for a banking experience that suits their wants and needs, banks must market new modern features while ensuring that security is top-notch.
DJ: How can banks build consumer trust? Why is it important for banks to build consumer trust?
Mann: To build consumer trust, banks need to be forward in their communication around security as well as when there are mishaps in their organizations. We know that consumers are looking for banks who are transparent about security, so banks need to share how they are handling privacy in layman’s terms and blend security into their offerings. By building secure products and communicating services to consumers along the way to show that it is secure, such as during a money transfer in a mobile app, consumers will trust these banks more.
It’s important for banks to build this consumer trust because if they don’t, customers will no longer be loyal to them and will move their money elsewhere.
DJ: How does Open Policy Agent assist banks in addressing compliance and regulation with security?
Mann: Open Policy Agent assists banks in addressing compliance and regulation with security by providing core capabilities to decouple authorization and policy from the system that need to have authorization. Removing policy decision services from the application and having a dedicated service that can provide policy information and centralizing it, brings multiple advantages to an organization.
The first advantage is that policy definition can be left to a smaller part of the organization, which is more in-tune with compliance and regulation versus leaving it to developers in the organization to define these policies.
The second advantage is that within applications, there are a lot of policy decisions. These application developers know about their application and service but they don’t always know security. So, decoupling allows the application developer and platform engineers to delegate the decision and policy to security and compliance teams in the organization. That decoupling is the fundamental reason why Styra and OPA can help banks.
For example, in the past, app developers were burdened with authentication. They would have to write code to accept authentication credentials and then they’d compare those credentials to those stored in a database. Authentication vendors have removed this burden for applications developers with SDKs and pre-built screens to streamline the process of adding authentication into their applications.
After the authentication comes to authorization. As the application developer, you would have to determine if the specific user can see the bank transfer or are they allowed to create a foreign wire transfer. All of this logic had to be done by the developer. To streamline the process in the new world, the developer would call a service and ask if the specific user is allowed to set up a wire transfer with a foreign bank. The service would take the information and say yes or no. The developer would respond based on the answer they got. That’s the decoupling that’s necessary, especially as new compliance regulations are put in order.
DJ: What do you think the future holds? Any final thoughts?
Mann: In the near future, banks will have a center of excellence for defining policy across applications, which will be segregated away from the developer teams. This will speed up application innovation because developers will not be held back by authorization and entitlement decisions. The banking industry has already learned a lot when it comes to building the new generation of apps that focus on security and using common services. Authorization is just the next logical step.
