The Banked philosophy on security
Banked operates on a secure-by-design principle that adapts to your security framework. By this we mean that we handle your requests with all the security bells and whistles, such as encryption in transit and at rest with FIPS 140-2 Level 3 compliant Hardware Security Modules (HSMs) for key management, and we also offer additional controls where an elevated security model is required.
A high-level overview is given in the table below; for a deeper look at some of these categories, see the subsections that follow.
Control | Description | Status |
---|---|---|
HTTPS | Encryption in transit, with Transport Layer Security (TLS) 1.2+ | <i>always on</i> :white_check_mark: |
Block encryption | Encryption at rest, with AES-256 + modern ciphers | <i>always on</i> :white_check_mark: |
Authorisation | Banked supports the OAuth2 protocol for authorisation, <br> as well as HTTP Basic for legacy setups | <i>always on</i> :white_check_mark: |
Firewall | Typically layer-4 and layer-7 Web Application Firewall (WAF) <br> for OWASP Top 10 rulesets and rate-limiting | <i>always on</i> :white_check_mark: |
mTLS | Client authentication / mutual certificate authentication <br> between client and server | <i>on request</i> :closed_lock_with_key: |
FLER | Field level encryption & redaction (FLER) using HSM-backed PKI | <i>on request</i> :closed_lock_with_key: |
For a client authentication setup, redaction, or field level encryption at the request/response level, please get in touch with us at support@banked.com.
Encryption in Transit
```
┌───────────┐ TLS1.2+(HTTPS) ┌──────────┐
│  Client   │──────────────► │  lb-ext  │    • TLS 1.2 is bi-directional with mTLS
└───────────┘                └─────┬────┘
                                   │
        ┌─────────────┐      ┌─────▼────┐    • Interservice communication is always
        │  service-a  │◄┐    │    GW    │      mTLS in cluster
        └─────────────┘ │    └─────┬────┘
                        mTLS───────┘
        ┌─────────────┐ │
        │  service-b  │◄┘
        └─────────────┘
```
All client requests to Banked's APIs must use HTTPS. Clients are expected to validate the server certificate, including its expiry and, in some cases, the issuing certificate authority.
Banked also supports an architectural implementation of client authentication, also known as Mutual TLS (mTLS), whereby certificate validation is handled by both parties. Please get in touch for options if that's something your organisation requires.
Irrespective of external requirements like mTLS, Banked's internal communication between services is always mutually authenticated, ensuring confidentiality in-cluster.
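The client-side checks described above (TLS 1.2+, certificate expiry, optional issuer restriction, optional client certificate for mTLS) can be expressed as follows. This is an added example, not Banked's own code; the file paths, the issuer name and the sample certificate dict are assumptions constructed for illustration.

```python
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert(); not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA R1"),)),
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}

def build_client_context(ca_file=None, client_cert=None, client_key=None):
    """Client context: TLS 1.2+, with chain, expiry and hostname checks enforced."""
    # ca_file (hypothetical path) narrows the trust anchors to one CA bundle.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Already the defaults; set explicitly so a weakening edit stands out in review.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        # mTLS: present a client certificate (hypothetical file paths).
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx

def issuer_org(peercert):
    """Return the issuer organizationName from a getpeercert() dict, or None."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def issuer_allowed(peercert, allowed_orgs):
    """Policy check on top of a chain the handshake has already validated."""
    return issuer_org(peercert) in allowed_orgs

def days_until_expiry(peercert, now_epoch):
    """Whole days left before notAfter; useful for renewal alerting."""
    return int((ssl.cert_time_to_seconds(peercert["notAfter"]) - now_epoch) // 86400)
```

The handshake itself rejects an expired or untrusted certificate; `issuer_allowed` and `days_until_expiry` are meant to run on the `getpeercert()` result of a connection made with this context.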
Encryption at Rest
Banked's systems use various persistent storage mediums including encrypted buckets, SQL databases and archive storage, all of which are encrypted using AES-256 symmetric key encryption.
```
┌───────────┐                         ╔════════════════╗                      ┌ HSM keys are always
│ service-a │─────TLS────────┐   ┌───►║SQL databases   ║──┐                   │ generated in the HSM
└───────────┘               ┌┴┐  │    ╚════════════════╝  │   ╔═══KMS/HSM══•──┤
┌───────────┐               │A│  │    ╔════════════════╗  └──►║            ║  │
│ service-b ├─────TLS───────┤P│──────►║Cloud buckets   ║─────►║ FIPS 140-2 ║  │
└───────────┘               │I│  │    ╚════════════════╝  ┌──►║  Level 3   ║  └ HSM keys never leave
┌───────────┐               └┬┘  │    ╔════════════════╗  │   ╚════════════╝    the HSM
│ service-c ├─────TLS────────┘   └───►║Dataflow streams║──┘
└───────────┘                         ╚════════════════╝
```
The Banked Security Ecosystem
All these components are underpinned by strong security guarantees: a Layer-7 WAF and rate limiting at the application layer, and a hardened operating system kernel at the compute layer, with extensive security monitoring for intrusions and unwanted behaviour.
PSD2
The second Payment Service Directive (or PSD2) increases security and encryption standards. Banked doesn't do "screen scraping" or API reverse engineering. We follow the Strong Customer Authentication (SCA) approach, and only use open/public APIs that are PSD2 compliant.
Validation
Our information security programme, as well as the security architecture and infrastructure that underpin our services, is regularly assessed by some of the largest banks on the planet. They go through rigorous auditing for weaknesses and exposures, as well as for alignment with some of the strongest security design principles in the financial industry.
And the beauty of all of this is that Banked handles a lot of this complexity for you so client implementations can remain as simple as possible.