The 5 Pillars of Good Solution Architecture: Security


By Sergio Barbosa (CIO - Global Kinetic)


A lot of fanfare has been made about the Twelve-Factor App methodology and how it is becoming the best way to approach building a SaaS-based application that makes use of microservices.  I am one of those fans.  When designing a new solution, or upgrading an existing one, having a simple set of guiding principles can be invaluable, as can a clear set of non-functional requirements.  But the Twelve-Factor App methodology speaks a lot to the “how” and not to the “what”.  I may very well build a solution that adheres to all Twelve Factors and still fail to meet the non-functional requirements of the desired solution.  By definition, I would have delivered a bad Solution Architecture.

Every good Solution Architecture should have a plan for the following 5 things, within which non-functional requirements can be grouped and addressed:

  1. Security
  2. Performance and Scalability
  3. Availability and Recoverability
  4. Efficiency of Operations
  5. Cost

Let's take a look at each of these areas one by one:

 

Security

Designing for Security requires a “Defence in Depth” approach: layer independent controls so that the failure of any single control does not expose your data.  Combined with a Zero Trust model, this means that the solution should be continually validating trust as it executes code and accesses system resources, and should not make any assumptions about the privileges that the user or system account executing code and accessing system resources has.  Trust should be validated at each layer in the solution stack, from the physical layer, through the perimeter and network, all the way down to the compute, application, and data layers.

Be explicit about the requirements at each layer, i.e. what the Authentication rules (which user accounts exist and how they authenticate themselves) and the Authorization rules (what those accounts have access to) are at each layer.  There are many tools that can be leveraged to implement and manage these rules so that you do not have to write this code from scratch.  Most of these tools implement widely accepted standards and best practices, so make use of those.  Identity Management systems like Keycloak implement the OpenID Connect standard, provide single sign-on capabilities, and can be extended to support multi-factor authentication very easily.
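To make the authentication and authorization rules at the application layer concrete, here is an added example in Python that is not part of the original post. It verifies an OpenID Connect-style bearer token (signature, pinned algorithm, issuer, audience and expiry) and only then applies an explicit, deny-by-default role map. The issuer URL, audience, shared secret and role table are constructed for the example, and the token is HS256-signed with a shared secret purely so that the block is self-contained; a Keycloak realm signs tokens with RS256 and publishes its public keys at the realm's JWKS endpoint, which is what a service should verify against in production.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values (not from the article): a demo realm, the audience this API
# expects, and a shared secret. HS256 is used only so the block is self-
# contained; a Keycloak realm signs with RS256 and publishes its public keys
# at the realm's JWKS endpoint, which is what a service verifies against.
SHARED_SECRET = b"demo-secret-do-not-use-in-production"
EXPECTED_ISSUER = "https://id.example.test/realms/demo"
EXPECTED_AUDIENCE = "accounts-api"

# Explicit authorization rules for the application layer: which roles may
# perform which action on which resource. Anything not listed is denied.
AUTHZ_RULES = {
    ("accounts", "read"): {"teller", "manager"},
    ("accounts", "write"): {"manager"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 JWT; stands in for the identity provider in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None, secret: bytes = SHARED_SECRET) -> dict:
    """Authentication: signature, pinned algorithm, issuer, audience and expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Check the signature before trusting a single claim; constant-time compare.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise PermissionError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise PermissionError("expired")
    return claims


def authorize(claims: dict, resource: str, action: str) -> bool:
    """Authorization is a separate decision from authentication: deny by default."""
    allowed = AUTHZ_RULES.get((resource, action), set())
    return any(role in allowed for role in claims.get("roles", []))


def handle_request(token: str, resource: str, action: str, now=None) -> str:
    """One request through the application layer; returns the outcome label."""
    try:
        claims = verify_token(token, now=now)
    except PermissionError as exc:
        return f"401 {exc}"
    if not authorize(claims, resource, action):
        return "403 forbidden"
    return f"200 {claims['sub']} may {action} {resource}"


# Constructed sample tokens against a fixed clock so the results are reproducible.
NOW = 1_700_000_000
teller = issue_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
                      "roles": ["teller"], "exp": NOW + 300})
expired = issue_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "bob",
                       "roles": ["manager"], "exp": NOW - 1})
# Attacker keeps alice's signature but rewrites the payload to claim the manager role.
_hdr, _, _sig = teller.split(".")
_escalated = _b64url_encode(json.dumps({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                                        "sub": "alice", "roles": ["manager"],
                                        "exp": NOW + 300}).encode())
forged = f"{_hdr}.{_escalated}.{_sig}"

if __name__ == "__main__":
    for label, tok, action in [("teller read", teller, "read"), ("teller write", teller, "write"),
                               ("expired", expired, "read"), ("forged", forged, "read")]:
        print(f"{label:12} -> {handle_request(tok, 'accounts', action, now=NOW)}")
```

The four sample requests show why the two checks are kept separate: a valid token presented for an action its role does not permit is a 403, not a 401, and a payload edited to claim a better role fails the signature check before any claim is read. Issuer, audience and expiry are checked explicitly because a token that is perfectly valid for another service in the same realm is not a credential for this one.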

 
Figure 1: Defense in Depth
 

Security is ultimately about data, and it needs to be clear at each layer which property of your data you are protecting.  There are three, Confidentiality, Integrity and Availability, commonly referred to as the CIA triad.  At the data layer, for example, encrypting data at rest preserves the Confidentiality of the data, while integrity checks such as message authentication codes, digital signatures or checksums, together with strict write permissions, preserve its Integrity (encryption on its own does not detect tampering).  At the perimeter layer, for example, you would have a requirement to prevent DDoS attacks to preserve the Availability of the data.  And at the physical layer, for example, you would have a requirement to implement biometrics as an additional authentication factor for access to the facility or hardware, to preserve the Confidentiality of the data.
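The reason encryption at rest buys Confidentiality but not Integrity is easiest to see in code. The following is an added example, not from the original article, and it uses a deliberately toy stream cipher built from HMAC-SHA256 in counter mode so that it runs with the Python standard library alone; the keys, the nonce and the `amount=...` record are constructed for the demonstration. Do not reuse the cipher: in practice use a vetted AEAD mode such as AES-GCM or ChaCha20-Poly1305, which bundles exactly the encrypt-then-MAC protection shown here.

```python
import hashlib
import hmac

# Toy construction for illustration only: the keystream is HMAC-SHA256 run in
# counter mode, XORed with the plaintext. Keys, nonce and the record below are
# constructed for the demo. Use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) in
# real systems; this block exists to show why the integrity tag matters.
ENC_KEY = hashlib.sha256(b"demo encryption key").digest()   # would come from a KMS/HSM
MAC_KEY = hashlib.sha256(b"demo mac key").digest()          # separate key for the tag
NONCE = bytes(range(16))                                    # fixed here; unique per record in practice
RECORD = b"amount=0100;to=alice"                            # constructed sample record


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Nothing here detects changes."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return encrypt(key, nonce, ciphertext)   # XOR is its own inverse


def tamper(ciphertext: bytes, index: int, old: str, new: str) -> bytes:
    """Bit-flip attack: whoever can write to storage changes one plaintext byte
    without knowing any key, needing only the record layout."""
    ct = bytearray(ciphertext)
    ct[index] ^= ord(old) ^ ord(new)
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, adding Integrity."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting anything; reject on mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return decrypt(enc_key, nonce, ct)


def demo_encryption_only() -> bytes:
    """Encryption at rest alone: the flipped byte decrypts 'cleanly' to a new amount."""
    ct = tamper(encrypt(ENC_KEY, NONCE, RECORD), index=7, old="0", new="9")
    return decrypt(ENC_KEY, NONCE, ct)


def demo_encrypt_then_mac() -> str:
    """Same flip against the sealed record: the tag check fails before decryption."""
    blob = seal(ENC_KEY, MAC_KEY, NONCE, RECORD)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    try:
        open_sealed(ENC_KEY, MAC_KEY, nonce + tamper(ct, 7, "0", "9") + tag)
        return "tampering undetected"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("encryption only :", demo_encryption_only())
    print("encrypt-then-MAC:", demo_encrypt_then_mac())
```

An attacker who can write to the storage volume but holds no key still turns a 0100 transfer into 9100 in the first case, and the decryption reports nothing wrong. The same bit flip is rejected in the second case because the HMAC tag, keyed separately from the encryption key, is checked before anything is decrypted. That is the distinction between a Confidentiality control and an Integrity control at the data layer.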

At any point in time, the data generated and managed by your solution is either at rest or in transit on some piece of hardware infrastructure.  That means you need to protect the infrastructure your solution is deployed to, apply the best network security you can, and use well-vetted, standard encryption algorithms correctly.  In terms of infrastructure, make sure that all access to the underlying infrastructure goes through Identity and Access Management with role-based permissions, and that you have adequate failover (more on this later) in place.  For network security, implement DDoS protection, firewalls, gateways and load balancers, constantly monitor traffic, and limit resource exposure and access via IP address, port and protocol restrictions.  Be especially careful when deploying microservices to orchestration systems like Kubernetes, and do not assume anything about the execution privileges inside a cluster: state security contexts, least-privilege service accounts and network policies explicitly rather than relying on the defaults.  Encrypt data in transit and at rest, and be explicit about the encryption algorithms you are using and how you are using them.  Encryption is a massive topic that cannot be done justice in a small paragraph, but pay particular attention to symmetric vs asymmetric techniques, to the difference between encryption (reversible with the key, for confidentiality) and hashing (one-way, for integrity checks and password storage), and to the fact that encryption without an integrity check does not stop tampering.  Classify data as Public, Private or Restricted, make sure that Private and Restricted data is always encrypted at rest and in transit, and make sure that Restricted data can only be accessed by the owner of the data (as required by regulations such as POPIA, PCI DSS and GDPR).
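The classification rule, the perimeter port restrictions and the warning about execution privileges inside a cluster can all be turned into one check that runs against a service catalogue or infrastructure-as-code before deployment. The Python below is an added example, not tooling from the article; the descriptor fields (`classification`, `encrypted_at_rest`, `owner_only_access`, the pod security keys and the allowed-port list) are names chosen for the example, and the two services are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Controls the article requires per classification, made explicit. Field names
# are this example's own assumptions; map them onto your IaC or service catalogue.
REQUIRED_CONTROLS = {
    "Public": {},
    "Private": {"encrypted_at_rest": True, "tls_in_transit": True},
    "Restricted": {"encrypted_at_rest": True, "tls_in_transit": True, "owner_only_access": True},
}

# Execution privileges that must be stated, not assumed, inside a cluster. Keys
# mirror Kubernetes pod-spec and securityContext fields; several of them default
# to the unsafe value when left unset, so "missing" is treated as a finding.
POD_BASELINE = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "hostNetwork": False,
    "automountServiceAccountToken": False,
}

PERIMETER_ALLOWED_PORTS = (443,)   # assumption: only TLS reaches the load balancer


@dataclass
class ServiceDescriptor:
    name: str
    classification: str
    controls: Dict[str, bool]
    pod_security: Dict[str, bool] = field(default_factory=dict)
    exposed_ports: List[int] = field(default_factory=list)


def check_data_controls(svc: ServiceDescriptor) -> List[str]:
    """Data layer: every control the classification demands must be present and on."""
    required = REQUIRED_CONTROLS.get(svc.classification)
    if required is None:
        return [f"{svc.name}: unknown classification {svc.classification!r}"]
    return [f"{svc.name}: {svc.classification} data requires {control}={expected}"
            for control, expected in required.items()
            if svc.controls.get(control) != expected]


def check_pod_security(svc: ServiceDescriptor) -> List[str]:
    """Compute layer: an unset field counts as a finding, not as 'safe by default'."""
    return [f"{svc.name}: {setting} must be {expected}, found {svc.pod_security.get(setting)}"
            for setting, expected in POD_BASELINE.items()
            if svc.pod_security.get(setting) != expected]


def check_exposure(svc: ServiceDescriptor) -> List[str]:
    """Perimeter layer: anything beyond the allowed ports is a finding."""
    return [f"{svc.name}: port {port} exposed at the perimeter; only {PERIMETER_ALLOWED_PORTS} allowed"
            for port in svc.exposed_ports if port not in PERIMETER_ALLOWED_PORTS]


def audit(services: List[ServiceDescriptor]) -> Dict[str, List[str]]:
    """Findings per service; an empty list means the descriptor meets the baseline."""
    return {svc.name: check_data_controls(svc) + check_pod_security(svc) + check_exposure(svc)
            for svc in services}


# Constructed sample services: one compliant, one with a finding at each layer.
SAMPLE_SERVICES = [
    ServiceDescriptor("marketing-site", "Public", {}, pod_security=dict(POD_BASELINE),
                      exposed_ports=[443]),
    ServiceDescriptor("card-vault", "Restricted",
                      {"encrypted_at_rest": True, "tls_in_transit": True, "owner_only_access": False},
                      pod_security={"privileged": False, "allowPrivilegeEscalation": False,
                                    "hostNetwork": False, "automountServiceAccountToken": False},
                      exposed_ports=[443, 8080]),
]


def run_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_SERVICES)


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The card-vault service fails once per layer: Restricted data without owner-only access, a pod that never states `runAsNonRoot` (so it is silently allowed to run as root), and a second port open at the perimeter. Encoding the rules this way also answers the "be explicit" point above: the baseline is a reviewable artefact rather than something each team remembers differently.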

 

Figure 2: CIA of Data

As the last point on Security, none of the above can be effective if you do not have a security mindset when developing the solution.  Some refer to this as a 'culture of security' within dev teams and organizations.  This means that at every stage in the development of your solution you are validating the solution against your security requirements: initially with core security training when onboarding developers into your teams, and then, while developing each feature of your solution, evaluating the impact of the solution's security requirements on that feature.  Design for these security requirements using threat modelling and attack surface analysis, implement the code according to them, verify that the implementation meets the success criteria, release the feature after a final security review with an incident response plan in place, and then implement feedback loops from the monitoring data in your production environment.  This is the Security Development Lifecycle, and the most important plan you need in place to meet the non-functional requirements grouped in the Security pillar.


Figure 3: Security Development Life Cycle

In summary, it is useful with each of these pillars to have a baseline or standard that you work from and then evolve and improve. In the next post we take a look at the second pillar, Performance and Scalability, so stay tuned...

 

OnlyID wins American Business Awards

American Business Award Winners

May 2018

OnlyID, a digital authentication solution that helps protect consumers’ identities and allows them to make transactions across multiple online accounts securely, has won Gold at the 2018 American Business Awards for New Product or Service of the Year - Software - FinTech Solution.
“The product is a joint development effort between FIS and Global Kinetic, and we are incredibly proud to be involved with such a hugely successful project and to be working with the incredible individuals at FIS across the United States,” said Sergio Barbosa, CIO, Global Kinetic.

What is OnlyID

FIS and Equifax jointly created OnlyID™ in conjunction with Global Kinetic developers. OnlyID is a digital authentication solution that helps protect consumers’ identities and allows them to make transactions across multiple online accounts securely.

Without the need for passwords, consumers can access OnlyID with a single registered identity through their preferred financial institutions and e-retailers that have joined the OnlyID Network. This provides an easier way to access online accounts and protect personal information. OnlyID is a network comprised of financial institutions, businesses, and retailers. Once your identity is established in the network, you use OnlyID to sign in to participating accounts and conduct transactions. Using a chosen digital device, you create your personal identity in an easy step-by-step process.

Once your OnlyID account is established, that’s it. A simple, one-step authentication performed in real time allows you to access your accounts in the OnlyID network, creating a more convenient, more secure experience. The OnlyID Network consists of authenticated consumers who use a universal digital representation of their identity to interact with businesses in the network.

Award winning Digital Authentication Solution:

https://stevieawards.com/aba/2018-new-product-awards

OnlyID has proved a success thus far, winning two Gold awards in different categories at the 2018 American Business Awards: one for FinTech Solution and the second for Marketing Kit.

The two winning categories are listed below:

Congratulations to all involved in the project, including FIS and Equifax. The creation of this innovative product would not have been possible without the contributions of the different parties working on the project. Their combined skills and knowledge allowed this successful project to earn the attention and awards of the American Business Awards 2018. The product is also a possible solution to the pressing modern issue of securing digital identities.

About FIS
FIS is a global leader in financial services technology, with a focus on retail and institutional banking, payments, asset and wealth management, risk and compliance, consulting, and outsourcing solutions. Through the depth and breadth of our solutions portfolio, global capabilities and domain expertise, FIS serves more than 20,000 clients in over 130 countries. Headquartered in Jacksonville, Fla., FIS employs more than 53,000 people worldwide and holds leadership positions in payment processing, financial software and banking solutions. Providing software, services and outsourcing of the technology that empowers the financial world, FIS is a Fortune 500 company and is a member of Standard & Poor’s 500® Index. For more information about FIS, visit www.fisglobal.com.

About Equifax
Equifax is a global information solutions company that uses trusted unique data, innovative analytics, technology and industry expertise to power organizations and individuals around the world by transforming knowledge into insights that help make more informed business and personal decisions. The company organizes, assimilates and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide, and its database includes employee data contributed from more than 7,100 employers.

Headquartered in Atlanta, Ga., Equifax operates or has investments in 24 countries in North America, Central and South America, Europe and the Asia Pacific region. It is a member of Standard & Poor’s (S&P) 500® Index, and its common stock is traded on the New York Stock Exchange (NYSE) under the symbol EFX. Equifax employs approximately 9,900 employees worldwide.

About Global Kinetic
Global Kinetic is a leading software engineering company with a team of over 100 tech-savvy and inspired developers, engineers, designers and creatives. This group of highly fuelled people work together at Global Kinetic to spearhead and develop brilliant products, including some that seriously disrupt the market. One of the coolest places to work, this company has the nicest people creating amazing apps and products, which they do with flair and sheer professionalism, mixed with a dash of fun. Steeped in expertise*, they designed and created the world’s first fully immersive gamified children’s mobile banking app in Unity for Standard Bank as one example; in another they designed and developed PayToday, the Venmo for Southern Africa. They’ve built slick and powerful mobile banking experiences for Old Mutual, Bidvest Bank and many more. They have great offices in Century City, as well as in Palo Alto in the US. For more information, visit www.globalkinetic.com

*Global Kinetic (GK) provides enterprise solution engineering services and has capability across the application stack, predominantly .NET Core, Java or Scala deployed to Azure, AWS or physical infrastructure on the enterprise side, and native or hybrid technologies on the mobile side for Apple, Android and Windows Phone. Global Kinetic is an evangelist of agile development methodologies, implementing SCRUM on customer projects, and provides professional services around delivery, quality assurance, test automation, requirements gathering, analysis, UX/UI design and architecture.

LendIt FinTech Conference: FutureBank and Connekt

FUTUREBANK DIGITAL AND API BANKING PLATFORM INTEGRATES ENTERSEKT’S SECURE CONNEKT PAYMENT FUNCTIONALITY AT LENDIT FINTECH USA 2018

Global Kinetic team up again with their security partners and industry leaders Entersekt to make FutureBank a leading digital banking platform with additional payment features

PALO ALTO - April 9 – Global Kinetic will announce at LendIt Fintech USA, the world’s leading event in financial services innovation, that it will be integrating Entersekt’s Connekt functionality into the FutureBank platform. FutureBank’s unique ability to abstract the complexities in legacy core banking systems and customize digital channels through its technology platform helps banks and disruptive FinTech companies work together more efficiently.

The growing digital banking market in the US has become vulnerable as consumers are frustrated by poorly designed mobile apps that often have weak security implementations and limited payment functionality. The FutureBank platform can now offer converged payment acceptance through Connekt.

Entersekt, an industry leader in mobile authentication and security, and Global Kinetic, the development partner behind FutureBank, are experts in creating mobile and enterprise solutions, particularly for banking systems. This makes it an ideal strategic partnership to innovate and improve FutureBank using the payment services provided by Connekt.

Connekt Functionality

Global Kinetic concluded agreements with Entersekt last year to embed Entersekt's technology into the FutureBank platform, allowing it to support out-of-band unique device registration and soft-token generation for securing online channels. Connekt leverages this technology for digital commerce enablement and includes features such as HCE wallets for tap to pay, a QR-based scanner to enable payments, and 3-D Secure 1.0 and 2.0. FutureBank will now be able to offer these capabilities through the platform that directly integrates with popular core banking systems.

FutureBank is diverse in its capabilities as a digital and API banking platform. Users are able to manage their cards, bank accounts as well as beneficiaries across multiple core banking systems, from one single dashboard - hence the focus on security, authentication and being compliant with regulations.

“Our platform is designed to make it easier for banks to integrate emerging FinTech into their ecosystems.  Having the ability to offer banks a converged payment capability directly from within the FutureBank platform is incredibly valuable to our customers,” said Sergio Barbosa, Chief Information Officer of Global Kinetic.

LendIt Fintech USA, a gathering of more than 6,000 industry professionals in San Francisco, showcases the leaders in innovation across financial services including the digital banking, fintech, blockchain and lending industries.

For more information about FutureBank, visit https://getfuturebank.com/

Coupon code for LendIt:

We would appreciate seeing you at the event and therefore would like to invite you and your colleagues to join us. We have a coupon code to save you 15% off your initial ticket price - see the code below and register at lendit.com/usa:

"FutureBankPlatform15%"


About LendIt Fintech

LendIt Fintech is a recognized global internet finance industry leader, founded in New York in 2013. Its aim is to gather industry elites to discuss and explore latest trends in the development of international financial technology. LendIt Fintech has become the largest event in financial services innovation as it hosts three annual conferences, LendIt Fintech USA, LendIt Fintech Europe, and Lang Di Fintech, and dozens of complementary online and in-person industry events. LendIt also owns and operates one of the world’s leading industry educational channels, Lend Academy.

For more information, tickets and sponsorship opportunities, please visit www.lendit.com.