In a recent interaction with Emmanuel Christi Das, Editor, CIOReviewIndia, Murali Nair, President-Banking, Zeta, takes us through a deeper journey across the new age digital banking systems, augmenting the growth of the BSFI sector and predicting its future.

According to you, why BFSI sector should look into the Zero Trust Model for better security measures? State some points on the overall importance of Zero Trust Model. Throw some light into what is it all about?

From a layman's perspective, zero trust model for implementing technological systems basically implies that anyone who tries to enter/use a technology system, will  need to authenticate himself/ herself before being allowed to enter the system. There will be a strict protocol around authentication which is required to be done to access any system and no exceptions are allowed. That in simple terms is the zero-trust model.

Traditionally, Banks basically have looked at security from a perimeter security perspective. If you look at all the legacy Banks in the world, they would simply focus on protecting their banking technology infrastructure from attacks that come from outside. This is analogous to Fortresses in the  old days when the Fortress used to be built to  keep invaders away through the use of moats around the fortress and its high walls. Legacy organizations used to take a similar approach towards security which in technical parlance is called Perimeter Security.

Banks accomplish this by monitoring all the data that comes in and goes out of Banking systems and presume that any activity within the bank system is generally safe. This was the historical/ traditional approach to protecting banking infrastructure given the sensitive nature of customer data and what a breach could potentially lead to.

However, increasingly what has been observed is that this approach actually does not solve for the bad actors within the Bank’s system or inherent vulnerabilities in the software used by the banks. Typically, hackers of the current day and age have penetrated  bank systems and have conducted unauthorized transactions by compromising the vulnerabilities between bank systems and the connections to the network. Hackers usually find a soft target inside the bank either through Phishing or through collusion  with an employee who has been compromised.

What the Zero Trust Model does is that it flips the entire paradigm and forces authentication for all stakeholders, internal and external, who access the system. Given that no one can access the system without authenticating himself/ herself therefore, it is believed that the Zero Trust Model can actually help improve the banking security systems. That is the reason why several Banks are moving towards a Zero Trust Model.

What are the challenges that Banks face and How does the Zero Trust Model solve the problems?

When we generally approach our banking clients, we ask them to look at our model in reference to something that they have been already using. There are three challenges that clients typically face with legacy systems. Therefore, it is extremely important that we understand what those challenges are.

The first is what we call in broad technical terms as Technical Debt. The Bank needs to have discipline in identifying sensitive data across all their systems to apply a graded system of access to the data. Depending on the level of sensitivity of the data, they should divide it into different groups of data to make unauthorized access harder . That is the way systems have to be organized and designed, with the use of  micro-segments to create these islands of data.

However, the problem with legacy systems is that they are not designed to fulfill these micro segmentation requirements, which is the principle foundation of Zero Trust Model. Thus there is considerable technical debt or changes that need to be made to historical code to make it compliant with Zero Trust Models

A system like the one developed by Zeta which is built in the cloud with microservices architecture uses this micro segmentation approach from the ground up. One cannot simply change their legacy systems into Zero Trust Models. One needs to have a system which is built for Zero Trust. Banks in my view have no option but to replace their existing legacy systems which are written in monolithic  languages like Cobol, and implement modern cloud hosted microservice architecture Zero Trust Model in order to succeed in the digital era while ensuring fool-proof  protection of customer data.

The second big thing that I want to talk about is the impact that such a change will have on legacy systems.  Legacy systems are not typically designed to provide access control in a manner required by zero trust models. Therefore they will need to be re-architected to support Zero Trust Models.

Last but not the least is that they have to re-think the entire way DevOps is done to incorporate security into the overall technology and operations processes as well. 

On that note when you said legacy systems - The Banks they need to move from monolithic legacy systems to a new- age microservice architecture systems. What are the innovations in this digital space that needs to be adopted? What are the existing innovations in the market?

The first innovation is based around how the customers are on-boarded by  increasing the focus on the digitization of the entire on-boarding process. The RBI is also kosher  with this idea and now allows  customers to  be able to be on-boarded using Video KYC for instance. The process of opening a Bank account has been brought down from a few days to a few minutes by leveraging digital on-boarding.

The second change that we are seeing is that customers are able to open a new account or relationship with a Bank or Financial Services Company at any time from anywhere. Traditionally Banks would open up at say 10 in the morning to a certain time in the evening, and there was a narrow window in which customers could visit the branch. Suppose a person belongs to a company that works/ is open 6 days a week , then the person pretty much has to take a day's leave to open a bank account for instance or any other customer service to be attended to. But today all has changed. You can open a Bank account on an App. You can even apply for a credit card and personal loans instantaneously.

If you think about it, fundamentally digital native apps like Google Pay have ushered in a new wave of UI and UX. And, they offer customers a whole new world where they can access their account, access their payment activities, make, receive payments, earn reward points on the mobile phone without having to move an inch.

Another important trend we see is the Gamification of all these aspects.  At Zeta we are focussed on  designing our products; to have superior UI and UX and we believe that gamification of some of the banking processes is important in making sure that digital native customers are engaged.

The last thing I would like to point out is that innovations are  changing the way customers are being serviced. Most banks now provide an interactive chat bot that can answer most of the queries. These innovations are typically delivered on the back of a modern digital banking stack and most Banks are now looking to move away from their traditional banking software to be able to launch these new age digital features, and that is where Zeta comes in with its entire product range including what we call Tachyon which is our end-to -end processing system. TACHYON has a card management system, a switch and our own authentication server. All these features are made available through APIs and SDK’s for any bank or Fintech to be ready to launch a modern banking experience for a customer.

When we talk about risk-based authentication here How is this particular Banking system better compared to other systems?

This is again the next generation of development in  authentication systems. To give you a brief idea of what risk-based authentication is, it balances the need to improve shopping experiences online while providing robust mechanisms for managing frauds.

Today, all of us are aware of the fact that when we do an e-commerce transaction in India, we use this mandatory two factor authentication or an OTP which is delivered for each transaction to the card holder.  They then  need to enter the OTP  to authenticate the transaction. This  is the traditional model that we follow which is called two factor authentication methodology. While this method has been successful in reducing fraud to a great extent, fraudsters are now catching up and we are seeing rising cases of social engineering frauds where fraudsters can gain access to the mobile device on which OTPs are delivered. Therefore, negating the security of such methods. 

Risk based authentication in contrast relies on data points to determine the risk of a transaction. Data points such as how the customer uses the mobile phone, what kind of a mobile phone device is he/she generally using, how hard does he press the screen while making entries, what telephone network are they using etc. are used along with information about the  merchant. All of these factors are combined to determine the risk of a transaction.

For instance, a person owns an iPhone and has been doing banking transactions with the iPhone he/she owns.  Suddenly there is a transaction made via another model of phone. In such a scenario the risk authentication system will ask the bank to challenge the transaction by requesting the user to provide two more authentication information by asking a couple of additional authentication questions.

Risk based Authentication systems use many more parameters than a traditional OTP based system.  The advantage is that the experience of payment itself is frictionless, since the customer implicitly provides the data points in the background without being actively involved in the process. In contrast, today when the OTP gets delivered on the SMS. The user has to get out of the site, look at the 6-digit number and then come back and authenticate using it. All this can be sort of avoided if we use risk-based authentication systems.

Coming from a broader perspective, Most of the Banks are migrating to cloud-based computing and cloud-based security. What are the advantages that cloud computing brings forth to Banking sector?

Banks are in the process of making the transition. Banking in my view is the last industry to make the move towards cloud based, cloud computing or cloud hosted solutions for their software needs simply because Banks historically had this entire notion of having on premise deployment of technology systems. They thought that it was the safest way to ensure customer data confidentiality and being in control of the situation, but now that is changing .

The advantage of cloud hosted systems is the scalability it offers. Just to give you an example Zeta recently demonstrated 1 million transactions per second on one of our ACS systems. That  is actually more than all the transactions processed by Mastercard, VISA and Rupay combined. The reason we demonstrated with such a high number is to show the power of cloud computing.

This kind of scale  is impossible to achieve in the legacy world. To do transactions of a  similar scale one would need to spend millions of dollars just to buy the hardware to support transactions of such massive frequency. With cloud hosted systems we can utilize the capacity and reduce the capacity on demand.

The second aspect is cost optimization. The infrastructure costs and security costs are now shared between many entities, and the advantage that you have   is that the total cost of ownership of software and infrastructure  reduces significantly for banks.

Banks are therefore moving to a digital only model globally, leveraging cloud to offer systematic processes and being able to quickly adapt to organizational and market changes.

In the next 5 to 10 years I would say that all banks will move to cloud hosted systems.

As the President of one of the fastest growing Fintech companies in India - What are your predictions in terms of the innovations that the Banking sector is going to get in the years to come?

In my view the first thing that is going to happen is that there is going to be a huge focus on providing fantastic UI and UX which combines a little bit of gamification to make the consumer experience of banking or financial services far more exciting and fun filled than it used to be.

Historically people want to have more customer involvement with payment apps. Increasingly you will find that UI and UX will play a very significant role in driving this.

The second thing that will happen is that more and more power will be given to the customer in terms of their ability to control what they want to see and what they want to do. More transparency and openness of how the information is represented will empower  consumers.

The third development is going to be innovative technology like contactless payment. Contactless payments are becoming more and more prevalent, especially because of customer’s need to reduce social contact in financial transactions post the Covid pandemic. Other forms of contactless payments  like facial recognition-based payments, the idea of voice-based authentication payment are some of the many interesting developments coming up in the near future