Designed to Fail

Lou Senko, SVP and CIO, Q2

Lou Senko, SVP and CIO, Q2

An aging notion claims security requirements add unavoidable friction to the code-to-customer delivery cycle. Some accept the friction, suggesting that slower movement and added processes will produces a far customer experiences.

However, security doesn’t have to add friction, and deceleration isn’t inevitable. If we can trust our security and testing, avoid issues early, and implement fixes sooner, we can accelerate. It’s a matter of proactively reducing risk, employing robust security solutions, and intelligent testing simultaneously. With a multilayered approach, each layer is designed to fail, while the overall strategy still provides exceptional security.

This article explores the evolution of Q2’s security posture from a technical standpoint, illustrating the benefits to our customers’ IT teams that can be applied as industry best practices.

Security Through Layers

Q2’s ever-increasing market presence and rapid technology adoption has seen our attack surface expand at logarithmic rates. Our hosting footprint includes environments in the public cloud and large colocation datacenters. Q2’s platform is used by one-in-ten domestic online banking users and one-third of the top 100 domestic banks. 18 million platform users move nearly $1.5 trillion through 450 digital branches annually. This scale underscores the importance of a layered approach to threats.

"The goal of security is to tolerate certain kinds of risk while mitigating the rest; with this in mind, Q2 has merged security and operations, since everyone who touches production shares the responsibility of ensuring and maintaining security"

To add complexity, we’re defending against threats that are both internal and external. Some significant numbers:

- Over 8,000 breaches occur yearly; 35% by insiders; and nearly half accidental.

- Software vulnerabilities have increased 22% over the last year.

- Phishing attacks have increased 300%, DDoS attacks by 200%.

- Cyberattacks against the financial sector increased by 238% since the COVID-19 pandemic began.

- Ransomware represents a prevalent technical threat targeting employees; 46% of attacks are from a new variant, and 59% of victims employ up-to-date security. New ransomware strains exfiltrate the data first, forcing victims to pay a ransom to unlock their environment and prevent stolen data from being exposed.

Security Through Solutions

The goal of security is to tolerate certain kinds of risk while mitigating the rest; with this in mind, Q2 has merged security and operations, since everyone who touches production shares the responsibility of ensuring and maintaining security. Q2 has since executed against a purposeful roadmap for maturing our capabilities:

- Q2’s security team has established itself as a leader across 450 FIs’ security, compliance, risk, and fraud teams. We evolved Q2’s security engineering and tools team, adding Application Security functions to the resulting DevSecOps team. We added Security Incident Response functions, a Security Operations Center, a fraud assist team, and security architecture with an insider threat and threat-intelligence platform.

- Q2 implemented respected industry frameworks, elevating our posture. Not only did this help us apply a new tool, it helped us better define the problem/control statement.

- A continuously refined technology stack adopts innovative, leading solutions, including encoding and blockchain technologies, third-party service augmentation, and threat-mitigation tools.

Security Through Architecture

One of Q2’s newer strategic solutions is the adoption of zero-trust implementation, where every access request and session is authenticated separately. In this approach, what’s inside the network is treated no differently than what’s outside, and we design each level to fail without compromising overall protection.

Zero-trust implementation starts with access tied to Q2 employee roles, authentication, and the application of minimal security. Identifying the user and applying their role-based security doesn’t grant them access to anything other than the opportunity to authenticate against something they want to access. Rigorous evaluation and standards for employee access are agreed upon by internal stakeholders and regularly reviewed.

A Q2 employee’s standard access covers corporate domain network login access, Single-Sign-On (SSO) access to email, personal and shared group drives, email distribution lists, collaboration suites, and the default application access for the role (which shouldn’t be confused with the actual application role access). They can only use a Q2-managed device to access the network. Once logged into a hosting environment, Q2’s use of Privileged Access Management requires employees to request assets.

Additionally, all Q2 laptops have encrypted drives, additional security features, and virtual desktop policies. What’s more, a new SASE network solution moves security to the edge, allowing us to include the entire connection under our security posture.

What’s more, improved security, performance, scaling, and future-proofing allows data to flow dynamically in ways that presage a future that may look more like a pay-as-you-use service where bytes are protected and flows are inspected.

An essential piece of Q2’s zero-trust architecture sees data leveraged in a way that protects all surrounding layers through the sophisticated use of tokenization, encoding, and blockchain technology. All sensitive data is removed and randomly encoded and fragmented into pieces scattered and stored across multiple blockchains. The actual data itself is never stored in a usable form and is meaningless until“ re-hydrated” for use.

Zero-trust is a significant project to tackle, but the benefits are far-reaching, create a solid foundation to build on, and should allay fears that you’re one failure of a layer away from disaster. This approach not only improves your security posture but positions you to keep pace with truly disruptive and bleeding-edge technologies.

Weekly Brief

Top 10 Tech Solution Companies for Retail Banking – 2020

Read Also

Advancing from Artificial Intelligence to Artificial Enlightenment

Advancing from Artificial Intelligence to Artificial Enlightenment

Vanessa Colella, Chief Innovation Officer, Citi, Head of Citi Ventures & Head of Citi Productivity
The New Face of Mobile: Yes, It Should Have a Face

The New Face of Mobile: Yes, It Should Have a Face

Kathy Strasser, Chief Operating Officer of IncredibleBank
Digitization Before and After a Global Pandemic

Digitization Before and After a Global Pandemic

Rush Blevins, Chief Information Officer, Flagship Credit Acceptance
Designed to Fail

Designed to Fail

Lou Senko, SVP and CIO, Q2
Business Advocacy Through Risk Acceptance

Business Advocacy Through Risk Acceptance

Brenden Smith, Chief Information Security Officer at FirstBank