What the Government of Barbados Needs to Do to Get Fintech Right

There’s a common misconception that IT governance, risk and control (GRC) professionals like myself impose unreasonable demands on those trying to innovate and deliver human, social and economic benefits to society. But this is the furthest thing from the truth – our role is to ensure that those who are delivering technological solutions understand the risks and impacts associated with their IT platforms, and mitigate them in an adequate, effective, and sustainable manner.

This point is key, because I will go on to explore the privacy, security, and socio-economic implications of two recent announcements by the Government of Barbados pertaining to the implementation of Blockchain-related technology in the country. In a September 19th article titled ‘E-currency pilot coming’, it was stated that Prime Minister Mia Mottley “did not give details of the planned mobile wallet pilot project or when it would begin but gave the assurance that it would not be done in a reckless manner.” Barbados Today published an article on September 25th which stated ‘BSE to begin crypto-trading’, essentially heralding the decision of the Barbados Stock Exchange to trade in security tokens or crypto assets.

Given my intimate knowledge of privacy and security weaknesses in both the public and private sectors, the PM’s words do not instill in me any great confidence around the robustness of the security controls that will accompany these projects. The implementation of e-currency is a complex undertaking that, if not done correctly, can have a material impact on the country’s already weakened economic position. Security tokens are an extremely nascent solution with a lot of potential, but that doesn’t exempt them from security and privacy deficiencies. As such, I want to delve into some of the key areas that must be addressed before these solutions are widely deployed across our beloved nation.

Contract management and due diligence

Before any contracts are signed to commence these projects, the government must understand where personal data of Barbadian citizens will be stored. To provision users onto these platforms, personal data will need to be collected for AML and KYC purposes such as name, address, phone number, driver’s license, passport details, etc.

If the data is stored outside of Barbados, the privacy of Bajans may not be safeguarded, as it will be subject to the laws and regulations of the jurisdiction in which the data resides (meaning that the legislation of a foreign country could permit that country’s authorities access to any and all data kept on Barbadian citizens). This is particularly concerning given the absence of data protection legislation in Barbados that would require any fintech company to ensure that transnational data flows occur only where the destination country has an adequate legal framework in place to protect the rights of data subjects.

The lack of data protection legislation presents another problem in terms of imposing strict obligations on fintech providers to uphold the rights of data subjects. This includes setting requirements and fines for both data controllers and data processors as it pertains to protecting personal and sensitive data, obtaining consent to share personal/sensitive data, reporting data breaches to government and data subjects, among other rules. Hence, it would be in the best interests of Barbados citizens and foreign nationals if the 2018 Data Protection Bill were enacted into law before the launch of the new platforms.

In an ideal situation, the government should obtain 2-3 references from previous instances where the contracted parties have deployed solutions of this kind for other customers. However, it appears that Barbados will be the first country where the vendor will be deploying a ‘true’ e-currency platform, thus making the need for strong controls even more critical. As it pertains to tokenized securities, similar due diligence must be undertaken to protect our citizens.

The government must ensure that a qualified and independent security professional conducts a site visit to the vendors’ IT facilities to undertake a thorough assessment of their security controls. If this cannot be done, the vendor should be required to furnish government with a signed attestation from an independent and qualified third party that the IT facilities meet all the necessary best practice security requirements (e.g. physical security, grounding and lightning protection, environment monitoring, generators, etc.). Additionally, there should be a “right to audit” clause in the contract that allows the government to turn up at the vendors’ IT facilities at any time to conduct a security assessment.

The vendors’ financial statements should be reviewed by an independent auditing firm such as PwC, EY or Deloitte to ensure that they are in good standing and able to remain going concerns for the foreseeable future. The viability of their business models should also be assessed. This would protect the country and its citizens from being left at the mercy of fintech service providers whose platforms enjoy massive uptake and integration into the socio-economic fabric of the country, and who then quickly go out of business.

With regards to PwC, EY, Deloitte, and other accounting firms (or any qualified professional services firm as a matter of fact), government should enlist one of them to have experienced IT auditors assigned full-time to both projects. This would ensure that IT governance, risk and control processes are embedded throughout the project lifecycles and don’t become an afterthought.

Another area of due diligence is assessment of the team who will be delivering and supporting the solutions. The government must obtain assurance that the right mix of skills is available to deliver and provide ongoing support for high performance, scalable and secure fintech platforms. Along with the technical positions, key roles that should be in place are Internal Audit (assurance), Privacy (compliance) and Information Security (availability, integrity and confidentiality).

Finally, a software escrow agreement that allows government access to the vendor’s proprietary code in the event they go out of business should be put into place.

Technical architecture

Undertaking a technical architecture assessment is critical to implementing both these projects. Once again, independent and qualified third parties need to look at how the different elements of these platforms will integrate with each other and how they will be secured against cyber-attacks. A number of the questions that the selected fintech service providers need to answer and verify are as follows:

  • How will web and application servers be hardened against attacks?
  • How will database systems be hardened against malicious actors?
  • How will operating systems be hardened and secured from hackers?
  • How will Blockchain nodes be hardened and secured from hackers?
  • How will identity and access management (IAM) be delivered to manage privileged access to these platforms?
  • Will middleware and APIs have built-in authentication mechanisms?
  • Will all data transmitted over public networks be encrypted?
  • What encryption schemes will be used to protect sensitive data in storage?
  • Will network devices such as routers and switches be hardened and utilize strong authentication mechanisms?
  • Will there be separate firewall tiers to isolate and protect servers with higher risk profiles?
  • How will administrators and developers securely access the platforms remotely?
  • How strong will the controls be around disaster recovery/business continuity?
  • Will online or offline wallets be used and how will they be secured (e.g. passwords, passphrases, two-factor authentication, biometrics, etc.)?
  • How are mobile applications designed with security in mind (e.g. storage, communication, authentication, cryptography, etc.)?
  • How are web applications designed with security in mind (e.g. input/data validation, authentication, authorization, storage, communication, cryptography, etc.)?
  • Will private or public Blockchains be used? How will the Blockchain, smart contracts and related elements be secured?
  • If fintech companies are using cloud services, how are issues like multi-tenancy, distributed denial of service (DDoS) attacks, breach notification, malicious insiders, etc. being addressed?
  • How will integration with external systems be secured?

These questions and others need to be satisfactorily answered before these fintech solutions go live. A technical architecture review should be conducted to set a baseline of expectations with regards to the final solution. Bringing trusted, independent cybersecurity experts to the table will ensure that there are no control gaps in the end-state architecture.

Testing

Testing is one of the best phases in software development for surfacing security issues. Hence, this is where government needs to double down on its due diligence. Below are a number of questions that government should be asking and receiving answers/evidence for:

  • How are code repositories being used and secured?
  • What processes and tools are used to manage version control and to promote code from testing to live environments? Are these tools fit for purpose?
  • What secure coding standards are being used by developers and what tools are being used to force adherence to these standards?
  • How are static application security testing (SAST) and dynamic application security testing (DAST) being employed?
  • How are source code analyzers being used to detect security weaknesses in both non-compiled and compiled code?
  • Will stress testing be conducted to ensure the system design and resources can support transaction volumes?
  • Are dynamic scanners being used to simulate attacks during the quality assurance (QA) cycle?
  • Have threat modeling and risk assessment been conducted on the end-to-end solutions? Has an independent party verified the results?
  • Does the test environment mimic the production environment as much as possible?
  • Will an independent security architecture review be performed on the system before it goes live? Will all the material weaknesses found be remediated before the solutions go live?
  • Will independent penetration tests (externally looking inwards) and vulnerability scans (internally looking outward) be performed on the system before it goes live? Will all the material weaknesses found be remediated before the solutions go live?
  • What security-related scenarios will be included in user acceptance testing (UAT) or closed user group (CUG) testing (e.g. input/data validation, password quality rules, repudiation, roles-based access controls, path traversal, missing authorization, error handling, privilege elevation, etc.)?
  • What levels of audit logs are generated by the systems? Are audit logs properly secured?

The testing phase provides an opportunity to iron out most of the security issues before the live solution is released to the public. The importance of this stage should not be underestimated, and government must ensure that they are fully engaged and involved throughout.

Deployment and ongoing support

Deployment and ongoing support will be integral to delivering a truly disruptive fintech solution to the citizens of Barbados. Of course, the first step is deploying the exact system configuration that was thoroughly assessed and remediated during the architecture and testing phases. This can’t be emphasized enough: you don’t want to deploy a system full of security vulnerabilities. That being said, there are a number of questions relevant to supporting the environment on an ongoing basis:

  • What processes will be in place for identity and access management? How will day-to-day access for normal users and super users of the systems be managed (e.g. granting, revoking, and updating access)?
  • How will secure configurations be maintained throughout the system lifecycles (e.g. mobile security, desktop hardening, server hardening, switch and router hardening, etc.)?
  • What processes/solutions will be in place for managing system vulnerabilities?
  • What processes/solutions will be in place for managing system upgrades and patches?
  • What processes/solutions will be in place for making changes to production systems?
  • How will production systems be monitored for performance issues, normal and privileged account usage, network intrusions, unauthorized file changes, access to restricted systems, etc.?
  • How will malware be addressed on production systems (e.g. cloud services, virtual machines, nodes, clients, mobiles, etc.)?
  • How will security awareness for end-users of the systems be addressed (especially given that the intention is for the mobile wallet to be deployed widely to the public)?
  • What processes and systems will be in place for disaster recovery/business continuity?
  • How will government ensure that the right legal framework is in place to protect the country and its citizens (e.g. anti-money laundering, taxation, consumer protection, privacy, critical infrastructure protection, etc.)?
  • Who will be supporting the production systems on an ongoing basis – government or the fintech companies? Will there be sufficient knowledge transfer to government personnel if they are tasked with ongoing support and maintenance?
  • Has there been detailed assessment of ongoing costs? Will these costs be borne by the fintech provider or government? If by the fintech provider, what’s the business model that will be in place to sustain their operation in a profitable manner? If by the government, are the right staff in place to support and maintain the platform? Will the overall cost burden undertaken by government be sustainable (especially given the country’s existing financial situation)?

Monitoring and evaluation

For any system implementation to be truly successful, there must be a plan for realization of the benefits articulated at the beginning of the project. Here are some of the key questions to be answered:

  • What does success look like?
  • How will success be measured?
  • Will success metrics be shared with the public (they should be when taking into consideration the levels of risk and investment in these projects)?
  • Are the projects delivered on time and within budget?
  • Have technical objectives been achieved?
  • Have financial objectives been achieved?
  • Are socio-economic benefits being realized by the population?
  • Have human behaviors changed in terms of the use of mobile payments?
  • Has the Barbados Stock Exchange (BSE) become more liquid? Has there been a significant uptick in foreign direct investment (FDI) via the BSE? Are we seeing more security tokens being traded on the BSE?
  • Are there fewer underbanked or unbanked individuals in the country? Have financial inclusion statistics improved? Is the common man less burdened by the cost of banking? Is it now easier to send money overseas (money transfers) or send money back to Barbados (remittances)?
  • Has government reduced the costs of funding the fiat monetary system?
  • Have the substantial risks associated with correspondent bank de-risking been mitigated?

These questions and more need to be answered once the systems go live. More importantly, a benefits realization/monitoring & evaluation (M&E) plan needs to be in place up front. The government and its fintech partner should not be deciding what needs to be achieved and measured once the systems go live – these benefits should be stated up front to convey the value proposition and return on investment (ROI) for the systems, and to support the level of investment and risks undertaken.

Conclusion

These projects represent significant benefits for the country. Conversely, they also represent significant risks. I am not against technology; I have spent the last 10 years of my life committed to facilitating the use of ICTs for development (ICT4D) in emerging economies. However, I am of the firm belief that citizens have a right to know exactly what their leaders are getting them into (i.e. openness and transparency are of utmost importance). It is my hope that government will engage in a more transparent process as it pertains to the planned implementations of Blockchain and distributed ledger technologies (DLT). Moreover, if fintech is being done, it needs to be done RIGHT. One of the most basic, yet important, tenets of information systems auditing is “TRUST, BUT VERIFY”. All of the questions I have posed deserve answers. Not only answers, but verifiable evidence. Government is not known for strong expertise in IT law, policy and regulation; systems development; and cybersecurity. This is why the citizenry of Barbados cannot be expected to abide by only trust as it pertains to the implementation of Blockchain technologies across the country. The potential benefits, and the risks, are way too high!

ICT PULSE: Cyber Threats and Security in the Caribbean 2016 Update – Interview with Niel Harper


ICT Pulse: Niel, it has been two years since our last Expert Insights Series, give us a quick recap of what have been the most prevalent incidents in Barbados and/or in the Caribbean region since 2014?

Niel Harper: Over the last 2 years, various government web sites in Barbados have been compromised and defaced by hackers. Websites included the Barbados Government Information Service (BGIS), Barbados Stock Exchange (BSE), Barbados Revenue Authority (BRA), Royal Barbados Police Force, and the Barbados Supreme Court, to name a few. Private websites such as the Barbados Advocate were hacked as well. There are still no data protection laws in the country, so due to absence of mandatory breach notifications, the few reported incidents are only the tip of the iceberg.

The prevalence of ATM skimming attacks has also increased. However, because the marketplace is dominated by mostly Canadian banks, Sarbanes-Oxley regulatory requirements have led to stronger controls, and many of the skimming attacks have resulted in arrests.

In the wider Caribbean, there have been similar trends of government websites being compromised. A number of organizations in St. Vincent, Grenada, St. Kitts & Nevis and other countries have been subject to malicious online attacks. One of the major commonalities across the region is that organizations with limited resources and untrained personnel have been the targets of successful attacks. This is a key reason why capacity building is critical to improving the region’s overall cyber response capabilities.

ICTP: How has the threat landscape changed over the past two years? Are there any particular areas of concern that you have for Caribbean organizations?

NH: The smartphone footprint continues to grow and with it the attack surface of mobile devices. That being said, many device manufacturers are focusing their efforts on enhanced security as a product differentiator. Still, end user education is necessary as an additional layer of protection against malicious threats.

Given the increased hardening of operating systems and applications, attackers are focusing on areas lower down the ‘stack’ such as BIOS, firmware, and graphics chipsets. Controls such as boot security, trusted execution, and active memory protection are making these attacks more difficult, but I expect these types of threat vectors to increase.

Newer technologies such as IoT (Internet of Things), M2M (machine-to-machine) communication, Network Functions Virtualization (NFV), and Software Defined Networks (SDN) are growing in terms of their deployment base. But this also introduces significant challenges in terms of security: single points of failure, open source software, and complexity. The fact that commonly used items such as televisions, refrigerators, and even automobiles, are now accessible through the Internet has vastly changed the threat landscape, and should force manufacturers and end users alike to focus more on cybersecurity.

The explosion of cloud computing, the increasing popularity of crypto-currencies, and the emergence of mobile payments (e.g. Apple Pay, Google Wallet, etc.) are also areas for concern with regard to an expanding threat surface.

All of these areas are of particular concern for Caribbean organizations, especially those who are seeking to be on the cutting edge.

ICTP: At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and continued calls by leaders that something be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in Barbados, and/or perhaps regionally? What might still be missing?

NH: I don’t want to be the harbinger of doom, but from all accounts, there is still not enough of an urgency or commitment being demonstrated by regional leaders as it pertains to cyber security. Almost all CARICOM countries have no national cyber security strategy (NCSS) or centralized function/organization that is tasked with cyber incident response. While many countries have some legislation in place in terms of computer misuse, there are material deficiencies with regards to procedural law, legal interception, and computer forensic evidence collection. There continue to be wide-scale delays in implementing data protection and privacy legislation (including responsible disclosure). Mechanisms in the private and public sectors for cyber defense coordination are virtually non-existent. Cyber security awareness is frighteningly low, and governments have not generally diverted sufficient resources to the development of national cyber security education. As a result, there is limited trust in key economic drivers such as the use of online services, e-government, and e-commerce. The aforementioned issues exist in Barbados as well as across the wider Caribbean.

ICTP: Are you observing any real evidence of a greater willingness among organizations to take cyber/network security more seriously? How is that awareness (or lack thereof) being manifested?

NH: To be quite honest, the organizations that take cyber/network security seriously are mostly the ones in heavily regulated industries such as financial services (mostly North American banks). Because of the high financial, operational, reputation, and regulatory risks, they are pretty much forced to apply concerted efforts to improving their security posture. Their entire status as a going concern is dependent on this. What I am seeing in other organizations is a lackadaisical approach to cyber security. Most organizations don’t have roles such as Chief Security Officer, Head of IT Risk, or IT Auditor. The expectation is that the Network Administrator should be a security specialist (a clear violation in terms of segregation of duties). Additionally, cyber/network security is not even a topic in many executive committee meetings or at the Board level.

ICTP: Have you observed any changes in end-user behavior? Do you think IT staff have done enough sensitization to bring about behavioral change in their users?

NH: Security awareness is not a common practice in many organizations in developed and developing countries. A bevy of industry surveys have highlighted that a large percentage of companies do not even have security awareness programmes in place. In the 2016 Cybersecurity Report published by the OAS and IDB, security awareness was cited as a major deficiency in the majority of CARICOM states. Hence, my belief is that there is still much work to be done in terms of positively altering the risky behaviors of end users.

ICTP: As you are aware, there has been considerable concern and discussion about ransomware. If there is one thing people should know about this threat, what would that be? Can organizations recover their network data that has been corrupted by ransomware? What would be your best advice to minimize the effect of ransomware?

NH: The one thing people should know about ransomware is that it is highly unlikely that they will be allowed to pay in fiat currencies (attackers are requesting payment in Bitcoin more and more). When I speak to my customers about recovering from ransomware, my primary advice is that they have an effective data backup and recovery scheme in place. The best way to recover from ransomware variants such as TeslaCrypt, CryptoWall or CryptoLocker is to ensure that you have recent copies of your data backed up to tape or disk (and encrypted if at all possible). I also advise them to deploy hardened desktops and servers, as well as ensure that all applications have recent patches applied.

ICTP: Finally, are there any key areas in which businesses should be investing their network security/IT dollars this year?

NH: I would say that the best investment as it pertains to cyber/network security is in highly trained staff. A top-tier cyber security specialist will have the necessary knowledge and experience to adequately and effectively secure computing environments to best mitigate risk exposures from online threats.

The original interview can be found on the ICT Pulse website at: http://bit.ly/1T9iMQv

Navigating the cloud: SMEs and cloud services

More and more small businesses are migrating to the cloud and reaping significant benefits like never before. With cloud services, small businesses no longer need to install physical infrastructure like e-mail servers and storage systems, or purchase software applications with exorbitant annual license fees. The “on-demand” availability of cloud solutions means seamless and simple collaboration with customers, business partners, and staff members using nothing more than a web browser. Cloud services also provide entrepreneurs and home-based businesses with access to advanced technology without the requirement to hire a full-time IT specialist.

But what exactly is this “cloud”?

Cloud computing is an overarching term which encompasses a number of different categories. Software-as-a-Service (SaaS) is where a particular application or service is provided to a business or individual as a subscription. Google Drive, QuickBooks Online Plus, and BaseCamp are all popular examples of SaaS.

Using Platform-as-a-Service (PaaS), businesses are provided with a platform on which they can build, install, and maintain customized apps, databases and integrated business unit services. Widely used PaaS include Windows Azure, SharePoint Online, and Google App Engine.

Infrastructure-as-a-Service (IaaS) allows businesses to outsource infrastructure in the form of virtual resources. Components include servers, storage, networking and more. IaaS providers include Rackspace, HP Converged Infrastructure, and Amazon Web Services.

Most small businesses generally don’t need much more than SaaS to meet their operational needs. SaaS provides them with the capabilities to deliver a myriad of IT services that would otherwise be expensive and resource intensive to administer as localized, on-site solutions.

It must however be emphasized that cloud services bring with them a number of security, stability, and data control issues. That is why it is critically important that small businesses stay informed and strictly require that cloud providers furnish them with detailed business continuity plans and security controls to remediate outages and protect sensitive data.

What to do when your cloud brings the rain?

There are a plethora of reasons why cloud computing is popular. It gives small businesses the technology that enables them to be lean, agile, and competitive. But as is quite evident, trusting your information assets to a single entity whose equipment is stored in a centralized location means that you’re extremely vulnerable to whatever outages, security compromises, or natural disasters they are exposed to.

So what are small business owners to do? Here are some recommendations that can allow you to better manage the risks associated with cloud providers.

Fine Tune Your SLA: Service level agreements (SLA) should codify the exact parameters and minimum levels of service required by the business, as well as compensation when those service levels are not met. It should assert the ownership of the business’ data stored on the cloud platform, and outline all rights to retaining ownership. It should include the infrastructure and security standards to be adhered to, along with a right to audit for compliance. It should also specify the cost and rights around continuing/discontinuing use of the cloud service.

Keep Critical Data Local: Decide which business processes require maximum uptime, and keep them on-site. By avoiding the cloud entirely for specific mission-critical applications, small businesses can minimize data unavailability as well as security and privacy issues. Some businesses also have regulatory requirements to meet, and this ought to be a key consideration when deciding not to ship your data offshore.

Two-Factor Authentication: More and more providers are offering two-factor authentication (2FA) as a means of securing access to cloud services. Two-factor authentication adds a second layer of authentication to user logon credentials. When you have to enter only your username and one password, that is single-factor authentication. 2FA mandates that users present 2 out of 3 types of credentials before access to cloud resources is granted.

Deploy A Hybrid Configuration: Maintaining a hybrid implementation of cloud and local services is a best practice approach for protecting company data. Replication or archiving solutions often deliver a service with both a local appliance at the customer’s premises and cloud storage too. This type of on-premise-to-cloud replication strategy ensures that you have local copies of the data you transmit to the cloud. Actively seek out cloud providers that can configure this kind of scenario.

Availability, integrity and confidentiality issues will always exist when using IT systems. And when a business employs cloud-based computing, these challenges are even more pronounced. Be extremely meticulous when searching for cloud providers, and question them about their security controls and disaster recovery options. Even though you outsource the processing of your business data, there’s no reason why you should lose control.

The Real Privacy Problem

As more and more corporations and governments collect and analyze ever increasing amounts of data about our lives and our activities, it’s appealing to react by creating more privacy-related legislation or arrangements that pay individuals for use of their personal data sets. Instead, this article by Evgeny Morozov (the author of The Net Delusion: The Dark Side of Internet Freedom) suggests that what is needed is a civic-minded response, because democracy is at risk.

http://tinyurl.com/kszqg4k

Locked Up for Linking? US Journalist Faces Prosecution

I have watched with great interest the developments over the course of the last 3-6 months as it pertains to widespread surveillance of Internet users by government agencies. While the NSA surveillance program has been the most publicized, there are reasons to believe that China, India, Pakistan, Russia, Australia and others are conducting similar activities.

One of the things that concerns me most is the double talk coming from most of these countries about “promoting the values and importance of online privacy in the context of basic human rights”. A bad precedent has been set. Let’s just accept this as the reality of things. And unfortunately, this precedent is eating away at some of the basic precepts of Internet growth — trust, openness and user-focused development.

And as you can see from this article, the government actions over the last couple of months have opened a Pandora’s Box in terms of the individual’s right to information, freedom of the press, personal privacy, etc. The implications for the future of the Internet are grave. Let’s just hope that the system is as resilient to political and ideological threats as it is to technological ones.

http://tinyurl.com/pldvwuw

SnapChat Allows You to Send Messages and Photos that Quickly Disappear

A sore point for many as it pertains to the big data phenomenon is the fact that the notion of privacy is pretty much just that… a notion. We no longer have any control over our personal data that is aggregated and archived whenever we fill out online forms, post our pics on the web, chat with friends or tweet updates on our lives. Enter Snapchat; a mobile phone app that allows you to send messages and photos that disappear quickly into the ‘ether’. I wonder if there’s a sustainable business model for an application like this, especially given the present Internet culture?

http://www.technologyreview.com/featuredstory/513731/temporary-social-media/