As organizations in some parts of the world emerge from the pandemic, efforts to accelerate digital transformation, 5G adoption and IoT expansion are driving new models of innovation and collaboration in the market. At the technological level, ecosystems are becoming increasingly connected through open API architecture models that enable the fluid movement of data over organizational boundaries. And on a personnel level, new labor force models are changing the relationship that organizations have with staff and requiring them to think differently about facilitating collaboration and dealing with a more dynamic workforce. Several data and security implications arise from these emerging models, and a key question we must ask ourselves is: How do we manage and monitor risks originating from these channels?
APIs: The synapses of the digital ecosystem
Data drives innovation in the modern economy, and open architectures and open Application Programmable Interfaces (APIs) are at the heart of this innovation. APIs have become crucial for the future of banking, acting as the bridge that connects organizations to third parties and their broader ecosystems. In the Open Banking era, they’ve helped to create more robust and more dynamic links between banks and customers and have opened the European market to so-called challenger banks. With market competition increasing, APIs are now pivotal to quickly innovate and meet customer demand. Some banks implement APIs to encourage collaborative innovation and data sharing with third-party partners, suppliers, and other businesses. One set of banks developed an API marketplace to collaborate with various stakeholders (including FinTech's) over new online banking concepts, customer data, cards, payments and accounts.
Another method in which banks are leveraging APIs is by decoupling various architectural components to build independent, scalable platforms with greater resiliency. Moving from a point-to-point infrastructure to a more federated model reduces development costs and improves the ability to rationalize applications. It also enables organizations to bring third parties in and out of their architecture with greater flexibility and move data seamlessly through different organizations. Trusted partners in this connected ecosystem are no longer just managed service providers and organizations working with your company. They extend to any parties who intend to connect with your core architecture and databases through open APIs, including external agencies, startups, educational institutes, governments and broader.
Stronger vertical integration
As open API infrastructure becomes more widespread, we’re likely to see a strong vertical integration of the supply chain — opening up a myriad of considerations for ecosystem security governance, with the organization's data environment likely now extending outwards to the nth party. So, how do organizations capture their customer data movement, now that it moves so fluidly through a supply chain? What do data flow diagrams look like in the future? How do organizations keep visibility over their customers’ behavior for fraud prevention and marketing purposes, when intermediated by layers of third-party APIs that act as an air gap? And how does an organization protect its data outside the boundary of its network? Perhaps there’s a role for major cloud providers in this space. Can they help enforce organizations' data classification policies and security controls for data moving between instances of their cloud architecture instances and even other cloud providers?
Monitoring also becomes a new challenge. One of APIs’ core business advantages is the rapid movement of data — how can we maintain that speed, without giving up specific security controls? With APIs, it might be necessary to double down on fast detective controls and incident response measures. It is paramount to consider the end-to-end scenarios of compromise. Developing ecosystem-wide threat models should assume the roles across the ecosystem and the type of access each has to the organization’s assets and data. Partners across the ecosystem will need to understand their role in maintaining security, which could be achieved by extending attack simulations and incident management exercises.
Collaboration in an atomized labor force
We’re in the early stages of the emerging collaborative ecosystem. But as it matures, the boundaries of enterprise systems begin to blur, and digital service delivery becomes a diffused part of a much more complex system of symbiotic components. According to an IDC blog, by 2024, 30% of the G2000 firms will rely on a global, secure, intelligent, highly integrated and collaborative ecosystem that enables enterprises to function as borderless organizations. By 2023, 30% of the workforce will have their own secure portable, private digital work identity, allowing them to access the tools and data they need across business entities.
The collaborative ecosystem changes the workforce’s dynamic, with “Deskless" or "frontline" workers and contractors, who may not have a desk or corporate email address, becoming the newest knowledge worker category. With the rise of the gig economy and other forms of online-enabled freelance and temporary/contractor work, traditional employee/employer relationships are beginning to give way. All workers within the ecosystem can leverage an array of collaborative and communication applications such as Microsoft Teams that enable file storage, editing, video conferencing and messaging, and workflow and content management and CRM systems. These solutions support deep integration that allows stronger permission-based access to an organization’s IT stack.
Adopting zero trust
To govern, manage and secure the ecosystem’s interactions, organizations are beginning to adopt the concept of zero trust — “trust nothing, verify everything.” With this approach, organizations grant access to only confirmed-safe users, systems and processes individually.
Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and nonperson entities), credentials, access management, operations, endpoints, hosting environments and the interconnecting infrastructure. One of the core requirements for Zero Trust is that the enterprise should inspect and log traffic in its environment to gain maximum visibility as to what data and assets ecosystem partners can access and ultimately identify malicious activity. Organizations will need to identify, assess and manage any risks associated with intercepting, scanning and logging network traffic. Amongst all of this, we need to understand the privacy issues surrounding these data transfers and the consents required to process such data — suddenly, metadata matters more than ever.
We’re witnessing two significant transformations in the way we all innovate and collaborate, powered by some of the simplest digital infrastructure units. Between them, they will fundamentally reshape organizations' interactions with each other and with the global labor force. It’ll require significant shifts in regulatory thinking and may change the way we approach supply chain resilience and digital identity. But if we can standardize our security approach in this digital ecosystem, I believe we’re in for an exciting future, full of remarkable possibilities.
Connect with us
Want to do business with KPMG?
Stay up to date with what matters to you
Gain access to personalized content based on your interests by signing up todaySign up today