Key Security Questions to Ask a Financial Data Aggregation Provider Is the data aggregation partner you re considering following the best practices



Similar documents
Security Controls What Works. Southside Virginia Community College: Security Awareness

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Paxata Security Overview

ACI SELF-SERVICE BANKING

Teradata and Protegrity High-Value Protection for High-Value Data

Using AWS in the context of Australian Privacy Considerations October 2015

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

product flyer Single, full-featured solution flexible, personalized experience Highly extensible and secure

Cloud Security Trust Cisco to Protect Your Data

Healthcare Compliance Solutions

Best Practices for Driving the Fintech Digital Revolution

Enterprise Cloud Backup of Cloud-Based Applications/Platforms

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

IBM Connections Cloud Security

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Recording & Evaluation mobile and fixed platforms for every business. Screen Recording. Integrated Management Platform. Workforce Optimization

Is online backup right for your business? Eight reasons to consider protecting your data with a hybrid backup solution

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Strengthen security with intelligent identity and access management

Endpoint Management and Mobility Solutions from Symantec. Adapting traditional IT operations for new end-user environments

V1.4. Spambrella Continuity SaaS. August 2

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

PROTECTED CLOUDS: Symantec solutions for consuming, building, or extending into the cloud

Enterprise-Grade Security from the Cloud

Security Issues in Cloud Computing

Citrix GoToAssist Service Desk Security

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Own, launch, grow and support your cloud backup and recovery offering

Reference Architecture: Enterprise Security For The Cloud

Accenture and Software as a Service: Moving to the Cloud to Accelerate Business Value for High Performance

Cisco Advanced Services for Network Security

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

PCI Compliance for Cloud Applications

Identifying and Managing Third Party Data Security Risk

Private vs. Public Cloud Solutions

How To Use Windows Small Business Server 2011 Essentials

Reseller Considerations for Choosing an ECM Vendor

How cloud computing can transform your business landscape.

Extreme Networks: A SOLUTION WHITE PAPER

DMZ Gateways: Secret Weapons for Data Security

How Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015

Security. Security consulting and Integration: Definition and Deliverables. Introduction

HIPAA/HITECH Compliance Using VMware vcloud Air

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Secure Data Transmission Solutions for the Management and Control of Big Data

Hedge Funds & the Cloud: The Pros, Cons and Considerations

Securing and protecting the organization s most sensitive data

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

Securing the Service Desk in the Cloud

Fileweave. Large File Transfer. Seamless Microsoft Outlook add-in. Simple drag and drop functionality

Addressing Cloud Computing Security Considerations

BMC s Security Strategy for ITSM in the SaaS Environment

GoodData Corporation Security White Paper

Cloud Computing Governance & Security. Security Risks in the Cloud

How To Buy Nitro Security

Selecting the right cybercrime-prevention solution

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

Cloud Service Brokerage Case Study. Health Insurance Association Launches a Security and Integration Cloud Service Brokerage

Five keys to a more secure data environment

Technical Proposition. Security

Secure and control how your business shares files using Hightail

The Evolving Threat Landscape and New Best Practices for SSL

8 Steps to Holistic Database Security

End-to-End Application Security from the Cloud

Leveraging Symantec CIC and A10 Thunder ADC to Simplify Certificate Management

IBM Software Four steps to a proactive big data security and privacy strategy

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK

Mapping Your Path to the Cloud. A Guide to Getting your Dental Practice Set to Transition to Cloud-Based Practice Management Software.

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

QRadar SIEM 6.3 Datasheet

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

NEC Managed Security Services

Transcription:

Key Security Questions to Ask a Financial Data Aggregation Provider Is the data aggregation partner you re considering following the best practices for security and privacy? Here s how to find out.

TABLE OF CONTENTS Introduction 3 Does Your Provider: Follow Privacy and Security Best Practices? 4 Raise the Bar on Developer Standards? 6 Offer an Ultra Secure Platform? 8 Comply with U.S. Regulations? 10 Comply with International Standards? 12 Monitor and Manage the Risk to Data? 14 Own the Data? Or Do You? 16 Have an Experienced Team? 18 Offer 24/7 Support? 20 Meet Yodlee Interactive: A Proven Certified Data Aggregation Provider 22 Conclusion 23 Copyright 2015 Yodlee, Inc. All rights reserved. Technology protected by one or more U.S. Patents or Patents Pending. Use subject to license terms. May include materials developed by third parties. Yodlee and the Yodlee Logo are trademarks or registered trademarks of Yodlee, Inc. in the U.S. and other countries. All other trademarks mentioned in this document or Website are the property of their respective owners.

INTRODUCTION As a financial services developer, you re in high demand. However, to create powerful, innovative apps, you need access to robust and accurate financial data, which means you need to identify and partner with the best financial data aggregation provider possible. Financial applications by their very nature access sensitive personal and financial consumer data. Since your business is responsible for developing and providing the financial application, the security of your customers personally identifiable information is your responsibility to manage. In this ebook, we ll focus on the crucial security aspect of data aggregation and outline key questions to help you identify an established partner with solid security, privacy, risk management, and compliance technologies and procedures behind their application programming interfaces (APIs). As a startup, or a small business owner, ultimately you re responsible for the compliance of your customer data. But standing on the shoulders of trusted providers gets you a long way. Fritz Robbins, CTO of Personal Capital Copyright 2015 Yodlee, Inc. All rights reserved. 3

DOES YOUR PROVIDER: Follow Privacy and Security Best Practices?

Without cutting edge security and risk management protocols in place from the start, managing the physical, electronic, and procedural safeguards that protect consumers financial data from unauthorized access or misuse is next to impossible. That s why you ll want to ask the right questions to ensure that your data aggregation provider follows industry best practice guidelines in the design and implementation of their network security environment. QUESTIONS TO ASK Does the provider offer separate production, staging, development, corporate, and specialty networks, with access control devices between each zone? Do they further segment networks within each zone to apply granular security and audit controls appropriate to each function? Copyright 2015 Yodlee, Inc. All rights reserved. 5

DOES YOUR PROVIDER: Raise the Bar on Developer Standards? DEVELOPER STANDARDS

It s important for your data aggregation partner to maintain high developer standards, including a certification program for those leveraging their data and resources. You ll also want to choose a data aggregation provider that fully supports open authentication protocol for authorization and authentication of consumers who want to interface with social media and other apps. QUESTION TO ASK Does the provider fully support open authentication protocol for authorization and authentication of consumers who want to interface with Facebook Apps, Yahoo! Widgets, Google Gadgets, and Apple Apps? Copyright 2015 Yodlee, Inc. All rights reserved. 7

DOES YOUR PROVIDER: Offer an Ultra Secure Platform?

As the engine that will power your app, any data aggregation platform you re considering should be comprised of a set of infrastructure components that intelligently and securely aggregate, cleanse, augment, and store consumer data. Ask questions to ensure the platform has the security features that you need and the privacy and data protection your consumers require. QUESTIONS TO ASK Are the communication channels encrypted for all browsers, mobile, and tablets, and is the aggregation provider collecting their data over encrypted channels? Does the provider have APIs that minimize the amount of sensitive data available on a consumer s mobile device and make the provider responsible for handling data encryption? Does the provider offer a Defense-in-Depth layered approach to network and data security consisting of redundant firewalls, efficiently managed certificates and DNS, and a hardened architecture across the entire environment that they manage and control? Copyright 2015 Yodlee, Inc. All rights reserved. 9

DOES YOUR PROVIDER: Comply with U.S. Regulations?

In the U.S., financial institutions, such as banks and brokerages, are heavily regulated to ensure the safety and soundness of their operations. Financial data aggregation providers that touch bank data are also supervised and regularly examined by the government to ensure they comply with the Gramm-Leach-Bliley Act (GLBA) and other similar regulations. Make sure your data aggregation provider can support you in your compliance obligations and in their own obligations as well. QUESTIONS TO ASK Is the platform compliant with security and privacy requirements in the U.S.? Is the provider willing to enter into contractual obligations with you and your regulatory bodies? Is the provider a technology service provider under U.S. banking laws? If not, how do you know if they are allowed to access banking data? Is the provider PCI-DSS compliant? If not, how do you know if they are allowed to access credit card data? Copyright 2015 Yodlee, Inc. All rights reserved. 11

DOES YOUR PROVIDER: Comply with International Standards?

As your solution grows, you may attract customers in other countries, which means there are additional laws and regulations to contend with. If offering your solution in another country is even a remote possibility, or if you re accessing data from other regions, you ll want to ask your financial data aggregation provider if they re equipped to handle security and privacy requirements outside the U.S. If the data is handled offshore, international security laws may apply regardless. QUESTIONS TO ASK Does the provider comply with international requirements such as the European Union Safe Harbor, EU Member States, or Asia Pacific Economic Cooperation Cross Border Rules for data transfer privacy? Does your provider engage with sub-contractors and cloud service providers to handle development, support, or disaster recovery outside of the country? Copyright 2015 Yodlee, Inc. All rights reserved. 13

DOES YOUR PROVIDER: Monitor and Manage the Risk to Data?

To ensure your app has consistent, secure access to quality data for your customers, all data sources, data quality, and data operations must be monitored constantly. If a data source becomes unavailable, specialized operations personnel should be on hand to solve the problem. A sophisticated, proactive monitoring and debugging infrastructure that addresses data source, data quality issues, and data availability quickly and without compromising the security and privacy of consumer data is essential. QUESTIONS TO ASK Who s responsible for vulnerability management? Who s responsible for patching and resiliency? Who s watching the traffic to manage operational and security concerns? How has the provider handled data breaches in the past? Copyright 2015 Yodlee, Inc. All rights reserved. 15

DOES YOUR PROVIDER: Own the Data? Or Do You?

Before you sign the contract, make sure you understand who owns the data and who can use the data, since ultimately, as the data controller, you re obligated to your customers to make sure the data is used appropriately. If it s not clearly spelled out in the contract or defined in the service level agreements with liability and repercussions for non-compliance, then it s in your best interest to look elsewhere. QUESTIONS TO ASK Does your contract clearly define who owns the customer data? What rights do you have to the data in order to maintain it? What access do you have to the data? Do you have direct access via the provider s APIs to carry out your consumers wishes? What rights does the aggregation provider have to use that data for their own purposes? Copyright 2015 Yodlee, Inc. All rights reserved. 17

DOES YOUR PROVIDER: Have an Experienced Team?

Your data aggregation partner should have your full and complete trust. Don t be afraid to ask them about their experience and their relationships with financial institutions. Also, check into their general reputation in the industry through peers, forums, and industry news. The right data aggregation partner has nothing to hide. QUESTIONS TO ASK How many years has the provider been in the business? Which certifications have they earned? Going through the process of earning certifications such as the ISO/IEC 27000 family of standards and PCI-DSS demonstrates a strong focus on security that other providers may lack. Does the provider have a relationship with financial institutions? Can they answer your questions in terms of storing data, security credentials, etc.? Will the provider offer guidance if you need it? Copyright 2015 Yodlee, Inc. All rights reserved. 19

DOES YOUR PROVIDER: Offer 24/7 Support?

Validating a provider s security standards doesn t end when you sign the papers. Making sure your standards align is an ongoing process that requires consistent check-ins, validation, 24/7 support and scalable customer support programs that grow as you do. QUESTIONS TO ASK Will your provider constantly be there to monitor connections with banks and provide support 24/7? Will your provider schedule regular site audits to insure your system integrations run smoothly? Will they continue to be there over the long term? Copyright 2015 Yodlee, Inc. All rights reserved. 21

Meet Yodlee Interactive: A Proven Certified Data Aggregation Provider When you partner with Yodlee Interactive to build next-generation digital financial apps, you ll benefit from streamlined access to data, payments, and extensive digital security. The Yodlee Interactive financial cloud offers one of the most robust financial data platforms in the world. It delivers bank-level security, encryption, risk management, and APIs enabling flexible, innovative, and multi-channel distribution solutions. With more than 16 years experience integrating into the largest banks in the world, security is in Yodlee Interactive s DNA. Yodlee is the leading provider of digital financial services in the industry and leverages financial data from over 14,000 global sources. As a pioneer in bringing SaaS applications to the financial services industry, and an FFIEC supervised Technology Service Provider, Yodlee Interactive has extensive experience in meeting the highest standards in data security, privacy, and regulatory compliance. Copyright 2015 Yodlee, Inc. All rights reserved. 22

CONCLUSION Aggregation-based technology is powering exciting digital financial solutions that are changing the way people interact with their personal finances. These solutions can help you create more personalized financial experiences and empower customers against fraud with transaction analyzing and alerting tools. To develop the powerful financial applications that consumers want, you need a best-of-breed financial data aggregation provider one with a secure, scalable data infrastructure that safely brings together disparate, personal financial information from all over the web. The best way to find this trusted partner is to ask the right questions. Copyright 2015 Yodlee, Inc. All rights reserved. 23

HOW CAN I LEARN MORE? Download the white paper How to Choose an Aggregation Platform View the webinar How to Choose a Financial Data Platform and Aggregation API ABOUT YODLEE INTERACTIVE Built on the foundation of Yodlee s 16 years of aggregated consumer financial data, Yodlee Interactive empowers visionary entrepreneurs, partners, and developers to build the next generation of disruptive and innovative FinDat (financial data) solutions using the award-winning Yodlee platform. Yodlee Interactive is focused on making the Yodlee platform available everywhere that value can be created by entrepreneurs, partners, and developers to build digital financial apps and services. As the architects of a new digital ecosystem, Yodlee Interactive optimizes the wisdom of the financial technology crowd to create, catalyze, and distribute innovations faster through an open and secure data API. Used by hundreds of companies, both small and large, Yodlee Interactive is the horsepower behind today s coolest and most personalized digital experiences. For more information, visit: yodleeinteractive.com Copyright 2015 Yodlee, Inc. All rights reserved. 10/15 Yodlee 129 24