Securing non-production environments for banking applications

Positive Thinking Company presents a use case of securing non-production environments for banking applications.

Key challenges

For many organizations, data leakage is one of the main risks they are confronted with, if not the most serious.

For financial institutions, however, concerns around data leakage take on a whole new dimension. Beyond the risk of being barred from the market, breaches of data privacy or consumer protection laws can result in legal fees and lawsuits and can damage a company’s reputation and long-term financial health.

Financial regulators therefore rely on numerous regulations to protect and secure end-user banking data.

In the Swiss context, the accredited regulator “FINMA” has raised concerns about the risk posed by the volume of sensitive data present in non-production environments, which can be called “first-level” environments: sandbox, development, integration, etc.

These environments are often less secure than those closer to production because they are meant to foster innovation, which, by definition, one does not want to constrain.

While a single piece of data may not pose a major risk, a mass of exposed data raises the operational risk to a bank in the event of a data leak. To reduce banks’ exposure to this risk, the regulator therefore wants to limit the amount of exposed direct or indirect Client Identifying Data (CID).

In the context of our client, these environments were already secured at the level of direct CID (personal data, addresses, etc.). The mission consisted of anonymizing “indirect CID”, such as references to sensitive data or toxic combinations of otherwise non-identifying fields.

To meet these requirements, the project was structured in two phases: a first phase of analysis aimed at assessing the situation, answering the issues raised and designing a solution, and a second phase implementing the chosen solution.