Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 PM
Connect Directly

BBVA CISOs Give Tips For Securing 'Digital Bank'

At RSA conference today, CISOs at the multinational financial organization describe security strategy.

RSA CONFERENCE -- San Francisco -- Eight years ago multinational banking group BBVA first decided to enable customers to do 100 percent of their banking activity remotely and from any device. No easy feat for a bank that has 51 million customers, 110,000 employees, and €650 billion (approximately $696 billion) in assets. Today, Juan Francisco Losa, CISO of BBVA's Digital Bank and Santiago Moral, Global CISO for BBVA, explained the security strategy for this "global digital bank."

The main challenges, as Moral described them, are that they have customers using applications that are not developed or managed by the bank, that the bank's data no longer resided within the bank's datacenter, and that the software development lifecycle had entirely changed to become more agile.

When the infrastructure is no longer under the organization's control, said Losa, "the architectural design to address security has to be infrastructure-independent."

BBVA is trying to take advantage of new identity and access management tools. The authentication method can adapt to best suit the channel and the device, as long as it is "at least as reliable as 'traditional' mechanisms," Losa said.

What if something goes wrong? Losa also said that BBVA has a "panic button," to react quickly to an emergency -- for example, activating a requirement for a second factor of authentication on the fly, if fraudulent activity increases through a particular vector. Losa says this was a job for BBVA's internal developers, not the third party.

Regardless of who's going to do the development work, the important thing, the speakers said, was that they need to develop and deploy updates as often and as quickly as necessary, even if that's within a time frame of just one week. How can they do that without sacrificing security?

Part of the solution, says Losa, is to automate testing as much as possible, but another has to do with people, not technology. The way to work without knowing the complete functional analysis, he says, is by being part of a collaborative security dev ops team. "Start making security decisions in a decentralized way," said Losa.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/22/2015 | 8:55:34 AM
On the fly
Having the ability to enable 2 factor authentication on the fly is fantastic. For security to work you need a healthy balance between user acceptance and security principles. Only having to authenticate one time allows for an ease of use principle while still maintaining basic security. Enabling the second factor in time of need while explaining to the end user why this is occuring will increase user confidence in the system. As well as employing heavier security principles as needed.
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...