Financial crime compliance operations leaders are adopting AI-driven solutions to streamline operations, gain massive efficiency, and mitigate risk . But how secure are these AI-driven solutions?
To clarify just how secure the leading AI-driven solutions for automating FinCrime compliance are, we sat down with our CTO, Peter Cousins, to discuss the most critical security considerations addressed by WorkFusion’s systems and solutions. Peter also explained how banking customers participate in the security process with WorkFusion.
You can also watch the video interview with Peter Cousins, WorkFusion’s Chief Technology Officer.
The Many Uses of Encryption
Q: Do you encrypt the data you use and/or provide for customers?
A: We encrypt data and other information at every level. So, that means we encrypt at the disc level, the resource manager level, at the database or the object store, and at the finer-grain levels when data and other items are more sensitive. For example, with bank accounts and social security numbers, we would encrypt those columns in the database. For a particularly sensitive document, we would encrypt that document (or sections of it) within the object store.
Q: Do you encrypt data for customers who use your cloud-based solutions?
A: Yes, we include the use of virtual FIPS compliant HSM. ‘FIPS’ stands for the Federal Information Processing Standard, and ‘HSM’ means Hardware Security Module. So, a virtual FIPS compliant HSM server offers the security advantages of a traditional HSM with the flexibility and scalability of virtualization.
Q: Are communications protected, too?
A: Any communication within the system is encrypted with the latest, highest security versions of all the standards. That’s how information at rest and information in transit are secured.
Q: I know this is a loaded question, but how is the overall information environment secured?
A: So, number one, it’s done by integrating with the single sign-on of the banks in question. If it’s within the WorkFusion environment and it’s a virtual private cloud that we own and operate on behalf of a WorkFusion customer, very few people have access to such an environment. Only people with a strict need to access it are permitted, and that’s only from our cloud operations team. These environments are protected with data leakage controls to make sure that no one can download data outside of these environments. The data never moves outside of the cloud environment that’s been approved by the customer. So it never changes data jurisdictions.
Also, you’re never going to have U.S. data going to the EU or vice versa. If a customer sets up a data center in those environments, the data is never leaving the customer’s virtual private cloud. If any data needs to be looked at in production, that only happens with the supervision and approval of the WorkFusion customer. As you can see, we take the employee access controls very seriously, and the system is secure by design.
Securing the Software
Q: Environments are evolving fast with AI. So, how do you keep software safe as you continue to develop and advance it?
A: At every stage of the software development lifecycle, we check for security. So, we have actual code scans that run every time a developer checks in code. It scans for any sign that a security vulnerability may have been introduced by that developer’s code change. We force those changes to be made or for a second pair of eyes to agree that it was a false positive. And when any such alerts are created during the development stage of the lifecycle, we run scans for vulnerable components and make sure that any discovered vulnerable components are upgraded before the next software release.
If there’s a particularly severe component vulnerability—such as the industrywide Log4j vulnerability that appeared a couple years ago—we will create emergency patch releases to address it.
Q: How do you balance new features with security?
A: We don’t allow for feature development because we take security issues as seriously as our customers do in the production environment. We also, of course, have additional static scans and penetration tests that are done with every second digit software release, and any such vulnerabilities are immediately mitigated or fixed. Also, we escalate the severity for our service level agreements for any issue that has to do with security.
Network Security and Access Management
Q: What about network security?
A: We have the kind of network edge protection that you would expect—intrusion detection, firewalls behind the scenes, routing and load balancing on our side connected with VPNs to customer premises when that’s required. So, it’s always an encrypted tunnel connecting the two institutions. We also support using IP whitelisting and mutual certificate authentication so that we know any communications—both within WorkFusion and between WorkFusion and a customer are always secure.
Q: How do you handle access management?
A: The entire environment maintains all secrets or other security tokens in a separate area, referred to as a Vault. This allows secrets to be maintained without any WorkFusion personnel ever becoming aware of them. So, the customer can register their own shared secrets, for example, within the WorkFusion Vault and only the customer has ever seen those. It’s a one-way route into the vault, and the product will use it at runtime to be able to connect to the customer system. Additionally, all of our own internal credentials are similarly managed with this type of vault environment. For SSO (single sign-on), we use Key Cloak. Key Cloak is both a SAML and an OpenID Connect API gateway, which allows us to integrate with the authentication provider at the bank. This is important because, when the bank’s employees need to use our environment, they’re using the credentials that they use for their own in-house systems, and WorkFusion never has to maintain those credentials.
Another important note on access. When user accounts are revoked on the bank’s side, they will no longer have access to WorkFusion because their job role changed or they left the company. Closing that gap is an important part of what we do with access management. Everything in the system has different kinds of roles, and those roles can be managed in a fine-grained way or in a group-based way. Moreover, the group-based controls that we have can be mapped to groups within the customer identity provider so that you don’t have to manage fine-grained roles and permissions. On the WorkFusion side, you can tie it to the group administration within the bank if you choose to do it that way.
Q: Can customers perform their own testing in the WorkFusion environment?
A: Yes, customers do participate within our environment to test it, to make sure that it meets their needs and that it’s following their standards and practices. So, it’s a secondary validation that we’ve got everything right according to what the customer has told us.
Customers are also free to do their own security penetration tests on our environments. That said, we like to coordinate with them and not necessarily do it within a production environment, or if we do it in a production environment, we prefer to do it during ‘off hours.’ Sometimes penetration tests risk being disruptive in the performance of an environment if you’re not extremely careful. So we do our own penetration testing and we share those reports with customers so that they don’t necessarily have to do their own penetration test. Still, they’re free to do it if they like. That is really the sum total of customer security responsibilities. The rest we take care of ourselves.
Q: How can a potential customer, CIO or CISO learn more details about this?
A: We have put together a comprehensive two-hour slideshow which we present to CIOs and CISOs to delve into the security measures we have in place. For less technical audiences, have also have a much more condensed version. Prospective customers like to see this version as a litmus test to prove that what I described herein is accurate and verifiable.
For more information about WorkFusion’s AI Agents, please request a demo.
ai agents,Banking & Financial Services,BSA/AML compliance,FinCrime,Secure AI,WorkFusion Platform
