In November 2019, the European Banking Authority (EBA) released guidelines for security risk management in Information and Communication Technology (ICT) systems. Since then, the central banks of member states have been busy codifying those guidelines into local laws and regulations, with the result that most of Europe now has harmonized standards for managing the impact of disruptions to key technology systems.
While most of the guidelines are process-related, there are a few key sections that delve into recommended investments for financial institutions across Europe to secure their critical ICT infrastructure.
In section 3.7.1, the guidelines specifically call for the “redundancy of certain critical components to prevent disruptions caused by events impacting those components.” The goal of these redundant critical components is to reduce the recovery time objective (RTO) of any incident, that is, to minimize the impact of an outage on banking customers and the technologies they rely on.
Where things get a little vague is in the definition of “critical components.” In the end, isn’t every piece of technology that connects banking customers with their accounts “critical” by definition? This is where the EBA recommends that financial institutions conduct an impact analysis to prioritize protection levels for different systems. As part of that analysis, the EBA recommends testing “a range of different scenarios…including extreme but plausible ones to which it might be exposed, including a cyber-attack scenario.”
DNS as Critical Infrastructure
As the connection point between any financial institution and its customers, the Domain Name System (DNS) plays a vital role in resilience. Even when all of an institution’s core banking systems are up and running, if there’s no way to access those systems through a customer-facing website, the bank is “offline” for all intents and purposes.
Applying the EBA’s “range of scenarios” to DNS, there are many different ways that a financial institution’s website could suddenly find itself unavailable:
DDoS attack: Distributed Denial of Service (DDoS) attacks are a common threat to every website, but financial institutions are a particularly juicy target. The threat posed by DDoS attacks is particularly daunting if an institution runs its own authoritative DNS infrastructure, but even an under-resourced third-party authoritative DNS provider could pose a risk if the attack is large enough.
Misconfigurations: Mistakes happen. Sometimes a simple “fat finger” error can redirect traffic to a dead end. Sometimes a configuration that looks fine in a test environment doesn’t actually work in production. Protecting against these honest mistakes is just as important as protecting against nefarious actors.
Degraded performance: Just because a website is answering queries doesn’t mean that it’s answering them efficiently or effectively. Speed matters a great deal in certain financial transactions. Fractions of a second matter. The risk of degraded performance from a single offline server can be just as impactful to some customers as a full website outage.
DNS is far too important a “critical component” to leave unprotected. The stakes in the financial services industry are too high to put any connection to customers at risk. Adding a resilient, redundant layer to authoritative DNS is a must-have for any financial institution.
Recognizing the critical nature of DNS, the banking industry has moved to add its own DNS resilience requirements on top of those set by the EBA. The .bank domain, which is owned and operated by the American Bankers Association (ABA) and the Bank Policy Institute (BPI), requires the use of DNSSEC and strong cryptographic algorithms.
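As an added example (not from the original article or NS1’s own tooling), the short Python check below applies two of the points above to a zone’s delegation data: whether the authoritative name servers are spread across more than one operator, and whether the DS records at the parent use a current DNSSEC algorithm and digest. The algorithm classes follow RFC 8624, which is an assumption, since the page does not list .bank’s exact algorithm requirements; the sample zones are constructed.

```python
"""Delegation resilience check: NS operator redundancy and DNSSEC algorithm
strength. Works on constructed sample data only; no network access."""
from collections import Counter
from typing import Dict, List, Tuple

# DNSSEC signing algorithm numbers (IANA) grouped per RFC 8624 (assumption:
# RFC 8624 is used as the "strong algorithm" yardstick here).
RECOMMENDED_ALGS = {8, 13, 15}          # RSASHA256, ECDSAP256SHA256, ED25519
ACCEPTABLE_ALGS = {10, 14, 16}          # RSASHA512, ECDSAP384SHA384, ED448
DEPRECATED_ALGS = {1, 3, 5, 6, 7, 12}   # RSAMD5, DSA, RSASHA1 variants, GOST
WEAK_DS_DIGESTS = {1, 3}                # SHA-1 and GOST digest types in DS

def provider_of(ns_host: str) -> str:
    """Reduce an NS hostname to its operator's registrable domain.
    Assumes a two-label registrable domain (ns1.primary-dns.example -> primary-dns.example)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def assess_zone(ns_hosts: List[str], ds_records: List[Tuple[int, int]],
                min_providers: int = 2) -> Dict[str, object]:
    """Return operator spread, a list of findings, and an overall verdict.
    ds_records holds (algorithm, digest_type) pairs as published at the parent."""
    providers = Counter(provider_of(h) for h in ns_hosts)
    findings = []
    if len(ns_hosts) < 2:
        findings.append("fewer than two authoritative name servers")
    if len(providers) < min_providers:
        findings.append(f"all name servers run by {len(providers)} operator(s); "
                        "one provider outage or DDoS takes the zone offline")
    if not ds_records:
        findings.append("no DS record at the parent: zone unsigned or not chained")
    for alg, digest in ds_records:
        if alg in DEPRECATED_ALGS:
            findings.append(f"DS uses deprecated signing algorithm {alg}")
        elif alg not in RECOMMENDED_ALGS | ACCEPTABLE_ALGS:
            findings.append(f"DS uses unrecognised signing algorithm {alg}")
        if digest in WEAK_DS_DIGESTS:
            findings.append(f"DS uses weak digest type {digest}")
    return {"providers": dict(providers), "findings": findings, "resilient": not findings}

# Constructed sample delegations (.example names; not real zones or providers).
SINGLE_PROVIDER_SHA1 = (["ns1.bank-dns.example.", "ns2.bank-dns.example."],
                        [(5, 1)])   # RSASHA1 key, SHA-1 digest
REDUNDANT_STRONG = (["ns1.primary-dns.example.", "ns2.primary-dns.example.",
                     "ns-a.secondary-dns.example.", "ns-b.secondary-dns.example."],
                    [(13, 2)])  # ECDSAP256SHA256 key, SHA-256 digest

if __name__ == "__main__":
    for name, (ns, ds) in [("single", SINGLE_PROVIDER_SHA1), ("redundant", REDUNDANT_STRONG)]:
        print(name, assess_zone(ns, ds))
```

The first sample reproduces the single-provider, SHA-1 case the EBA scenarios warn about; the second passes both the redundancy and the algorithm test.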
Benefits of NS1 Managed DNS for Financial Institutions
The unique features of NS1 Managed DNS give financial institutions worldwide the tools they need to manage risk and comply with regulatory requirements like the EBA guidelines and requirements for .bank domains.
Dedicated DNS: NS1 offers a physically and logically separated DNS network just for your business. This is the ultimate in resilient, redundant authoritative DNS. The failover mechanism is seamless, automated, and easy to manage, reducing your RTO for any DNS outage or service degradation to near zero.
DNS Insights: NS1 goes well beyond the canned logs and basic data feeds that other authoritative DNS providers offer. Our DNS Insights feature provides an impressive breadth and depth of information on the traffic flowing through your network, so you can identify the source of misconfigurations and NXDOMAIN responses, spot the early indicators of a DDoS attack, and prevent accidental exposure of internal assets.
Traffic steering: NS1 offers the widest range of options for traffic steering in the industry, from simple geolocation-based options to sophisticated logic based on real user metric (RUM) data. With NS1’s automated traffic steering logic, you can automatically divert traffic around outages to avoid service degradation and maintain maximum performance levels even when crises hit.
DNSSEC: NS1 is a strong proponent of DNSSEC, offering security extensions on all domains under its management. Every NS1 feature (including Dedicated DNS and traffic steering) is compatible with DNSSEC.
Learn more about NS1 Managed DNS.