Designed to fail

This content is provided by our sponsor, and neither is written by nor provides endorsement from ICBA.

By Lou Senko, SVP and CIO, Q2

An aging notion claims security requirements add unavoidable friction to the code-to-customer delivery cycle. But security doesn’t have to add friction, and deceleration isn’t inevitable. We can accelerate by reducing risk proactively, employing robust security solutions, and employing intelligent testing simultaneously. With a multilayered approach, each layer is designed to fail while the overall strategy still provides exceptional security.

Security Through Layers

Q2’s growing market presence and rapid technology adoption has seen our attack surface expand at logarithmic rates. Our hosting footprint includes environments in the public cloud and large colocation datacenters. 18 million platform users move nearly $1.5 trillion through 450 digital branches annually. This scale underscores the importance of a layered approach to internal and external threats.

Security Through Solutions

The goal of security is to tolerate certain kinds of risk while mitigating the rest; with this in mind, Q2 has merged security and operations, since everyone who touches production shares the responsibility of ensuring and maintaining security. Q2 has since executed against a purposeful roadmap for maturing our capabilities:

  • Q2’s security team has established itself as a leader across 450 FIs’ security, compliance, risk, and fraud teams.
  • Q2 has implemented respected industry frameworks, elevating our posture.
  • A continuously refined technology stack adopts innovative, leading solutions, including encoding and blockchain technologies, third-party service augmentation, and threat-mitigation tools.

Security through architecture

One of Q2’s newer strategic solutions is zero-trust implementation, where every access request and session is authenticated separately. What’s inside the network is treated no differently than what’s outside, and each layer is designed to fail without compromising overall protection.

Zero-trust implementation starts with access tied to Q2 employee roles, authentication, and the application of minimal security. Identifying the user and applying their role-based security only grants the opportunity to authenticate against something they want to access. Rigorous evaluation and employee-access standards are set by internal stakeholders and regularly reviewed.

Q2 employees can only use a Q2-managed device to access the network. Once logged into a hosting environment, employees must request assets.

Additionally, all Q2 laptops have encrypted drives, additional security features, and virtual desktop policies. What’s more, a new SASE network solution moves security to the edge, allowing us to include the entire connection under our security posture.

An essential piece of Q2’s zero-trust architecture sees data leveraged in a way that protects all surrounding layers through the sophisticated use of tokenization, encoding, and blockchain technology. All sensitive data is removed and randomly encoded and fragmented into pieces scattered and stored across multiple blockchains. The actual data itself is never stored in a usable form and is meaningless until “re-hydrated” for use.

Zero-trust is a significant project to tackle, but the benefits are far-reaching, create a solid foundation to build on, and should allay fears that you’re one failure of a layer away from disaster. This approach not only improves your security posture but positions you to keep pace with truly disruptive and bleeding-edge technologies.

Discover more.