Designing a Zero Trust Architecture for Securing API Gateways in Digital Banking Systems

  • Riama Santy Sitorus Universitas Asa Indonesia, Indonesia
  • B. Junedi Hutagaol Universitas Asa Indonesia, Indonesia
Keywords: Access control; API Gateway; Cyber Security; Digital Banking; Zero Trust Architecture

Abstract

In the era of digital banking transformation, Application Programming Interfaces (APIs) are essential for system integration and customer-facing innovations but also increase exposure to cyber security risks such as credential theft, API abuse, data breaches, and unauthorized access. This research proposes a conceptual Zero Trust Architecture (ZTA) model specifically designed to secure API Gateways in digital banking systems. Adopting a conceptual design methodology comprising literature review, component identification, architectural modelling, standards-based evaluation, and recommendation development the study introduces a framework that integrates core Zero Trust principles. Strong identity verification counters credential misuse, dynamic access control mitigates unauthorized access, encryption protects sensitive financial data, continuous monitoring identifies abnormal traffic, and real-time behavioral analytics prevents API abuse. Each component is mapped to relevant industry standards, ensuring resilience and regulatory compliance. Beyond the conceptual design, the findings highlight practical implications: applying ZTA at the API Gateway strengthens cyber security defenses against modern API threats, supports regulatory readiness, and provides banks with a structured roadmap for secure digital services. The study concludes that the proposed model delivers a comprehensive foundation for secure API communication in digital banking and actionable guidance for future implementation and research.

Downloads

Download data is not yet available.

References

D. Dinçkol, P. Ozcan, and M. Zachariadis, “Regulatory standards and consequences for industry architecture: The case of UK Open Banking,” Res. Policy, vol. 52, no. 6, p. 104760, 2023, doi: 10.1016/j.respol.2023.104760.

P. Hanafizadeh and M. G. Amin, The transformative potential of banking service domains with the emergence of FinTechs, vol. 28, no. 3. Palgrave Macmillan UK, 2023. doi: 10.1057/s41264-022-00161-0.

D. Cota, J. Martins, H. Mamede, and F. Branco, “BHiveSense: An integrated information system architecture for sustainable remote monitoring and management of apiaries based on IoT and microservices,” J. Open Innov. Technol. Mark. Complex., vol. 9, no. 3, 2023, doi: 10.1016/j.joitmc.2023.100110.

B. J. Hutagaol, R. S. Sitorus, and N. Hutagaol, “Identifikasi tingkat kesadaran pengguna mobile banking terhadap ancaman cybercrime,” J. Teknol. Sist. Inf. dan Apl., vol. 7, no. 3, pp. 1043–1054, 2024, doi: 10.32493/jtsi.v7i3.41639.

N. Subramanian and A. Jeyaraj, “Recent security challenges in cloud computing,” Comput. Electr. Eng., vol. 71, no. July 2017, pp. 28–42, 2018, doi: 10.1016/j.compeleceng.2018.06.006.

R. S. Sitorus et al., “Capability-based API gateway technology selection analysis for banking cybersecurity solution using AHP method,” Sinkron: Jurnal dan Penelitian Teknik Informatika, vol. 9, no. 1, pp. 338–347, 2025.

H. Joshi, “Emerging technologies driving zero trust maturity across industries,” IEEE Open J. Comput. Soc., vol. 6, no. January, pp. 25–36, 2025, doi: 10.1109/OJCS.2024.3505056.

T. Fadziso, “Evolution of the cyber security threat: An overview of the scale of cyber threat,” Digitalization & Sustainability Review, vol. 3, no. 1, Sept. 2023, doi: 10.6084/m9.figshare.24189921.v1.

H. Yerramsetty, “Zero Trust Architecture in cloud computing: A paradigm shift in platform engineering security,” World J. Adv. Res. Rev., vol. 6, no. 6, pp. 1–9, 2024.

S. Rose, O. Borchert, S. Mitchell, and S. Connelly, “Zero Trust Architecture NIST Special Publication 800-207,” NIST, 2020, doi: 10.6028/NIST.SP:800-207.

Y. Kusnanto, M. A. Nugroho, and R. Kartadie, “Implementasi Zero Trust Architecture untuk meningkatkan keamanan jaringan: Pendekatan,” JIPI (Jurnal Ilmiah Penelitian dan Pembelajaran Informatika), vol. 9, no. 4, pp. 2357–2364, 2024.

C. Sample, C. Shelton, S. M. Loo, C. Justice, and L. Hornung, “ZTA: Never trust, always verify,” in European Conf. Cyber, pp. 256–262, 2021.

P. V. Bhat, S. Hg, M. Sujith, C. Ca, and B. Suhas, “Zero Trust Architecture (ZTA),” NIST special publication 800, no. 3, pp. 123–130, 2024.

B. F. Rodrigues, “Zero Trust Applied to Digital Banking Platforms,” IET Blockchain, no. June, 2025.

A. K. Bayya, “Cutting-edge practices for securing APIs in FinTech: Implementing adaptive security models and Zero Trust Architecture,” Int. J. Appl. Eng. Technol., no. January, 2025.

R. Chandramouli and Z. Butcher, Guidelines for API Protection for Cloud-Native Systems, no. NIST Special Publication (SP) 800-228 (Draft), National Institute of Standards and Technology, 2025.

H. Omotunde and M. Ahmed, “A comprehensive review of security measures in database systems: Assessing authentication, access control, and beyond,” Mesopotamian J. CyberSecurity, vol. 2023, pp. 115–133, 2023, doi: 10.58496/mjcsc/2023/016.

E. Barker and A. Roginsky, Transitioning the use of cryptographic algorithms and key lengths, no. NIST Special Publication (SP) 800-131A Rev. 2 (Draft), National Institute of Standards and Technology, 2018.

H. Omotunde and M. Ahmed, “A comprehensive review of security measures in database systems: Assessing authentication, access control, and beyond,” Mesopotamian J. CyberSecurity, vol. 2023, pp. 115–133, 2023, doi: 10.58496/mjcsc/2023/016.

Z. Wu, E. Feng, and Z. Zhang, “Temporal-contextual behavioral analytics for proactive cloud security threat detection,” Academia Nexus J., vol. 3, no. 2, 2024.

Published
2025-09-30
Abstract views: 132 times
Download PDF: 87 times
How to Cite
Sitorus, R. S., & Hutagaol, B. J. (2025). Designing a Zero Trust Architecture for Securing API Gateways in Digital Banking Systems. Journal of Information Systems and Informatics, 7(3), 2589-2601. https://doi.org/10.51519/journalisi.v7i3.1219
Section
Articles