Designing a Zero Trust Architecture for Securing API Gateways in Digital Banking Systems
Abstract
In the era of digital banking transformation, Application Programming Interfaces (APIs) are essential for system integration and customer-facing innovations but also increase exposure to cyber security risks such as credential theft, API abuse, data breaches, and unauthorized access. This research proposes a conceptual Zero Trust Architecture (ZTA) model specifically designed to secure API Gateways in digital banking systems. Adopting a conceptual design methodology comprising literature review, component identification, architectural modelling, standards-based evaluation, and recommendation development the study introduces a framework that integrates core Zero Trust principles. Strong identity verification counters credential misuse, dynamic access control mitigates unauthorized access, encryption protects sensitive financial data, continuous monitoring identifies abnormal traffic, and real-time behavioral analytics prevents API abuse. Each component is mapped to relevant industry standards, ensuring resilience and regulatory compliance. Beyond the conceptual design, the findings highlight practical implications: applying ZTA at the API Gateway strengthens cyber security defenses against modern API threats, supports regulatory readiness, and provides banks with a structured roadmap for secure digital services. The study concludes that the proposed model delivers a comprehensive foundation for secure API communication in digital banking and actionable guidance for future implementation and research.
Downloads
References
D. Dinçkol, P. Ozcan, and M. Zachariadis, “Regulatory standards and consequences for industry architecture: The case of UK Open Banking,” Res. Policy, vol. 52, no. 6, p. 104760, 2023, doi: 10.1016/j.respol.2023.104760.
P. Hanafizadeh and M. G. Amin, The transformative potential of banking service domains with the emergence of FinTechs, vol. 28, no. 3. Palgrave Macmillan UK, 2023. doi: 10.1057/s41264-022-00161-0.
D. Cota, J. Martins, H. Mamede, and F. Branco, “BHiveSense: An integrated information system architecture for sustainable remote monitoring and management of apiaries based on IoT and microservices,” J. Open Innov. Technol. Mark. Complex., vol. 9, no. 3, 2023, doi: 10.1016/j.joitmc.2023.100110.
B. J. Hutagaol, R. S. Sitorus, and N. Hutagaol, “Identifikasi tingkat kesadaran pengguna mobile banking terhadap ancaman cybercrime,” J. Teknol. Sist. Inf. dan Apl., vol. 7, no. 3, pp. 1043–1054, 2024, doi: 10.32493/jtsi.v7i3.41639.
N. Subramanian and A. Jeyaraj, “Recent security challenges in cloud computing,” Comput. Electr. Eng., vol. 71, no. July 2017, pp. 28–42, 2018, doi: 10.1016/j.compeleceng.2018.06.006.
R. S. Sitorus et al., “Capability-based API gateway technology selection analysis for banking cybersecurity solution using AHP method,” Sinkron: Jurnal dan Penelitian Teknik Informatika, vol. 9, no. 1, pp. 338–347, 2025.
H. Joshi, “Emerging technologies driving zero trust maturity across industries,” IEEE Open J. Comput. Soc., vol. 6, no. January, pp. 25–36, 2025, doi: 10.1109/OJCS.2024.3505056.
T. Fadziso, “Evolution of the cyber security threat: An overview of the scale of cyber threat,” Digitalization & Sustainability Review, vol. 3, no. 1, Sept. 2023, doi: 10.6084/m9.figshare.24189921.v1.
H. Yerramsetty, “Zero Trust Architecture in cloud computing: A paradigm shift in platform engineering security,” World J. Adv. Res. Rev., vol. 6, no. 6, pp. 1–9, 2024.
S. Rose, O. Borchert, S. Mitchell, and S. Connelly, “Zero Trust Architecture NIST Special Publication 800-207,” NIST, 2020, doi: 10.6028/NIST.SP:800-207.
Y. Kusnanto, M. A. Nugroho, and R. Kartadie, “Implementasi Zero Trust Architecture untuk meningkatkan keamanan jaringan: Pendekatan,” JIPI (Jurnal Ilmiah Penelitian dan Pembelajaran Informatika), vol. 9, no. 4, pp. 2357–2364, 2024.
C. Sample, C. Shelton, S. M. Loo, C. Justice, and L. Hornung, “ZTA: Never trust, always verify,” in European Conf. Cyber, pp. 256–262, 2021.
P. V. Bhat, S. Hg, M. Sujith, C. Ca, and B. Suhas, “Zero Trust Architecture (ZTA),” NIST special publication 800, no. 3, pp. 123–130, 2024.
B. F. Rodrigues, “Zero Trust Applied to Digital Banking Platforms,” IET Blockchain, no. June, 2025.
A. K. Bayya, “Cutting-edge practices for securing APIs in FinTech: Implementing adaptive security models and Zero Trust Architecture,” Int. J. Appl. Eng. Technol., no. January, 2025.
R. Chandramouli and Z. Butcher, Guidelines for API Protection for Cloud-Native Systems, no. NIST Special Publication (SP) 800-228 (Draft), National Institute of Standards and Technology, 2025.
H. Omotunde and M. Ahmed, “A comprehensive review of security measures in database systems: Assessing authentication, access control, and beyond,” Mesopotamian J. CyberSecurity, vol. 2023, pp. 115–133, 2023, doi: 10.58496/mjcsc/2023/016.
E. Barker and A. Roginsky, Transitioning the use of cryptographic algorithms and key lengths, no. NIST Special Publication (SP) 800-131A Rev. 2 (Draft), National Institute of Standards and Technology, 2018.
H. Omotunde and M. Ahmed, “A comprehensive review of security measures in database systems: Assessing authentication, access control, and beyond,” Mesopotamian J. CyberSecurity, vol. 2023, pp. 115–133, 2023, doi: 10.58496/mjcsc/2023/016.
Z. Wu, E. Feng, and Z. Zhang, “Temporal-contextual behavioral analytics for proactive cloud security threat detection,” Academia Nexus J., vol. 3, no. 2, 2024.


Copyright (c) 2025 Journal of Information Systems and Informatics

This work is licensed under a Creative Commons Attribution 4.0 International License.
- I certify that I have read, understand and agreed to the Journal of Information Systems and Informatics (Journal-ISI) submission guidelines, policies and submission declaration. Submission already using the provided template.
- I certify that all authors have approved the publication of this and there is no conflict of interest.
- I confirm that the manuscript is the authors' original work and the manuscript has not received prior publication and is not under consideration for publication elsewhere and has not been previously published.
- I confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- I confirm that the paper now submitted is not copied or plagiarized version of some other published work.
- I declare that I shall not submit the paper for publication in any other Journal or Magazine till the decision is made by journal editors.
- If the paper is finally accepted by the journal for publication, I confirm that I will either publish the paper immediately or withdraw it according to withdrawal policies
- I Agree that the paper published by this journal, I transfer copyright or assign exclusive rights to the publisher (including commercial rights)