While WhatsApp, Signal, Wickr and similar apps are frequently discussed in the media, the encrypted messaging sector also has more specialized players, such as Symphony (not to be confused with the PHP framework Symfony). The company, founded by Frenchman David Gurlé, offers a secure messaging solution for the banking and financial sectors, which are subject to significant regulatory constraints.
As Dietmar Fauser, CIO of the company, explains, one of Symphony's distinguishing features is that it offers a tool adapted to this highly regulated environment: “One of the main differences between Symphony and mainstream players like WhatsApp or Signal is the management of encryption keys. We use a multi-tiered encryption model which allows the customer to be responsible for key management.”
Trust does not exclude control
Symphony customers (mainly merchant banks, investment funds and other players in the financial world) deploy hardware security module (HSM) servers in their data centers, which serve as a secure enclave for the encryption keys. “For an employee who works on a computer controlled by the bank, it’s pretty transparent. In the background, the Symphony terminal will first connect to the key management tool installed on the bank’s network, and retrieve the encryption key. Once the key is obtained, we connect to the Symphony infrastructure which allows messages to be exchanged, and the messages are stored in secure enclaves,” explains Dietmar Fauser.
“The principle of this system is to allow the bank to access the contents of the messages exchanged, without Symphony being able to access them,” he says. Banks and financial players need complete control over the messages exchanged by their employees: at the start of 2020, the bank JP Morgan laid off one of its traders, who had communicated with his colleagues using the WhatsApp application. The bank was not in a position to control the content of the messages exchanged in this way, or, where necessary, to hand that content over to the regulators, as the legal framework requires. Symphony’s niche therefore lies in this difference: providing an encrypted and secure messaging tool, while giving its customers control of the keys and therefore the ability to decrypt the messages exchanged.
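The flow described above (fetch the key from the bank's own key manager, then send only ciphertext to the messaging provider) can be sketched as follows; this is an added example, not Symphony's code or protocol. `BankKeyManager`, `send`, `compliance_export` and the user and conversation names are hypothetical, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a vetted AEAD (e.g. AES-GCM).
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):   # wrong key or tampered ciphertext
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class BankKeyManager:
    """Hypothetical stand-in for the HSM-backed key service on the bank's network."""
    def __init__(self, authorized):
        self._authorized, self._keys = set(authorized), {}
    def get_key(self, user, conversation):
        if user not in self._authorized:
            raise PermissionError(f"{user} may not fetch keys")
        return self._keys.setdefault(conversation, secrets.token_bytes(32))

# `store` is a plain list standing in for the provider's database (assumption):
# it only ever receives (conversation, ciphertext) pairs, never a key.
def send(kms, store, user, conversation, text):
    key = kms.get_key(user, conversation)                 # 1. key from the bank
    store.append((conversation, seal(key, text.encode())))  # 2. ciphertext to provider

def compliance_export(kms, store, officer, conversation):
    key = kms.get_key(officer, conversation)              # bank-side decryption
    return [open_sealed(key, blob).decode()
            for conv, blob in store if conv == conversation]

if __name__ == "__main__":
    kms, store = BankKeyManager({"trader1", "compliance"}), []
    send(kms, store, "trader1", "desk-fx", "constructed sample message")
    print(compliance_export(kms, store, "compliance", "desk-fx"))
```

A party holding only `store` can neither read a message nor alter one without detection; decryption requires a key that only the bank's key manager releases.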
Beyond this, Symphony also tries to stand out by offering interfaces with many tools commonly used in the sector: creation of financial charts, interfaces with banking applications, and other extensions more specific to the banking sector. “We also automate a lot of processes related to KYC (Know your Customer) requirements or the arrival of new customers through bots, programmable on our platform. BNP, for example, has developed several dozen chatbots that run on Symphony, aimed at disseminating their financial analyses to their traders or their clients.”
Telecommuting is a game-changer
The massive shift to teleworking caused by the pandemic has been a challenge for Symphony. “In the first few weeks, the only management tool that our clients had to set up teleworking was Symphony. It was interesting: we saw the use of the system quintuple in a few days. This type of variation, in a B2B vertical, is not very common.” But the forced switch to teleworking was also an opportunity to note another trend: “We see more and more banks switching to tools like Office 365. That poses a concern for our strategy, because we meet in competition with generalists like Teams, which does not offer the same level of security, but which the banks accept for some of their users.”
This observation prompted the company to refocus its development strategy on allowing banks to automate and facilitate certain tasks specific to financial players: “We are starting to implement workflow management on the platform. For example, if a bank wants to do a financial exchange, it’s a process that requires a lot of communication and automatic messages, and a lot of emails if something goes wrong. We want to offer a communication platform that supports this workflow for banks.”
This focus on automation allows Symphony to differentiate itself from the competition by offering its customers the ability to create automated tools and chatbots adapted to their uses. “I am confident that in the next five years IT will be driven by augmented automation. We will see more and more digital agents and human-machine agents: in some cases, we still need a human to take over. With us, we can use these machine-to-machine communications, while still allowing a human to intervene,” says Dietmar Fauser.
Showing credentials
Symphony claims that half a million players in the financial world use its solution. The number of messages exchanged on the platform amounts to more than three million per day, with just over 300,000 daily users. The company has a workforce of 750 people around the world, of which around 400 are dedicated to engineering. “The security function is split between several teams, with different engineers responsible for implementing the security models, all overseen by the Chief Operating Security Officer, who validates the encryption and security models. In all, this must represent a dozen people,” says Dietmar Fauser.
With this scale and customers operating in a sensitive sector, Symphony must prove its level of security through multiple audits: “It is indeed something that takes us a lot of time. We are currently working on the SOC 2 audit with Deloitte, and we regularly perform internal pentests. In addition to this, banks have their own compliance directors who periodically check the work of suppliers, sometimes with very strict criteria. Banks have gone mad on these subjects following the 2008 crisis: there are some large banks with a compliance budget exceeding one billion. And the closer we get to trading, the more draconian the criteria become.”