Designing a Zero Trust Architecture for Securing API Gateways in Digital Banking Systems
DOI: https://doi.org/10.51519/journalisi.v7i3.1219
Keywords: Access control; API Gateway; Cyber Security; Digital Banking; Zero Trust Architecture
Abstract
In the era of digital banking transformation, Application Programming Interfaces (APIs) are essential for system integration and customer-facing innovation, but they also widen exposure to cyber security risks such as credential theft, API abuse, data breaches, and unauthorized access. This research proposes a conceptual Zero Trust Architecture (ZTA) model specifically designed to secure API Gateways in digital banking systems. Adopting a conceptual design methodology comprising literature review, component identification, architectural modelling, standards-based evaluation, and recommendation development, the study introduces a framework that integrates the core Zero Trust principles: strong identity verification counters credential misuse, dynamic access control mitigates unauthorized access, encryption protects sensitive financial data, continuous monitoring identifies abnormal traffic, and real-time behavioral analytics detects API abuse. Each component is mapped to relevant industry standards to support resilience and regulatory compliance. Beyond the conceptual design, the findings highlight practical implications: applying ZTA at the API Gateway strengthens defenses against modern API threats, supports regulatory readiness, and provides banks with a structured roadmap for delivering secure digital services. The study concludes that the proposed model delivers a comprehensive foundation for secure API communication in digital banking and actionable guidance for future implementation and research.