Financial services companies are big adopters of the cloud. According to a survey by Google Cloud and Harris Poll, 83% of financial services companies are using the public cloud in some form. A Cloud Security Alliance report found similar high adoption rates, with 91% of banking and finance respondents using cloud services or planning to in the next 6-9 months.
Rich in benefits, the cloud can help the financial and banking sector improve its customer deliverables, break down internal silos, reduce costs, drive innovation – and even enhance security. New and exciting financial domains like fintech and insurtech have become possible thanks to cloudification and an out-of-the-box approach to tech infrastructure, platforms and services. Cloud, says Deloitte in an article on how banking will look in 2030, is “redefining the ‘art of possible.’”
However, the sun doesn’t always shine in the cloud: Financial services are the industry that cyber attackers hit up the most. In 2021 the Financial Services Information Sharing and Analysis Center (FS-ISAC) raised its threat level three times compared to once a year in the past. Year 2022 is expected to be worse, with ransomware, supply chain attacks and digital vulnerabilities the most prominent threats. The main actors? Gangs and nation-state attackers seeking to infiltrate an organization, cause destruction and steal PII like credit card or bank account numbers.
To truly enjoy the benefits of the cloud, financial institutions are obliged – in fact, required by regulatory demands – to invest in cloud security. But how?
Cloud Environment Security Challenges for Financial Services Organizations
Financial services organizations face challenges that make it essential to not approach cloud security as an afterthought – or as a simple extension of on-prem security efforts.
The financial industry possesses large amounts of confidential customer information. To protect customers (and institutions), the industry is heavily-regulated, with many complex frameworks and guidelines to adhere to. In addition, the fragmented nature of the financial regulatory bodies makes reviews and approvals hard to attain.
According to the Google and Harris Poll financial services survey, more than a third (38%) of on-premises respondents reported that they were not using cloud services due to the immense investment of resources required for the regulatory approval process. This process includes ensuring that the security and compliance of cloud services meets the regulators’ demands. Other organizations use the cloud selectively; they do not expose core, or missions-critical, systems and databases to the cloud.
Cloud Security Expertise Shortage
Recent widespread, including remote work driven, digital transformation across all industries has increased the need for cloud security professionals, creating heavy demand for employees proficient in AWS, GCP, Azure, Kubernetes and more. Today, many organizations, including financial, are struggling with filling these positions, which are essential to properly building, maintaining, innovating and securing a cloud environment. If an organization does have its own in-house DevOps, DevSecOps or cloud security professionals, these individuals often need to manage a wide scope of responsibilities – a reality that can de facto decrease their ability to be proficient in, let alone reasonably handle, each one.
The lack of available talent has security implications: without experienced people overseeing cloud security and ensuring the effective handling of vulnerabilities and threats, organizations are at risk of poor security hygiene, which can lead to a data breach. When it comes to financial institutions, the stakes are especially high: within the crosshairs of bad actors, the implications for customers, reputation and the bottom line can be especially harsh.
As expected in such a regulated industry, a recent IDC survey found compliance monitoring and security governance tied for first place as top concerns among 65% of banking respondents.
The Cloud Security Shared Responsibility Model
The “shared responsibility” model is a cloud security framework defined by cloud providers that determines which cloud components are the cloud provider’s responsibility for securing and which are the customer’s. While intended to provide clarity, the model is often confusing, especially for professionals taking their first steps in cloud security.
Cloud providers are working hard to provide services that address security needs, making different native tools available for protecting workflows, resources and data from unauthorized access, misconfigurations and other threats. But this abundance is part of the problem, with customers uncertain as to which tools to prioritize and spend time on operationalizing to best meet their needs.
Also, each cloud provider’s security toolset is unique to that cloud. This not only means that financial organizations need to train themselves in the unique capabilities and responsibilities associated with each provider but that any cloud security coverage achieved using native tools will not serve across their multicloud environment.
Rapid Cloud Adoption
Financial institutions are fully aware of the benefits of the cloud, and also understand they need to cloudify quickly to not stay behind. The result is a rapid acceleration of cloud adoption among financial institutions. Yet, adoption that is too quick can result in implementation that brings risk to data and the cloud environment if lacking in best practices when it comes to maintenance, operations and security. For example, failure to adequately monitor or resolve misconfigurations, or granting seemingly harmless excessive permissions can cause undue risk.
After years of controversy on the issue, it is well proven that cloud environments can be as or even more secure than on-premises environments. But that can only happen when cloud security is implemented correctly – and embraced by all an organization’s security stakeholders.
The IDC survey found that financial sector executives were among those least satisfied with their cloud security and 62% of banking respondents said their organizations had identified situations in which their sensitive data has been exposed in the cloud. Regarding key threats to their cloud infrastructure, nearly 69% reported inadequate IAM security such as excessive permissions and privileged identities, 56% reported security misconfigurations and 55% reported lack of visibility into cloud resources.
Cloud Security Deployment Considerations
To address the challenges mentioned above, proper cloud security deployment is advised. Implementing cloud security correctly can increase security and reduce risks. To do so, it is recommended to take the following considerations into account:
Determine Your Security Requirements
When planning how to secure your cloud infrastructure start by understanding that cloud security requires a wholly different mindset from on-prem security. Accept that your shared responsibility involves protecting your cloud-based data, and that the new perimeter is human and non-human identities, including external, with permissions to access it. Do the research to understand the unique risks of the cloud, the kinds of threats that can take the greatest toll, and regulator requirements. The OneSpan report noted that key 2022 updates in banking and security compliance regulations were in cybersecurity, digital identity and data protection. The cloud security solutions you deploy need to be able to address and help your organization stay on top of such changing requirements.
Choosing the Right Security Tools and Vendors
The cybersecurity solutions industry is blooming. While this active market provides many options for organizations to choose from, too many options can be paralyzing. Too many point solutions will add to your team’s workload and in the worst case deplete your budget only to never be used. Look for solutions that cover multiple use cases you need and gaps you have. For example, if you have a talent shortage, choose tools that are easy to use, involve little training, offer lots of automation and come with good customer support. Be sure to take a solution for a test ride, getting beyond the sales pitch to see what it can do for your needs.
Cloud Security Operationalization
Build your cloud security strategy around getting immediate and visible value. Fast operationalization can help overcome internal challenges like siloed departments, lack of security expertise or a doubting leadership. We recommend four main steps:
- Choose solutions that answer your needs and are flexible
- Educate your users
- Integrate the solution with your workflow processes for the most far reaching value
- Use the solution to evangelize internally, getting all on board around cloud security
Cloud Security Use Cases for Financial Services
Effective cloud security is essential for key financial services use cases:
Regulations like PCI-DSS, CCPA, GDPR, SOX and others require certain security controls, data handling processes and implementing processes and monitoring capabilities. Financial institutions needing to adhere to these standards must be able to analyze their cloud infrastructure and configurations with rigor to ensure compliance. A cloud security solution can help with this. A cloud security solution with Cloud Security Posture Management (CSPM) capabilities offers continuous misconfiguration and compliance monitoring designed to spot configurations risk and compliance gaps in cloud environments.
Financial organizations need visibility into their cloud assets inventory, the state of their cloud security and how their solutions are managing and remediating risk. Such visibility provides control and enables improving security while helping address challenges like shared responsibility. As organizations deploy multi-cloud infrastructure, gaining governance over all components becomes even more challenging. A comprehensive cloud security solution can help deliver the necessary granular, contextual visibility into all components and activities.
As financial institutions get acquainted with the new cloud terrain, cloud security can help map out and prioritize the new risks and suggest solutions for their remediation. This includes risks related to sensitive data, vulnerable workloads, network exposure, third parties and more. Automated monitoring and analysis of access risk is essential to enabling organizations to improve governance of their cloud infrastructure environment. A cloud security solution with Cloud Identity Entitlements Management (CIEM) capabilities can help financial services organizations continuously monitor and auto-remediate access risk.
What’s Next for Financial Institutions?
The transition to the cloud provides financial institutions with an infrastructure growth machine that offers new agility, speed, efficiency and resiliency. Your organization’s cloud security must protect and keep pace with that amazing growth machine – and needs to be built and implemented strategically, not as an afterthought. By deploying a solution that automates compliance and security needs while giving deep visibility and context, and ease of use, financial institutions can surmount reduce risk to their cloud and data while enjoying the innovative and many other benefits of cloud adoption.
*** This is a Security Bloggers Network syndicated blog from Ermetic authored by Ermetic Team. Read the original post at: https://ermetic.com/blog/cloud/cloud-and-data-security-for-financial-services/