Many companies in financial services are moving to the public cloud to simplify IT infrastructure, reduce costs, innovate faster, and scale more quickly. However, before being able to capitalize on the benefits of the public cloud, some may have to change the way they manage security.
A survey released last year by the fintech company Finastra found that the primary driver pushing financial services firms to the public cloud is the need to “focus on digital enabling technologies to provide a highly relevant customer experience, attract customers, build customer loyalty, and wallet share whilst improving business efficiencies.”
However, when asked about their motivations for moving to the cloud, innovation (17%) was only the third-highest ranked answer given by a cross-section of financial institutions—the first two being to simplify existing IT infrastructure (42%) and reduce costs (20%).
The fact that such a high percentage of companies wanted to simplify existing IT infrastructure demonstrates the complexity of the financial services market. Yet the public cloud can also be a complex environment in which it is easy to overlook certain areas of cloud security.
Innovation without limits—data without perimeter firewalls
While it is understandable that larger organizations may want to keep up with the more agile new kids on the block, the strategic decision to move financial services to the public cloud doesn't come without its issues, not least that, in the cloud, there is no single perimeter firewall standing between the internet and the data. Storage buckets, databases and management APIs each have their own endpoint and their own access controls, and a resource that is misconfigured as public is reachable from anywhere.
Leaving a resource exposed doesn't guarantee a data breach, but it does increase the risk that a misconfiguration or vulnerability is exploited, particularly as malicious actors routinely run scanners across cloud address ranges and storage namespaces looking for exactly these openings: world-readable buckets, databases listening on public IP addresses, and management ports open to 0.0.0.0/0.
In fact, many of the most severe data breaches start with the exploitation of misconfigured cloud infrastructure that provides access to data. In many cases, these risks can be avoided with four simple-to-implement best practices—total visibility, continuous verification, auto-remediation, and app-centric cloud governance. Here’s a brief explanation of each:
Total visibility
In the cloud, responsibility for security is shared between the Cloud Service Provider and the customer, with the dividing line set by the level of abstraction of the service: the provider secures the physical hosts, the hypervisor and the internals of managed services, while the customer secures everything it configures and deploys on top, such as identities, network rules, storage policies and, for infrastructure-as-a-service, the operating system and application code. Visibility into the customer's side of that line has to be built deliberately, from two complementary sources: the provider's own inventory, configuration and audit logs, which show how every resource is configured and who changed it, and an agent inside the workload for what the provider cannot see, such as the processes, packages and file access on a virtual machine.
Continuous verification
Total visibility is the precondition for continuous verification: a process in which the cloud monitoring solution compares the live configuration against written policy on every change, rather than at a periodic audit, and alerts security teams to each deviation (a world-readable bucket, a database security group open to 0.0.0.0/0, an unencrypted volume). The same checks should also run in the development pipeline against infrastructure templates, so that a misconfiguration is rejected before it is ever deployed.
Auto-remediation
Rather than simply alerting security teams to a misconfiguration, a cloud monitoring solution with auto-remediation capabilities can be configured to act as soon as a finding is raised: revoke the offending network rule, remove the public ACL, re-enable encryption, or isolate the affected instance. Either action shrinks the window of opportunity for a malicious actor from hours or days to seconds. The caveat is that automated actions must be narrowly scoped and tested, because a badly written remediation can take a production service down as surely as an attacker can.
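The following is an added example, not code from the original article or from any product it describes. It shows one verification cycle of the kind described under "Continuous verification" and "Auto-remediation": a constructed configuration snapshot (hypothetical resource names, shaped loosely like a cloud inventory API response) is evaluated against three policies, each finding is remediated in a copy of the snapshot, and the copy is re-checked so the cycle fails if a fix did not take. In a real deployment the branches of `remediate` would call the provider API; here they edit the snapshot so the logic runs offline.

```python
"""Policy-as-code check plus auto-remediation over a constructed snapshot.
The snapshot, resource IDs and policy names are hypothetical."""
import ipaddress
from copy import deepcopy

# Ports that must never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 27017}

# Constructed snapshot; it is not real account output.
SNAPSHOT = {
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},
            {"port": 22, "cidr": "0.0.0.0/0"},       # SSH open to the world
        ]},
        {"id": "sg-db", "ingress": [
            {"port": 5432, "cidr": "10.0.1.0/24"},   # app subnet only: fine
            {"port": 5432, "cidr": "0.0.0.0/0"},     # accidental world-open rule
        ]},
    ],
    "buckets": [
        {"name": "ledger-exports", "public_read": True, "encrypted": False},
        {"name": "app-logs", "public_read": False, "encrypted": True},
    ],
}


def is_world_open(cidr: str) -> bool:
    """True for a CIDR that covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def evaluate(snapshot: dict) -> list[dict]:
    """Return one finding per policy violation in the snapshot."""
    findings = []
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in SENSITIVE_PORTS and is_world_open(rule["cidr"]):
                findings.append({"resource": sg["id"], "type": "security_group",
                                 "policy": "no-world-open-sensitive-port",
                                 "rule": rule})
    for b in snapshot["buckets"]:
        if b["public_read"]:
            findings.append({"resource": b["name"], "type": "bucket",
                             "policy": "no-public-read"})
        if not b["encrypted"]:
            findings.append({"resource": b["name"], "type": "bucket",
                             "policy": "encryption-at-rest"})
    return findings


def remediate(snapshot: dict, findings: list[dict]) -> dict:
    """Return a corrected copy of the snapshot with every finding fixed.
    Each branch is narrowly scoped to the one resource and rule named in
    the finding, so the remediation cannot touch anything else."""
    fixed = deepcopy(snapshot)
    for f in findings:
        if f["policy"] == "no-world-open-sensitive-port":
            for sg in fixed["security_groups"]:
                if sg["id"] == f["resource"]:
                    sg["ingress"] = [r for r in sg["ingress"] if r != f["rule"]]
        elif f["policy"] == "no-public-read":
            for b in fixed["buckets"]:
                if b["name"] == f["resource"]:
                    b["public_read"] = False
        elif f["policy"] == "encryption-at-rest":
            for b in fixed["buckets"]:
                if b["name"] == f["resource"]:
                    b["encrypted"] = True
    return fixed


def verify(snapshot: dict) -> tuple[list[dict], dict]:
    """One verification cycle: evaluate, remediate, then re-check that the
    remediated snapshot is clean. A pipeline gate would fail otherwise."""
    findings = evaluate(snapshot)
    fixed = remediate(snapshot, findings)
    if evaluate(fixed):
        raise RuntimeError("remediation left violations in place")
    return findings, fixed


if __name__ == "__main__":
    found, clean = verify(SNAPSHOT)
    for f in found:
        print(f"{f['type']} {f['resource']}: violates {f['policy']}")
    print("violations after remediation:", len(evaluate(clean)))
```

The same `evaluate` function can run in the deployment pipeline against a rendered infrastructure template, so that a world-open rule on a sensitive port is rejected before deployment rather than revoked afterwards.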
App-centric cloud governance
App-centric cloud governance limits how far an intruder can move laterally through the network if they exploit a vulnerability before it is discovered and fixed. Instead of writing firewall rules server by server, each application declares the tiers it consists of and the flows between them that it actually needs; network rules and identity permissions are derived from that declaration, and any flow not declared is denied. Less complex to operate than a mesh of east-west firewalls, app-centric cloud governance is an effective way to keep a compromised web server from reaching the database that holds customer data.
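As an added illustration of the app-centric model above (this is example code, not the article's own or any vendor's), the block below declares a hypothetical payments application as tiers and permitted flows, derives a per-tier ingress allow-list from that declaration, and then walks the allowed flows to measure the blast radius of a compromised tier. It compares the result with a flat network in which every tier accepts every declared port from every other tier.

```python
"""App-centric segmentation model and lateral-movement check.
Constructed example; the application, tiers and ports are hypothetical."""
from collections import deque

# The application declares its tiers and the flows it legitimately needs.
# Rules are derived from this declaration; nothing else is allowed.
PAYMENTS_APP = {
    "tiers": ["lb", "web", "api", "db"],
    "flows": [
        ("internet", "lb", 443),
        ("lb", "web", 8443),
        ("web", "api", 8080),
        ("api", "db", 5432),
    ],
}


def derive_rules(app: dict) -> dict[str, list[tuple[str, int]]]:
    """Ingress allow-list per tier: {tier: [(source_tier, port), ...]}.
    Only declared flows appear; every other flow is implicitly denied."""
    rules = {tier: [] for tier in app["tiers"]}
    for src, dst, port in app["flows"]:
        rules[dst].append((src, port))
    return rules


def direct_targets(rules: dict, tier: str) -> set[tuple[str, int]]:
    """(destination, port) pairs a host in `tier` can connect to in one hop."""
    return {(dst, port) for dst, allowed in rules.items()
            for src, port in allowed if src == tier}


def reachable_from(rules: dict, start: str) -> set[str]:
    """Tiers an attacker holding `start` can reach transitively, i.e. by
    compromising each intermediate tier in turn (breadth-first walk)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for dst, _ in direct_targets(rules, cur):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def flat_network_rules(app: dict) -> dict[str, list[tuple[str, int]]]:
    """The no-governance baseline: every tier accepts every declared port
    from every other tier, which is what an unsegmented VPC looks like."""
    ports = {port for _, _, port in app["flows"]}
    return {t: [(s, p) for s in app["tiers"] for p in ports if s != t]
            for t in app["tiers"]}


if __name__ == "__main__":
    segmented = derive_rules(PAYMENTS_APP)
    flat = flat_network_rules(PAYMENTS_APP)
    for label, rules in (("segmented", segmented), ("flat", flat)):
        print(f"{label}: web can reach directly {sorted(direct_targets(rules, 'web'))}")
        print(f"{label}: web can reach transitively {sorted(reachable_from(rules, 'web'))}")
```

The useful check is the direct one: under the derived rules a compromised web host can open connections only to the API tier on its one port, so the database is not reachable without first compromising the API tier as well, whereas on the flat network it is reachable on 5432 in a single hop. Running `direct_targets` over the derived rules in the pipeline is a cheap way to catch a declaration that accidentally grants a tier more reach than it needs.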
Is your business moving financial services to the public cloud?
If your business is moving financial services to the public cloud from an on-premises infrastructure, it is likely you are used to having total visibility of your network and are familiar with on-premises network monitoring tools. In the cloud, visibility into how infrastructure is configured is a common challenge, but it is critical, both for troubleshooting issues when they arise and for knowing what is exposed before an attacker finds it.
The cloud can also be a complex environment to manage because of the speed at which resources can be deployed and the fact that any user with access to a credit card can deploy them. Consequently, you need to establish solid cloud governance policies, and a means of enforcing them, before moving financial services infrastructure to the public cloud.