By: Kristin Manogue, Product Marketing Manager, Cloud Security Posture Management, at Check Point Software Technologies
While the Financial Services industry is embracing cloud services, there are still growing concerns reflected in this recent survey. Given the enormously wide variety of technologies, architectures, and approaches to deploying and managing technology within the cloud landscape, visibility is a constant issue. Data flows are uncertain, and regulatory impacts are unclear. Furthermore, security leaders must ensure that the adoption of any new approach does not introduce new risks and threats to essential data and systems.
We will cover five key areas that are very relevant to most financial services businesses — five topics an organisation must “get right” for almost any cloud-related project.
The decision to work with a “cloud solution” rarely involves just a single vendor or application. Moving to the cloud typically means integrating your legacy systems into cloud-hosted systems, sometimes across multiple environments — all while protecting your data and providing security to public-facing components.
Today, mixed environments have become common, leaving traditional security measures for private, public, and hybrid cloud deployments less valid. For instance, many systems take on hyper-hybrid approaches that involve creative architectures to maximise confidentiality and availability. Public-facing systems are placed on Software-as-a-Service (SaaS) environments across multiple public providers for redundancy with their backend (core) functions hosted in private data centers.
Additionally, many companies are using tools and capabilities with different deployment models (e.g., IaaS and PaaS providers), resulting in mixed cloud environments within a system’s development or administrative lifecycle phases. The result is that few systems reside on only one platform in a single data centre — a new reality that security, compliance, and risk management must all address.
The traditional security triad of Confidentiality, Integrity, and Availability are now significantly more complex when having to address a multi-cloud architecture. For instance, when it comes to data protection, you may need to comply with various country-specific regulations if your system is in multiple physical locations. Up-time availability of services in a multi-cloud environment can also be difficult. Finally, ensuring the integrity of your systems with multiple vendors can require retooling to address underlying technical limitations.
A complex cloud architecture does not negate traditional security measures, such as encryption, identity and access management, backup, and monitoring. But it does often complicate mitigations like single sign-on authentication and physical security controls. Additionally, system boundaries can be difficult to draw, making understanding data flow all the more important when it comes to regulatory compliance. Finally, risk management, which is the basis for most compliance assessments, must be able to address complex multi-cloud environments.
Regulations define the working environment of a financial services organisation, and the successful adoption of cloud solutions must be able to meet evolving compliance requirements. Many cloud vendors are acutely aware of this and supply dashboards and reporting to help organisations adhere to various compliance controls. However, as many organisations have discovered, a cloud provider’s compliance features do not ensure compliance. This disconnect is often the result of a competing focus between the cloud provider (looking to provide a consistent platform for multiple customers) and your organisation (trying to use the cloud within the constraints of your compliance program).
Financial firms are likely already familiar with various regulations, such as AICPA-SOC2, Payment Card Industry (PCI-DSS), the EU’s GDPR, and California’s CCPA. All of these require audited compliance with technical controls that govern, for example, data processing, security, and vendor management. It is important that the cloud vendor you select to monitor your environment ensures your cloud infrastructure and applications adhere to the most recent version of a compliance requirement — it is even better if you can customise rulesets and policies.
Along with the financial industry’s acceptance of cloud services, there has also been a rise in the use of DevOps methodology, with the advantages of this approach heralded as a means to improve the velocity of application releases and updates.
DevSecOps introduces the integration of security into the “pipeline” process to build >test> release> deploy>operate and monitor code and infrastructure in a rapid manner. The pipeline steps can measurably improve speed, as well as efficiency and compliance if done well.
If your organisation is not yet following the DevSecOps approach, the first step is to recognise that it takes time to implement. Here are some common best practices:
- Examine your current processes for application development and infrastructure updates and releases. For coding, the traditional development lifecycle should be moved to shorter sprints with a greater emphasis on building security requirements into the requirements phase. For infrastructure, automate the build and release process, including patch updates and security testing.
- Move quality assurance and vulnerability testing earlier in the release cycle. This will help reduce the instances of failed releases because of unexpected changes to integrated libraries, patches, or updates.
- Ensure that compliance requirements are built into the requirements for development and infrastructure automation when possible. This will provide better assurance that updates do not cause a system to fall out of compliance.
- Practice and improve the pipeline process continuously to better integrate the DevSecOps approach into your corporate culture and improve resource effectiveness and system resilience.
While the value of the DevOps approach is appealing due to its high velocity and automation, there must be great care taken with its design and engineering. A pipeline that can apply a change to the codebase and move it into production with a single click assumes that the automation has correctly vetted the code for vulnerabilities and ensured that the code does not use or deploy unsafe features and functions; it also assumes that the integration with other code will not break the system through some previously unrecognised inconsistency. A verification process is required that “slows” the pipeline enough to catch issues, threats, and errors and to confirm that the system remains functional, acceptable, and compliant.
Controls and Visibility
While migrating to the cloud is good for business, the operational impact of using cloud resources is a challenge. Cloud vendors have a wide range of technical sophistication and associated tooling for administration and management; however, the operational impact of dissimilar tools and functionality can make compliance management a real challenge.
Today’s SecOps teams need tools to address this new complexity — to administer cloud environments, reduce technical and security challenges, and meet compliance requirements.
Products like CloudGuard provide a means to address security, compliance, and visibility for multiple cloud environments, helping to secure workloads across sites and maintain a secure posture across your entire infrastructure. Importantly, CloudGuard provides features to assist initiatives such as DevSecOps and automation, which facilitate efficient production operations. With CloudGuard, security engineers and compliance staff can perform governance activities across multi-cloud assets and services, including visualising and assessing your security posture, detecting misconfigurations, and enforcing security best practices and compliance frameworks.
Additionally, compliance reporting on specific technical controls is made easier via tools that are multi-cloud-aware and can assist with internal compliance program requirements by tracking specific security configurations. By using a security product like CloudGuard, a financial services firm can improve visibility across its cloud investment and protect against cloud security threats.
Many Financial Services organisations are using modern web-based applications that compile various data types, making them a prime target for hackers. Additionally, web-based applications introduce an entirely new set of security considerations, including the use of multiple APIs to provide important functions such as communications, encryption and encryption management, and strong authentication.
In a traditional network infrastructure, application security largely depended on the network it ran on, with access control, data backups, and rollouts controlled within the enterprise. But for cloud-oriented businesses, the model must change. Networks are no longer run on a single operating system with static points. Cloud applications are designed to run without the assumption of traditional network security. Cloud mechanisms such as virtual load balancing, virtual firewalls, and a host of other conceptual devices present architectural complexity and greater risks to application security.
Organisations thus have to embrace a new type of application development that builds security awareness directly into applications and provides granular access to the application while also contextually protecting it against attacks. By leveraging AI, CloudGuard can also maintain application security even with dynamic deployment processes.
The financial industry has come a long way in embracing cloud services. The challenge for firms is to properly understand the considerations required to not only move to the cloud but to also prevent threats and maintain compliance all while being agile in today’s world. The five areas we discussed provides your organisation with a guideline for what must be examined when assessing and implementing these new technologies so that you can properly ensure both security and compliance while also realising the long-term value.