FinServ Compliance: Top 5 Considerations to Securing Your Cloud Infrastructure


Author: Kristin Manogue, Product Marketing Manager, Cloud Security Posture Management

Cloud service providers have expanded their offerings into industry-specific domains. AWS Financial Services and Azure for Financial Services are good examples of how cloud players are trying to entice industries to move more essential business functions to cloud platforms for enhanced security and growth.


While the Financial Services industry is embracing cloud services, there are still growing concerns reflected in this recent survey. Given the enormously wide variety of technologies, architectures, and approaches to deploying and managing technology within the cloud landscape, visibility is a constant issue. Data flows are uncertain, and regulatory impacts are unclear. Furthermore, security leaders must ensure that the adoption of any new approach does not introduce new risks and threats to essential data and systems.

In this post, we will cover five key areas that are very relevant to most financial services businesses—five topics an organization must “get right” for almost any cloud-related project.

Multi-Cloud Deployments

The decision to work with a “cloud solution” rarely involves just a single vendor or application. Moving to the cloud typically means integrating your legacy systems into cloud-hosted systems, sometimes across multiple environments—all while protecting your data and providing security to public-facing components.

Today, mixed environments have become common, leaving traditional security measures for private, public, and hybrid cloud deployments less valid. For instance, many systems take on hyper-hybrid approaches that involve creative architectures to maximize confidentiality and availability. Public-facing systems are placed on SaaS environments across multiple public providers for redundancy with their backend (core) functions hosted in private data centers.

Additionally, many companies are using tools and capabilities with different deployment models (e.g., IaaS and PaaS providers), resulting in mixed cloud environments within a system’s development or administrative lifecycle phases. The result is that few systems reside on only one platform in a single data center—a new reality that security, compliance, and risk management must all address.

The traditional security triad of Confidentiality, Integrity, and Availability is now significantly more complex when having to address a multi-cloud architecture. For instance, when it comes to data protection, you may need to comply with various country-specific regulations if your system is in multiple physical locations. Up-time availability of services in a multi-cloud environment can also be difficult. Finally, ensuring the integrity of your systems with multiple vendors can require retooling to address underlying technical limitations.

A complex cloud architecture does not negate traditional security measures, such as encryption, identity and access management, backup, and monitoring. But it does often complicate mitigations like single sign-on authentication and physical security controls. Additionally, system boundaries can be difficult to draw, making understanding data flow all the more important when it comes to regulatory compliance. Finally, risk management, which is the basis for most compliance assessments, must be able to address complex multi-cloud environments.

Compliance

Regulations define the working environment of a financial services organization, and the successful adoption of cloud solutions must be able to meet evolving compliance requirements. Many cloud vendors are acutely aware of this and supply dashboards and reporting to help organizations adhere to various compliance controls. However, as many organizations have discovered, a cloud provider’s compliance features do not ensure compliance. This disconnect is often the result of a competing focus between the cloud provider (looking to provide a consistent platform for multiple customers) and your organization (trying to use the cloud within the constraints of your compliance program).

Financial firms are likely already familiar with various regulations, such as AICPA SOC 2, Payment Card Industry (PCI DSS), the EU’s GDPR, and California’s CCPA. All of these require audited compliance with technical controls that govern, for example, data processing, security, and vendor management. It is important that the cloud vendor you select to monitor your environment ensures your cloud infrastructure and applications adhere to the most recent version of a compliance requirement—it is even better if you can customize rulesets and policies.

DevSecOps

Along with the financial industry’s acceptance of cloud services, there has also been a rise in the use of DevOps methodology, with the advantages of this approach heralded as a means to improve the velocity of application releases and updates.

DevSecOps introduces the integration of security into the “pipeline” process to build > test > release > deploy > operate > monitor code and infrastructure in a rapid manner. The pipeline steps can measurably improve speed, as well as efficiency and compliance if done well.

If your organization is not yet following the DevSecOps approach, the first step is to recognize that it takes time to implement. Here are some common best practices:

  • Examine your current processes for application development and infrastructure updates and releases. For coding, the traditional development lifecycle should be moved to shorter sprints with a greater emphasis on building security requirements into the requirements phase. For infrastructure, automate the build and release process, including patch updates and security testing.
  • Move quality assurance and vulnerability testing earlier in the release cycle. This will help reduce the instances of failed releases because of unexpected changes to integrated libraries, patches, or updates.
  • Ensure that compliance requirements are built into the requirements for development and infrastructure automation when possible. This will provide better assurance that updates do not cause a system to fall out of compliance.
  • Practice and improve the pipeline process continuously to better integrate the DevSecOps approach into your corporate culture and improve resource effectiveness and system resilience.

While the value of the DevOps approach is appealing due to its high velocity and automation, there must be great care taken with its design and engineering. A pipeline that can apply a change to the codebase and move it into production with a single click assumes that the automation has correctly vetted the code for vulnerabilities and ensured that the code does not use or deploy unsafe features and functions; it also assumes that the integration with other code will not break the system through some previously unrecognized inconsistency. A verification process is required that “slows” the pipeline enough to catch issues, threats, and errors and to confirm that the system remains functional, acceptable, and compliant.

Controls and Visibility

While migrating to the cloud is good for business, the operational impact of using cloud resources is a challenge. Cloud vendors have a wide range of technical sophistication and associated tooling for administration and management; however, the operational impact of dissimilar tools and functionality can make compliance management a real challenge.

Today’s SecOps teams need tools to address this new complexity—to administer cloud environments, reduce technical and security challenges, and meet compliance requirements.

Products like CloudGuard provide a means to address security, compliance, and visibility for multiple cloud environments, helping to secure workloads across sites and maintain a secure posture across your entire infrastructure. Importantly, CloudGuard provides features to assist initiatives such as DevSecOps and automation, which facilitate efficient production operations. With CloudGuard, security engineers and compliance staff can perform governance activities across multi-cloud assets and services, including visualizing and assessing your security posture, detecting misconfigurations, and enforcing security best practices and compliance frameworks.

Additionally, compliance reporting on specific technical controls is made easier via tools that are multi-cloud-aware and can assist with internal compliance program requirements by tracking specific security configurations. By using a security product like CloudGuard, a financial services firm can improve visibility across its cloud investment and protect against cloud security threats.
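As an added illustration (not part of the original post or of CloudGuard), the following Python shows the two ideas above in one place: a pipeline verification gate that refuses to promote a change when a misconfiguration check fails, and a small policy-as-code ruleset run over a multi-cloud asset inventory to produce the kind of per-control findings a compliance report is built from. The inventory, rule ids and control labels are constructed for the example; mapping rules to your framework's actual control numbers is left to your compliance program.

```python
"""Policy-as-code gate for a DevSecOps pipeline (illustrative, constructed data)."""
from dataclasses import dataclass

# Constructed multi-cloud inventory: one AWS bucket and one Azure storage account.
# Attribute names are hypothetical; a real tool would pull them from the provider APIs.
INVENTORY = [
    {"id": "aws:s3:payments-archive", "provider": "aws",
     "encryption_at_rest": True, "public_access": False, "access_logging": True},
    {"id": "azure:storage:cardholder-exports", "provider": "azure",
     "encryption_at_rest": True, "public_access": True, "access_logging": False},
]


@dataclass(frozen=True)
class Rule:
    rule_id: str    # hypothetical internal id, not a real framework control number
    control: str    # human-readable label for the compliance requirement it maps to
    attribute: str  # inventory attribute the rule inspects
    expected: object
    severity: str   # critical / high / medium


RULES = [
    Rule("R-ENC-01", "encrypt stored financial data at rest", "encryption_at_rest", True, "high"),
    Rule("R-PUB-01", "no public access to data stores", "public_access", False, "critical"),
    Rule("R-LOG-01", "log access to sensitive data stores", "access_logging", True, "medium"),
]


def evaluate(inventory, rules):
    """Return (asset id, rule id, severity) for every rule an asset fails."""
    findings = []
    for asset in inventory:
        for rule in rules:
            if asset.get(rule.attribute) != rule.expected:
                findings.append((asset["id"], rule.rule_id, rule.severity))
    return findings


def gate(findings, block_on=("critical", "high")):
    """Verification step: True means the pipeline may promote the change."""
    return not any(sev in block_on for _, _, sev in findings)


def report(findings):
    """Count failed checks per provider for a compliance summary."""
    counts = {}
    for asset_id, _, _ in findings:
        provider = asset_id.split(":")[0]
        counts[provider] = counts.get(provider, 0) + 1
    return counts
```

Run `gate(evaluate(INVENTORY, RULES))` as the pipeline's promotion check; here it returns False because the Azure store is publicly accessible.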

Application Security

Many Financial Services organizations are using modern web-based applications that compile various data types, making them a prime target for hackers. Additionally, web-based applications introduce an entirely new set of security considerations, including the use of multiple APIs to provide important functions such as communications, encryption and encryption management, and strong authentication.

In a traditional network infrastructure, application security largely depended on the network it ran on, with access control, data backups, and rollouts controlled within the enterprise. But for cloud-oriented businesses, the model must change. Networks are no longer run on a single operating system with static points. Cloud applications are designed to run without the assumption of traditional network security. Cloud mechanisms such as virtual load balancing, virtual firewalls, and a host of other conceptual devices present architectural complexity and greater risks to application security.

Organizations thus have to embrace a new type of application development that builds security awareness directly into applications and provides granular access to the application while also contextually protecting it against attacks. By leveraging AI, CloudGuard can also maintain application security even with dynamic deployment processes.