More and more enterprises across multiple industries are adopting cloud computing. What was once an innovative concept is now a technological mainstay that organisations everywhere rely on, and ultimately need to trust. Cloud is predicted to make up 14 percent of the total global enterprise IT spending market in 2024, according to Gartner, up from 9 percent in 2020.
Public cloud adoption in the financial services sector has been slower, largely because security-conscious banks and institutions have complex risk and compliance requirements that come with being in such a heavily regulated industry. They have traditionally relied on legacy systems built up over decades, making them reluctant to implement major changes in their technology infrastructure. Many organisations have taken the first step by adopting cloud-based solutions such as CRM platforms, HR systems or expense tools that all store sensitive data yet are perceived to present lower risk than full cloud adoption.
But in recent years, the industry’s attitude towards cloud and the potential risk has been shifting with several of the world’s largest banks embracing cloud strategies, including JP Morgan Chase, Capital One, BNP Paribas, Lloyds, Deutsche Bank and Bank of America. Plus, recent research by Celent reveals 19 of the top 20 US banks have announced public cloud initiatives.
Despite this trend, there are still common misconceptions around cloud security that are hindering financial institutions’ ability to understand the benefits of moving to cloud. Enterprises and executives that can effectively negate these misconceptions will derive most value from their transition.
A longstanding fallacy is that setting up and controlling security in a bank’s own data centre is far superior to cloud-based security measures. But today, security of public cloud infrastructure should no longer be a barrier to adoption. All major cloud service providers (CSPs) have prioritised security and made significant investments over recent years. Any major CSP’s business model will be built on world-leading security, with billions invested in cloud security measures and in recruiting top cybersecurity experts.
As CSPs continually develop new tools and solutions to maintain cloud security, there is a shift towards banks also being responsible for security. This is mainly due to nearly all public cloud breaches being driven by enterprises’ insecure configurations, rather than issues caused by the CSP. Gartner predicts that by 2025, 99 percent of cloud security failures will be the customer’s fault.
This brings us to another misconception whereby institutions think that once their data has been moved to the cloud, their CSP will manage all their security requirements. One of the main security-related issues for banks is determining who is responsible for data security. In fact, it’s a shared responsibility.
When you implement a cloud solution, both your institution and your service provider will be tasked with certain aspects of cloud security. Put simply, your CSP’s remit is to protect the systems their solution is housed on, while your enterprise must ensure only safe data is processed through the cloud solution. These separate areas of responsibility will be covered in your provider’s service level agreement (SLA).
The third misconception is that an institution’s existing security tools will integrate with the cloud. You shouldn’t automatically assume your institution’s legacy security tools will be able to handle ongoing security for your cloud operations. While there are some on-premises security tools that support integration with cloud solutions, you will most likely need to add new security tools to your infrastructure on a frequent basis. Such tools will either be native security solutions provided by your CSP or third-party installations.
Biggest hurdles to security
Along with the misconceptions outlined above, there is another set of key security challenges. These hurdles must be navigated by all banks looking to capitalise on the speed and agility of the public cloud.
The first one is misconfiguration of cloud security settings – a leading cause of cloud data breaches – which frequently occurs when an institution’s cloud security posture management strategy is not fit for purpose. Cloud infrastructure is designed to be easy to use, making it easy to share data, but this in turn makes it difficult to ensure data is only accessible to authorised people.
In addition, cloud-based enterprises do not have full visibility and control of their infrastructure. They rely on security controls provided by their CSP to configure and secure their deployments. If your organisation is unfamiliar with securing cloud infrastructure and has multi-cloud deployments with various security protocols from different vendors, misconfigurations and security oversights can occur, leaving your cloud resources exposed to attackers.
Unauthorised access is another major hurdle. Cloud-based deployments occur outside the network perimeter and are directly accessible from the public internet. Of course, this is great in terms of enabling access for employees and customers, but it also makes it easier for an attacker to gain access to your cloud-based resources. Incorrectly configured security or compromised credentials may enable an attacker to gain direct access without your organisation’s knowledge.
Potential issues may also be caused by insecure application programming interfaces (APIs). These APIs are usually delivered by CSPs and tend to be well-documented, making them easily accessible for enterprises. But issues may arise if your institution has not properly secured these interfaces – the documentation for the customer can be exploited by cybercriminals to find ways to access and exfiltrate sensitive data from your cloud environment.
Account hijacking is one of the most serious cloud security issues for organisations that depend on the cloud for core business functions. A cybercriminal with an employee’s credentials may be able to access sensitive data, while compromised customer credentials may relinquish full control of the customer’s online account. Insider threats are also a key challenge. Potential malicious insiders already have authorised access to your network and some of the sensitive resources residing there. Plus, detection of malicious insiders can be more difficult on the cloud because of your organisation’s lack of control over the infrastructure.
Trust but verify
During the Cold War, President Reagan repeatedly used the phrase “trust but verify” when describing US relations with the Soviet Union. The same principle can be applied to cloud computing.
Trust but verify is an approach that financial institutions can adopt to evaluate CSPs and ensure cloud security capabilities are matched to their requirements. The key premise of this concept is that even when you trust a CSP, that trust is not enough. You must verify that your trust is based on fact. In other words, consider information reliable, but perform additional research to verify.
To verify a CSP, you can ask for credible content that proves their services will do what they say they will do. This content should be authoritative as well as credible and may take the form of testimonials, eBooks, webinars, or case studies.
Face-to-face product or service demos are also a great way to verify that a CSP is right for your organisation, giving you the opportunity to ask questions pertaining to your organisation’s unique security requirements. Most importantly, these insights into the CSP’s security capabilities must be relevant and valuable to your institution.
Key elements of public cloud security that banks need to trust but verify include the CSP’s capabilities for monitoring and defining security requirements, specifically around regulatory needs. Banks should also evaluate and consider the scope of their CSP’s cybersecurity tools, especially for identification, hardware security and data privacy. It’s worth bearing in mind that these functions can be established as services and each public CSP will have a different set of capabilities.
Additional cloud security tools
Data security should always be front of mind for banking and finance executives, especially in the cloud. Remember, you cannot expect your CSP to do all the hard work, their remit only stretches so far. The onus is equally on you to monitor and secure your own infrastructure.
Which is why so many financial institutions are reaching out to access public cloud security and compliance solutions. With the right tools in place, leading banks are benefiting from continuous, always-on monitoring and assessment of their cloud security and compliance posture, giving them visibility across all their IT assets and enabling rapid remediation of potential threats.
If you don’t have the capabilities and resources to continually monitor and optimise cloud security inhouse, additional security tools delivered by experts with a wealth of industry knowledge will provide the peace of mind your institution demands.