Securing cloud platforms in the financial services sector
Organisations in the financial services sector are faced with a unique set of challenges when it comes to IT security. They need to store large amounts of sensitive personal data in a secure manner yet face more stringent regulations than firms in other industries.
These challenges become particularly acute when cost and productivity demands push an organisation to use cloud platforms. While such platforms deliver significant advantages in terms of infrastructure security, they also create new security challenges – particularly around data access, credential compromise, and malware.
What’s more, the visibility and audit capabilities required for compliance with local and regional finserv regulations are not as readily served by traditional firewalls and endpoint security tools.
The pros and cons of the cloud
A key benefit of cloud is the lower operational cost and improved flexibility. Rather than having to establish and maintain on-premises infrastructure, cloud platforms are kept up-to-date, are readily accessible, and are scalable.
Improved flexibility comes from businesses being able to adapt as requirements change. This means in-house systems do not have to be designed to cope with future demands. Instead, the cloud platform can provide extra storage and processing capabilities ‘on demand’.
Despite these advantages, many are still wary of the cloud because of significant gaps around visibility and control over cloud data. For example, without adequate security measures in place, staff might use unsanctioned cloud resources without the knowledge of the IT department.
Organisations that don’t know where data is being stored struggle to manage that data. This is particularly important in the financial sector because of the aforementioned strict regulatory requirements around data residency, ownership, and security.
A different approach to security
The strategy of centralised security at the device and network level – in other words having firewalls and endpoint agents in place – no longer works in an environment where many critical systems are moving to the cloud.
Once data shifts beyond the firewall and employees begin to access that data from uncontrolled, unmanaged devices, a new approach is required because privacy-conscious users are often reluctant to allow agents on their personal devices.
To overcome these challenges, many financial services firms are adopting a technology termed a cloud access security broker (CASB). A CASB offers many benefits, among them:
- Comprehensive security
- Regulatory compliance
- Rapid deployment
1. Comprehensive security
The first step in securing a cloud environment is adoption of discovery tools. IT can only secure services if they are aware of those services, aware of the relative risk each application poses, and empowered with tools to control data moving into these apps. At their core, these ‘Shadow IT Discovery’ services provide a way for IT managers to know exactly where data is going once it has left the organisation.
Security is also important after upload. An organisation should have the ability to identify sensitive data in the cloud and take action to protect that data where necessary. Capabilities like contextual access controls and data loss prevention (DLP) can help to classify and secure sensitive and regulated information.
In the financial services space, mobile security is also a critical component of a complete security strategy. Given the growth of BYOD and widespread use of managed mobile devices, a data-centric approach to security, wherein IT focuses on data protection as opposed to solely on device security, can be incredibly effective.
2. Regulatory compliance
Because the financial sector is among the most heavily regulated, cloud compliance is critical and dictates the processes and capabilities every organisation must have in place. Chief among these requirements is data protection.
Data protection in the cloud requires a deep level of control that can be achieved with granular data access policies as well as encryption. For structured data, encryption might include sensitive fields such as credit card numbers or personally identifiable information (PII).
When selecting security tools, a balance has to be struck between strength and usability. Industry-standard tools are recommended as they enable interoperability with systems that provide visibility and added control over cloud data.
To provide a further layer of security, any encryption keys should be held locally to reduce the chance of them falling into the wrong hands.
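The field-level approach described above, as an added example that is not from the article or from Bitglass: sensitive fields of a structured record are encrypted under a key that never leaves the organisation, while non-sensitive fields stay in clear so the cloud service can still index them. The field names, the sample record and the key are constructed; the cipher is an encrypt-then-MAC construction built from the standard library (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag) so it runs without third-party packages, standing in for an AEAD such as AES-GCM that a production deployment would use.

```python
import hashlib
import hmac
import json
import secrets

# Policy: which fields of a record may never leave the organisation in clear (constructed names).
SENSITIVE_FIELDS = {"card_number", "tax_id"}
# Constructed key; in practice it is issued by an on-premises HSM/KMS and is never uploaded.
LOCAL_KEY = secrets.token_bytes(32)

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the locally held master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(key: bytes, field: str, value: str) -> str:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)                 # fresh per field value, so equal values differ
    pt = value.encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    # The tag also covers the field name, so a ciphertext cannot be moved to another field.
    tag = hmac.new(mac_key, field.encode() + nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def decrypt_field(key: bytes, field: str, token: str) -> str:
    enc_key, mac_key = _subkeys(key)
    blob = bytes.fromhex(token)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, field.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # tampering or wrong field/key
        raise ValueError(f"integrity check failed for field {field!r}")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

def protect_record(record: dict, key: bytes = LOCAL_KEY) -> dict:
    """Copy of the record that is safe to upload: sensitive fields encrypted, the rest unchanged."""
    return {f: encrypt_field(key, f, v) if f in SENSITIVE_FIELDS else v for f, v in record.items()}

def unprotect_record(record: dict, key: bytes = LOCAL_KEY) -> dict:
    return {f: decrypt_field(key, f, v) if f in SENSITIVE_FIELDS else v for f, v in record.items()}

if __name__ == "__main__":
    rec = {"customer": "A. Example", "card_number": "4111111111111111", "branch": "Sydney"}
    print(json.dumps(protect_record(rec), indent=2))   # only card_number is unreadable
```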
3. Rapid deployment
Unlike traditional security solutions, select CASBs are deployed in the cloud, which removes the need to install and manage agents on client devices. As well as simplifying the rollout, it ensures the performance of endpoints is not constrained.
This approach also ensures employee privacy as there is no impact on personal data held on the device. Only corporate data falls under the purview of the organisation.
By selecting a CASB that offers this complete set of features and functions, a financial services organisation can be confident it has in place the technology required to maintain effective security of data in the cloud.
Article by Bitglass vice president of sales for Asia Pacific and Japan, David Shephard.