Jun 27 2018

What Credit Unions Need to Know About Cloud Storage Security

Unencrypted data and improperly configured storage buckets are big risk factors for credit unions.

The cloud has become an increasingly attractive platform for data storage across all industries. The financial services industry is no exception. In fact, the financial industry leads the way in cloud service usage, according to a recent report from cybersecurity firm McAfee.

Credit unions, with smaller staffs and fewer resources to devote to IT than big banks, especially stand to benefit from the proven accessibility, affordability, scalability and recoverability that the cloud provides.

Still, no option is risk-free. In the same report, which McAfee released in April, the cybersecurity firm finds that over a quarter of surveyed users of Infrastructure as a Service (IaaS) and Software as a Service (SaaS) have been struck by data theft. Given the sensitive personal information held by credit unions, they have an even greater obligation to get things right for their members. Fortunately, there are several steps that credit unions can take to improve their data security and limit their risk when using cloud storage.

Encrypt All Data Stored in the Cloud

Storage provider Nasuni suggests storing only encrypted files. “With the cloud, all data and metadata should be encrypted at the edge, before it leaves your premises,” the company says.

There’s more than one approach to encryption. The credit union membership association CUES recommends that institutions consider virtual machine-level encryption. “This really should be a staple in cloud and virtualized data centers, because it protects your data directly with persistent encryption, rather than the device where the data resides,” the association says.

Nasuni also recommends that organizations ensure they are issued unique credentials for accessing their cloud storage. This precaution creates a virtual wall between their data and that of other cloud customers, eliminating the risk of another user accessing and inadvertently deleting data not their own.

When transferring data to and from the cloud, Nasuni recommends using a secure connection.

“Strictly speaking, encrypted files do not need to be sent over a secure connection — this amounts to double encryption,” the company says. “But it is best to assume the worst and guard against any measure of snooping by only sending and retrieving data over a secure connection.”

Credit Unions Should Scan Storage Buckets Routinely

Properly configuring your cloud storage is another key to keeping data safe; misconfiguration is often implicated in breaches. Google Cloud Platform recommends keeping access to storage buckets limited to specific users or groups of users and ensuring those users have the appropriate level of access. GCP also recommends doing regular scans of buckets for sensitive material and being smart about naming. “You should also avoid naming storage buckets which may contain sensitive data in a way that reveals their contents,” the company says.

Yet proper configuration of storage buckets is likely a more difficult proposition than one might assume. According to a recent article in the Credit Union Times, an HTTPCS survey of 100,000 buckets found that 10 percent were configured to be public. Of the public buckets, 58 percent were publicly readable; one in five were publicly writable, “which could allow hackers to use the public buckets for more attacks, serving or controlling malware at the bucket owner’s expense.”
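As an added example (not from the article or from Google), here is a minimal offline version of the routine scan described above. It flags Cloud Storage IAM bindings granted to public principals, separates public read from public write, and checks bucket names against a list of revealing terms. The bucket names, sample policies and term list are constructed assumptions.

```python
import json

# Principals that make a Cloud Storage IAM binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Predefined Cloud Storage roles, grouped by what a public grant would expose.
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.legacyObjectReader",
              "roles/storage.legacyBucketReader"}
WRITE_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin",
               "roles/storage.objectCreator", "roles/storage.legacyBucketWriter",
               "roles/storage.legacyBucketOwner", "roles/storage.legacyObjectOwner"}
# Assumed list of name fragments that reveal contents; tune per institution.
REVEALING_TERMS = ("ssn", "member", "statement", "loan", "payroll", "backup")

def audit_bucket(name, policy):
    """Return a sorted list of findings for one bucket and its IAM policy."""
    findings = set()
    for binding in policy.get("bindings", []):
        if not PUBLIC_MEMBERS & set(binding.get("members", [])):
            continue  # binding is limited to named users, groups or accounts
        role = binding.get("role", "")
        if role in WRITE_ROLES:
            findings.add("public-write")
        elif role in READ_ROLES:
            findings.add("public-read")
        else:
            # Custom or unrecognized role: needs a manual permission review.
            findings.add("public-unreviewed-role")
    if any(term in name.lower() for term in REVEALING_TERMS):
        findings.add("revealing-name")
    return sorted(findings)

def audit_all(policies):
    """Map bucket name -> findings, omitting buckets with no findings."""
    report = {name: audit_bucket(name, pol) for name, pol in policies.items()}
    return {name: f for name, f in report.items() if f}

# Constructed sample: IAM policies in the JSON shape Cloud Storage returns.
SAMPLE = json.loads("""{
  "cu-member-statements": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
  "cu-a1b2c3": {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": ["group:it-ops@example.org"]},
    {"role": "roles/storage.objectCreator", "members": ["allAuthenticatedUsers"]}]},
  "cu-x9y8z7": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["user:auditor@example.org"]}]},
  "cu-q4r5": {"bindings": [
    {"role": "projects/example/roles/customUploader", "members": ["allUsers"]}]}
}""")

if __name__ == "__main__":
    for bucket, findings in audit_all(SAMPLE).items():
        print(bucket, findings)
```
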

The price of getting it wrong can be astronomical. Writing for CUInsight in 2017, Kirk Drake, CEO of credit union service organization Ongoing Operations, LLC, estimated that the cost of a breach can be anywhere from $3 to $20,000 per record. Credit unions, often with multiple records per member, can be looking at recoveries that cost hundreds of thousands of dollars, and that figure doesn’t begin to account for the damage to a credit union’s reputation and the loss of member trust.

Credit unions don’t have to go it alone. Credit union service organizations and other technology partners can be tapped to achieve a high degree of security even for credit unions with small IT staffs.

“If they’re not a hundred percent familiar with the space or know what’s going on with it, they should really find a partner with a company that has a lot of cloud experience,” Xerex Bueno, CTO of credit union service organization CUProdigy, tells Credit Union Times.
