Cloud

How Financial Institutions Can Avoid Making Key Security Mistakes in the Cloud

FIs continue to make common errors when faced with security challenges in the cloud - what steps can they take to prevent them?

Doug Bonderud

Doug Bonderud is an award-winning writer capable of bridging the gap between complex and conversational across technology, innovation and the human condition.

Financial services firms historically have been reluctant to make the leap to the cloud. While industry disruptors such as fintech firms and cryptocurrency platforms readily adopted a cloud-first mindset, more traditional enterprises often lean on more familiar, in-house processes to handle essential operations.

One of the biggest concerns about making the move? Security. Tasked with protecting both their own data and the financial information of customers, banks and credit unions worried about potential compliance and compromise risk in the cloud — until they had no choice.

Confronted with the reality of work-from-home and hybrid banking operations, financial institutions (FIs) went all-in on the cloud. The hurdle? These security challenges haven’t gone away; if anything, overall risk has risen as cloud services become the norm. In practice, this means banks are still making key security mistakes. Here’s how they can stop.

Common Security Mistakes Made by FIs in the Cloud

According to Josh Hamit, senior vice president and CIO at Altra Federal Credit Union and member of the ISACA Emerging Trends Working Group, “financial institutions face many of the same security challenges as other industries when it comes to shifting our workloads into the cloud. Nevertheless, the risk tends to be that cloud administration requires a certain level of knowledge and hands-on experience in order to avoid the pitfalls that we read about in the news.”

In practice, three security mistakes are common for FIs:

Misconfigured systems. The rapid shift to cloud has led many financial firms to prioritize speed over security, in turn leading to initial system misconfigurations that persist even as cloud environments expand, effectively opening the door for attackers.

Unmonitored cloud solutions. “The reality is that most FIs have a larger cloud footprint than they even realize,” says Hamit, “often by extension of many third-party partners that host their solutions in the cloud, whether that's in the vendor’s own private cloud or running in AWS or Azure.” The result is a lack of visibility, which can lead to security compromise.

Regulatory uncertainty. Hamit highlights a recent Google survey that found 78 percent of FI respondents citing regulatory uncertainty as a barrier to public cloud adoption. The result speaks to an ongoing conflict between the need for cloud solutions and hesitancy around full adoption, which can create blind spots within the organization that attackers may exploit.

Click the banner below to unlock exclusive cloud content when you register as an Insider.

How Can FIs Craft an Effective Framework for Cloud Security?

Hamit notes that in many cases, cloud solutions may outpace traditional security solutions. “More often than not,” he says, “cloud providers offer security controls that may even surpass what is feasible or practical in a traditional on-premises environment.”

This provides a solid starting point for FIs making the move, and Hamit offers some advice on how to best apply cloud security solutions to existing frameworks. “There’s no need to re-create the wheel when it comes to crafting a framework for cloud security,” he says. “There is a wealth of authoritative resources available online that can readily assist an organization that might be looking for a place to start. For example, the Cloud Security Alliance has a number of guides and frameworks crowdsourced by experts that can help to assess cloud security, assist with appropriate selection of controls, and aid an organization in delineating responsibilities between the customer and cloud providers.”

He also points to the need for trained and experienced staff. “Organizations should strongly consider investing in training for staff,” he says. “Trying to figure things out on the fly is never a good idea, especially when there are potentially serious security ramifications. Many cloud providers offer training programs and on-demand courses that are excellent for cloud specific platforms. For a more holistic view of foundational cloud computing principles that have broader application, ISACA offers a Cloud Fundamentals certificate program that teaches and validates a learner’s comprehension of essential skills.”

LEARN MORE: Find out how cloud security posture management can help banks protect their data.

What Tools Can Be Included in This Cloud Security Framework?

First up are solutions that help eliminate manual processes. “Automating repeatable tasks can improve cloud security posture by eliminating manual touchpoints that lead to human error,” says Hamit. “Using tools like Azure Automation will ensure that infrastructure in the cloud conforms to defined standards and simplifies ongoing management, enabling IT staff to spend time on more impactful tasks.”

He also highlights the role of built-in cloud tools offered by providers. “Even in SaaS environments, cloud providers often provide integrated tools that IT and information security can leverage to take some of the guesswork out,” he says. “For example, Microsoft Secure Score provides a score, as the name suggests, that gives the organization a view into its security posture in Microsoft 365, along with specific recommendations across a multitude of risk vectors. Another popular SaaS platform, ServiceNow, offers a similar capability in its Instance Security Center, where an organization can view important security events and monitor its Daily Compliance Score relative to instance hardening guidelines and best practices.”

When it comes to making the cloud move and securing key resources, Hamit puts it simply: “Going all-in when it comes to cloud shouldn’t be the time when organizations are evaluating cloud security. It should be treated like any other risk when evaluating vendors and understanding the implications to security architecture and data flows.”

Getty Images/ Thinkhubstudio