Security Considerations for Financial Firms Moving to the Cloud

Cloud

Introduction

Have you ever heard the phrase “the cloud is just someone else’s computer”?

While this may have once been the whole story, modern cloud technology has become a sophisticated system of hardware and software resources that not only provide a place to run your apps, but also a wide variety of physical and virtual hardware and software services, all of which IT professionals can easily manage through APIs and simple user interfaces.

Today, Amazon Web Services , the world’s leading cloud provider, has more than 150 different services that allow developers to set up complicated infrastructure and applications within minutes. Many of these, including hardware provisioning, load balancing, and firewall configuration used to require weeks of time, tens of thousands of dollars, and highly-trained employees to deploy and maintain.

But time and cost savings aren’t the only benefits that come with using the cloud. Cloud providers like AWS, Google Cloud Platform, and Microsoft Azure offer on-demand scalability, the ability to outsource hardware management to world class professionals, highly available application-level services, access to supercomputers, and large support teams that are well-versed in devops and infrastructure.

While the cloud has been a boon for many organizations, not every company has been quick to integrate it into their operations. Security, regulatory, and confidentiality concerns frequently cause organizations in the finance space to be especially wary of leveraging cloud services for any key areas of their business.

Challenges to Using the Cloud for Financial Services

Despite the numerous benefits that come from using the cloud, many IT executives in finance are concerned with storing data and running core workflows on hardware that they don’t own and operate. Financial firms are tightly regulated, and need to proceed slowly and meticulously when considering technologies that may affect data confidentiality, loss of control, and data access. These executives worry that a loss of direct control of their core infrastructure could result in the increased likelihood of a security incident.

Fortunately for them, they still maintain control over a large portion of the most common vulnerabilities in IT, regardless of whether they run their core applications on the cloud or on their own hardware. Generally speaking, attacks on physical infrastructure are some of the least likely cause of a data breach. Human error, usually in the form of weak and stolen credentials from phishing attempts or social engineering, are frequently the more likely reason for an incident. Outside of human error, application or infrastructure misconfigurations, such as open ports, backdoors, or unnecessarily elevated permissions are the next most likely catalysts for security breaches. 

By using the cloud, IT executives can focus on implementing and strengthening the same controls they would use for on premise applications and configurations, while leaving the complicated management of physical hardware to the world’s largest and best data center organizations.

Managing Applications Regardless of the Underlying Infrastructure

With the proper approach, IT executives can approach cloud-based security in much the same way as they approach security for on-premise applications. In fact, the biggest cloud providers have created highly secure APIs to manage infrastructure programmatically, sometimes making it even easier to implement best practices.

The following controls are simply some of the many ways that IT professionals can safeguard their operations, regardless of whether they use the cloud or their own hardware:

  • Training and personnel: As mentioned above, human error is responsible for a large portion of security breaches, so IT professionals should continue programs to educate staff on the importance of security, which includes the use of multifactor authentication, the need to be vigilant and wary of emails that may be part of a phishing campaign, and password management.

  • Application security: IT executives must continue to enforce application level security and ensure their developers are aware of the most common vulnerabilities. They should insist that developers use well-known, open source security libraries rather than creating their own scripts, enforce strong password requirements for custom-developed applications, and ensure that new applications are able to properly apply permissions where they are most needed within their interfaces. Applications should pull environment variables from in-memory systems, rather than hardcoding them or transferring them via less secure methods.

  • Standard system and access controls: Organizations that already maintain strong system and access controls can continue to do so with applications on the cloud. Those organizations that separate employees who develop applications from employees who deploy applications can continue to maintain this separation when using the cloud. Organizations should enforce least access policies for all employees to minimize the impact of a breach if one were to occur, or to minimize the threat from internal bad actors. Employees that need access to hardware should use strong public/private keys.

  • Strong infrastructure configuration: Organizations should configure their networks using a policy of least access. Only necessary ports should be made open. Backend services should be placed in private subnets that are only available to upstream or downstream services, rather than accept connections from all IP addresses. SSL and TLS should be used whenever possible.

By applying these, and similar, standard controls, IT executives are able to maintain a similar security profile on cloud-operated infrastructure as compared to owned and operated hardware. Moreover, executives can actually simplify many of their security-related processes by leveraging sophisticated service offerings that cloud companies already provide, which include many of the following areas:

  • Encryption: With a single click, cloud providers allow IT professionals to encrypt data at rest or in transit.

  • Automatic or optional updates to managed services: Again, using a very simple interface, IT professionals can configure services, such as databases or instance hosts, to apply security patches and upgrades on demand or automatically.

  • Logging and monitoring: Cloud providers make it easy to route logs from an entire organization to a single location, and make search and analysis of those logs extremely easy. Similarly, cloud providers have a wide variety of monitoring options built in to every level of infrastructure that they provide, easing the burden on company administrators to implement third party solutions.

  • Protecting against DDoS and similar attacks: Cloud providers now have built in services to protect your infrastructure against DDoS, making it significantly easier to recover from a targeted attack on your organization.

  • Ease of configuration for new machines: Cloud providers make it easy to configure security groups, firewalls, and other items, even if an old machine goes offline and a new machine is created, regardless of its IP. By using named groups and pre-configured settings, a new machine can be added to a standard security profile within minutes.

Conclusion

The cloud, as we know it today, has been around for over a decade. Today’s most sophisticated technical organizations are now managing multi-continent, highly redundant facilities that make it easy to deliver and deploy technologies. While there are valid concerns around using new technologies, many of those have been mitigated. By implementing standard security practices, financial organizations can continue to maintain a strong security profile, and as they work with new vendors, these organizations should look for providers that maintain similar security standards, much like we do at Apteo.

Shanif Dhanani is the co-founder & CEO of Apteo. Prior to Apteo, Shanif was the lead engineer and head of analytics at TapCommerce, a NYC-based ad tech startup which was acquired by Twitter. He has a passion for all things data and analytics, loves adventure traveling, and generally loves living in New York City.

LET'S GET STARTED

Learn More About How We Help Businesses Use Data Better

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.