Introduction
The cloud era is well on its way, and the majority of organizations in the financial sector are now realizing that a transition to the cloud could be beneficial to their business. Improved business agility, flexible pricing, and resilient IT operations are key motivations for organizations looking to migrate their services to a public cloud solution.
While cloud computing provides many benefits from a business perspective, it also introduces new challenges related to information security. Organizations that were previously solely responsible for protecting their data now share this responsibility with one or more cloud service providers (CSPs). Financial institutions must decide whether or not to move customer data and sensitive workloads into the hands of a third party, and whether regulations even allow it. Moving to the cloud involves making important decisions on vendors, architecture, and processes. It requires organizations to acquire new knowledge and make cultural changes to adapt to this new way of doing IT. All of these factors impact information security, which creates the need for a cloud security strategy.
This report describes what a cloud security strategy is and why it is essential for organizations looking to strengthen their cloud presence. It also includes a short step-by-step description of how companies can build such a strategy. However, the main focus is on the key aspects that financial institutions should include as part of their cloud security strategy and recommendations on how these can be dealt with. While the report’s primary target group is financial institutions in Europe, some of the aspects discussed may be relevant for organizations in other regions and industries.
Cloud security strategy and its importance
The purpose of the cloud security strategy is to ensure that the organization’s security posture is good enough to protect the confidentiality, integrity, and availability of the services and data residing in the cloud. It is a long-term plan that managers and employees can use to understand which direction to move in, future goals, and what it will take to reach them. Having this vision will make it easier to prioritize which capabilities to implement to satisfy the organization’s risk appetite while still supporting business goals.
A lack of a cloud security strategy will leave the organization in the dark, not knowing whether it is protected against relevant threats or compliant with regulatory requirements. Protection and compliance are critical in the financial sector, where organizations handle large amounts of sensitive data. Both the threat and regulatory landscapes are constantly changing, so it is crucial that the strategy is not set in stone but instead a dynamic document open to change.
The strategy is also a key mechanism for preventing overspending or implementing the wrong security capabilities. For example, without a strategy an organization could unknowingly spend a lot of man-hours and resources on reducing a risk that was already within its limits of acceptable risk.
A survey conducted by the Cloud Security Alliance involving respondents from the financial services sector provides interesting data. Approximately 9 out of 10 of the companies interviewed answered that they were already using public cloud services. Respondents listed contractual issues, regulatory requirements, and technical security control gaps as main concerns for further adoption (Cloud Security Alliance). These concerns further highlight the need for a cloud security strategy and are all topics discussed in this report.
Building the strategy
There is no industry standard or definitive right way of structuring a cloud security strategy. It is reasonable to assume that many organizations will treat it as part of their overall information security strategy, and it could be useful to build the two strategies in a similar way. Reviewing the guides “Framework for Improving Critical Infrastructure Cybersecurity” (National Institute of Standards and Technology) published by NIST and “Developing an Information Security and Risk Management Strategy” (ISACA) by ISACA gives a sense of how to accomplish this.
The first step in both guides is identifying business objectives and high-level organizational priorities. This is all about becoming business-aware. Once that is complete, an assessment of the current state must be conducted. This involves identifying what services and data are currently stored on-premise, in private clouds, and in public clouds, and how they are secured today.
Performing a risk assessment is the next step in the process. The risk assessment is also what ENISA recommends financial institutions base their cloud strategy on, in the report “Secure Use of Cloud Computing in the Finance Sector” (ENISA). This assessment should be part of the overall company risk assessment methodology. However, a survey conducted by the Cloud Security Alliance shows that this is often not the case. Of their respondents from the financial services sector, only 52% answered that they had fully made this integration (Cloud Security Alliance).
Both guides agree that a strategy should contain a target profile or point of arrival. The target profile describes the desired state one is looking to achieve after the completion of the strategy. With a clear vision of the desired outcome, a gap analysis against the current security state identifies what is missing. This analysis is then used to create the implementation plan, where it is decided what actions need to be taken to reach the point of arrival. It is possible to create a plan where actions are purely technical, like “Set up a firewall” and “Implement an intrusion detection system”. However, the following section introduces many aspects that highlight the need for a more holistic approach, including processes, change of culture, and legislation.
Aspects of Cloud Security
Organizations have traditionally hosted services and stored data in their own data centers. This means they have been responsible for maintaining the physical hardware and the software running on it. Securing their digital infrastructure was always part of this responsibility, and over the years many security professionals have gained experience in creating security strategies for these types of environments. Securing an organization’s IT environment in the cloud is something different, however, and introduces many new issues and challenges. This section describes aspects that are important to consider for organizations building their cloud security strategy.
Shared responsibility
When an organization starts using a service in a public cloud, it shares the responsibility for securing that service with the cloud service provider. How that responsibility is divided between them depends on multiple factors, like the particular service, the provider, and the service type. Service types describe how much of the architecture stack the organization controls. It is common to divide the model into three parts: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Software as a Service is software that the service provider offers over the internet. This type of service leaves the organization with very little security responsibility, as the provider controls the underlying technology stack. It is important to remember that little responsibility does not mean no responsibility: users of SaaS services still have to secure their data and control who accesses it. Examples of such services are Dropbox and Gmail. In Platform as a Service, organizations are given a platform on which to host their applications and services. The cloud provider is responsible for securing the technology that supports the platform, like the operating system, virtual machine, and network. Users must secure their applications, their data, and access to them. Infrastructure as a Service hands a large portion of the responsibility over to the customer. The service provider handles and secures the underlying infrastructure, while the customer must secure their virtual machines, virtual networks, operating systems, and more.
This topic must be addressed in the cloud security strategy. Identify which service types are going to be used and what responsibility comes with each. Be sure not to put too much trust in the provider. The “Cloud Adoption and Risk Report” (McAfee) states that 69% of their respondents said they trusted the cloud providers to keep their data secure. Recall that even in Software as a Service, customers are responsible for securing their data. How the responsibility is shared may differ at every cloud provider. Information on the responsibility relationship between customer and provider can be found in contracts, service level agreements, and public documentation.
Complying with regulations
Moving data and services to the cloud also introduces challenges from a legal perspective. Considering the regulatory requirements is a must when organizations create plans to secure their cloud environment. Financial institutions in Europe have to comply with both general and industry-specific regulations. Most organizations in the financial sector handle sensitive information, and often personal data. Organizations that are in the European Union or that collect personal data on subjects within the EU have to comply with the General Data Protection Regulation (GDPR). This affects the way organizations may use cloud computing in numerous ways.
General Data Protection Regulation
GDPR clearly defines a set of rights for the subjects of data collection. The individual has the right to be informed about what data is collected about them and how long it is stored for, and to have it corrected or deleted (European Commission). There are also clear guiding principles for where data should be stored and processed and the level at which it should be secured.
Controlling how long data is stored becomes a challenge when cloud providers store customer data in multiple regions with different jurisdictions, each with its own data retention requirements. Organizations should specify their need for retention and choose service providers based on that. Suppose the purpose of data collection only allows for a retention period of 6 months, but the cloud provider only offers a minimum of 12. In that case, the organization should look to store the data elsewhere.
To ensure compliance, organizations have to stay in control of their data, which should be addressed in detail in the contract between the organization and the cloud service provider. According to the “McAfee Cloud Adoption and Risk Report” (McAfee), fewer than half of cloud service providers state that the customer is the owner of the uploaded data, and only 13% of them say they delete customer data immediately on termination of service.
Many cloud providers operate data centers in multiple regions and different countries, and the location where the data is stored is not always specified. According to GDPR, organizations should store and process data within the borders of the EU and the European Economic Area. Data can be transferred outside these borders, but that requires the processing company to prove an “adequate level of protection” (European Commission).
GDPR also includes fundamental principles and guidelines for information security. Article 5(1)(f) says “Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” Organizations must ensure that they will be able to implement sufficient security measures to comply with this statement. In the case of a breach, it must be possible to document that appropriate protection was in place considering both the organization’s risk and circumstances.
Industry-specific regulations
European companies in the financial sector are regulated by their national authorities and by the European System of Financial Supervision. They are, depending on their offered services, subject to supervision by either the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), or the European Insurance and Occupational Pensions Authority (EIOPA). All of these consider cloud computing as outsourcing from a legal perspective and have published individual guiding principles on the subject.
Because of their similarities, reviewing ESMA’s publication “Guidelines on outsourcing to cloud service providers” (ESMA) gives a good sense of all three reports’ content. The guidelines are divided into nine parts that should help companies identify and manage the risks associated with outsourcing. Briefly summarized, they include:
- Guidance on what to consider when assessing the risk and suitability of a CSP
- What to include in the contract with the CSP
- Minimum security requirements
- Exit strategies
- Access and audit rights
- How and when to notify supervisory authorities
Infrastructure and access control
Securing cloud infrastructure is similar in many ways to securing on-premise networks. While the CSP takes care of the physical servers and network, customers have to secure the virtual equivalents. This means implementing traditional security measures like firewalls, vulnerability management, activity monitoring, micro-segmentation, and access control.
Cloud computing eases the process and cost of creating networks because they are defined in software rather than hardware. This lets customers create small, isolated zones for every workload, often referred to as micro-segmentation. This way of structuring a network limits blast radius and prevents lateral movement by restricting communication between segments. Micro-segmentation is an important part of the zero-trust concept.
Zero-trust is a security strategy based on the idea that you should not trust anyone by default, and should assume that any of your applications and identities could already be compromised. Access to resources is limited on a need-to-know basis, and employees are only given the least amount of privilege necessary to do their job. Continuous authentication and role-based access control are also required to achieve this.
DevSecOps and culture change
Cloud computing lets developers provision virtual infrastructure components by writing code, a practice called Infrastructure as Code. Developers who were previously only responsible for writing application code now have to perform tasks that belonged to infrastructure operators, and these two roles start to blend into each other. This combination of development and IT operations, and the practices that follow from it, is often referred to as DevOps.
Building and deploying both infrastructure and applications is a big responsibility. To make sure security is handled appropriately and by design, a practice called “security as code” can be leveraged. This involves tracking code changes, building security tests, and enforcing policies from the beginning of the development process. In this approach, security is shifted left into earlier development stages rather than being applied at the end of the software development cycle. This integration of security into DevOps practices is defined as DevSecOps, according to Gartner (Gartner).
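As an added example (not part of the report), the following Python script shows what “security as code” can look like in practice for the micro-segmentation described above: a policy check that runs over an Infrastructure-as-Code definition before deployment. The security-group format, the tier names and the three policies are constructed for illustration and do not correspond to any specific provider’s API.

```python
"""Security-as-code policy check over a constructed infrastructure-as-code
definition of security groups (a list of {'name', 'tier', 'ingress'} dicts).

Constructed policies, chosen to express micro-segmentation and least privilege:
  P1  CIDR sources (internet or corporate ranges) may only reach the 'web'
      tier, and only on port 443.
  P2  Other tiers accept traffic only from a named group in the tier directly
      in front of them (web -> app -> db); cross-segment rules are rejected.
  P3  Every rule names a single port; 'any' is rejected.
"""

# Which tier may talk to which: value is the only tier allowed as a source.
ALLOWED_SOURCE_TIER = {"app": "web", "db": "app"}


def check_security_groups(groups):
    """Return a list of human-readable policy findings (empty means compliant)."""
    findings = []
    tier_of = {g["name"]: g["tier"] for g in groups}
    for g in groups:
        for rule in g.get("ingress", []):
            src, port = rule["from"], rule["port"]
            if port == "any":                                         # P3
                findings.append(f"{g['name']}: rule from {src} allows all ports")
                continue
            if "/" in src:                                            # P1
                if not (g["tier"] == "web" and port == 443):
                    findings.append(
                        f"{g['name']}: CIDR source {src} on port {port} "
                        "is only permitted into the web tier on 443")
            else:                                                     # P2
                src_tier = tier_of.get(src)
                if src_tier is None:
                    findings.append(f"{g['name']}: unknown source group {src}")
                elif ALLOWED_SOURCE_TIER.get(g["tier"]) != src_tier:
                    findings.append(
                        f"{g['name']}: {src_tier} tier group {src} may not "
                        f"reach the {g['tier']} tier (cross-segment rule)")
    return findings


def pipeline_gate(groups):
    """True when the definition may be deployed; what a CI step would return."""
    return not check_security_groups(groups)


# Constructed sample: a three-tier layout with two deliberate mistakes in the db group.
SAMPLE_GROUPS = [
    {"name": "sg-web", "tier": "web",
     "ingress": [{"from": "0.0.0.0/0", "port": 443}]},
    {"name": "sg-app", "tier": "app",
     "ingress": [{"from": "sg-web", "port": 8080}]},
    {"name": "sg-db", "tier": "db",
     "ingress": [{"from": "sg-app", "port": 5432},
                 {"from": "0.0.0.0/0", "port": 5432},   # violates P1
                 {"from": "sg-web", "port": "any"}]},   # violates P3
]
```

Running `check_security_groups(SAMPLE_GROUPS)` reports the two db-tier violations, and `pipeline_gate` returning `False` is what would block the deployment in a CI pipeline.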
Being able to adopt DevSecOps in the organization requires a cultural shift. Traditionally development, operations, and security have been siloed departments isolated from each other and only involved with specific stages of the development lifecycle. This is not the case in DevSecOps, where teams consist of members from all departments. Together they share the responsibility of developing software that is secure by design. Security team members might be assigned more security-specific tasks, but all members must adopt the security mindset.
To be successful, members must accept their new responsibility and have the necessary knowledge and competence. CSA’s report on “Cloud usage in the financial services sector” says that only one of the respondents claimed not to have a cloud security skill gap in their organization, while 75% of the remainder planned to address this by training their employees (Cloud Security Alliance).
Conclusion
Organizations in the financial services sector have started to sense the benefits that cloud computing can provide. While the majority of companies have made their first move into the cloud, many see concerns such as contractual issues, regulatory requirements, and technical security control gaps as blockers for further adoption. This report proposes creating a holistic cloud security strategy to describe how the organization will address such issues and achieve its desired cloud security posture.
Cloud computing introduces new aspects and challenges from a security perspective. Organizations now share security responsibility with the cloud service provider, and the report puts weight on the importance of knowing exactly where that line of responsibility lies. Financial institutions in Europe must also be aware that the use of cloud computing is viewed as outsourcing from a legal perspective. They must comply with their own nation’s regulations, the guidelines of the European System of Financial Supervision, and GDPR. To deal with cloud infrastructure security and rapid software development, one might look to trends such as zero-trust and DevSecOps. The key here is to have employees with the right competencies. However, research suggests that there is currently a cloud security skill gap in the financial sector.
Cloud computing provides several benefits from a business perspective. Even though it introduces new security challenges, it might end up improving companies’ overall security posture in the future. The key to achieving this for organizations is defining direction and goals in a cloud security strategy.