A recent report from the Cloud Security Alliance (CSA) shows that more than half of financial organizations don't have a solid or fully developed cloud security strategy, despite the continued migration to cloud. For financial organizations, having a cloud security strategy is critical, and this gap seems to conflict with the typically strong approach to security seen in the financial industry. What's holding these companies back? What specific needs do financial services firms have for cloud security, and how can they be addressed? What are some key points financial firms should include in a cloud security strategy, and how do these differ from those of other enterprises using cloud services?
What financial organizations are worried about
The primary concern for financial organizations regarding the use of cloud computing, and public cloud in particular, is data protection. In the CSA survey, most organizations revealed that they are still fleshing out their cloud security strategy, partially due to security concerns around sensitive data and partially due to the complexity of coordinating internal IT services and applications with external service models in general. Only 18% of respondents indicated that they plan to adopt a "private cloud only" model, however, and 86% of these organizations are doing so primarily due to concerns about security and compliance. Other major concerns include privacy, data retention and destruction, and data residency -- a particular issue for companies operating in the EU.
Cloud needs, wants and desires
Financial organizations are subject to many regulations and compliance mandates, which naturally lead them to be more cautious about provisioning sensitive systems, applications and data into public cloud provider environments that don't meet stringent requirements for security and auditing. In fact, when asked what types of features financial organizations most desired from cloud providers, the overwhelming majority (80%) asserted that cloud providers need improved transparency and auditing controls. This is a sentiment echoed across the industry in general -- determining what controls providers have and how they're maintained remains a significant struggle for most enterprises. Financial organizations also want to see improved data encryption controls, real-time event logging that they can integrate with correlation and log management tools, and remote auditing, forensics, and e-discovery tools and capabilities.
The majority of financial services organizations use application development and testing environments in the cloud, customer relationship management application services, email and content management platforms, as well as cloud storage, human resources, and data analysis and marketing tools. In most of these environments -- SaaS -- the vast majority of security controls are provisioned and maintained by the cloud service providers.
For this reason, financial services firms are pushing heavily for not only better controls, but also for more visibility into the state of those controls on a continuous basis, with 35% going so far as to request physical data center audits. At the heart of this emphasis on controls and auditing is data security -- the biggest concerns these companies have include data confidentiality, data breaches and breach notification, and loss of control and governance over data in a cloud environment.
Given the business drive to move to the cloud, financial firms' security teams may be pressured to move resources there before adequate security controls are natively offered by the service providers. If possible, financial organizations should hold out for better security and auditing controls and capabilities, especially if compliance requirements are not guaranteed to be met. Otherwise, leveraging third-party security services and cloud-compatible vendor products to bridge the gap may be the only way forward.
Compliance requirements like those for major financial regulations (Gramm-Leach-Bliley Act, FFIEC, PCI DSS and FDIC standards) are a major driver behind much of the emphasis on data security, too. Common security controls emphasized for meeting compliance with financial regulations include malware detection and forensics, auditing permission for data breach incidents, and encryption and tokenization of data with customer control and retention of encryption keys.
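The "tokenization with customer control and retention of keys" control mentioned above is easiest to understand with a small working model. The following is an added example, not code from the CSA report or from the article's author: a token vault that stays inside the customer's environment, keyed with a secret the customer holds, so that records forwarded to a SaaS or analytics tenant carry only random tokens. The names TokenVault, tokenize_record and leaks_sensitive are hypothetical, and the sample key and records are constructed for the demonstration.

```python
"""Tokenization model: sensitive field values are swapped for random tokens
before a record leaves for the cloud. The token-to-value mapping and the
HMAC key used to index it never leave the customer's environment.

Added example, not from the CSA report or the article's author.
TokenVault / tokenize_record / leaks_sensitive are hypothetical names.
"""
import hashlib
import hmac
import secrets

# Constructed sample key for this run. In a real deployment the key is
# generated and retained in a customer-controlled HSM or key manager, and
# is never provisioned into the cloud tenant that receives the tokens.
VAULT_KEY = secrets.token_bytes(32)

# Fields that must not reach the cloud provider in plaintext.
SENSITIVE_FIELDS = ("pan",)


class TokenVault:
    """On-premises vault: value -> random token, with reverse lookup.

    A keyed HMAC of the value is used as the index so that the same PAN
    always maps to the same token (cloud-side joins and analytics still
    work) without keeping the plaintext PAN as a dictionary key.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._index = {}  # HMAC(key, value) -> token
        self._store = {}  # token -> plaintext value, kept on-premises

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the existing token for value, or mint a fresh random one."""
        fp = self._fingerprint(value)
        token = self._index.get(fp)
        if token is None:
            # The token is random: it carries no information about the value,
            # so a leaked token set cannot be reversed without the vault.
            token = "tok_" + secrets.token_hex(16)
            self._index[fp] = token
            self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; only callers inside the customer boundary get here."""
        return self._store[token]


def tokenize_record(vault: TokenVault, record: dict, fields=SENSITIVE_FIELDS) -> dict:
    """Return a copy of record in which each sensitive field is tokenized."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def leaks_sensitive(cloud_record: dict, original: dict, fields=SENSITIVE_FIELDS) -> bool:
    """Egress check: does any sensitive original value appear in the outbound record?"""
    return any(
        original[field] in str(value)
        for field in fields
        for value in cloud_record.values()
    )


if __name__ == "__main__":
    vault = TokenVault(VAULT_KEY)
    # Constructed sample transaction; 4111... is a well-known test card number.
    txn = {"customer_id": "c-001", "pan": "4111111111111111", "amount": "42.00"}
    outbound = tokenize_record(vault, txn)
    print("outbound to cloud:", outbound)
    print("leaks plaintext PAN:", leaks_sensitive(outbound, txn))
    print("on-prem detokenize:", vault.detokenize(outbound["pan"]))
```

The design choice worth noting is that the cloud tenant only ever sees tokens and the HMAC index never stores the PAN itself, so the provider's transparency and auditing gaps discussed in the article matter less for this field: there is nothing on their side to decrypt. The `leaks_sensitive` check is the kind of egress control a security team can put in front of any connector that ships records to a SaaS platform.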
While none of these controls differ widely from those desired by other industry segments, financial companies are unlikely to leverage cloud service providers that are unable to guarantee a minimum level of compliance with all of them. Based on the CSA report, there is plenty of room for cloud providers to grow to meet the needs of the financial industry, and the market seems strong and is growing rapidly.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Shackleford currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.