Forecast for the cloud: Five questions before you weather a security storm
Migrating to a cloud solution isn’t new, revolutionary or innovative. At this point, many enterprises do it for a variety of reasons—enhanced strategy, flexibility, productivity and cost-savings among them. When workloads move from onsite storage to an online cloud, such benefits soon manifest themselves.
But if your institution is contemplating the cloud leap, it’s difficult to ignore the malware attacks, from WannaCry to Petya, without concern. Make no mistake: Determining the correct path with your cloud strategy and solution is critical. Before moving forward with a cloud initiative, several considerations need to enter the picture to protect your data.
The atmosphere up there: Categories of cloud offerings
As the cloud matured, several different options emerged that offer varying levels of control, flexibility and management—along with different data security considerations and deployment types to suit almost any need. More common and early models include Enterprise File Sync and Share (EFSS) and Infrastructure as a Service (IaaS).
In the EFSS space, more than 140 cloud providers offer diverse features and benefits. Yet hesitancy to adopt these technologies results from the loss of control over data security.
With IaaS, “leaders” in the Gartner Magic Quadrant dominate: Amazon Web Services and Microsoft Azure. Cloud services providers (of which Amazon is one) operate under a shared responsibility model that leaves customers ultimately responsible for their data’s security within the cloud.
Likewise, financial services organizations must take ownership of cloud-based data security for a number of reasons such as possible threats from hackers, government agencies or privileged insiders. They must also conform to data protection requirements found in places such as:
- The Payment Card Industry Data Security Standard (PCI DSS), which increases controls around cardholder data to reduce credit card fraud.
- The Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to explain information-sharing practices to their customers and safeguard sensitive data.
- The Sarbanes-Oxley Act (SOX), which dictates how publicly traded companies manage auditors, financial reporting, executive responsibility and internal controls.
As you evaluate your different options and strategize your move to the cloud, ask yourself: Which things should you keep on your radar so you can successfully soar? Consider these five crucial security-related questions:
1. What drives your cloud migration?
Evaluate the factors that led your financial institution to consider the big move. Are they strictly technological? Related to cost? Speed? Collaboration? Some of the above? All of the above?
While this overarching question seems almost immaterial, it will impact your success more than you might imagine. If you don’t understand your drivers, you’ll struggle to determine priorities and needs for your security strategy.
2. Have you contemplated and completed the cloud security checklist?
Reflect on these variables before you take on the cloud:
- Data classification: Do you know what data you need to or wish to protect? Are different controls needed?
- Identity and access controls: What do you have now? What will you need?
- Regulations and compliance: Do you understand your compliance needs? Are you prepared to comply, audit and report?
- Data security model: Do you have one solution in place? Or many? If more than one, will they work together?
- Executive buy-in: Are all of your executives on board with what’s needed? Are they ready to champion data security for your organization?
3. How have new data security regulations shaped the cloud?
As you look to move data to the cloud—data you must protect to meet compliance regulations—you’ll face additional pressure as you migrate. But it doesn’t have to be hard. Many of the larger regulatory agencies and standards boards are amending documentation to assist cloud services providers (CSPs) and customers on specific cloud needs.
4. What considerations come with a shared responsibility model?
For financial institutions, a shared security responsibility model—where the CSP and the bank split responsibility for data security—represents a large shift from traditional models. Adjusting to this model requires careful consideration of how to address security.
Who is responsible for which security components? That depends on the cloud service model you use, but ultimately it will be a shared paradigm. That means the CSP is responsible for the security of the cloud itself, while the financial institution remains accountable for the security of its cloud-hosted data.
5. Which best practices reduce data security risks in the cloud?
This requires four fundamental actions:
- Identify your encryption and key management solution. Encryption is a necessity. It’s particularly important to ensure no one outside the enterprise controls encryption.
- Establish and apply identity and access control policies.
- Track your data.
- Train all users on policies.
Financial institutions stand out as high-priority targets for cybercrime due to the monetary gain at stake. Thus data protection must become a high priority as well. Banks that fail to employ strict data security measures face severe consequences–including the lost trust of customers and business partners, or violation of local, regional or worldwide regulations.
When your financial institution addresses these five questions and implements sound responses, you will find yourself well positioned to take off for the cloud in confidence. Security matters. The cloud has obvious benefits. Taken together, smart pre-flight safety checks will give you the wisdom and wings you need to fly.
As chief operating officer at WinMagic, Mark Hickman oversees direct and channel sales, marketing, professional services, and global business development. Prior to joining WinMagic, he held senior sales management positions with Computer Associates (CA), BEA Systems Inc., and RightNow Technologies.