Companies across the globe are moving to the cloud, but financial institutions have typically been slow to make the transition. While moving to the cloud may seem like an innovative change, financial institutions should also consider the best ways to stay compliant and protect consumer data in the process.
With changing technology, navigating cloud compliance can be confusing for an IT department, so shifting from general compliance to cloud compliance means financial institutions must set up a strong IT security and compliance program. Such a program covers six main areas of protection: governance and policy, asset management, access control, system development and maintenance, incident response and business continuity.
Governance and policy
Leading cloud providers maintain standard compliance and security controls as part of their infrastructure, but handing operational security tasks to a provider does not hand over the risk: the institution remains accountable to its regulators and customers for how its data is protected. According to Computer Weekly, “By moving data from your internal storage to someone else's, you are forced to examine closely how that data will be kept, so that you remain compliant with laws and industry regulations.”
Additionally, it is important to understand the provider’s service level agreement (SLA) and to discuss security processes and policies as part of the due diligence process. Roles and responsibilities for maintaining security will also depend on whether the institution selects an infrastructure-, platform- or software-as-a-service (IaaS, PaaS or SaaS) model. The further up that stack the service sits, the more of the security controls the provider operates and the fewer the institution controls directly; the resulting division of ownership and security responsibility between the cloud provider and the financial institution should be documented rather than assumed.
Asset management
Proper asset management requires the financial institution to work with the cloud provider to keep a record of what systems are deployed, along with the security classification or control level defined for each of them.
Financial institutions can manage the addition of new assets or instances through a change control process. This helps to ensure that necessary changes are made, that all changes are documented, that services are not disrupted and that resources are used effectively.
They should also assign ownership of asset monitoring, for example by making named owners responsible for event log alerts and for patching. Monitoring all cloud accounts through the provider’s management console lets the IT department oversee activity such as resource deployment, usage tracking and data integration.
Access control
Role-based security is vital to remaining compliant in the cloud. Good access control starts with processes to audit, review and control access on a least-privilege basis, with role-based access controls defining who may reach which resources.
One option is the “zero-trust network” model. With this model, all networks and devices are treated as untrusted until proven otherwise, and the health of the network and the device is checked each time a user connects to a protected resource. This approach depends on visibility into whether basic device and network security standards are met, and it requires the ability to enforce granular policy controls based on the results of that health check.
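As an added illustration (not code from the original article or from Xamin), the following Python sketch shows what a per-connection decision of the kind described above looks like when role-based least privilege and device health checks are combined into one policy evaluation. The posture fields, resource definitions, thresholds and sample devices are all assumptions constructed for the example; a real deployment would receive the posture from an endpoint agent or identity provider rather than from hard-coded values.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class DevicePosture:
    """Constructed device health report; field names are assumptions for this example."""
    managed: bool            # enrolled in the institution's device management
    disk_encrypted: bool
    edr_running: bool        # endpoint detection and response agent alive
    last_patched: date


@dataclass
class Resource:
    """Protected resource with its own role list and posture requirements."""
    name: str
    allowed_roles: frozenset   # role-based access: who may reach this resource at all
    max_patch_age_days: int    # posture requirements tighten with sensitivity
    require_mfa: bool


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # every failed check, for logging


def evaluate_access(user_roles, mfa_verified, posture, resource, today):
    """Zero-trust style decision: nothing is trusted by default and every check must
    pass. Failed checks are collected rather than short-circuited so a denial can be
    logged and explained to the user and to auditors."""
    reasons = []
    # Least privilege first: the role must be explicitly allowed for this resource.
    if not (set(user_roles) & resource.allowed_roles):
        reasons.append("role not permitted for resource")
    if resource.require_mfa and not mfa_verified:
        reasons.append("MFA required")
    # Device health, re-evaluated on every connection rather than once at enrolment.
    if not posture.managed:
        reasons.append("device not managed")
    if not posture.disk_encrypted:
        reasons.append("disk not encrypted")
    if not posture.edr_running:
        reasons.append("endpoint protection not running")
    patch_age = (today - posture.last_patched).days
    if patch_age > resource.max_patch_age_days:
        reasons.append(f"patches {patch_age} days old, limit {resource.max_patch_age_days}")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample data: two resources of different sensitivity and two devices.
CORE_BANKING = Resource("core-banking-admin", frozenset({"core-admin"}), 14, True)
INTRANET = Resource("intranet-wiki", frozenset({"staff", "core-admin"}), 45, False)
TODAY = date(2024, 3, 10)
HEALTHY = DevicePosture(True, True, True, date(2024, 3, 1))
STALE = DevicePosture(True, True, False, date(2024, 1, 1))


if __name__ == "__main__":
    for roles, mfa, dev, res in [
        (["core-admin"], True, HEALTHY, CORE_BANKING),
        (["staff"], True, HEALTHY, CORE_BANKING),
        (["core-admin"], False, STALE, INTRANET),
    ]:
        d = evaluate_access(roles, mfa, dev, res, TODAY)
        print(res.name, roles, "ALLOW" if d.allow else "DENY", d.reasons)
```

The point of collecting all reasons is operational: a single "access denied" gives the help desk nothing to act on, while a list such as "endpoint protection not running" tells both the user and the security team exactly which standard the device failed.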
System development and maintenance
Applying secure configuration standards like the CIS Benchmarks to any cloud-based environment is a good place to start. CIS Hardened Images are pre-configured virtual machine images for a variety of platforms and technologies, and using them saves time over manually hardening a virtual machine.
These images allow already compliant systems to be deployed for a variety of business purposes, which is especially helpful for banks and credit unions that need to protect a consumer’s most sensitive data. For those developing software in the cloud, CIS Hardened Images provide a secure starting point. Once secure configurations are in place, ongoing maintenance is required to prevent “configuration drift”, the gradual divergence of live systems from the approved baseline, and so to stay in compliance.
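To make “configuration drift” concrete, here is an added example (not from the article, and not a CIS tool) of the kind of check a practitioner runs periodically: parse a service’s live configuration and compare it against a hardening baseline. It uses OpenSSH’s sshd_config because its format is simple and its first-value-wins rule is a classic source of silent drift. The baseline keywords and values are chosen for the example and are not quoted from any CIS Benchmark; the sample configuration is constructed.

```python
import re

# Illustrative hardening baseline in the style of a benchmark checklist. Keys are
# lower-cased because sshd keywords are case-insensitive. These values are an
# assumption for the example, not the CIS Benchmark text.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

# sshd_config allows "Keyword value" or "Keyword=value" (optional whitespace, one '=').
_LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S.*)$")


def parse_sshd_config(text):
    """Return the effective global settings of an sshd_config.

    sshd uses the FIRST value it sees for each keyword, so a hardened line appended
    below an older permissive one changes nothing; setdefault() mirrors that rule.
    Keywords after the first 'Match' line apply only conditionally, so the global
    parse stops there."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        m = _LINE.match(line)
        if m:
            effective.setdefault(m.group(1).lower(), m.group(2).strip())
    return effective


def find_drift(baseline, effective):
    """Map each drifted keyword to (expected, actual). A keyword that is absent counts
    as drift too, because sshd's compiled-in default may not match the baseline."""
    drift = {}
    for key, expected in baseline.items():
        actual = effective.get(key)
        if actual is None or actual.lower() != expected.lower():
            drift[key] = (expected, actual)
    return drift


# Constructed sample: an operator re-enabled password logins at the top of the file,
# someone later "fixed" it by appending the secure value, and one keyword is missing.
SAMPLE_CONFIG = """\
# constructed sshd_config for this example
Port 22
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 4
X11Forwarding=no
# appended later; has no effect because the first value above wins
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""


if __name__ == "__main__":
    for key, (expected, actual) in find_drift(BASELINE, parse_sshd_config(SAMPLE_CONFIG)).items():
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
```

Run against the sample, the check reports PasswordAuthentication (effective value still “yes” despite the appended line) and PermitEmptyPasswords (not set at all). A naive grep for the secure string would have passed both, which is why drift detection has to reproduce the daemon’s own parsing rules rather than look for the presence of a line.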
Incident response
It is no surprise that communication is key when there is an incident in the cloud. The institution and the cloud provider need to agree on which role each of them plays in a security incident and on what data the provider can supply. For this reason, understanding the provider’s logging capabilities and access control reporting is necessary before signing a contract.
Joint exercises can test the incident response process and ensure that both organizations know how the data the cloud provider supplies will be used. This strategy should be approved and documented in your organization’s incident response plan.
Business continuity
Consider what will happen if one or more of the systems on which your organization relies fails. One of the many benefits of cloud infrastructure is the ability to shift workloads and data quickly depending on your needs. If a natural disaster strikes a main office, cloud-based services can continue running, provided they were designed to operate without that office.
However, financial institutions will also want to scrutinize the cloud provider’s own resiliency and disaster recovery strategy. What are its guarantees and limitations regarding uptime? Where, geographically, is the data replicated, and is replication included in the plan? Depending on the answers, the ability to port data to another cloud provider may need to be part of your organization’s business continuity strategy.
When financial institutions start moving to the cloud, it is important to keep cloud compliance in mind to protect the institution and its customers. This starts with a strong IT security or compliance program focused on the benefits of leveraging cloud-based technology and the importance of maintaining compliance and security.
Ben Fishbune is sales engineer at Xamin, which provides managed IT services for highly regulated and reputation-sensitive companies.
BAI gives financial services leaders confidence in managing compliance and a passion for professional development by providing powerful tools and subject matter expertise you can rely on. Learn more.