Implementations of Cloud Security within the Banking Industry


Prompt: You should prepare a new idea on how one of the following technologies – Cloud – could be applied to benefit Banking

My Response: 'I didn't feel like editing'

Cloud for Banking

During the pandemic we have seen a massive shift in the way individuals live their lives and take care of their needs. Everything from work to shopping to investing has moved online, and financial institutions have had to move to digital channels more aggressively. Banks need to start putting strategies in place now to prepare for changing consumer expectations, emerging technology and alternative business models. Cloud computing is moving to the forefront as a chief focus: banks and other financial service firms need it to store data and applications and to access advanced software applications over the internet.

The banking of 2030 will look very different from today, and I think our Senior Managing Director and Banking Lead Mike Abbot says it best when he notes, “Over time, the cloud revolution will make the digital revolution look small.” Overall, banks are at around 8% migration to the cloud, which is really just dipping their toes in the water.

Now that we understand the importance of cloud computing and the need for the banking industry to scale up its adoption of this emerging technology, how do we do that? In this slide I will talk about a new application of cloud computing that banks can use to increase both business growth and security. The journey to the cloud will be different for each organization, because each has to weigh private, public and hybrid cloud options. From the previous slide, one notable area that has not yet been adopted with the cloud in mind is security services. The banking industry has not yet adapted to using the cloud as a way to scale up its security infrastructure, yet one of the biggest challenges banks face is security breaches. Using the capabilities of the cloud, its ready-made security infrastructure and the expertise of security specialists together would be a monumental shift in the way businesses and organizations use security to protect consumer information.

Cloud security differs from other components of cloud computing because it is a shared responsibility between the cloud provider and the customer. There are three categories of responsibility in the Shared Responsibility Model: those that are always the provider’s, those that are always the customer’s, and those that vary with the service model: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), such as cloud email.

The customer, in this case the banking organization, is responsible for managing users and their access privileges (identity and access management), safeguarding cloud accounts from unauthorized access, encrypting and protecting cloud-based data assets, and managing its security posture (compliance).

The security responsibilities that are always the provider’s relate to safeguarding the infrastructure itself, as well as access to, patching and configuration of the physical hosts and the physical network on which the compute instances run and on which storage and other resources reside.

It is important to note that this is not about scaling down the security infrastructure banks already have in place; it is about no longer having to cover every aspect of security in-house, so that security resources can be concentrated on more specific things. This application of cloud computing aims to stop stretching banks' security resources thin and instead focus them on what really matters.

Data security concerns are top of mind for bank leaders. An important part of understanding the cloud is considering how an enterprise’s current infrastructure and capabilities may be limiting its ability to detect and address new risks and vulnerabilities—and how cloud technology can help. Security is different in the cloud because of the tools that are native to each cloud provider’s environment and the fact that cloud providers typically take responsibility for the security of the lower-level infrastructure layers. The shared security responsibility between cloud providers and the clients they host changes how organizations should anticipate and prepare for security risks.

Multi-cloud security is therefore another layer that banks must adopt. There are foundational steps and assumptions we need to be aware of. First, we must not assume that the perimeter around the network is impermeable. We can’t assume a high-trust, high-integrity network, because once the network has been breached, everything within it is compromised. Second, we must mitigate internal threats: individuals on the network should not automatically have access to everything on it. This is Zero Trust, or low-trust, networking. Once we accept that, we can start implementing strategies to encrypt information, enforce access control, audit who has access to credentials, and make sure information is handed out on a need-to-know basis.

Multi-cloud security helps here because the essential capability is segmenting traffic: we have security groups in Amazon and virtual networks in Azure. This of course brings the challenge that these services cannot communicate with each other; our virtual networks know nothing about our security groups and vice versa. It also brings the opportunity to decide how to enforce who is allowed to communicate with whom. It gets a little nuanced: we move away from the traditional use of IP addresses to grant access to certain groups and take a more modern, logical approach based on identity. For example, web servers are allowed to talk to our databases, or the API is allowed to talk to our web servers; that is, services identified as web servers are allowed to talk to services identified as databases. This is where the cloud shared responsibility model comes into play, with customers, our banking organizations, being responsible for managing users and their access privileges (identity and access management).

This is an opportunity because it is scalable: it doesn't matter how many servers there are, each is still allowed to talk to whatever group it is assigned to. This is cost effective, limits spending and increases banking security. With an IP-based approach, any rewriting or translation of the IP address breaks our security controls.
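As an added example, not part of the original post, the following Python sketch contrasts the two controls described above: an allowlist keyed on IP addresses and a policy keyed on service identity. The web/api/db roles, the instance names and every address are constructed for illustration; the point shown is that an IP rewrite (NAT) or a scale-out silently breaks the IP-keyed rules while the identity-keyed rules keep working.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str      # instance name, e.g. "web-1" (constructed)
    identity: str  # logical role the policy reasons about: "web", "db", "api"
    ip: str        # current address; changes on rescheduling, NAT or scale-out


class IpAllowlist:
    """Traditional control: rules keyed on concrete (src_ip, dst_ip) pairs."""
    def __init__(self):
        self.rules = set()

    def allow(self, src_ip, dst_ip):
        self.rules.add((src_ip, dst_ip))

    def permits(self, src, dst):
        return (src.ip, dst.ip) in self.rules


class IdentityPolicy:
    """Zero-trust style control: rules keyed on (src_identity, dst_identity)."""
    def __init__(self):
        self.rules = set()

    def allow(self, src_identity, dst_identity):
        self.rules.add((src_identity, dst_identity))

    def permits(self, src, dst):
        return (src.identity, dst.identity) in self.rules


def compare(n_new_web=50):
    web = Service("web-1", "web", "10.0.1.10")   # constructed sample addresses
    db = Service("db-1", "db", "10.0.2.20")
    api = Service("api-1", "api", "10.0.3.30")
    ipl, idp = IpAllowlist(), IdentityPolicy()
    ipl.allow(web.ip, db.ip)    # web -> db and api -> web, expressed by address
    ipl.allow(api.ip, web.ip)
    idp.allow("web", "db")      # the same intent, expressed by identity
    idp.allow("api", "web")
    # The same web server seen through a NAT gateway: identity unchanged, IP rewritten.
    web_nat = Service(web.name, web.identity, "192.168.5.5")
    # Scale-out: new web instances get fresh addresses but carry the same identity.
    fleet = [Service(f"web-{i}", "web", f"10.0.9.{i}") for i in range(1, n_new_web + 1)]
    return {
        "ip_after_nat": ipl.permits(web_nat, db),          # False: the rewrite broke the rule
        "identity_after_nat": idp.permits(web_nat, db),    # True: identity survived it
        "ip_fleet_allowed": sum(ipl.permits(s, db) for s in fleet),        # 0 without new rules
        "identity_fleet_allowed": sum(idp.permits(s, db) for s in fleet),  # n_new_web
        "db_to_web_denied": not ipl.permits(db, web) and not idp.permits(db, web),
    }
```

Both controls deny the unlisted direction (database to web server), so the identity policy is not looser, only independent of addressing.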

Specifically with data protection: under traditional security, data from our web servers was very likely written and sent to the database unencrypted, because of the assumption that the perimeter keeps the bad guys out and that everyone who works for us is trusted, so it was acceptable to write unencrypted data to the database. But what if I don't trust my database operator? They may represent an insider threat and could read information out of the database, or an attacker might find their way onto my network, and suddenly protecting the integrity of the data is essential. All that data should be encrypted: it is not enough to gain access to my database and read the data, you must also break my encryption algorithm or get access to my underlying encryption keys to decrypt it. That is why it is crucial to have more barriers that make it harder to leak data. These are not new challenges; what changes is how we approach them, and that is why multi-cloud security is needed. Traditional tools lead to static infrastructure: they are designed for a private data center and are IP based. Firewalls, for instance, are managed by IP address, which is difficult to manage. In a more dynamic world where we expect infrastructure to come and go and where we use containers, a much smaller unit of management, we need a different approach. With IP it will simply become too painful; instead we focus on service identity.

Adding these layers to the security infrastructure as banks adopt the cloud is the best way to go. Banks' top concern is security breaches; it is the industry that needs to be most cautious about data and access to information. The DevOps tool Terraform is a good example of what can be done: Terraform's dynamic multi-cloud strategy can help transform banking organizations from traditional to multi-cloud security.

The underlying problem is that multi-cloud settings, with dynamic scale and a lot of variability, cannot be managed effectively with IP-based controls.

Challenges: The cost and effort to migrate workloads to the cloud may be a major concern for financial institutions contemplating cloud strategies. Cost and time to market are key factors when companies seek to leverage business-building technologies such as advanced data analytics and machine learning. External cloud providers offer these and other capabilities, which can shorten development time compared with building them in-house.

The cloud also enhances companies’ overall resilience, allowing them to respond more quickly to physical outages, disruption and so on. Moving out of the company’s own data center brings the ability to replicate data and application services across more than a single data center or region.
