Securing critical data in the cloud during this wave of file-less cyber attacks can pose serious security risks when moving from a traditional enterprise data center into a cloud environment. Even in private clouds, financial organizations face intensified risks from having multiple data sets and applications sharing on the same physical services.
Banks, credit unions and other money market firms require massive amounts of multifaceted data for peak business performance, to gain a competitive edge and to meet compliance standards. The cloud provides a reasonable option to manage terabytes of data, email, and integrated communications and collaboration tools.
There are however security measures which can be taken to ensure that data and critical applications are fortified in the cloud. This begins with understanding the current state of cloud computing, the fundamental principles that a financial services organization should follow when it comes to managing cloud risk, and the types of controls needed to protect data and applications in the cloud.
State of the Union
Banks, credit unions and capital markets firms are finding that the cloud is providing a number of business benefits that make it a reasonable technology alternative. For example, financial services firms are boosting technology performance; store, secure and safeguard data; manage and secure email; and support cloud-based communications and collaboration tools. As a result, IT resources can be better managed, assuring customers of a rapid, dependable and protected service experience.
The clouds unlimited capacity can help solve scalability problems and boost efficiency by minimizing IT manpower and keeping hardware and software costs down. Email is a necessary tool for financial services organizations, but frequently distracts IT teams from focusing on core business issues. Utilizing the cloud to manage the offloading, exchange and security of email allows internal IT resources to address more strategic financial servicing issues.
Delivered on a virtualized architecture, cloud based communication and collaboration tools provide anytime or anywhere communication that are necessary in today’s business landscape and customers now demand. All of the aforementioned collaboration options are delivered without compromising security, management or application functionality all while releasing IT staff for other projects.
So where would the concerns or risks be found with such a secure, scalable and uncompromising technology solution in place? An attacker could locate and exploit a weakness in one cloud application to gain entry into other applications on the same physical server. Applications within a cloud are all separated from one another. An attacker would have no way to “jump” from one application to another without first compromising the underlying infrastructure, the hypervisor, which is intended to be uber-secure. Even a super-secure infrastructure can have vulnerabilities and can be exploited, jeopardizing all the applications and data on that hypervisor’s server. So if you have a vulnerability in one of these hypervisors it can put the entire cloud at risk.
In many cloud deployments, the financial institution adopts the notion that the cloud provider is responsible for security. But often this security is limited. It may only be liable for the physical infrastructure and the cloud computing software (for example, the hypervisors and management software). It may not include the security of the guest operating systems, applications, data or other financial institution-controlled data/applications running on the cloud.
In just about all cases, the cloud consumer is responsible for the security of its own applications and data. There is not a shift in the responsibility based on where the cloud may be hosted. The financial institution must ensure that their own cloud workloads have the appropriate security monitoring and incident response action plans so that they are not in a vulnerable state.
To see how CIOTech can help you, click here.