This post was originally published on The New Stack.
The workloads that financial services companies deploy in the cloud aren’t fundamentally different in most cases from those deployed in other industries. Finance businesses use the same types of cloud services, the same application architectures, the same monitoring and observability tools, and so on.
Yet from a security perspective, financial services companies face unique challenges in the cloud. Because of the compliance and data privacy requirements they need to meet, these companies must address security considerations that don’t apply in other industries.
This article details the top four such considerations that apply uniquely to financial services businesses. It also explains how finance companies can take advantage of the cloud while keeping its attendant security challenges in check.
1. Applying Compliance Rules to the Cloud
Many financial services businesses are subject to special regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), that require specific security controls to protect applications and data. However, most of these frameworks were designed before the widespread adoption of cloud computing (PCI DSS dates to 2006, for example), and they don’t define exactly how to protect workloads in the cloud. Interpreting the rules and applying them to cloud environments is an exercise that regulators leave to individual businesses.
That means that achieving compliance in financial services requires the ability to translate security regulations that were conceived in the pre-cloud era into a cloud security strategy. To address this challenge, engineers need a deep understanding of both financial compliance rules and the security architectures and tools available in the cloud. This is one way in which financial services are different from most other industries, where compliance rules are less strict or were designed with the cloud in mind.
2. Securing Cloud Data
Part of the reason why applying compliance rules to the cloud can be challenging is that in the cloud, there are often multiple ways to achieve the same basic goal – and each approach carries different security risks.
Case in point: data storage. In the cloud, you can store data in an object storage service, a database or a virtual file system attached to a VM. Each type of cloud data storage solution is subject to different types of risks; for instance, insecure access controls are arguably the biggest threat to sensitive information within object storage, while malware is more of an issue with file systems that are accessible from VMs.
This means that financial services companies, which usually face strict requirements related to securing data, can’t depend on generic data security strategies in the cloud. They must instead develop nuanced data security methodologies tailored to their specific cloud data architectures and services.
3. Deploying Security Tools Efficiently
A financial services business’s cloud environment might include dozens of user accounts, hundreds of workloads and tens of thousands of individual permissions configurations across all of them. In an environment of this size and complexity, deploying security tools to each resource manually is simply not feasible. It would take too long, and because cloud resources are constantly changing, some resources would likely be overlooked.
For that reason, financial services companies that rely heavily on the cloud should leverage agentless security. Agentless security makes it possible to secure cloud workloads in an efficient, scalable way that doesn’t require teams to deploy traditional security software on every resource they need to protect. In a large-scale cloud environment, agentless security is the only way to ensure that teams can operate efficiently and that no workloads fall through the cracks.
4. Unifying Legacy Security with Cloud Security
Another special security challenge that some financial services businesses face is the need to secure both legacy environments – such as the mainframe infrastructures that large banks and insurance companies continue to use – and modern cloud environments at the same time. This is challenging because the security tools and methodologies for each type of environment are quite different.
This is another reason to take advantage of strategies like agentless security in the cloud. The easier and more efficient it is to secure cloud workloads, the more resources finance businesses can invest in protecting legacy environments, which often require more attention and effort.
To put this another way, streamlining cloud security means enhancing security for legacy workloads, too – a critical advantage for any financial services organization that still runs some workloads on legacy infrastructure, even though it has moved others to the cloud.
Conclusion: The Future of Cloud Security for Financial Services Companies
Securing cloud environments and workloads is challenging for any type of business. But financial services organizations have it especially tough due to challenges like complex regulations and strict data security requirements.
The good news is that it’s possible to work through these challenges. By focusing on efficiency, scalability, and comprehensiveness within cloud security operations, financial services businesses can stay on top of complex security threats, no matter which cloud architectures or services they use.