By Dave Waterson, CEO, SentryBay
The banking industry is embracing all the benefits that the cloud offers and slowly but surely moving its infrastructure over. The motivations for migrating include greater control of costs, access to reliable, constantly updated and optimised technology and an ability to build competitive advantage.
Alongside this, however, is the risk of exposure to cyberattacks.
The dynamic environment of the cloud removes organisations from total control of their network operations. In many cases, the cloud service provider takes responsibility for, at least, some of the systems and policies which ordinarily would be monitored by the company. Shifting data from secure on-premises networks into the cloud opens opportunities for cyber attackers and makes it easier for data to be leaked, which is why according to IBM nearly half of all data breaches happen in the cloud.
There is also the issue of compliance. A cloud environment typically enables large scale user access, but meeting with regulations such as GDPR, PCI DSS and HIPAA necessitates strict access control. If banks and financial services companies cannot demonstrate full adherence with regulations they are at risk, not just of a data breach, but of hefty fines for non-compliance.
The key to a successful cloud migration is strategic planning. Having a clear picture of the vulnerabilities that may occur as a result of moving data, applications and platforms into the cloud allows banking organisations to put defence mechanisms in position.
Securing endpoints
Perhaps the most obvious place to start is with the devices that will be used to access cloud-based systems. Laptops, corporate PCs, home PCs and smartphones are vulnerable. It takes just one keylogging attempt on an unmanaged laptop that is logging remotely into an online bank account to put that employee at risk of personal theft. It can equally take one malicious screen capture incident to grab the log-in details for the bank’s network and allow a bad actor access to the data of thousands of customers’ bank accounts. These are just two examples of common malware that frequently attack systems that are unprotected.
The rapid shift to remote working followed by hybrid models that allow employees to work in offices or from home have provided greater flexibility for workforces. For banks and financial services organisations however, this has created a huge headache when it comes to managing security. IT teams whose job previously was to monitor and log activity within a secure controlled location, are now expected to monitor the same activity, but across app virtualisation services such as Azure Virtual Desktop and SaaS applications like w365 with no direct visibility of the devices that are being used.
So, for a cloud migration to be successful and risk free, banks must recognise these vulnerabilities and start from that perspective.
Never trust, always verify
In a cloud environment even more than on-premises, the traditional approach to security which presumes that cyber attackers are always on the untrusted side of the network, and trusted users are always on the trusted side, should be put aside in favour of adopting a zero trust approach. This is a model that trusts nobody and assumes that all devices are untrustworthy. It means that access to the system is denied completely until the employee and their device have been verified.
The risk of an attack is now so great, and the belief in zero trust so strong, that the Spiceworks Ziff Davis 2022 State of IT report, carried out among over 1000 technology buyers in North America and Europe, found that 65 percent of companies in Europe were implementing, or planning to implement zero trust security solutions within two years.
The importance of wrapping data & applications
With zero trust in place, banks should turn their attention to building a layered approach to cybersecurity. Internet security, anti-virus software and securing the wireless network with virtual private networking (VPNs) still have an important role to play, but what is needed now as the threat landscape becomes more complex, is dedicated solutions that containerise data and applications securely, so they are wrapped against the threat of cyberattacks particularly from keyloggers, screen capture malware and other forms of cyberattack.
This type of security solution, which protects data entry on all devices, but particularly those that are used to remotely access cloud-based apps is essential to a layered approach and works without needing to identify the malware. It is also scalable, allowing banks and financial services companies to approach security as a continuous process. This is particularly important when it comes to compliance and is fully in line with regulations such as PCI DSS which requires continual reassessment and remediation of problems when personal and payment data is being handled.
Cyber threats have evolved to take advantage of weaknesses in the cloud, and the solutions that organisations use to tackle this pervasive problem also need to evolve. Delivering a mechanism that prevents an attack and which is easy for employees to deploy, wherever they happen to be working, and on whatever device, is a significant way of meeting the challenge.
The message, therefore, for the financial industry as it manages its migration to the cloud is to ensure a layered, integrated suite of security is in place as part of a zero trust approach. This will mitigate attacks and shore up defensive walls enabling them to fully maximise all the advantages that the cloud can bring.