Cybercriminals have taken to heart the answer Willie Sutton gave to why he robbed banks: “Because that’s where the money is.” So it’s no surprise that the financial services sector is a favorite of hackers — and they’re looking for new fronts of attack in the cloud.
As the financial services sector experiences a wave of technological disruption, it is increasingly relying on cloud-based infrastructure to offer more digital services like mobile apps and voice-response banking. And this has raised many security concerns.
During a congressional hearing in December 2019, Treasury Secretary Steven Mnuchin called cloud security a priority for financial regulators.
“We want to make sure that no one financial institution is dependent and could be taken down,” Mnuchin said.
This new openness in financial networks came at a time when organizations worried that hackers have pinned a digital bull’s-eye on them. A survey earlier this year found that nine out of 10 IT professionals feared for the safety of their company’s network in the new connected environments — a fear that the COVID-19 pandemic will have done nothing to assuage. Financial-service professionals were the most worried of all: 89% were not confident about their ability to withstand a breach.
“Many financial services organizations are rightly concerned about security in the cloud because of one main issue: Cloud complexity,” said Matthew Chiodi, Chief Security Officer of Public Cloud at Palo Alto Networks. A recent report on the state of cloud security found the top three challenges for IT professionals when moving workloads to the cloud were the technical complexity (mentioned by 42% of respondents), maintaining comprehensive security (39%) and ensuring compliance (32%).
Financial services organizations are dealing with particularly fragmented cloud environments. Half the financial organizations surveyed had anywhere from six to more than a dozen cloud platforms in use; by comparison, 73% of both energy and industrial companies had five or fewer cloud platforms going at one time.
The Low-Hanging Cloud
It can be hard for IT professionals to get a handle on how cloud environments are configured, especially in complex, closely regulated and highly compartmentalized environments such as financial services.
This opens the door to exploitable misconfigurations and makes it harder to see weaknesses and coordinate defenses. A cloud threat report found more than 43% of cloud databases unencrypted, and only 60% of cloud storage services had logging enabled.
The situation has become more complicated with the widespread adoption of infrastructure-as-code (IaC) – the practice of building cloud environments in code and replicating them as necessary, in order to build quickly at scale. DevOps teams make wide use of IaC. However, many security teams are only just beginning to adopt it. If DevOps teams mistakenly create security weaknesses in the templates, those misconfigurations could then potentially be re-created at scale. Research also found almost 200,000 templates in use with high- and medium-severity vulnerabilities.
“This is one of the reasons over the past two years attackers have started to focus on the cloud. Due to lower levels of governance and visibility, it has become easier to penetrate,” Chiodi said. “Attackers will always go after the low-hanging fruit. It’s human nature.”
The Growing Cloud
Use of cloud services has expanded exponentially as more legacy financial institutions seek to improve operations and new digital-native startups launch, such as Ally Bank or insurer Lemonade. Forrester estimates spending on cloud services will reach $236 billion in 2020, up from $178 billion in 2018.
More than half the institutions polled by Forrester are expanding their use of the public cloud, compared to one-fourth in 2017, even as they have significant—and growing—concerns about the security risks. A survey of community banks conducted just before the pandemic found that 70% of local bankers saw security as their top concern, up from 60% two years earlier.
“The world is changing,” Goldman Sachs CEO David Solomon told a crowd of code writers and developers late last year.
Solomon said the bank is using the cloud to transform its operations: “Cloud technology allows us to do our job in a way that’s simple, all the while accounting for the complexity of our industry and helping us ensure that our work is safe, secure and responsible.”
Goldman is among the financial services companies that are considering the creation of their own financial clouds. A memo from CIO Mario Argenti sketched out plans for “a new kind of cloud for financial services.” In late 2019, Bank of America partnered with IBM to launch a “financial services–ready public cloud” with features including automated security and encryption.
“Financial services, in the past, had been kind of dipping their toes in the water,” Chiodi said. “But now they’ve had to get serious about it in order to keep pace with more agile startups.”
The Vulnerable Cloud
Difficulties securing cloud environments affect all industries, but the financial services sector is seen as particularly vulnerable. A report from Boston Consulting Group found financial services firms are 300 times more likely to be targeted than other businesses. That concern has pushed finance chief information security officers to step up their spending on cloud security. Forrester noted that the sector is spending the most on cloud security, helping push the cloud security industry to $12.7 billion in size by 2023.
“Cloud security is in its infancy,” said Christopher Porter, CISO of Fannie Mae. “If you’re doing cloud security, you can write your own check. Everybody is moving in this direction.”
Despite the tight regulation of financial services—especially after the 2008 financial crisis—the sector is not fully prepared to fight criminal hackers, experts say. Regulators have not placed very tight controls on financial data or cloud use, and breaches continue to grow in financial services at 13% year-over-year. And they also grew in size: The average cost of a financial services breach rose $1.4 million last year to $13 million.
Cloud services cut both ways—they expose more attack surface to hackers, but at the same time can offer opportunities to leverage tools such as artificial intelligence and automation to protect data from breaches.
Organizations want to avoid millions of vulnerabilities in customer apps running across cloud service providers. But if the tools are not used properly, they may end up creating the opportunity for yet more breaches.
The most common seed for such low-hanging fruit? Misconfigurations, which resulted in nearly 65% of reported breaches. “With the speed of cloud, the speed of something bad happening or a flaw in your environment is so much faster getting across,” Porter said.
A Five-Point Plan
So, what’s to be done? Chiodi suggested a five-point strategy to help organizations get a handle on their cloud operations and make them secure.
The first step is to gain awareness and deep cloud visibility. Most users rely on several cloud providers, so they require a tool that gives them visibility into all the assets they have on multiple clouds from a single console. Configurations and governance requirements also change over time, so they need a dashboard that can adapt.
The second step requires a mindset change for IT professionals and security teams. Rather than hoping for things to be configured as designed, security teams need to think in terms of what Chiodi calls “antipatterns” — i.e., specific misconfigurations that should never exist in your cloud environment, so they can be automated into nonexistence.
“We spend all that time at the whiteboard, developing these great, beautiful-looking security architectures, and we don’t spend a lot of time thinking about how this could be misconfigured,” Chiodi said. “How do I put guardrails in place to automatically prevent most of that?”
The third step requires setting a cloud security standard. DevOps teams want to move quickly and often without standards, which can introduce risks. Preset security standards provide a framework for them to follow. Standards are the precursor to automation.
The fourth step involves the recruitment and training of staff. Financial services and security organizations need people who know how to code. Security professionals don’t need to understand software engineering end to end, but understanding how software is built in your organization is critical.
There is a real shortage of security professionals who are cloud-savvy, according to Porter, so a company’s security hires may need special training. “Make that training part of their everyday job,” he said.
The fifth step: Embed security practices into the development pipeline. This is about automating your security standards into the code pipeline. “Engineers should be writing code that addresses security from the beginning, but that’s rarely the case,” Chiodi said. “This is why it’s critical to build and integrate security smoke tests from development through deployment.”
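The three ideas above (misconfigured IaC templates that replicate at scale, "antipatterns" that should never exist in the environment, and security smoke tests wired into the pipeline) fit together in a single small policy-as-code check. The following is an added example written for this article; it is not code from Palo Alto Networks, Fannie Mae, or any product mentioned here. It encodes a handful of antipatterns drawn from the statistics the article cites (unencrypted databases, storage without logging, public exposure) as predicates over a CloudFormation-style JSON template, scans every resource, and returns a pipeline exit code. The template, the rule IDs, and the resource names are constructed for illustration; the CloudFormation property names used (AccessControl, BucketEncryption, LoggingConfiguration, StorageEncrypted, PubliclyAccessible, IsLogging) are real properties, but the checks are deliberately simplified compared with a production scanner.

```python
import json
import sys

# Constructed sample template (not from any real deployment). It mixes one
# clean bucket with three resources that each violate at least one antipattern.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "CustomerDocs": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}
    },
    "LedgerDb": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"StorageEncrypted": false, "PubliclyAccessible": true}
    },
    "AuditTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": false}
    },
    "ArchiveBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "Private",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "LoggingConfiguration": {"DestinationBucketName": "log-bucket"}
      }
    }
  }
}
""")

# Each antipattern: (resource type it applies to, rule id, human message,
# predicate over the resource's Properties that is True when the
# misconfiguration is present). Rule ids are illustrative, not a real scheme.
ANTIPATTERNS = [
    ("AWS::S3::Bucket", "S3-PUBLIC-ACL", "bucket ACL grants public access",
     lambda p: p.get("AccessControl") in ("PublicRead", "PublicReadWrite")),
    ("AWS::S3::Bucket", "S3-NO-ENCRYPTION", "bucket has no default encryption",
     lambda p: "BucketEncryption" not in p),
    ("AWS::S3::Bucket", "S3-NO-LOGGING", "bucket access logging is not configured",
     lambda p: "LoggingConfiguration" not in p),
    ("AWS::RDS::DBInstance", "RDS-UNENCRYPTED", "database storage is not encrypted",
     lambda p: p.get("StorageEncrypted") is not True),
    ("AWS::RDS::DBInstance", "RDS-PUBLIC", "database is publicly accessible",
     lambda p: p.get("PubliclyAccessible") is True),
    ("AWS::CloudTrail::Trail", "TRAIL-LOGGING-OFF", "audit trail logging is disabled",
     lambda p: p.get("IsLogging") is not True),
]


def scan_template(template):
    """Return one finding dict per (resource, antipattern) match."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {}) or {}
        for applies_to, rule_id, message, predicate in ANTIPATTERNS:
            if rtype == applies_to and predicate(props):
                findings.append({"resource": name, "rule": rule_id, "message": message})
    return findings


def pipeline_gate(template):
    """Smoke-test entry point for CI: 0 when the template is clean, 1 otherwise.

    Because IaC is replicated, a single finding here would otherwise be stamped
    out into every environment built from the template, so any match fails.
    """
    return 1 if scan_template(template) else 0


if __name__ == "__main__":
    for f in scan_template(SAMPLE_TEMPLATE):
        print(f"{f['resource']}: [{f['rule']}] {f['message']}")
    sys.exit(pipeline_gate(SAMPLE_TEMPLATE))
```

Run in a pipeline stage, a non-zero exit blocks the deploy before the template is instantiated anywhere; the same predicate list can be run on a schedule against exported live configuration to catch drift, which is the "automate them into nonexistence" step rather than a one-time review.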
A Shared Responsibility
The public cloud depends on a model of shared responsibility that includes institutions and their clients, as well as every technology vendor in the stream, each doing its part to keep the network secure.
“Security cannot build this cloud journey alone,” said Porter. “This is not a case where you can come in from behind and bolt on security on top of it.” Vulnerabilities rise when some part of the chain becomes a weak link, as the Financial Stability Board concluded in its study on cloud security in financial services.
Cloud providers have tried to talk about that shift of responsibility, but the message hasn’t really gotten through. There is an assumption that moving to the cloud means you automatically get security. “That’s just simply not true. You have to build it,” Chiodi emphasized. “People understand that there’s a shared responsibility, but the conceptual piece may actually get lost in implementation.”
The cloud is the future of financial services. But financial services organizations must do security differently in the cloud. It’s the only way they can hope to stop the cyber robbers who are looking for where the money is.