web analytics

Banking Tech Forecast: Cloudy, With a Chance of Cyber Risk – Source: www.govinfosecurity.com

banking-tech-forecast:-cloudy,-with-a-chance-of-cyber-risk-–-source:-wwwgovinfosecurity.com
Rate this post

Source: www.govinfosecurity.com – Author: 1

3rd Party Risk Management
,
Cloud Security
,
Governance & Risk Management

Cloud Adoption in Financial Services has Soared – as Has Security Risk

Rashmi Ramesh (rashmiramesh_) •
July 4, 2023    

Banking Tech Forecast: Cloudy, With a Chance of Cyber Risk
Source: Shutterstock

Nearly all financial services companies in the United States use some form of cloud computing, with more than half of them facing compromises last year, according to payments and cloud security experts. The infamous Capital One breach, and other attacks such as the ones on Wiseasy and AvidXchange in recent years demonstrate the vulnerability of cloud environments.

See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

While cloud security is a challenge across industries, organizations in the financial services sector face unique impediments due to special regulatory, data security and privacy considerations that don’t apply to most industries.

Financial institutions hold large amounts of sensitive information, so they need to constantly adapt their protections and create unique computing requirements, said Linda Betz, acting CISO at Financial Services Information Sharing and Analysis Center. They also face regulatory requirements, which require strict diligence when setting up and managing third-party services, such as cloud providers, she said.

Regulations such as the Payment Card Industry Data Security Standard, the California Consumer Privacy Act, the General Data Protection Regulation and the Sarbanes Oxley Act necessitate security controls for data handling, implementation and monitoring capabilities. To ensure compliance and adhere to these standards, financial services organizations must be able to analyze their cloud infrastructure and configurations.

“In many ways, the sophistication of the major cloud providers regarding security means that the sector is more secure as it migrates to the cloud,” Betz said.

But resilience is a key issue. The financial sector is heavily reliant on a few large cloud services providers, creating concentration risk, Betz said. “If one major provider does go down, a large proportion of the sector could be impacted,” she said.

Financial services firms have adopted cloud rapidly in the past few years, with 98% using some form of cloud computing, and 59% storing or processing regulated banking information within cloud services, according to the Cloud Security Alliance.

With the pandemic and the subsequent remote working, financial institutions have grown more comfortable with cloud computing as a responsible technology that can provide greater confidence in security controls, said Troy Leach, chief strategy officer at Cloud Security Alliance. He also helped establish and lead the PCI Security Standards Council, which creates global standards and certification programs for the payments industry.

The breakneck pace of adoption has also resulted in a shortage of security experts who understand the overlapping, yet unique needs of the two industries.

The cybersecurity sector has faced a shortage of skilled security professionals for most of its existence. Cloud solutions help mitigate this, because security can be integrated into the infrastructure and managed in a centralized place, Betz said.

“Even then, financial institutions are still expected to conduct due diligence and oversight of third parties. This ability to evaluate security in a complex environment requires a high level of skill, which will continue to be highly sought-after, she said.

Hiring and retraining existing staff to meet the volume of needed workers is a challenge too, in addition to the regulatory landscape wanting to force multi-cloud infrastructure for resiliency, Leach said. This means that a financial institution may be required to support multiple cloud service providers that operate differently and have different approaches to security assets.

“The expectation is that these organizations will simply hire subject-matter experts for each iteration of cloud, which defeats some of the benefits and efficiencies that cloud services offer,” he said.

Financial institutions also face the unique expectation of managing financial data, in addition to technology that could influence access to that data, Leach said.

“Not only is there the challenge of restricting access to financial accounts and keeping the information confidential, but there is legacy legislation that has existed for 30+ years and was established before there was any commercial concept of cloud computing and leveraging all the various type of services available today,” Leach said.

The Accountability Musical Chair

Misunderstanding cloud service responsibilities is the most common security issue today, Leach said. A vast majority of reported data breaches within cloud services are associated with misconfigurations or poor understanding of who has responsibility, he said.

Accountability for third-party services must be documented and understood completely by both parties. “For example, there are so many native security controls that exist in cloud architecture. But if they are not enabled, it is like owning a sports car but only using it because you like the leather seats and never turning over the engine,” Leach said.

This is especially important since cloud services are offered in many different ways.

The makeup of each offering, and whether or not security is included, depends on the chosen cloud service as well as the firm’s specific needs, Betz said. Software as a service usually includes security, but infrastructure as a service providers may only offer the building blocks to protect the solution, she said. In an IaaS environment, the cloud provider usually applies security, such as patching capabilities, to the base infrastructure, but the financial institution still needs to secure the application within the cloud platform, she said.

“The beauty of cloud services is the ability to have advanced customization. But it also makes it highly important for your security teams to have good, ongoing cloud security training to understand how best to apply the security,” Leach said.

With the shared security responsibility model, financial companies must ensure that they evaluate and discuss which of the expected security requirements will be available inherently in their services, an additional service or expected of the customer to BYOS, aka Bring Your Own Security, Leach said.

The level of responsibility for each partner changes if the platform is used as an IaaS, SaaS or platform as a service, Betz said.

IaaS requires the institution to have more security responsibilities in the setup and maintenance of the cloud solution, whereas SaaS solutions require the cloud provider to have more security responsibilities. SaaS solutions also can be built on a cloud provider, which creates more complexity as there is a fourth party involved in the solution. Contracts are used to identify the split of responsibilities, she said.

“Regardless of the contractual split of security responsibilities, regulators are increasingly holding financial institutions responsible for security incidents that occur through third-party suppliers,” she said.

Financial firms also face reputational risk related to suppliers. Customers do not know or care about the minutia of contractual responsibilities – they only care whether their money and data are safe with their institution, she said. Security, compliance and procurement leaders at financial institutions must consider their third-party risk appetite accordingly, Betz added.

Implementation Challenges

Previously, companies faced natural pain points of modernizing technology to former business practices and approaches to auditing that would satisfy a traditional, on-premises environment. Documentation and the expectation that everything was going to be in a simple static state or log file was a greater challenge.

But now, when we are creating more than a 100 zettabytes of new data daily – before the quick adoption of ChatGPT and other generative artificial intelligence – the natural evolution is more automation to manage the pace of data processing, which means regulatory perspective needs to transition to the assessment of the process and assuring the practice is immutable, Leach said.

Regulators hold financial institutions responsible for understanding and managing security risks, including the use of cloud services, Betz said. To mitigate risk, financial institutions should perform due diligence and conduct ongoing oversight. For example, to do in-depth risk analysis, institutions need to make sure they understand the software bill of materials of their chosen solutions, so they are able to address newly identified vulnerabilities, she said.

Going forward, new regulatory requirements will require further scrutiny of cloud service providers that previously did not have direction regulatory obligations, Leach said.

“For example, the Digital Operational Resiliency Act will provide new expectations for the role of supply chain and solution providers by expecting threat-led penetration test of the cloud service provider, which qualifies under their definition of Information Communication Technology provider,” he said. Similarly, the new PCI DSS v4.0 requirements include similar expectations for “multi-tenant service providers” and how they must be assessed for security. Both of those set of requirements going into effect in the first quarter of 2025, he said.

Original Post URL: https://www.govinfosecurity.com/banking-tech-forecast-cloudy-chance-cyber-risk-a-22441

Category & Tags: –

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Apress
Jump-start Your SOC Analyst Career – A Roadmap to Cybersecurity Success by Apress
Jump-start Your SOC Analyst Career...
FIRE EYE
The Cyber Risk Playbook – What boards of directors and executives should know about Cyber Risk by FireEye.
The Cyber Risk Playbook –...
Unbound Security
The Cybersecurity Acronym Book
The Cybersecurity Acronym Book
CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
Marcos Jaimovich
Presentación “ModoSOC in Real Life” por Marcos Jaimovich en SEGURINFO Chile 2022.
Presentación “ModoSOC in Real Life”...
IBM Security
How much does a data breach cost in 2022? IBM Cost of a Data Breach 2022 Report by IBM Security
How much does a data...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...
Forrester - Allie Mellen
Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR – EDR Is Dead, Long Live XDR by Allie Mellen – Forrester
Adapt Or Die: XDR Is...
CYBER LEADERSHIP INTITUTE
CISO PLAYBOOK: FIRST 100 DAYS Setting the CISO up for success
CISO PLAYBOOK: FIRST 100 DAYS...

LASTEST PUBLISHED POSTS

National Security Agency
CSI Cloud Top10 Key Management
CSI Cloud Top10 Key Management
CSA Cloud Security Alliance
Defining the Zero TrustProtect Surface
Defining the Zero TrustProtect Surface
HANIM EKEN
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CNIL
PRACTICE GUIDE GDPR – SECURITY OF PERSONAL DATA Version 2024
PRACTICE GUIDE GDPR – SECURITY...
PWNED LABS
Cloud Security Engineer Roadmap
Cloud Security Engineer Roadmap
tutorialspoint.com
Cloud Computing Tutorial Simply Easy Learning
Cloud Computing Tutorial Simply Easy...
SMITHA SRIHARSHA
CISSP Preparation Notes
CISSP Preparation Notes
CISSP Mind Map: All Domains
CISSP Mind Map: All Domains
Lansweeper
CIS 18 CRITICAL SECURITY CONTROLS CHECKLIST
CIS 18 CRITICAL SECURITY CONTROLS...
Semaphore
CI-CD with Docker and Kubernetes
CI-CD with Docker and Kubernetes
EC-MSP
BUSINESS CONTINUITY PLAN & DISASTER RECOVERY PLAN TEMPLATE
BUSINESS CONTINUITY PLAN & DISASTER...
PWC
Building a risk-resilient organisation
Building a risk-resilient organisation

More Latest Published Posts

40 under 40
40 under 40 in CyberSecurity 2024
40 under 40 in CyberSecurity 2024
HADESS
40 Days in DeepDark Web About Crypto Scam
40 Days in DeepDark Web About Crypto Scam
Everbridge
8 Principles of Supply Chain Risk Management
8 Principles of Supply Chain Risk Management
CHAOSSEARCH
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
ENDGAME
The Hunters Handbook Endgame’s Guide to Adversary Hunting
The Hunters Handbook Endgame’s Guide to Adversary Hunting
THE EU’S MOST THREATENING by EUROPOL
THE EU’S MOST THREATENING by EUROPOL
National Cyber Security Centre
Responding to a cyber incident – a guide for CEOs
Responding to a cyber incident – a guide for CEOs
IGNITE Technologies
CREDENTIAL DUMPING
CREDENTIAL DUMPING
HADESS
Pwning the Domain Lateral Movement
Pwning the Domain Lateral Movement
Jorgen Lanesskog
PING Basic IP Network Troubleshooting
PING Basic IP Network Troubleshooting
TELESOFT
Layer 7 Visibility What are the Benefits?
Layer 7 Visibility What are the Benefits?
TIGERA
Introduction to Kubernetes Networking and Security
Introduction to Kubernetes Networking and Security
Department of Defense's (DoD)
Defense Industrial Base Cybersecurity Strategy 2024
Defense Industrial Base Cybersecurity Strategy 2024
Dummies
Zero Trust Access for Dummies Fortinet
Zero Trust Access for Dummies Fortinet
Homeland Security
Zero Trust Implementation Strategy
Zero Trust Implementation Strategy
National Australia Bank Limited
Your Business and Cyber Security
Your Business and Cyber Security
CYFIRMA
Xeno RAT- A New Remote Access Trojan
Xeno RAT- A New Remote Access Trojan
IGNITE Technologies
Windows Persistence COM Hijacking MITRE T1546 015
Windows Persistence COM Hijacking MITRE T1546 015
IGNITE Technologies
Windows Exploitation Rundll32
Windows Exploitation Rundll32
IGNITE Technologies
Windows Exploitation Msbuild
Windows Exploitation Msbuild
HADESS
Web LLM Attacks
Web LLM Attacks
HADESS
Trended Protocols for Security Stuff
Trended Protocols for Security Stuff
Red Iberoamericana de Protección de Datos
Transferencia Internacional de Datos Personales – Guia de Implementación
Transferencia Internacional de Datos Personales – Guia de Implementación
CYFIRMA
TRACKING RANSOMWARE January 2024
TRACKING RANSOMWARE January 2024
https://www.linkedin.com/in/harunseker/
TOP Cyber Attacks Detected by SIEM Solutions
TOP Cyber Attacks Detected by SIEM Solutions
TRAVARSA
Top 100 Cyber Threats and Solutions 2024
Top 100 Cyber Threats and Solutions 2024
Top 50 Cybersecurity Threats
Top 50 Cybersecurity Threats
OWASP
Top 10 Considerations for Incident Response
Top 10 Considerations for Incident Response