The acceleration to the cloud has been building for a few years, as regulators, cloud service providers and banks become more comfortable with the controls and security that the cloud can provide to the banks.
The cloud offers several benefits to banking, including cost savings, improved security telemetry and better data security with the use of additional tools.
However, as financial sector companies push forward with modernization, difficulty sourcing talent looms as a potential security risk, an Accenture survey found.
A successful cloud migration project will require not only cloud experts and cloud security experts, but also DevOps engineers, business analysts, and project managers engagement.
Building a Team with Broad Skillsets
“By having a team with these skill sets and understanding of the cloud, organizations can ensure that the cloud migration is completed effectively and efficiently, and doesn’t introduce additional cyber and privacy risk,” explains Claude Mandy, chief evangelist of data security at Symmetry Systems.
He notes banks and financial institutions are in one of the most heavily regulated industries, with specific regulations focused on data security and privacy. Due to their role as critical infrastructure, availability to customers and use of third parties is also heavily regulated.
“They are also in one of the most heavily targeted industries from cybercriminals,” Mandy says. “Not only as juicy critical infrastructure targets, but also being an industry where a compromise can directly translate to financial gain for an attacker, without the need for extortion or sale of data.”
These heightened cybersecurity concerns translate directly to the cloud, as institutions focus on ensuring their data is secure, their cloud service providers are secure, compliant and their services are resilient to meet these regulatory needs.
New Environments Require Sufficient Expertise
Shay Siksik, vice president of customer success at XM Cyber, says the cloud is new to banks and often IT people are not trained or skilled to architect and configure the cloud, which may create security weaknesses.
“While the cloud seems like a very simple technology, that’s not the case,” he says. “Not knowing the cloud default configurations and countermeasures that should be taken against it might keep your application wide open.”
Siksik adds that changes in the cloud also happen quite frequently and with less level of control over changes than the bank normally has.
“The cloud is open to many developers and DevOps, which could push a change without the proper change process, as things are more dynamic,” he explains. “This mindset is new to banks, where normally you will have strict and long change processes.”
James McQuiggan, security awareness advocate at KnowBe4, explains cloud architects design and oversee the bank's cloud infrastructure implementation and need experience in cloud computing platforms and knowledge of network architecture, security, and compliance.
“The security specialists are to ensure the bank's cloud environment is secure and compliant with any applicable regulatory requirements,” he adds. “The skills needed are cloud security, threat detection and response, and a strong understanding of regulations and compliance.”
Meanwhile, DevOps engineers will manage the cloud infrastructure and develop and manage the bank's applications and must understand cloud infrastructure automation and application deployment.
“All the staff can acquire additional skills from industry events and conferences,” McQuiggan says. “The bank can consider additional training and certifications to ensure they have the right skills.”
Board of Directors Provides Guidance, Oversight
Financial institutions must involve many stakeholders when planning and moving to a secure cloud infrastructure.
Some key stakeholders include the board of directors, who will provide oversight, guidance, and strategy. They will be the ones who approve strategy and budgets to ensure the transition meets the needs and vision of the bank.
Mandy says other stakeholders may vary depending on the organization's geographical coverage, the migration goals and the sensitivity of the data being used.
“Given the reliance on the cloud service provider, procurement and general counsel should also be a key stakeholder to ensure adequate contractual protection and pricing,” he says.
The scale and complexity of the cloud are hard challenges to face into, and hence why observability is key to ensuring that it is operating as intended and that the data at the heart of the financial institution is protected from unauthorized access, destruction and/or alteration.
Mandy notes fixing the problem of scale and complexity is not simple but starts with visibility and this visibility needs to extend down to the most precise data level it can if it is to meet compliance requirements.
“At a financial institution, this is made even more critical given the potential impact, a single unauthorized change to data can have,” he says.
Temper Reliance on Cloud Providers for Security
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, cautions financial institutions are over reliant on the cloud providers security capabilities and many times overlook application and API security.
“Many use multi-cloud and thus their workloads may not have the same level of security between clouds,” he adds. “Distributed multi-cloud workload security is an imperative. If we have learned anything from ongoing attacks, it is that cybersecurity is a functionality of conducting business not an expense.”
Among the key IT specialists that financial institutions need are application security experts, cloud workload security expert, and threat hunters.
“In addition to cyber security specialists, we will also see financial institutions begin to bring cybersecurity specialists on to their boards of directors,” Kellermann says.
He notes this is in line with a proposed rule from the Securities and Exchange Commission that would require public companies to disclose whether their boards have members with cybersecurity expertise.
What to Read Next:
Will Fallout from SVB Lead to a Rethinking of Tech Investment?
Cloud Adoption in Financial Services: Risks and Opportunities