Everything's in the cloud now – including new cybersecurity risks
Across the financial sector, there’s unprecedented demand to optimize, accelerate and automate every aspect of business. Merchants, credit unions, banks and payment service providers are running hundreds of applications – hard pressed to accommodate the sheer volume and constant flux in demand for data processing and storage.
Despite hesitation by financial organizations to move to the public cloud, adoption is expected to grow following the Financial Industry Regulatory Authority’s decision to move about 90 percent of its data stores to Amazon Web Services. Innovative institutions have realized the need for a shift from existing on-premises infrastructure to a hybrid model involving one or more infrastructure as a service (IaaS) solutions. Embracing the cloud as part of their overall data center strategy enables organizations to meet heavy demands while improving cost efficiencies.
But when it comes to the cloud, compliance can be complex. As innovators in credit unions expand their cloud footprint, they must pay close attention to the jurisdictions where their data is stored. For instance, a credit union can be subject not just to federal laws but also to the Payment Card Industry Data Security Standard (PCI-DSS) set by the credit card companies, along with state-level regulations such as New York’s Cybersecurity Requirements for Financial Services Companies. Beyond that, credit unions with members operating in Europe must consider the European Union’s General Data Protection Regulation, which introduces data residency and privacy concerns, with high penalties for non-compliance.
Financial regulation is a labyrinth. Navigating compliance in virtual and cloud environments is no easy task, particularly when spanning multiple jurisdictions where regulations are continuously evolving.
For example, credit unions offering credit cards must ensure that they protect members’ card and account data, a task that becomes even more complicated when that data resides on diverse sets of virtual machines or databases across integrated private and public data centers – and it all needs to be done with a high degree of automation. Knowing how that data is protected, where it resides and who has access to it is critical, both to meet business goals and to comply with regulatory obligations. This makes protecting data in cloud environments even more critical.
Despite the need for data protection in the cloud, credit unions are faced with varying security capabilities across different virtualization, cloud and hardware vendors, with little to no cross-platform visibility. Without a unified approach to cloud security, organizations face serious risk and gaps in compliance. What do these include?
First, credit unions can be at significant risk of a data breach. Sensitive cardholder and account data stored in plaintext is vulnerable to loss, theft or exposure in the cloud.
Additionally, institutions must protect against losing control of their data. Strong cryptography is recommended to protect sensitive cardholder and account information, but without exclusive control of keys, data is still at risk.
Credit unions may also experience data sprawl. Sensitive workloads that should be restricted to the private data center can easily leak to unprotected environments, leading to unmanageable risk scenarios and conflicts with data residency requirements under the EU GDPR.
Finally, organizations can encounter silos and security gaps. Security solutions tied to a specific cloud service provider, a hypervisor (the software, firmware or hardware that creates and runs virtual machines) or a dedicated hardware appliance create risk-management silos and security holes between environments.
So how can you best address these issues to ensure your credit union is meeting regulation requirements and protecting the member data you hold?
- Treat the management of on-premises and cloud-based data with the same rigor. Cloud management should be held to the same standard as managing on-premises servers and services. Management must cross these perceived boundaries, or there will be a gap in which security and compliance fail. That gap can lead to data breaches or regulatory failures that damage member trust and a credit union’s reputation, and can also result in substantial fines or operational costs to rectify the situation.
- Encrypt your data. While your cloud service provider is responsible for the security of the cloud itself, you are accountable for the security of the data you host in it. Encrypt everything sensitive and confidential. This protects the data not only from outside attackers but also from risks within – whether intentional or accidental – by turning it into ciphertext that cannot be read without the decryption key. Unauthorized users won’t be able to read the data even if they gain access to it, which significantly limits the impact of a data breach on a credit union.
- Use a single key-management solution for all of your security. A single key-management solution should be considered for all of your credit union’s platforms. Evolving hypervisor vulnerabilities create a security risk, so don’t leave keys open to theft or transfer of authority. By keeping keys separate from the hypervisor, keys and data are never exposed to government agencies or malicious insiders. Furthermore, if there’s a breach at your cloud service provider’s facilities, your encrypted data and keys won’t be compromised.
- Employ user-friendly tools to track and report that virtual machines and data are always in a protected state. Data security solutions that provide instant visibility through a simple dashboard are critically important. Such tools make it easy to verify compliance across numerous security standards.
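The "encrypt your data" and "keep keys separate from the provider" recommendations above combine into envelope encryption: each record is encrypted under its own data encryption key (DEK), and the DEK is wrapped under a key encryption key (KEK) that stays in the credit union's own key manager. The Go program below is an added illustration, not code from the original article or any vendor; the KEK, the sample record and the "eu" residency label are constructed values, and the residency label is bound to the ciphertext as AES-GCM associated data so a blob cannot be opened with the wrong key or outside its declared region.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// gcm builds an AES-256-GCM AEAD; key must be 32 bytes.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal prepends a fresh random nonce; open reverses it and fails on a wrong
// key or a mismatched AAD (here the constructed residency label, e.g. "eu").
func seal(key, pt, aad []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand never returns a short read
	return gcm(key).Seal(nonce, nonce, pt, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], aad)
}

// Protect returns the only two things the cloud stores: the record under a
// fresh per-record DEK, and that DEK wrapped under the credit union's KEK.
func Protect(kek, record []byte, region string) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek, []byte(region)), seal(dek, record, []byte(region))
}

// Recover unwraps the DEK with the KEK, then the record; a wrong KEK or region fails.
func Recover(kek, wrappedDEK, ciphertext []byte, region string) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(region))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(region))
}
```

A provider-side copy of the wrapped DEK and ciphertext is useless without the KEK, which is the "exclusive control of keys" point the article makes.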
The cloud is transforming the way credit unions work, providing increased efficiencies and cost savings. However, with the cloud comes security risks if data, infrastructure and workloads are not managed correctly. Financial institutions are high priority targets of cybercrime due to the monetary gain at stake, so data protection must be prioritized as a critical task. Ensure your organization has the right management tools and processes in place to support consistent data security and compliance – or risk the potential harsh repercussions.