Kashim Cooper, Finance Specialist and #ADCHero at the eponymous Loadbalancer.org, outlines some of the key considerations for credit unions wanting to take advantage of the cloud, but worried about data security and compliance.
Credit unions provide loans, savings, and other financial services to more than 375 million members in 118 different countries. The United States holds the greatest wealth of credit union members worldwide, with assets reaching a sizeable $1.58 trillion. They come in all shapes and sizes, but with fewer resources than banks, the services and technology offered by credit unions must be as cost-effective as possible, driving an even more pronounced shift towards digital service provision.
Cloud computing appetite
Continuous innovation in complex financial environments is extremely tough. Recent technology advances have created new opportunities to transform credit unions, but to innovate successfully they must carefully select the right infrastructure to help them meet the needs of their members (be that on-premise, private, public, community, multi or hybrid cloud). Nevertheless, regardless of the platform, compliance and security will be top-of-mind – whether they are one of the 41% of credit unions who have already deployed to the cloud, or the 24% still planning to make this transition.
Security and risk controls are paramount for financial institutions. In the US, banking regulations are somewhat fragmented due to regulations at both the state and federal level. All regulators, however, take a forensic interest in banking systems and controls, placing an equal emphasis on data protection and security, anti-money laundering, and compliance. With data and network security affecting every aspect of day-to-day banking and finance operations, a breach could be catastrophic – subverting data protections, disrupting uptime and taking applications away from the people who rely on them, 24 hours a day. Hence this must be avoided at all costs.
The Federal Financial Institutions Examination Council (FFIEC)
It is important to distinguish between core business applications, and the finance applications utilized by credit unions to manage and protect sensitive member data. Core business applications such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Web Filtering, Microsoft, Storage, and Print, are all fundamental to day-to-day operations but are not subject to the same stringent security and compliance regulations as finance applications. These mission-critical applications hold data that requires an enhanced level of protection, such as member details, accounts, load applications, transactions, transfers, banking records, and draft and ACH postings, as mandated by the Federal Financial Institutions Examination Council (FFIEC).
In 2020 the FFIEC issued a statement to address the use of cloud computing services and security risk management principles in the financial services sector. The statement underlined the importance of adequate security controls, resiliency and data management in order to explicitly underline the shared responsibilities between cloud service providers and financial unions. Even public cloud providers such as AWS have themselves gone to great pains to highlight the shared security liabilities of data held in the cloud. Crucially, it remains the responsibility of the credit union to undertake any additional work needed to adequately protect their member data – wherever it may sit – so this is not something that can be outsourced to a public cloud provider.
Credit union IT challenges
Cloud security considerations also sit alongside a host of other immediate and sizable IT challenges. Specifically, the need to retain existing members while at the same time build resilient IT systems, the requirement to grow members and services, an obligation to improve resilience against new security threats, and an urgent need to adapt to disruptive open banking models. All of this while maintaining member trust in their data security and protection policies and practices, with cybersecurity attacks on the rise. With a 1,318% increase in cyber attacks the National Credit Union Administration is so concerned about recent data security breaches that they have issued grants of up to $7,000 per credit union to strengthen their cybersecurity protection.
Juxtaposed to this is the promise of potential cost savings in the public cloud through the streamlining of operations and processes, minimizing the size of physical data centers, and an ability to scale infrastructure up and down on-demand. Because the cloud promises to solve many of these challenges (offering the opportunity for credit unions to adapt much faster to changing market and member trends), it is not hard to see why cloud data security considerations are currently under such scrutiny. But the public cloud is designed for the many, not the few. Generic security protocols are therefore unlikely to be sufficient to remain security compliant. With shared locations, servers, and an inability to customize data security settings, credit unions will likely struggle to meet their regulatory requirements. Public cloud providers may take on responsibility for the security of their platforms, but credit unions remain liable for the security of their data in the cloud.
So where does that leave credit unions and small finance companies? Here is some food for thought for those currently developing or refining their cloud roadmap.
1. Public cloud: still infrastructure, just in someone else’s hands
Data held in the cloud will often need additional protection put in place, for both security and compliance reasons, such as deploying a Web Application Firewall (WAF). Whether working with a simple static website or a full-blown dynamic web application, putting a WAF in place provides the ability to filter, monitor, and block HTTP traffic. Inbound client request traffic and outbound responses from the credit union’s back-end servers can be analyzed in order to harden and protect access to those services. A WAF differs from a traditional firewall which provides a barrier between external and internal network traffic. A WAF allows traffic to be meaningfully inspected and informed decisions to be made in order to improve the security of a web application.
While many public cloud platforms feature a built-in WAF offering of some description, using a cloud platform-specific WAF can be limiting as well as expensive. Most of the built-in WAF services currently available in public clouds require a separate service instance to be provisioned and paid for. Looking at their technical implementation, which is usually something of a black box and not open to user scrutiny, these built-in WAFs typically use a cut-down version of the free and open-source OWASP ModSecurity Core Rule Set, the de facto standard set of rules to use with a WAF engine. Some functionality and protection is usually removed by the service provider in favor of ease of use, and often these services provide little to no flexibility, making it impossible to deploy a custom configuration for a specific application. Crucially, these built-in services almost always use outdated versions of the Core Rule Set which are no longer supported and lack protection against the latest vulnerabilities and attacks. This often leaves users relying on a set of WAF rules that are anywhere up to five years out of date, without users being aware of this. Not great from a security perspective.
2. Private cloud: customized security protection
One of the great things about the private cloud is that it is much easier to connect to and share data with third party systems and platforms, as members are now demanding. Third party data sharing can save the member having to enter duplicate information on multiple systems, facilitate identity checks, and expedite Automated Clearing House (ACH) credit payments, processing and electronic transfers. With private cloud, IT teams have full sight and control of customized security settings which provides additional security protection for critical workloads and regulatory compliance. Because servers aren’t shared with other financial institutions, private cloud therefore offers a closed space that can only be accessed by an authorized list of users with the right credentials.
The main downside of private cloud is the cost of establishing and maintaining the infrastructure and services required. But beyond this, private cloud may not be able to offer the same level of redundancy as the public cloud, where providers such as Azure have the resources to provide numerous forms of data storage replication: Locally Redundant Storage (LRS), Zone-Redundant Storage (ZRS), Geo-Redundant storage (GRS), Read-Access Geo-Redundant Storage (RA-GRS), or Read-Access Geo-Zone-Redundant Storage (RA-GZRS). This means the public cloud may therefore offer faster disaster recovery in the event of a system failure.
3. Hybrid cloud: consider the application, not the platform
Cloud is not an all or nothing, and credit unions will likely need to retain hybrid cloud environments. In a hybrid environment hardware and software is based on- AND off-premise (as opposed to private cloud which is on- OR off-premise, and may or may not be run by a third party). As such, data can be managed across multiple platforms. The complexity of a hybrid environment comes in running adequate security protocols across public and private cloud platforms. Shifting non-critical applications/day-to-day business operations to the public cloud is therefore likely to make more sense initially, with sensitive or critical data retained in the credit union’s own private cloud, or on-premise. However, running software across private and public cloud environments while meeting compliance requirements remains a significant challenge.
The reality is that on-premise solutions are likely to remain a critical part of any credit union security strategy for some time to come. At the end of the day, the only way you can 100% guarantee data security is by having physical control of the box that houses that data. And private cloud environments managed by a third party relinquish that. Indeed, even serverless applications require a physical server somewhere to execute the code and so, as Forrester acknowledge, hardware is likely to remain a critical component of any data security strategy for many years to come, housing sensitive member data and customized applications. Hence individual workloads and their associated risk assessments should inform any infrastructure decisions.
When security is the priority, private cloud or on-premise environments are likely to be the safest places for credit unions to store their sensitive data, where customization opportunities increase the likelihood that regulatory requirements can be met. For core business applications, however, the safeguards in the public cloud are likely to be more than adequate. So determining whether you can or should move to the public cloud are two very different questions. And the Service Level Agreements of every public and third-party private cloud provider will need to be forensically examined to ensure that security expectations and compliance requirements can be complied with.
While security protocols in any form may undermine the ease and speed of access for members, retaining customer trust is the most fundamental pillar of any financial institution and so should be the primary driver of the decision making process. Credit unions should not therefore become complacent when it comes to data security. Out of sight, should most definitely not mean out of mind.