By Lalitendu Mohanty, Global Lead, Cloud Solutions at Infosys Finacle
The cloud's numerous advantages, such as low total cost of ownership, extreme scalability, high agility and support for innovation, make a compelling value proposition for banking enterprises. By leveraging the cloud, banks can take more new products to market more quickly, improve customer experience, respond faster to external stimuli and even accelerate digital transformation. But before that, they must ensure that their data and applications will be absolutely secure once they migrate to the cloud; this is not only necessary for regulatory compliance but also for user adoption.
A framework for cybersecurity
A six-step security framework based on certain fundamental principles enables enterprises to safeguard their cloud assets. Here is a brief description:
- Incorporating an enterprise-wide risk management framework: As a first step, a banking security framework must craft a comprehensive and robust policy.
- Defining best practices: The various risk elements and controls must be defined, and the best practices to implement these controls should be laid out.
- Establishing standards for technical and information security: There must be clear standards for each and every element in a security process, from user identification and authentication to access control and privileges. It is equally important to specify standards for the security tools and information security measures that banks may use to ward off potential cyber risks. Most banks follow the recommendations of NIST (National Institute of Standards and Technology), which has defined 255 controls in different areas of cybersecurity; however, it is up to the individual banks to decide which controls to activate – too many controls would increase the number of alerts and impact day to day productivity; too few would expose the organization to risk.
- Spreading awareness among staff: A 2019 report based on nearly 44,000 security incidents and data breaches from 86 countries found that one-third of the events in 2018 were caused by internal agents. Some of these events arose from sheer negligence, as in the case of a North American healthcare products and solutions provider, whose failure to protect equipment and encrypt information resulted in several cases of theft of personal information. Building security awareness among employees can go a long way in preventing breaches caused by thoughtless behavior – for instance, downloading attachments from unverified sources. Therefore, the framework must provide guidelines for educating staff about the bank's security policies and norms of secure behavior; employees must be trained to be alert to potential security events and also trained on how to respond in case of a breach.
- Collaborating with the industry: All banks in a region are bound by the same security and regulatory compliance mandates. Also, security must be a collective endeavor to succeed, because a single weak link can compromise many others around it. Hence apart from controls, technical standards and staff training, a bank's security framework should address industry-wide collaboration to improve awareness and implementation of best practices, share information on new threats, pool solutions etc. One example of industry collaboration is an initiative driven by the Bank Policy Institute, which co-developed a cybersecurity assessment tool called "Financial Services Sector Cybersecurity Profile" along with the American Bankers Association and experts from more than 150 financial institutions around the world.
- Practicing cross-border cooperation: The impact of a cybersecurity breach may be felt far and wide in the globalized banking world. This is why it is imperative for banks to collaborate on security outside their borders. Also, a regulatory supervisory approach transcending national boundaries can help to share knowledge and best practices and thereby mitigate the impact of cyber attack.
A cloud security framework provides a list of key functions necessary to manage cybersecurity-related risks in a cloud-based environment. This includes referencing security standards and guidelines based on best practices and industry standards and adopting specific controls when identifying and responding to threats.
This framework has six critical pillars:
- Identify: Understand organizational requirements and complete security risk assessments.
- Protect: Implement safeguards to ensure the infrastructure is self-sufficient during an attack.
- Detect: Deploy solutions to monitor network breach and identify security-related events.
- Respond: Launch countermeasures to combat potential or active threats to business security.
- Recover: Develop and activate the necessary procedures to restore system capabilities and network services in the event of a disruption.
- Report: Provide a consolidated view of the breaches that occurred, and alerts with preventive actions on how it resolved the crisis.
Each of these individual pillars helps define actionable areas of cloud security that an organization should prioritize, and provides a solid foundation for their cloud security architecture. In connection with a cloud security framework, the architecture gives a model with visual references on how to properly configure secure cloud development, deployment and operations.
Organizations follow a structured security framework to address the monitoring of incident management along with using centrally managed security logs and monitoring solutions. This ensures patch and anti-virus management, and does a regular system vulnerability assessment to ensure seamless business continuity. The security control provided in the cloud is aligned to ISO 27001.
The average number of yearly breaches in financial services organizations tripled from 40 in 2012 to 125 in 2017. A sound security framework will protect a bank, but will not eliminate breaches altogether. When a bank faces the inevitable, it must quickly identify the problem and the application that has been impacted, then find the vulnerability, assess the organization's security infrastructure and resolve the problem. Here, the services of an ethical hacker for identifying the issue, resolving it, and conducting penetration testing before reporting and closing the case, can be very useful. The report must be audited quarterly/ yearly and signed off by the Board, as a corporate governance best practice.
Around the world, banks are taking to the cloud. While the cloud provider takes care of securing the infrastructure, it is the banks' responsibility to protect their cloud-based data and applications. This can be particularly challenging when applications are built in parts, across distributed locations, using Agile principles. Setting up a robust security framework is an important move towards protecting applications and information, but it is only the beginning. The framework must be part of a continuous, evolving and iterative process of threat monitoring, identification, analysis, resolution and reporting in order to be effective.