The opportunity to boost productivity, lower costs, and provide advanced analytics has lured financial companies to adopt cloud strategies. They see these benefits as ways to gain a competitive advantage in both the short and long run. Some companies, however, are reluctant to use cloud-based services because of the security risks the cloud presents and how strictly regulated the sector has become. Before diving into the challenges of cloud adoption, it's important to look at the ways these institutions are using the cloud.
Card and mobile payment processing
While some big banks currently process their own credit/debit transactions, a majority of them choose Visa, MasterCard or a third-party processor. These payment processors now operate in the cloud.
Marketing and customer relationship management (CRM)
Cloud apps like OMI, which provide banks with market research and analytics for market segmentation purposes, are common in the financial industry.
Big banks typically maintain their own core banking systems. This, however, isn't always feasible for small to mid-size institutions, so they end up using cloud-based core banking systems.
A few of them have moved their app development and testing to cloud-based IaaS like Amazon Web Services (AWS), Azure, and Google Cloud Platform so they can avoid costly hardware and software upgrades. Once tested, the apps are moved back into the actual work environment.
The Security Challenges of Moving to the Cloud
A majority of security experts today aren't confident that their cloud setup is compliant. In a recent study, securing customer information and internal financial data topped the list of security concerns. Cybersecurity skills shortages and a lack of visibility were also on the list, ranking third and fourth, respectively. These challenges are preventing some companies from moving to the public or private cloud.
A Quick Snapshot of the Capital One Breach
Some companies that have gone to the cloud end up sticking with the built-in native security solutions that AWS, Azure, etc. provide. This simply is not enough, however, as shown by the Capital One data breach that exposed over 100 million customer applications. In this case, Capital One lacked security software that automated compliance by checking for misconfigurations. Ultimately, Capital One had a misconfigured web-application firewall (WAF) that was being used as part of its operations in the cloud with AWS. More specifically, the misconfiguration had given the WAF too many permissions, such as being able to list all files and read those files. When the intruder launched a Server-Side Request Forgery (SSRF) attack, she tricked the WAF into requesting information from the "metadata" service, which is responsible for handing out temporary information, such as credentials, that a cloud server uses to access any resource to which that server has access. Since cloud-native security features didn't include the ability to prevent sophisticated attacks, the SSRF went unnoticed and the attacker walked out with over 100 million customer applications that included sensitive information.
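A minimal version of the misconfiguration check described above, as an added example that is not code from Capital One, AWS or Check Point. It assumes the WAF's permissions are expressed as an AWS IAM policy document and that "list all files" and "read those files" correspond to the S3 actions named in the code; the function name and both sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: "list all files" / "read those files" map to these S3 actions.
SENSITIVE_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")
BROAD_RESOURCES = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}

def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_role_policy(policy):
    """Flag Allow statements granting list/read actions on wildcard resources."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        granted = sorted(
            action for action in SENSITIVE_ACTIONS
            if any(fnmatchcase(action.lower(), p) for p in patterns)
        )
        broad = sorted(set(_as_list(stmt.get("Resource"))) & BROAD_RESOURCES)
        if granted and broad:
            sid = stmt.get("Sid", f"statement[{index}]")
            findings.append(f"{sid}: {', '.join(granted)} on {', '.join(broad)}")
    return findings

# Constructed sample policies, not taken from the incident.
OVERBROAD_WAF_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"},
        {"Sid": "Storage", "Effect": "Allow", "Action": ["s3:List*", "s3:Get*"], "Resource": "*"},
    ],
}
SCOPED_WAF_ROLE = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "WriteOwnLogs", "Effect": "Allow", "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-waf-logs/*",
    },
}

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_WAF_ROLE), ("scoped", SCOPED_WAF_ROLE)):
        print(name, audit_role_policy(policy) or "no findings")
```

The check reads only Allow statements with Action and Resource keys; it does not evaluate NotAction, Condition blocks or explicit Deny statements, so an empty result is not proof that a role is least-privilege.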
Solutions that Reduce Risk and Automate Compliance
Capital One could have prevented this breach had it supplemented its native security with a few of Check Point's security solutions, namely CloudGuard IaaS and CloudGuard Dome9. CloudGuard IaaS could have detected the SSRF attack in real time by leveraging the award-winning collaborative network known as ThreatCloud. With Dome9, Capital One would have been able to automate compliance by automatically remediating violations before they even became risks, like the misconfiguration of the WAF that had too many permissions assigned to it. To learn more about how CloudGuard can help you transition to the cloud or secure your current cloud environment, feel free to reach out to me for a consultation.