Cybersecurity insights from industry experts.
Securely Moving Financial Services to the CloudSecurely Moving Financial Services to the Cloud
Financial services organizations migrating applications to the cloud need to think about cloud governance, applying appropriate policies and oversight, and compliance and regulatory requirements.
October 10, 2023
When it comes to financial services moving securely to the cloud, there are several important considerations. Secure cloud usage first starts with secure use of the cloud by the financial services industry, including secure configurations, resiliency, and using pipelines that ensure consistent guardrails for developers, infrastructure teams, and security teams. This is layered on top of a secure foundation from cloud service providers. Additionally, there are compliance and regulatory requirements that must be met in order to demonstrate the effectiveness of the security measures in place.
Key areas to consider:
Business objectives and risk appetite
Oversight and governance of the cloud program
Threat and compliance-driven security controls
Continuous monitoring and drift detection
When migrating to the cloud, every organization must think about how they'll govern the process. This includes applying appropriate policies and oversight, as well as implementing technical controls. It is crucial to approach this from a threat-driven perspective, considering the various threat actors that may try to compromise security practices and policies.
Cloud Governance is Key
For financial services, cloud governance is essential. Cloud governance is a set of policies and procedures that help organizations manage their cloud computing resources effectively. It is important to establish a clear cloud governance structure before moving to the cloud, as it helps ensure that cloud resources are used securely and efficiently. This requires an organizational, operational, and technological approach to assist financial services in leveraging the cloud.
There are three lines of governance that are important for cloud governance:
First line of governance: This is responsible for the day-to-day management of cloud resources. It typically includes IT teams, development teams, cybersecurity, and DevOps teams.
Second line of governance: This is responsible for overseeing the first line of governance and ensuring that cloud resources are being managed in accordance with organizational policies and procedures. It typically includes audit and risk teams.
Third line of governance: This is responsible for providing independent assurance that cloud governance is effective. It typically includes an audit that reports to the board's audit committee.
When implementing an organizational, operational, and technological approach to cloud governance, you should consider the following:
Infrastructure pipelines: These are automated pipelines that can be used to deploy and manage cloud infrastructure via terraform.
Application pipelines: These are automated pipelines that can be used to deploy and manage cloud applications with embedded security controls and checkers.
Data pipelines: These are automated pipelines that can be used to move and manage data in the cloud using tools like data classification, data tokenization/encryption, and data loss prevention tooling.
Change management: An integrated process for managing changes to cloud resources that enforces good governance around change.
Policy revisions: This is the process of reviewing and updating cloud governance policies and procedures with stakeholders.
Monitoring: This is the process of logging and tracking changes to cloud resources, as well as monitoring the environment for security. This includes both application, infrastructure, and security monitoring.
Asset inventories: This is a process for identifying and tracking cloud resources and what is running at any given time,
What to Consider With Cloud Adoption
As you move to adopt the above, it’s important to take an “everything as code” approach, in order to scale the operations and ensure repeatability in deploying, recovering applications, and ensuring controls are working effectively.
Financial services is a highly regulated industry, and cloud adoption brings increased scrutiny from regulatory and compliance partners. To address this, a cloud-native approach should be taken to mitigate risk and alleviate concerns. This requires collaboration among different teams, including frontline, technology, business, security, tech controls, operational risk management, and audit teams. By working together, a secure and compliant framework can be established.
Trusted third parties may also be involved in the implementation process. It is important to consider how their work will be verified and how their expertise can support the project. This may involve testing and verification of audit and compliance solutions.
From an executive perspective, it is crucial to communicate the cloud strategy and its benefits to the business. This includes demonstrating how security and compliance controls are continuously monitored and maintained. The cloud offers opportunities to showcase compliance and risk through data analysis. Gradual improvements should be made to the control environment over time, fostering a culture of quick learning and adaptation.
In summary, financial services moving to the cloud must address security, compliance, and governance considerations. Collaboration among various teams is essential, as is the involvement of trusted third parties. Executives should effectively communicate the cloud strategy and ensure continuous compliance and risk monitoring. As with all organizational change management, culture is an important aspect to keeping the team motivated and being able to fail fast. This culture has to be demonstrated by leadership and all teams working collaboratively to achieve the mission.
Read more Partner Perspectives from Google Cloud
Read more about:Partner Perspectives
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023