FS-ISAC 2022 Europe wrapped up day one of workshops, presentations, and panels from experts and leaders in the financial services industry. FS-ISAC 2022 America was held in Orlando back in March, and FS-ISAC held a ‘Canadian Cyber Security Event’ in Toronto as well. The U.S. event theme was ‘The New Cyber Era: Hyper Connected and Unbound’ as security skyrockets to a top priority for financial services, and many digitize further and take on the cloud.
FS-ISAC, the only cyber intelligence community dedicated to financial services, earlier this year released its annual Global Intelligence Office report, Navigating Cyber 2022. The report noted the increasing importance of global solutions and the top risks institutions could expect to see in the future.
Steven Silberstein, CEO of FS-ISAC, says, “As the global fincyber utility, FS-ISAC enables industry-wide cross-border sharing to pool resources, expertise, and capabilities to better manage cyber risks that the global financial industry faces on a daily basis.”
We couldn’t agree more with this push for global solutions, as the cloud is a realm touching every end of the Earth. Additionally, the report noted third-party risk, zero-day vulnerabilities and ransomware as the risks to prepare against. We’ll add two more to that list: misconfigurations and workload vulnerabilities, both recurring needs and weak points within enterprises in the cloud.
Our Sonrai team attended all events as financial institutions like major banks are some of our top customers – we hold a stake in the cloud security of the industry. Below we’ll review some guidance on how the financial services industry can approach cloud security, but first, let’s hear initial highlights from the Madrid event today and what themes have been presented at the events this year.
Danny Adamson, Regional Sales Director in EMEA, noted that today’s opening keynote, titled ‘Cyber 2.0: Sailing Ahead in Turbulent Times’, by Santander CISO Daniel Barriuso, set the day’s mood in the right direction. However, Danny noted that recognizing new trends and market drivers and interacting with customers and peers was the highlight for him.
FS-ISAC Themes and Attendee Questions
Earlier this year, our North American team attended FS-ISAC. After our executives were interviewed, they noted several themes in questions and interests from peers or organizations in the cloud:
- Data Discovery and Classification for structured and unstructured data were of high interest to prospects.
- Frequent and common interest in automated resource tagging, in general, and data specifically.
- Multidimensional accounts in AWS and nested groups in Azure AD.
- Lots of Multicloud use or interest.
- Many sought a plan or guidance on how to manage secure hybrid to cloud migration.
- How to use cloud-native frameworks to secure the cloud. Most used datacenter approaches.
- Many are unaware of the risk identity poses in their cloud.
We’re looking forward to hearing what the shining themes and conversations of the EMEA event will be.
So How Can Financial Services Approach Cloud Security?
While not everyone attending FS-ISAC 2022 is in the cloud, many are on their way or are fully there. After fielding all sorts of questions about cloud security, we wanted to offer some guidance for how financial services can better lock down their cloud use. Our approach to cloud security comes from all angles – four, in fact. The four pillars of cloud security are Identity, Data, Platform, and Workload. Below we will summarize how to establish a total cloud security program:
Step 1. See and protect all sensitive data.
Know where your data is, ensure it’s classified properly, and identify and monitor critical resources. With complete visibility into your datastores, secret stores, identities, and each identity’s entitlements, you can always determine the effective permissions needed to meet least privilege. Full data visibility and granular access monitoring unlock Least Access enforcement, which, in contrast with least privilege, uniquely implements security policies from the data itself outwards towards identities. These policies ensure that identities are provided with the minimum rights needed to fulfill their duties.
Step 2. Connect the dots
The goal is still to block potential entry points for reaching your sensitive data, but in the cloud, the perimeter to breach is now identity. The answer to ‘Where’s my data?’ should be simple. Your organization will want to gather object storage, warehouses, databases, and block storage in every shape and size, along with the location and movement history of data, to provide cloud teams with a uniform view and a true picture of the current security posture. If there is an untrustworthy relationship, you’ll want to eliminate it immediately. The “blast radius” of potential security concerns needs to be reduced with the auto-elimination of inactive data access rights. The locked-down data needs to be closely monitored with a built-in alarm system that triggers in the event of sudden and unexpected activity. Connect the dots on how your cloud posture, workloads and identities tie back to sensitive data.
Step 3. Prioritize risk
Once you know where your concerns lie, the next step is planning a strategy of attack. Dynamic cloud environments can create numerous alerts as your development team spins infrastructure up and down, so prioritization based on impact to sensitive data is critical. Controls must be backed by continuous monitoring. If any deviation from baseline is detected, you’ll want to alert the right team with the right level of urgency so they can take the respective action to resolve the issue.
Step 4. Operationalize and fix
Eliminate useless alerts. Your infrastructure is getting more dynamic and complex. So are your risks. Mapping and understanding risks is meaningless if you can’t fix them today or resolve new issues that inevitably will emerge over time as your cloud grows. Avoid alert buildup and provide cloud teams with a sustainable, scalable, and automated way to manage their risk over time. Organize your cloud environments by team and data sensitivity, so you can automatically apply policies to each environment and workload to match the risk tolerance. Route alerts to the people working in or managing the environment, so remediation is handled by people best equipped. An operationalized process helps avoid placing restrictive policies on noncritical development environments, or missing needed controls for more sensitive concerns.
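As an added illustration of Steps 2 through 4 (not Sonrai's code or product logic), the Python sketch below finds inactive data access rights, ranks them by the sensitivity of the data they reach, and routes each finding to the owning team. The inventory, team names, sensitivity labels and the 90-day idle threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (hypothetical names, not a real environment).
DATASTORES = {
    "s3://payments-ledger": {"sensitivity": "restricted", "team": "payments-sec"},
    "s3://marketing-assets": {"sensitivity": "public", "team": "web-platform"},
    "rds://customer-kyc": {"sensitivity": "confidential", "team": "onboarding-sec"},
}
# Each grant: identity, datastore, permission, last day the grant was exercised.
GRANTS = [
    ("role/etl-batch", "s3://payments-ledger", "read", date(2022, 5, 30)),
    ("user/contractor-7", "s3://payments-ledger", "write", date(2021, 11, 2)),
    ("role/ci-deploy", "s3://marketing-assets", "write", None),  # never used
    ("role/kyc-review", "rds://customer-kyc", "read", date(2022, 1, 15)),
]
SEVERITY = {"restricted": 3, "confidential": 2, "internal": 1, "public": 0}
INACTIVE_AFTER_DAYS = 90  # assumed threshold; set it from your own policy


def inactive_grants(grants, today, max_idle=INACTIVE_AFTER_DAYS):
    """Step 2: grants never used, or idle for more than max_idle days."""
    return [g for g in grants if g[3] is None or (today - g[3]).days > max_idle]


def prioritize(findings, datastores):
    """Step 3: most sensitive data first, write access before read."""
    def rank(g):
        sens = SEVERITY[datastores[g[1]]["sensitivity"]]
        return (-sens, g[2] != "write", g[0])
    return sorted(findings, key=rank)


def route(findings, datastores):
    """Step 4: queue findings per owning team; skip public data (assumed policy)."""
    queues = {}
    for ident, store, perm, _ in findings:
        meta = datastores[store]
        if SEVERITY[meta["sensitivity"]] == 0:
            continue  # no alert for non-critical data
        action = f"revoke {perm} on {store} from {ident}"
        queues.setdefault(meta["team"], []).append(action)
    return queues


def triage(today=date(2022, 6, 7)):
    stale = prioritize(inactive_grants(GRANTS, today), DATASTORES)
    return route(stale, DATASTORES)
```

With the constructed data, the recently used ETL role is left alone, the stale contractor write grant on the restricted ledger ranks first, and the unused grant on public marketing assets produces no alert.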
Compliance and Frameworks
The foundation of cloud governance for financial services organizations involves three frameworks: the Center for Internet Security (CIS) Benchmarks, the Cloud Security Alliance Cloud Controls Matrix (CSA CCM), and SOC 2. Cloud-native frameworks are about how applications are created and not where they are created. The frameworks empower organizations to build and run applications in private, hybrid, and public clouds.
A roadmap to compliance involves three key building blocks: systems, frameworks, and cultures.
- Systems: Implement cloud-native frameworks that address the challenges arising from automation of the public cloud.
- Frameworks: Incorporate the three frameworks mentioned above and use them as a foundation for your cloud governance strategy. By selecting the right framework, you can enjoy a strong foundation with easy-to-understand guidance.
- Cultures: Modify the traditional view of IT departments that sees them operate as silos and instead adjust it to a ‘trust but verify’ model, which will allow you to enjoy the advantages of the public cloud. This may also include creating awareness amongst your teams.
This blog was inspired by the timely FS-ISAC EMEA conference, as well as the other events this year, but is also intended to better arm organizations in the financial industry with cloud security recommendations. If you’re interested in further learning, read how a Top 10 U.S. Bank teamed up with Sonrai Security to secure their cloud.