Cloud Security and Compliance Guide for the Financial Services Industry

How to drive digital transformation while ensuring cloud security and compliance

Financial service organizations are experiencing a culture shift as they respond to consumer demand for improved experiences, delivered when and how consumers want them. Building applications on, and migrating regulated workloads to, Amazon Web Services, Microsoft Azure, and Google Cloud Platform offers an attractive way to speed innovation, shorten time to market, and improve resilience. The self-service and dynamic nature of software-defined cloud infrastructure creates unique challenges for risk and compliance professionals in the financial services industry: processes and tools that worked well in the traditional datacenter do not translate directly to the public cloud. Because of these concerns over regulatory compliance and security, as well as the complexity involved in migrating legacy systems, financial institutions have taken a tentative approach to adopting public cloud, especially when it comes to implementing new technologies that could put compliance at risk.

For financial service organizations to take full advantage of the opportunities public cloud offers, they must ensure that their customers are comfortable with this shift, that clear cloud governance standards are defined, and that they can present evidence of compliance to assessors and auditors. This is an achievable objective, and this guide explores the roadblocks to innovation, the frameworks that financial services organizations are leveraging to ensure strong governance in the cloud, a roadmap for continuous compliance in the cloud, and how InsightCloudSec by Rapid7 can help you achieve this goal.


Roadblocks to Innovation

While many financial service organizations know they have to make changes, they are often risk-averse when it comes to implementing new technology (and for good reason). This cautious approach is driven by substantial regulatory requirements, the critical nature of financial systems, and the sensitive nature of consumer information. The risks are not imagined: the financial services industry experiences security incidents 300 percent more frequently than other sectors. In addition to being a giant bullseye for hackers, the financial services industry is one of the most heavily regulated and scrutinized industries. Several regulations have been put in place to protect the privacy and security of consumers, including the Sarbanes-Oxley and Gramm-Leach-Bliley Acts, the Payment Card Industry Data Security Standard (PCI DSS), and, most recently, the General Data Protection Regulation (GDPR) set forth by the European Union. Financial service organizations that don’t comply with these regulations face substantial penalties.

Ensuring Cloud Security and Compliance in the Financial Services Industry

The challenge is this: how do these regulations translate to the public cloud? How do you map their directives onto a novel and ever-expanding set of cloud services, particularly onto the software-defined configurations that so often result in a policy violation? How do you do this while embracing self-service, from which the public cloud derives much of its flexibility and agility? How do you ensure continuous compliance in the dynamic and transient world of public cloud, and do so on a constant and consistent basis? In essence, how can today’s financial service organizations embrace the many benefits of the cloud without opening a Pandora’s box of compliance and security risk?

The first part of the answer is to embrace cloud native frameworks.

Cloud Native Frameworks

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM), SOC 2, and CIS Benchmarks are the trifecta of frameworks that should make up the foundation of cloud governance for financial services organizations.

Let’s explore these frameworks and the value they deliver.

Cloud Security Alliance Cloud Controls Matrix

Cloud Security Alliance Cloud Controls Matrix is the gold standard for cloud native security assurance and compliance. It provides a cloud native controls framework with a detailed explanation of security concepts and principles. The CSA CCM recommendations are mapped to many other compliance standards, such as NIST, and can help companies meet their requirements under these regulations.

The CSA CCM provides a controls framework with a detailed explanation of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 16 domains:

  • Application & Interface Security (AIS)
  • Audit Assurance & Compliance (AAC)
  • Business Continuity Management & Operational Resilience (BCR)
  • Change Control & Configuration Management (CCC)
  • Data Security & Information Lifecycle Management (DSI)
  • Datacenter Security (DCS)
  • Encryption & Key Management (EKM)
  • Governance & Risk Management (GRM)
  • Human Resources (HRS)
  • Identity & Access Management (IAM)
  • Infrastructure & Virtualization Security (IVS)
  • Interoperability & Portability (IPY)
  • Mobile Security (MOS)
  • Security Incident Management, E-Discovery, & Cloud Forensics (SEF)
  • Supply Chain Management, Transparency, and Accountability (STA)
  • Threat & Vulnerability Management (TVM)

As a framework, the CSA CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to the cloud industry.

  • It emphasizes business information security control requirements
  • It reduces and identifies consistent security threats and vulnerabilities in the cloud
  • It provides standardized security and operational risk management
  • It seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud

As discussed above, one reason it is such a powerful resource is that demonstrating compliance with one CCM control can provide validation that you are compliant with the corresponding controls in numerous related frameworks.

For example, control DSI-03, under the CCM domain Data Security & Information Lifecycle Management (E-commerce Transactions), requires that data related to e-commerce that traverses public networks be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification, in such a manner as to prevent contract disputes and compromise of data.

If an organization is in compliance with DSI-03, there is a direct correlation with NIST 800-53, which addresses the same security requirements with controls including:

  • AC-14: Permitted Actions without Identification or Authentication
  • AC-21: Information Sharing
  • AC-22: Publicly Accessible Content
  • IA-8: Identification and Authentication (Non-Organizational Users)
  • AU-10: Non-Repudiation
  • SC-4: Information in Shared Resources
  • SC-8: Transmission Confidentiality and Integrity
  • SC-9: Transmission Confidentiality

Many financial institutions use the CSA CCM because it is also a well-documented and very accessible framework that can be communicated to customers as the standard by which they can hold the financial institution accountable. There has also been movement within the industry to select the CSA CCM as a commonly used standard among institutions such as banks.

Service Organization Control (SOC 2) Report

Another approach financial service organizations must take is mapping cloud controls to traditional frameworks like the Service Organization Control (SOC 2) report. Developed by the American Institute of CPAs, the SOC 2 report focuses on a business’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system.

SOC 2 measures five control categories that are specifically relevant to IT and datacenter service providers, generally referred to as the CIA triad plus privacy:

  1. Security (protection of information and systems from damage or unauthorized access)
  2. Availability (reliability of customers’ access to information and systems)
  3. Processing integrity (completeness, validity, and accuracy of the organization’s data processing)
  4. Confidentiality (protection of designated confidential information)
  5. Privacy (limited collection and use of personal information)

Center for Internet Security (CIS) Benchmarks

CIS Benchmarks are secure configuration guidelines and settings created to help you secure specific platforms, including AWS, Azure, and GCP. These benchmarks help you safeguard systems against today’s evolving cyber threats and are endorsed by leading IT security vendors and governing bodies. They are prescriptive guidance that helps you create a secure baseline configuration when operating in AWS, Azure, or GCP. In March 2018, Microsoft published the CIS Microsoft Azure Foundations Security Benchmark, which is the recognized industry standard for securely configuring traditional IT components. In September 2018, CIS published a new benchmark for securing cloud workloads on Google Cloud Platform (GCP). This benchmark contains dozens of security recommendations across Identity & Access Management, Logging/Monitoring, Networking, Storage, Compute, and Kubernetes. In December 2017, CIS published the AWS CIS Foundations Benchmark, which provides prescriptive guidance for configuring security options for a subset of Amazon Web Services, with an emphasis on foundational, testable, and architecture-agnostic settings.

It is important to note that the CIS Benchmarks for each cloud service provider cover only a base set of cloud services and do not address the complete and ever-expanding collection of services each provider offers. It is therefore essential for each institution either to do the legwork of extending the principles established in the CIS Benchmarks to a broader set of services, or to leverage third-party software like InsightCloudSec that provides out-of-the-box compliance capabilities.

Developing a Roadmap for Compliance

There are three keys to building a roadmap for compliance: culture, frameworks, and systems. Combining these three keys allows customers to build cloud operations maturity through automation.

First, organizations must modify the command-and-control mentality of traditional IT and marry it with a “trust but verify” approach when looking to take advantage of the benefits of public cloud.

Second, incorporate CSA CCM, SOC 2, and CIS Benchmarks as the foundation of your cloud governance strategy.

Third, identify and implement the systems that are cloud-native and can help you address the unique challenges of the public cloud through automation. Fortunately for today’s financial institutions, there are ready-made solutions available that help organizations achieve continuous security, compliance, and governance while embracing the dynamic, software-defined, self-service nature of public cloud and container infrastructure.

InsightCloudSec is a leader in this space. InsightCloudSec’s software appliance performs real-time, continuous discovery and monitoring of resources in Amazon Web Services, Microsoft Azure, Google Cloud Platform, Alibaba Cloud, and Kubernetes. This data is distilled into actionable insights and presented through a single-pane-of-glass console that provides an assessment of your holistic security and compliance posture.

InsightCloudSec offers more than 165 out-of-the-box policies that map to best practices and standards including SOC 2, CSA CCM, PCI DSS, NIST CSF, NIST 800-53, ISO 27001, CIS, FedRAMP CCM, HIPAA, and GDPR. Customers enable these out of the box or configure custom, cloud-native policy guardrails (“Insights”). Policy violations are flagged in real time, and customers can automate remediation with out-of-the-box or custom workflows (“Bots”) that integrate with third-party systems like Splunk and ServiceNow.

These workflows are fully configurable and can incorporate a full range of lifecycle actions that are contextually allowed by the resource in violation. For example, the workflow may Modify Security Groups, Disassociate Public IP, or Terminate Instance when remediating a compute instance in violation of policy.
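To make the detect-then-remediate loop concrete, here is an added example that is not InsightCloudSec code and not from the page’s author. It runs a few CIS Benchmark-style configuration checks (the kind of base-service checks the CIS section above describes) over a constructed inventory of cloud resources, and for each violation it keeps only the lifecycle actions that the violating resource type actually supports, which is what "contextually allowed by the resource in violation" means in practice. The resource IDs, ingress rules, policy IDs, the `LIFECYCLE_ACTIONS` catalogue, and the framework labels attached to each policy are all constructed for illustration; the NIST 800-53 control numbers used as labels are real, but the mapping of these toy policies to them is an assumption.

```python
"""Added example (not InsightCloudSec or Rapid7 code): a minimal policy-guardrail
evaluator with remediation-action selection over a constructed cloud inventory."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, Dict, List, Tuple


@dataclass
class Resource:
    resource_id: str
    resource_type: str   # "compute_instance", "security_group" or "storage_bucket"
    config: dict         # provider-neutral, constructed configuration


@dataclass
class Policy:
    policy_id: str
    description: str
    applies_to: str                                            # resource_type the check targets
    compliant: Callable[[Resource, Dict[str, Resource]], bool]  # True when the resource passes
    remediation: Tuple[str, ...]                               # candidate actions, most surgical first
    frameworks: Tuple[str, ...]                                # constructed control labels


@dataclass
class Violation:
    policy_id: str
    resource_id: str
    actions: Tuple[str, ...]     # remediation actions contextually allowed for this resource type
    frameworks: Tuple[str, ...]


# Lifecycle actions each resource type supports (constructed; a real product's catalogue
# is larger and provider-specific). Terminating applies to instances, not to groups or buckets.
LIFECYCLE_ACTIONS = {
    "compute_instance": {"Modify Security Groups", "Disassociate Public IP", "Terminate Instance"},
    "security_group": {"Modify Security Groups"},
    "storage_bucket": {"Remove Public Access"},
}


def world_reachable(sg: Resource, port: int) -> bool:
    """True if any ingress rule on the group exposes `port` to 0.0.0.0/0 or ::/0 (prefix length 0)."""
    for rule in sg.config.get("ingress", []):
        if rule["protocol"] not in ("tcp", "-1"):          # "-1" = all protocols
            continue
        covers_port = rule["from_port"] <= port <= rule["to_port"]
        if covers_port and ip_network(rule["cidr"], strict=False).prefixlen == 0:
            return True
    return False


def instance_not_exposed_over_ssh(inst: Resource, inventory: Dict[str, Resource]) -> bool:
    """An instance is exposed only if it has a public IP AND an attached group opens 22 to the world."""
    if not inst.config.get("public_ip"):
        return True
    return not any(world_reachable(inventory[sg_id], 22) for sg_id in inst.config.get("security_groups", []))


POLICIES = [
    Policy("sg-no-world-ssh", "No security group may allow ingress to port 22 from 0.0.0.0/0 or ::/0",
           "security_group", lambda sg, inv: not world_reachable(sg, 22),
           ("Modify Security Groups",), ("CIS-style network check", "NIST 800-53 SC-7")),
    Policy("instance-no-public-ssh", "No instance with a public IP may be reachable on port 22 from the Internet",
           "compute_instance", instance_not_exposed_over_ssh,
           ("Modify Security Groups", "Disassociate Public IP", "Terminate Instance"),
           ("CIS-style network check",)),
    Policy("bucket-not-public", "Storage buckets must not grant public read access",
           "storage_bucket", lambda b, inv: b.config.get("acl") != "public-read",
           # "Terminate Instance" is listed deliberately: it is filtered out for buckets below.
           ("Remove Public Access", "Terminate Instance"), ("NIST 800-53 AC-22",)),
]


def evaluate(inventory: Dict[str, Resource], policies: List[Policy] = POLICIES) -> List[Violation]:
    """Run every applicable policy over every resource; keep only actions the resource type allows."""
    violations = []
    for res in inventory.values():
        for pol in policies:
            if pol.applies_to != res.resource_type or pol.compliant(res, inventory):
                continue
            allowed = tuple(a for a in pol.remediation if a in LIFECYCLE_ACTIONS[res.resource_type])
            violations.append(Violation(pol.policy_id, res.resource_id, allowed, pol.frameworks))
    return violations


def framework_summary(violations: List[Violation]) -> Dict[str, int]:
    """Count open violations per framework label, the figure an assessor asks for first."""
    counts: Dict[str, int] = {}
    for v in violations:
        for label in v.frameworks:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed inventory: one open group, one office-only group, three instances, one bucket.
INVENTORY = {r.resource_id: r for r in [
    Resource("sg-open", "security_group",
             {"ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]}),
    Resource("sg-office", "security_group",
             {"ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"}]}),
    Resource("i-bastion", "compute_instance", {"public_ip": "198.51.100.7", "security_groups": ["sg-open"]}),
    Resource("i-app", "compute_instance", {"public_ip": None, "security_groups": ["sg-open"]}),
    Resource("i-admin", "compute_instance", {"public_ip": "198.51.100.8", "security_groups": ["sg-office"]}),
    Resource("bkt-reports", "storage_bucket", {"acl": "public-read"}),
]}

if __name__ == "__main__":
    found = evaluate(INVENTORY)
    for v in found:
        print(f"{v.policy_id:24} {v.resource_id:12} actions={list(v.actions)}")
    print(framework_summary(found))
```

Two details carry the security point. The instance check is contextual: `i-app` sits behind the same open group as `i-bastion` but has no public IP, so it is not flagged, while `i-bastion` is flagged with all three instance actions available so a workflow can choose the least disruptive one first. The bucket policy lists "Terminate Instance" as a candidate action, but `evaluate` drops it because a bucket does not support that lifecycle action; this is the filter a remediation bot must apply before acting.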

Embracing Cloud Automation

Financial services organizations use InsightCloudSec to automate the detection and remediation of cloud and container infrastructure misconfigurations that violate policy.

InsightCloudSec enables these industry leaders to take full advantage of the agility and speed of cloud and container technology, while actually strengthening their security and compliance posture. This is a double win that increases productivity, innovation, and profitability while decreasing risk.

InsightCloudSec has a secondary benefit of making the audit process less time-consuming and therefore more efficient. First, companies should conduct their own “internal audit” on a regular basis to help identify any potential noncompliance issues before auditors do.

Companies often cite “lack of resources” as the reason they fail to perform these proactive spot checks, but the costs of failing a regulatory compliance audit are likely to be far greater than devoting time and resources to confirm the organization isn’t making any missteps.

The good news is that InsightCloudSec helps financial organizations identify potential noncompliance issues, making these “internal audits” easier. Second, financial institutions spend millions of dollars annually on auditors to ensure compliance.

InsightCloudSec automation helps reduce auditor hours through reporting and evidence of compliance.

Next Steps

As financial institutions move to embrace public cloud, they must ensure that security, governance, and compliance are at the foundation of all decisions. Regulatory compliance and managing cyber risk do not need to be the enemy of innovation. A combination of culture change, adoption of cloud-native frameworks, and the use of tools like InsightCloudSec can help financial service organizations advance innovation while protecting them against risk and ensuring that compliance standards are met.

About InsightCloudSec by Rapid7

InsightCloudSec enforces security and compliance policies in real-time, empowering customers to give developers the freedom to innovate using AWS, GCP, Azure, Kubernetes, and Alibaba. Customers like Spotify, 3M, Fannie Mae, Autodesk, Discovery, and Pizza Hut use InsightCloudSec to automate the detection and remediation of cloud and container infrastructure misconfigurations that violate policy and security risk. InsightCloudSec enables these industry leaders to take full advantage of the agility and speed of cloud and container technology, while actually strengthening their security and compliance posture. This is a double win that increases productivity, innovation, profitability, and security. InsightCloudSec is designed for cloud infrastructure, security, compliance, and governance professionals who want to identify risks in real-time and take automatic, user-defined action to fix problems before they’re exploited.