Some of this is part of a long-planned transformation and some is a rapid response to changes in ways of working. But is security keeping pace? And does it matter?
The biggest security trap that we’re seeing financial organisations fall into at the moment is thinking that security is a one-off fix – you make a big move, like shifting a legacy application from on premise to the cloud, you adjust your security and you’re done. In reality, your organisation’s attack surface is constantly changing in response to every small addition or migration you make. Every tiny change to your infrastructure can have a knock-on effect on your overall security, so it’s risky to look at these changes in isolation. Instead, you need to consider the impact on your end-to-end security.
The bottom line is that security needs to be a strong thread that runs through your entire cloud operation – joining up and protecting your cloud connectivity, management and relationship with cloud providers.
Here’s what banks and financial services organisations need to do each time they make a change to their cloud infrastructure:
Not every cyber threat applies to every sector, so don’t waste resources trying to protect against events that are unlikely to affect banking and financial services. Take expert advice – we use a threat prioritisation framework tool as a filter for our customers – then map this knowledge onto your cloud and infrastructure transformation plans. This will mean you can build in the right levels of control and visibility from the start.
When it comes to threat intelligence it can be easy to drown in a sea of data, so focus on getting a source that’s understandable and actionable to help you exercise the control that will protect your organisation.
The importance of network visibility and control increases as the volume and breadth of what you need to protect continues to grow.
It’s crucial that you can identify what data is at greatest risk, have an action plan for protecting it and persona modelling to bring deep insight into where you need visibility and control. You can then take a threat-led approach to planning, looking at what native controls cloud providers deliver, where these will be enough, and where you’ll need to put in extra overlay controls. This should include gaining visibility over data that bypasses the data centre and flows directly from your users’ laptops to the cloud provider. Look at ways to wash that data through your agreed criteria to ensure you remain compliant with all industry regulations.
Automation is a highly effective tool within security that can do a lot of the heavy lifting involved, but it needs to be well thought through. When you’re considering what security events to automate, think about what capability you’d be prepared to lose if a cyber incident triggered an automatic cut off – and what events warrant a high degree of manual intervention.
If you assume your defences have been compromised, it puts you in a strong position to meet the needs of the business. By anticipating attacks, you can take action to assess how your organisation would react and whether you’ve got the right policies and procedures in place. You’re truly on the defensive, and this will help you identify the weak spots that an attacker could exploit.
Managing public clouds effectively can be labour intensive and difficult because every cloud has its own tool system. Microsoft alone has tens of thousands of cloud configuration options - and getting just one wrong could leave you open to an incident.
Cloud Control for financial services supports your orchestration, combining your choice of clouds simply and configuring them as you need them. Security is a fundamental part of this offering, incorporating all our experience of protecting governments and critical national infrastructure. You’ll have the high degrees of control and visibility that are essential to protect your business and ensure you’re always compliant with regulation.
Find out more about how Cloud Control can secure your move to the cloud by getting in touch with your account manager.
