FS-ISAC 2022: Cloud Security for Financial Services
FS-ISAC 2022 Europe has concluded its first day of workshops, presentations and panels from financial services industry experts and leaders. FS-ISAC 2022 America was held in Orlando in March, and FS-ISAC also hosted a “Canadian Cyber Security Event” in Toronto. The theme for the US event was “The New Cyber Age: Hyper-Connected and Unconnected”, as security skyrockets to become a top priority for financial services and many institutions become more digitized and adopt the cloud.
FS-ISAC, the only cyber intelligence community dedicated to financial services, earlier this year released its annual Global Intelligence Office report, Navigating Cyber 2022. The report noted the growing importance of global solutions and the key risks that institutions could expect to see in the future.
Steven Silberstein, CEO of FS-ISAC, says, “As fincyber’s global utility, FS-ISAC enables industry-wide cross-border sharing to pool resources, expertise and capabilities to better manage the cyber risks that the global financial industry faces on a daily basis.”
We totally agree with this push for global solutions, because the cloud is an area that touches every end of the Earth. Additionally, the report noted third-party risks, zero-day vulnerabilities, and ransomware as risks to be prepared for. We would add misconfigurations and workload vulnerabilities to this list, as two recurring needs and pain points within cloud enterprises.
Our Sonrai team attended all events as financial institutions such as major banks are some of our primary customers – we hold an interest in industry cloud security. Below we’ll go over some tips on how the financial services industry can approach cloud security, but first let’s hear some early highlights from today’s Madrid event and what themes were featured at events this year.
Danny Adamson, Regional Sales Manager for EMEA, noted that today’s keynote, titled “Cyber 2.0: Sailing Ahead in Turbulent Times,” by Santander CISO Daniel Barriuso, set the right tone for the day. For Danny, however, the highlight was recognizing new trends and market drivers and interacting with customers and peers.
FS-ISAC themes and questions from participants
Earlier this year, our North American team participated in FS-ISAC. After our executives were interviewed, they noted several themes in questions and interests from cloud peers or organizations:
- Data discovery and classification for structured and unstructured data was of great interest to prospects.
- Frequent interest in the automated tagging of resources in general, and of data in particular.
- Multidimensional accounts in AWS and nested groups in Azure AD.
- Heavy use of, or interest in, multicloud.
- Many were looking for a plan or guidance on how to manage the secure migration from hybrid to cloud.
- How to use cloud-native frameworks to secure the cloud. Most were using data center approaches.
- Many are unaware of the risks that identity poses in their cloud.
We look forward to hearing what the shining themes and conversations from the EMEA event will be.
So how can financial services approach cloud security?
While not all FS-ISAC 2022 attendees are in the cloud, many are on their way or in it entirely. After answering all sorts of questions about cloud security, we wanted to offer some tips on how financial services can better lock down their cloud usage. Our approach to cloud security comes from all angles – four, in fact. The four pillars of cloud security are identity, data, platform, and workload. Below, we’ll summarize how to establish a total cloud security program:
Step 1. Review and protect all sensitive data.
Know where your data is, make sure it’s properly classified, and identify and monitor critical resources. With complete visibility into your data stores, secret stores, identities, and identity rights, you can always determine the effective permissions needed to honor least privilege. Complete data visibility and granular access monitoring unlock the enforcement of least access, which, unlike least privilege, applies security policies from the data itself outward to the identities. These policies ensure that identities have the minimum rights to perform their functions.
Step 2. Connect the dots
The goal is still to block potential entry points to your sensitive data, but in the cloud, the perimeter to cross is now that of identity. The answer to “Where is my data?” should be straightforward. Your organization will want to bring together object storage, warehouses, databases, block storage of all shapes and sizes, as well as historical data location and movement, to give cloud teams a uniform view and an accurate picture of the current security posture. If there is an untrustworthy relationship, you will want to eliminate it immediately. The “blast radius” of potential security issues should be reduced by automatically removing inactive data access rights. Locked-down data should be closely monitored with a built-in alarm system that triggers in the event of sudden and unexpected activity. Connect your cloud posture, workloads, and identities to sensitive data.
Step 3: Prioritize risks
Once you know where your concerns lie, the next step is to plan how to tackle them. Dynamic cloud environments can create a lot of alerts as your development team spins infrastructure up and down, so prioritization based on impact on sensitive data is essential. Controls must be accompanied by continuous monitoring. If a deviation from the baseline is detected, you will need to alert the right team with the right level of urgency so they can take the appropriate action to resolve the issue.
Step 4: Operationalize and Fix
Eliminate unnecessary alerts. Your infrastructure becomes more dynamic and complex. Your risks too. Mapping and understanding risks is meaningless if you can’t solve them today or solve new problems that will inevitably arise over time as your cloud grows. Avoid alert accumulation and give cloud teams a sustainable, scalable, and automated way to manage their risk over time. Organize your cloud environments by team and data sensitivity, so you can automatically apply policies to each environment and workload based on risk tolerance. Route alerts to those working in or managing the environment, so that corrective action is taken by the people best equipped. An operationalized process helps avoid placing restrictive policies on non-critical development environments or missing the necessary controls for more sensitive issues.
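Steps 2 to 4 can be sketched in a few lines. The following is an added example, not Sonrai's code: it flags inactive access grants, ranks them by the sensitivity of the data they reach, and routes each finding to the owning team. The inventory, field names, 90-day threshold and "page"/"ticket" urgency labels are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory (not real data): which identity can reach which data
# store, the store's classification, owning team, and when access was last used.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
GRANTS = [
    {"identity": "svc-reporting", "store": "payments-db", "classification": "restricted",
     "env": "prod", "team": "payments", "last_used": NOW - timedelta(days=200)},
    {"identity": "dev-alice", "store": "sandbox-bucket", "classification": "public",
     "env": "dev", "team": "platform", "last_used": NOW - timedelta(days=400)},
    {"identity": "etl-loader", "store": "customer-warehouse", "classification": "confidential",
     "env": "prod", "team": "data", "last_used": NOW - timedelta(days=2)},
    {"identity": "contractor-bob", "store": "customer-warehouse", "classification": "confidential",
     "env": "prod", "team": "data", "last_used": None},  # granted, never used
]

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
INACTIVE_AFTER = timedelta(days=90)  # assumed policy threshold

def inactive_grants(grants, now=NOW):
    """Step 2: grants unused past the threshold (or never used) widen the blast radius."""
    return [g for g in grants
            if g["last_used"] is None or now - g["last_used"] > INACTIVE_AFTER]

def prioritize(findings):
    """Step 3: rank by sensitivity of the reachable data, then by how stale the grant is."""
    def key(g):
        idle = (NOW - g["last_used"]).days if g["last_used"] else float("inf")
        return (-SENSITIVITY[g["classification"]], -idle)
    return sorted(findings, key=key)

def route(findings):
    """Step 4: send each finding to the owning team; lower urgency outside prod."""
    queues = {}
    for g in findings:
        high = SENSITIVITY[g["classification"]] >= 2 and g["env"] == "prod"
        queues.setdefault(g["team"], []).append(
            (g["identity"], g["store"], "page" if high else "ticket"))
    return queues

if __name__ == "__main__":
    for team, items in route(prioritize(inactive_grants(GRANTS))).items():
        print(team, items)
```

The actively used `etl-loader` grant produces no alert at all, and the stale grant on the public dev bucket becomes a ticket rather than a page, which is the alert reduction Step 4 asks for.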
Compliance and Frameworks
The foundation of cloud governance, when it comes to financial services organizations, involves three frameworks, namely Center for Internet Security (CIS) Credentials, Cloud Security Alliance Cloud Controls Matrix (CSA CCM), and the SOC 2. how applications are created, not where they are created. Frameworks allow organizations to build and run applications in private, hybrid, and public clouds.
A roadmap to compliance involves three key elements: systems, frameworks, and cultures.
- Systems: Implement cloud-native infrastructures that address the challenges of public cloud automation.
- Frameworks: Incorporate the three frameworks mentioned above and use them as the basis of your cloud governance strategy. By selecting the right framework, you get a solid foundation with easy-to-understand guidance.
- Cultures: Change the traditional view of IT departments that sees them operating as silos and adjust it to “trust but verify” instead, allowing you to reap the benefits of the public cloud. This can also include raising awareness among your teams.
This blog was inspired by the timely FS-ISAC EMEA conference, as well as other events this year, but also aims to better arm financial industry organizations with cloud security recommendations. If you want to know more, read how a top 10 US bank partnered with Sonrai Security to secure their cloud.
*** This is a syndicated blog from Sonrai’s Security Bloggers Network | Enterprise cloud security platform created by Tally Shea. Read the original post at: https://sonraisecurity.com/blog/fs-isac-2022-cloud-security-for-financial-services/