There is a lot of ongoing buzz in the media about the attractiveness of cloud technology for financial organizations — and the cybersecurity challenges that come with it. The benefits of cloud use include increased flexibility, agility and cost reduction; in fact, IDC Financial Insights calculates that the biggest global banks will save $15 billion by 2019 from cloud adoption and cut technology infrastructure costs by 25%. At the same time, adopting cloud technologies causes cybersecurity concerns. For example, one company had hundreds of gigabytes of sensitive client and company data exposed due to improper configurations of AWS S3 buckets.
Is the cloud actually less secure than an on-premises environment? Because so much of the evidence is vague and anecdotal, there is a lot of confusion among IT pros about the true risks for financial organizations in the cloud.
To get hard data, we asked organizations across the globe about their cloud security concerns; we present the findings and our analysis in Netwrix 2018 Cloud Security: In-Depth Report. This post summaries the top results and conclusions.
What is the impact of cloud adoption on cyber security?
Financial organizations adopt the cloud more extensively than the other industries surveyed. Overall, 96% of the respondents from financial sector store sensitive data in the cloud. One third (34%) of respondents say the security of their IT infrastructure improved after cloud adoption, and 31% report no change.
Indeed, typically the cloud is more secure than on-premises options in terms of data storage. Consider the poor on-premises experience of Lloyds Bank: Thousands of people had their data stolen when a storage device disappeared from the company’s office. If this data had been stored in the cloud, the theft could not have happened so easily. According to Microsoft, more than 80% of the world’s largest banks and more than 75% of the most important financial institutions use Azure — solid proof of the cloud’s attractiveness for financial industry.
88% of financial organizations plan to move more sensitive data to the cloud
The Netwrix survey also shows that financial organizations plan to expand their cloud usage. Overall, 88% of financial organizations plan to move more sensitive data to the cloud, and 47% want to start using a cloud-first approach.
However, it will be a mistake to say that storing data in the cloud gives 100% security. Through the cloud, data flows freely to and from both enterprise endpoints and mobile devices belonging to employees. This raises strong cybersecurity concerns about the vulnerability of the devices to unauthorized access, which is a major concern for 63% of respondents.
What are the biggest cloud security risks?
Our survey found that 39% of financial institutions consider employees to be the weakest link, while 28% picked third parties with legitimate access.
Why do they think this? It is very hard to monitor user activity in the cloud and control user access to sensitive data, especially now that most companies have a bring-your-own-device (BYOD) policy that allow employees to use their own devices for remote work. Although these employees usually have to provide a user ID and password to access corporate data from outside the company’s network, they often forget to log out, which is a huge problem when their devices get lost or stolen.
39% of financial institutions named employees as their main security risk
In addition, they use unsecure desktops in hotels or cafes to answer business emails, and often forget to log out there as well. Therefore, ensuring endpoint security is crucial for financial organizations. According to the Financial Services breach report from Bitglass, one in four breaches in the financial services sector over the last several years were due to lost or stolen devices, and one in five were the result of hacking.
Because a compromised administrator account gives an attacker the keys to the kingdom, financial entities pay more attention to IT accounts than to business user accounts. These efforts have begun to pay off; almost half of the financial organizations in the survey (47%) say they have succeeded in gaining control over IT activity in the cloud, which is the highest number of all industries surveyed. However, only 19% of them have visibility into the activity of end users in the cloud, a serious gap they need to address.
How do organizations plan to improve cloud security?
Improving cloud security is tricky and requires involvement from parties across the organization. Overall, 76% of respondents plan to implement stricter security policies, such as establishing appropriate security rules and ensuring that all employees adhere to them.
76% of financial institutions plan to implement stricter security policies
For example, employees must be aware that they are not allowed to download files with confidential data to their personal devices or click on suspicious links in emails.
Unfortunately, updating security policies is no silver bullet for strengthening cloud security. One useful strategy to improve the security when dealing with cloud applications is to require multifactor authentication (MFA) for all users. MFA can be achieved using a combination of devices and identification tools like passwords, PINs and biometrics. Microsoft has this option pre-installed for Office 365 users. MFA can help protect the organization’s data if a malicious party steals an employee’s device, but it is not enough — hackers can beat more and more MFA options and get to sensitive data. And of course, MFA cannot guarantee that everybody in the organization follows the security policies.
Therefore, organizations need to continuously monitor user activity to make sure that all users follow the rules and detect malicious activity in time to prevent real damage. In particular, if an organization allows BYOD, they must make monitoring of employee activity a top priority. User behavior analysis (UBA) technology is very useful because it baselines the normal behavior patterns of users, spots anomalies and sends alerts to information security team so they can respond quickly. For example, if a user tries to access files that they don’t typically use, the UBA solution issues an alert.
Adopting cloud technologies offers significant benefits, but also puts additional responsibility on the organization to ensure security. I recommend the following best practices for gaining the benefits of the cloud while reducing security risks:
- Choose a reliable provider.
- Grant privileges to users according to least-privilege principle.
- Update access rights on a regular basis.
- Update passwords on a regular basis.
- Start your cloud migration with non-core business processes (for example, HR and accounting).
- Secure your endpoints.
- Implement strong security policies and make sure everyone adheres to them.
- Monitor user behavior in the cloud.