Data security is a key issue for financial services leaders as they consider strategies to accelerate or escalate cloud adoption. We find they share a hesitancy to store and manage data using a relatively new, evolving technology. Risk-aversion is perfectly natural in heavily regulated industries, but this blog considers how cloud best practice can alleviate concerns.
Cloud Security Concerns
According to a study by cloud security specialist Barracuda, more than half (51%) of IT and data security professionals have difficulty managing privacy and data protection regulations in a cloud environment. The survey also suggests that as organisations employ more cloud services and software as a service (SaaS) applications, the level of visibility on where data is stored drops significantly.
Findings like this are a serious concern for financial services organisations. Yet the opportunities and benefits of cloud adoption are too great to be ignored.
In recognition of the challenges, Azure and AWS have published specific guidance on architectural approaches for the financial services industry. They both show how to go beyond general best practice to satisfy stringent financial services industry demands. This blogpost explores some of the guidance from AWS.
Well-Architected Financial Services
IT security risks come from within the organisation as well as outside it. Employee error or negligence can pose a significant threat, not to mention the damage that can be inflicted by malicious insiders. Whether data is stored in the cloud or on-premise, technical solutions must go hand-in-hand with operational measures.
For financial services organisations, least-privileged access or a ‘zero trust’ philosophy is a good starting point. AWS also advocates four principles to underpin the design of cloud-based architectures for financial services workloads:
- Documented operational planning
- Automated infrastructure and application deployment
- Security by design
- Automated governance
Automating infrastructure, application deployment, and governance is perhaps daunting for organisations that are new to the cloud. However, it enables security to advance to a higher level than can ever be achieved on-premise. By minimising human involvement, it significantly reduces risk of error and improves consistency. It also allows quicker execution and scaling of security, compliance, and governance activities.
Financial services organisations undergoing largescale migration would be well advised to refactor workloads for the new environment. This provides a valuable opportunity to introduce automation alongside security by design approaches. The additional upfront investment will go a long way towards addressing security concerns in the cloud.
As well as outlining general principles for the good design of financial services workloads, AWS illustrates six common scenarios that influence design and architecture. These include financial data, regulatory reporting, AI and machine learning, grid computing, open banking, and user engagement. The list is not meant to be exhaustive, but an additional scenario that is regularly encountered relates to network connectivity. Read on to find out how Sourced handled a financial data scenario for a customer that specialises in employee pay processes.
Customer Spotlight: Financial Data in Cloud-based Workloads
According to AWS guidance, any financial data architecture should exhibit three common characteristics:
- Strict requirements around user entitlements and data redistribution.
- Low latency requirements that change depending on how the market data is used (for example, trade decision vs. post trade analytics), and can vary from seconds to sub-millisecond.
- Reliable network connectivity for market data providers and exchanges.
But how are they upheld during mandatory audits, especially when it comes to user entitlement and data redistribution? This was the challenge facing one of our customers as it prepared for largescale cloud migration. An internal firewall appliance solution needed to meet the auditing requirements of regulatory bodies without compromising security standards.
Sourced’s solution involved the CloudGuard platform from cybersecurity specialist Check Point, enabling traffic to be scanned securely in a way that met regulatory stipulations. We also suggested modernising the security set-up to make the important transition from a ‘pet’ to a ‘cattle’ mindset. This paved the way for a more automated approach firmly aligned with security by design principles as well as allowing the customer to build out scalable groups behind the scenes.
The approach is rooted in the assumption that failure is inevitable, looking to minimise the damage that occurs when it happens. In this way, it supports both the ‘reliability’ and ‘security’ pillars of Well-Architected.
Additional security measures include the internal routing of traffic, which is especially beneficial for confidential information. Any traffic ingress and egress passes through the Check Point appliances, securing the data within the AWS network.Network engineers, security teams, and compliance auditors are given a centralised view and good visibility of the deployed AWS network. An additional benefit is that the Check Point appliance service works like any on-premises version. This reduces the need to re-skill teams to use a different technology stack and facilitates integration with existing management services.
Partner With Cloud Experts to Manage Risk
Cloud adoption presents risks and opportunities for any organisation, but the stakes are particularly high for the financial services industry. Ensuring cloud enhances data security, rather than hindering it, requires specialist expertise which many companies lack in-house. Sourced’s cloud consultants and engineers are on-hand to help. Find out more about our cloud security services here.
As a Lead Consultant with almost a decade’s experience in cloud, Colin has extensive knowledge of DevOps, IT Operations, and Cloud technologies. He is generous about sharing his expertise and is recognised as an AWS Certification Lead Subject Matter Expert, an AWS Community Builder, and an AWS Ambassador.
