Moving the Financial Sector to Cloud – Adopting a DevSecOps Approach to Reduce the Risk of a Cybersecurity Storm?

  • Alex Hammond, Partner at Airwalk Reply

  • 29.07.2022 01:45 pm
  • #risk #cybersecurity

Despite previous hesitancy, financial service providers (FSPs) have begun their migration to the cloud and multi-cloud solutions. Hybrid working, which requires connectivity from anywhere, is the latest catalyst for this transition, but it’s been a long time coming.

Among its many benefits, cloud adoption delivers faster data accessibility and scalability with fewer overhead costs on tech infrastructure and hardware. It also makes it much easier to innovate services to adhere to regulatory requirements and, critically, to meet the desires of a new breed of digitally native customers. But there is still one big hurdle to its adoption – data security.

If not implemented and managed correctly, cloud usage can introduce a range of new security risks that can have serious implications for organisations, and these are multiplied further in a multi-cloud environment. ICO research shows that finance, insurance, and credit was the third most frequently targeted sector for cyber incidents in the UK (behind retail and manufacturing, and general business) – particularly concerning given the industry’s critical importance to the wider economy.

So, what is it about the shift to the cloud that increases the risk of a cyber-security breach? Three key factors, unique to a cloud environment, explain the challenge:

1. The need for constant vigilance and a DevSecOps approach

With on-premises deployments, cyber-security solutions are managed on owned servers and are tested and audited prior to launch. They require an initial investment and security checks, but they don’t require the high level of ongoing vigilance that the cloud does.

Risks on the cloud, however, change every day, and every device, from a connected computer to a connected fridge, is a potential cyber-attack point. It’s a moving beast that security teams must constantly monitor and address. Furthermore, cloud networks and IoT systems have produced a staggering proliferation of data, making the process of managing a network increasingly complex.

This creates the need for an ongoing process of incremental change, not a one-off exercise. Securing the cloud must become part of the development team’s daily cadence, which means a move not just to DevOps but to a DevSecOps model. This is a cultural shift that integrates security testing and protection throughout software development, deployment and operations. Engineers then become responsible for the security of what they build and possess the knowledge to fix things in the correct way. This will change attitudes as a zero-trust model of ‘authenticate everywhere, never trust, always authenticate’ becomes embedded in corporate culture. This approach of constant vigilance is a new way of thinking that also requires specialised expertise.

2. A shortage of talent

The UK is facing a major shortage of talent in cyber security, big data analytics and technical architecture. According to a recent DCMS report, the recruitment pool for cybersecurity professionals has a shortfall of 10,000 people a year, despite cybersecurity being the most sought-after tech skill in the UK.

Reliance on traditional security, risk management processes and auditing measures has resulted in a lack of cloud-skilled IT teams, as the trend has long been for IT and security support to be operationalised and executed by more junior (and often offshore) resources. With cloud security a growing concern, there is a lack of highly skilled, experienced, and cloud-knowledgeable resources to tackle these challenges. There is also a naive over-reliance on the cloud service providers (CSPs), such as AWS, Microsoft Azure or Google Cloud Platform, to take on this burden, but the use of cloud services doesn’t remove a company’s regulatory requirements to secure its own data.

3. Handing over security responsibilities to a CSP

Existing in a cloud ecosystem means participating in the shared responsibility model, as both CSPs and their customers have some degree of management over security in the cloud. Some IT teams mistakenly believe that when a bank uses a CSP, all its data security requirements are managed by the provider. However, banks are still required to ensure the security of their customers’ data and should be able to audit the security provisions of the companies that manage and control their data. To further complicate this, CSPs do not always make it easy for companies to access their security protocols – there is a culture of “there’s nothing to see here” which cannot be reconciled with the regulator's need for demonstrable security and control.
 

The silver lining

Every cloud does indeed have a silver lining, and for FSPs who can successfully navigate this digital transition, there are many:

Firstly, CSPs are constantly innovating, evolving, and maintaining their services, which takes the burden of investing in massive IT estates away from the banks. This allows cloud users to implement the best practices of modern policies, architecture, and operational processes built to the requirements of the most security-sensitive customers. Banks can then focus on what they do best: building and providing services for customers.

Also, the cloud offers a scalable solution. This is particularly useful in instances when regulations make actual demand difficult to predict. For example, when ‘Open Banking’ came into effect in 2018, it required banks to release their data in a secure, standardised form which could be shared more easily with other banking applications. There was no way to predict whether banks would need to share that data with 10 or 30,000 others, or whether their entire customer base would engage versus a handful of users, but banks partnering with CSPs could lean on their flexible computing capacity to scale and meet those demands.

Finally, and perhaps most importantly, cloud infrastructure is a key enabler for DevOps. It accelerates IT transformation, and with advanced tools and automation, banks can double down on their work to streamline and embed greater efficiencies that are truly transformative. Unless banks can shift technology estates to these new security paradigms, they will be left behind by the rapid pace of more agile start-ups and challenger banks.

With the cloud the destination for the majority of organisations, many of the existing challenges around security and talent will continue to be addressed by the CSPs. Think of it as a ‘safety in numbers’ approach. But banks must still invest in their own internal resources and/or find partners outside the CSPs to minimise their risks and maximise the returns on investment of a cloud approach.
