Timely reminder about who bears responsibility for cloud security

Federal banking regulators' latest warning about cloud security seems to have stemmed from recent data breaches and the accelerated use of cloud computing by people working from home during the pandemic. The point was clear: If you use a cloud provider, you still have some responsibility for security.

The statement from the Federal Financial Institutions Examination Council reiterated existing recommendations that regulators have made to banks for years. There were no new rules issued. The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp., two agencies that are part of the FFIEC, declined to take questions about why they issued the reminder at this time.

One source of inspiration for the note may have been the Finastra ransomware case. When the core banking software vendor was attacked in March, the company took some of its servers offline while it investigated the incident. Some clients who used software in Finastra’s infrastructure or cloud were affected. Banks that ran Finastra software on their own servers were not affected.

The data breach that Capital One suffered in July may also still linger in the minds of some in Washington. In that incident, records of 106 million credit card applicants that were stored in Amazon Web Services — including names, addresses, credit scores and payment histories — were exposed by a former Amazon employee through a vulnerability in a firewall Capital One set up.

Another driver, surely, is the increased demand for cloud computing with so many banking employees working from home.

“There’s no doubt that the Finastra debacle has motivated this conversation on cloud,” said Steve Hunt, senior analyst at Aite Group. “It's also timely because COVID-19 has created a groundswell of renewed interest in expanding or accelerating expansion into the cloud. People are asking cloud questions even more. So it's a perfect storm.”

Shifting quickly to a remote work environment can be difficult for employees who need to have direct access to legacy systems at the main office.

“The cloud makes it much easier to expand secure connections to applications to lots and lots of people working remotely,” Hunt said. “That's what it's for.”

Working with cloud partners

For some time, the common wisdom has been that Amazon, Google and Microsoft have far greater security resources than any individual small company could possibly afford. They have invested many millions in top-notch security that a smaller company could only dream of buying. So putting data in a large cloud could be safer, from that point of view, than trying to protect the servers in the bank’s basement.

But recent incidents have shown a few fallacies with that argument. Though the large cloud providers have deep knowledge of, and have devoted considerable dollars and other resources to, cloud security, they do not necessarily focus on all the ins and outs of data security and privacy that banks have to be sure they are covering. And they cannot necessarily help with the handoffs from bank to cloud.

“If I misconfigure a piece of software or an operating system I put in an Amazon server room, Amazon might not even know about it,” Hunt said.

Paolo Montini, chief data officer and head of cyber risk management at LendingClub, said most data breaches today are caused by misconfigurations of some kind.

“You can think about the Capital One data breach, there was a misconfiguration of a firewall that allowed someone from the outside to get access,” he said. “And then once you have access, of course you can get ahold of customer data like credit card numbers and so forth.”

Bank regulators have long cautioned banks about cloud security and the dangers of working with third-party vendors.

“The regulations already make cloud services pretty scary to financial institutions, which is why you don't see banks using public cloud very often, and when they do, it’s just for very limited, low-risk applications,” Hunt said. “The high-risk, sensitive applications are deep in the fortress.”

To date, most banks have stuck with using private clouds — virtual servers with some cloudlike qualities like flexibility and scalability on their own premises — and hybrid clouds, where some technology is on-premise and some resides with a vendor. That gives them oversight and control, if not the price and scale advantages of going to a public cloud implementation.

But they are starting to creep into the public cloud. Some banks have signed up with new core providers, including Nymbus, Neocova, Finxact and Technisys, that offer cloud delivery of their software. (According to a Nymbus spokesperson, though the company's platform is cloud native and can run on a public cloud, most of its financial institution clients use private cloud deployments.) Older cloud-based systems, including those from Temenos, Infosys Finacle and Oracle, are also getting traction.

The need for audits

In its statement released Thursday, the FFIEC issued a stern warning about responsibility for cloud security.

“Management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud-computing environment,” the interagency group said. “The contractual agreement between the financial institution and the cloud service provider should define the service-level expectations and control responsibilities for both the financial institution and provider. Management may determine that there is a need for controls in addition to those a cloud-service provider contractually offers to maintain security consistent with the financial institution’s standards.”

In Hunt’s view, this may be a nod to the fact that it is nearly impossible for a bank's chief information security officer to do an audit or even have access to an audit of cloud providers’ facilities and equipment.

Traditional core banking software vendors like Fiserv, FIS and Jack Henry have bank clients in their facilities doing audits on a regular basis.

Cloud providers like Amazon, Microsoft and Google are said to be less amenable.

“I've heard that Google Cloud Services is the only public cloud provider that allows third-party audits,” Hunt said.

A spokesperson for Google Cloud said, "Google Cloud offers contractual commitments that are tailored to the financial services sector, and include audit rights for customers and regulators where required." She offered a link to a blog about Google Cloud compliance for financial services firms.

Amazon and Microsoft did not respond to a request for an interview by deadline.

There are cloud access security brokers like Netskope, Bitglass and McAfee that act as an intermediary and make sure cloud providers’ security requirements are enforced. Of course, this adds cost and complexity when often, the main point of going to the cloud is to save money and simplify.

The regulators were saying, “You can't just go by trust,” Hunt said. “Just because Amazon and Microsoft are reputable companies, you need to have oversight."