Eduard Meelhuysen, Head of EMEA, Bitglass
The benefits of cloud computing are now widely documented, but while some industries have leapt at the chance to migrate to cloud based services, the banking and finance sector has been relatively conservative, and for good reason. The stringent security and compliance regulations that govern this industry make the adoption of new technology a tricky business. Anything new must undergo extensive testing before implementation and wherever data security is concerned, the need to tread with caution is exceptionally high.
The risks involved in banking data security are enough to keep any CISO awake at night. But as security technology continues to evolve, a growing number of highly secure solutions are becoming available that can bridge the gap between the benefits of cloud services and the security and compliance concerns that go with it.
An effective cloud security solution for the financial services sector will need to take into account a range of specific use cases and needs. One emerging solution is a Cloud Access Security Broker (CASB), a software tool that sits between the cloud and all endpoints, mediating data access between the two. Crucially, a CASB allows an organisation to extend its security policy beyond its own infrastructure, making it ideally suited to banking and financial institutions looking to capitalise on the benefits of the cloud.
Unmanaged device access control
With on-premises applications, it’s relatively easy to limit access to certain data sets or resources to only authorised, managed devices. However, public cloud applications such as Office 365 and Salesforce are available from anywhere and on any device, making it much more difficult to maintain the same high levels of control outside the organisation’s four walls. A CASB can alleviate this problem by strictly controlling access to data from unmanaged devices based on customisable standards.
When a user attempts to access a protected application, the CASB can quickly determine whether the device is managed or unmanaged. For unmanaged devices, a policy can be configured that allows for certain types of restricted web access, but blocks more sensitive access, such as from file sharing clients like OneDrive. This kind of configuration allows an organisation to remain relatively flexible for its employees, whilst protecting sensitive data and IP from being copied to unauthorised or unmanaged devices that aren’t as easily monitored by Data Loss Prevention (DLP) technology.
External sharing controls
File sync and share apps can be a great productivity boon, and if you’re a Google Apps or Office 365 customer, chances are you have large amounts of “free” storage “included” in your enterprise license. That said, fear of the share button holds many financial services firms back from using these applications. A CASB can allow you to scan data-at-rest in these applications, looking for any sensitive information. From there, a number of response actions are possible including quarantine for investigation, share removal and encryption. This gives you the ability to allow employees to share data, but without the risk of data leakage.
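The scan-and-respond flow above, as an added example that is not part of the original article or any vendor's product: it walks a constructed set of files at rest, looks for payment card numbers (validated with the Luhn check to avoid flagging random digit runs), and maps each hit to one of the response actions the text names. The file records and their contents are assumptions constructed for the example.

```python
import re

# Constructed sample of files as a CASB might index them at rest in a
# file-sync app: name, whether an external share link exists, and contents.
SAMPLE_FILES = [
    {"name": "q3-forecast.xlsx", "shared_externally": False,
     "text": "Revenue forecast; questions to ext 4433"},
    {"name": "card-export.csv", "shared_externally": True,
     "text": "name,pan\nA Smith,4111 1111 1111 1111\nB Jones,5500-0000-0000-0004"},
    {"name": "refund-list.docx", "shared_externally": False,
     "text": "Refund to card 4111-1111-1111-1111 approved"},
    {"name": "notes.txt", "shared_externally": True,
     "text": "order ref 1234 5678 9012 3456"},  # digit run that fails Luhn
]

# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; cuts false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the normalised card numbers found in text that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def decide_action(file: dict) -> str:
    """Map a scan result to a CASB response action."""
    if not find_pans(file["text"]):
        return "allow"
    if file["shared_externally"]:
        return "remove_share_and_quarantine"   # stop the leak, hold for review
    return "encrypt"                           # sensitive but internal: encrypt at rest


def scan(files: list) -> dict:
    return {f["name"]: decide_action(f) for f in files}
```

A production scanner would add further detectors (account numbers, sort codes, identity documents) alongside the card-number check, but the decision logic stays the same.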
Leading CASB solutions have integrated identity and access management functionality directly within the platform. In addition to limiting the hassle and expense of dealing with a separate vendor, integrated identity can provide value-added functionality such as step-up authentication when suspicious activity is detected. Since phishing and credential compromise continue to be the main attack vectors in the majority of high profile data breaches around the world, the ability to thwart this activity can be worth millions.
For example, if a user logs into Office 365 from London and five minutes later, someone logs into Salesforce with that same user’s credentials from somewhere in Eastern Europe, or from a malicious IP address, a CASB can not only detect this suspicious activity across these disparate cloud apps, but it can take action – forcing multifactor authentication on both devices mid-session.
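The cross-app correlation described in the example above, as added illustrative code that is not from the original article or any vendor: it orders login events from different cloud apps by time, computes the great-circle distance between a user's consecutive logins, flags a pair whose implied speed is impossible, checks each source IP against a blocklist, and names both sessions that should receive a step-up MFA challenge. The login records, the blocklist and the speed threshold are assumptions constructed for the example.

```python
import math
from datetime import datetime

# Constructed sample of logins a CASB sees across two cloud apps:
# (user, app, UTC timestamp, source IP, latitude, longitude)
SAMPLE_LOGINS = [
    ("alice", "office365",  "2024-01-10T09:00:00", "203.0.113.10", 51.51, -0.13),  # London
    ("alice", "salesforce", "2024-01-10T09:05:00", "198.51.100.7", 50.45, 30.52),  # Kyiv
    ("bob",   "office365",  "2024-01-10T09:00:00", "203.0.113.11", 51.51, -0.13),  # London
    ("bob",   "salesforce", "2024-01-10T13:00:00", "203.0.113.12", 48.86,  2.35),  # Paris
    ("carol", "office365",  "2024-01-10T10:00:00", "192.0.2.99",   51.51, -0.13),
]
MALICIOUS_IPS = {"192.0.2.99"}   # constructed stand-in for a threat-intel feed
MAX_SPEED_KMH = 900.0            # above airliner speed: travel is impossible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(logins):
    """Correlate logins per user across apps. Returns (user, reason, sessions)
    findings, where sessions are the (app, ip) pairs to challenge with MFA."""
    findings, last = [], {}
    for user, app, ts, ip, lat, lon in sorted(logins, key=lambda e: e[2]):
        if ip in MALICIOUS_IPS:
            findings.append((user, "malicious_ip", [(app, ip)]))
        if user in last:
            p_app, p_ts, p_ip, p_lat, p_lon = last[user]
            hours = (datetime.fromisoformat(ts) - datetime.fromisoformat(p_ts)).total_seconds() / 3600
            km = haversine_km(p_lat, p_lon, lat, lon)
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > MAX_SPEED_KMH:
                # challenge both sessions, not just the newest one
                findings.append((user, "impossible_travel", [(p_app, p_ip), (app, ip)]))
        last[user] = (app, ts, ip, lat, lon)
    return findings
```

Bob's London-to-Paris logins four hours apart stay below the threshold and produce no finding, which is the false-positive case a geolocation rule must tolerate.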
While access controls and granular DLP can limit the risk of data leakage, full-strength cloud encryption adds another layer of security, often necessary for compliance as organisations deploy public cloud apps. Data-at-rest encryption solutions take many forms: some are full-strength and preserve app functionality, others are more limited in scope or function. Whether an organisation needs field- or file-level encryption, all want control over data, control over encryption keys, and an unchanged experience for end-users.
With FCA compliance requirements, detailed, audit-level logging is a must-have for UK financial organisations. CASBs can provide this alongside a much larger set of visibility functions such as activity dashboards, alerts and user behaviour analytics, which can help keep sensitive data secure.
For example, if a user’s personal mobile device is lost or stolen, a CASB dashboard can be used to identify exactly which files are resident on the device in question and whether those files contain sensitive data. The leading CASB solutions now also have the functionality to selectively wipe that data off the stolen device, even if it never had an MDM software agent or other management software installed on it.
Banking on SaaS security
The banking and finance industry has a reputation for being conservative when it comes to new technology, but given the nature of the data and information it must protect, this shouldn’t be seen as a negative thing. Whilst the strengths of the cloud are becoming harder to ignore, data security must be prioritised. However, the emergence of solutions such as CASBs is creating an ideal middle ground, marrying the convenience and flexibility of cloud services with the security, compliance and data protection needs of banking and finance businesses.