Should financial services be reticent to the cloud?

By Jay Turner, vice-president, development and operations at Console Connect.

In recent years, a wave of data breaches and leaks has hit businesses in the financial sector. A report from the NCSC found that 39% of UK-based businesses had suffered a cybersecurity breach or attack in the previous 12 months.

It’s no surprise that UK financial regulators are preparing to step up their scrutiny of cloud computing providers, amid growing fears that an outage or hack of their services could severely disrupt a banking system increasingly reliant on them. Regardless of the security processes adopted, a system that must be reached over an external network carries an attack surface that a system confined to the premises does not.

At the bare minimum, businesses require external remote access to function – whether over the public internet protected by TLS, through an encrypted VPN tunnel, or over dedicated connections to their cloud provider of choice.

The traffic must leave the virtual walls of the enterprise, and that brings with it a larger attack surface. There are very few companies, especially in the financial industry, that are completely confined to walls they exclusively control. This need to “leave the premises” is therefore not unique to cloud computing.

Many of the advantages of cloud computing are available through private cloud infrastructure, for which there is a large market, especially among security-sensitive industries. While these private solutions do not offer the holy grail of infinite computing resources at the push of a button, and require significant investment in maintenance and operation, they provide the flexibility that many businesses crave.

Rectifying security woes

Moving workloads to the cloud does not alleviate insecure practices. If an enterprise has a poor security posture, moving workloads to the cloud will simply magnify those deficiencies, making the enterprise an even bigger target for attack.

At the same time, many of these security failures are masked by being inside the virtual walls. Take, for example, a machine in a server room that cannot be reached remotely. Even if the root password for this machine is “password”, the machine is protected by its isolation rather than by its credentials: it is not accessible from the network and it is physically located in an access-controlled environment.

Moving that to the cloud, however, means anyone who can reach the machine over the network will likely gain remote access as well, since “password” is one of the first guesses any attacker or automated scanner will make.

The same template can be applied to a myriad of security shortcomings. A weakness that is shielded only by network isolation inside the enterprise’s own environment will be wide open once the workload is moved to the cloud.
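As an added example (not part of the original article), the following Python script shows what the “password” scenario above looks like from the defender’s side once the host is reachable: it reads sshd authentication lines, flags a source address that fails password authentication repeatedly within a short window, and escalates when that same address then succeeds with a password, which is the moment the weak credential has actually been exploited. The log lines are constructed for the example, and the threshold, window and year are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd entries in the shape of a syslog-style auth.log (not from a real host).
SAMPLE_LOG = """\
Mar  3 10:14:01 app01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:14:03 app01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:14:05 app01 sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:14:06 app01 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51034 ssh2
Mar  3 10:14:08 app01 sshd[2107]: Failed password for root from 203.0.113.7 port 51040 ssh2
Mar  3 10:14:09 app01 sshd[2109]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Mar  3 10:20:00 app01 sshd[2200]: Failed password for alice from 198.51.100.12 port 40010 ssh2
Mar  3 10:20:30 app01 sshd[2201]: Accepted publickey for alice from 198.51.100.12 port 40011 ssh2
Mar  3 10:21:00 app01 sshd[2202]: Connection closed by 198.51.100.12 port 40011 [preauth]
"""

# Matches only authentication outcomes; other sshd chatter is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd line; return None for lines that are not auth results.
    Classic syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_guessing(log_text, threshold=5, window_seconds=60):
    """Per source IP: count password failures, find the densest burst inside a sliding
    window, flag brute force when that burst reaches the threshold, and flag a likely
    compromise when the same IP later gets an 'Accepted password' login."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed" and e["method"] == "password"]
        # Sliding window over the sorted failures: largest count within window_seconds.
        burst, start = 0, 0
        for i, e in enumerate(failures):
            while (e["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, i - start + 1)
        brute_force = burst >= threshold
        first_fail = failures[0]["ts"] if failures else None
        # A password success from an address that was guessing is the actual compromise.
        compromised = brute_force and any(
            e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= first_fail
            for e in evs)
        findings[ip] = {
            "failures": len(failures),
            "burst": burst,
            "users": sorted({e["user"] for e in failures}),
            "brute_force": brute_force,
            "likely_compromise": compromised,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_guessing(SAMPLE_LOG).items():
        flag = "COMPROMISE" if f["likely_compromise"] else ("BRUTE FORCE" if f["brute_force"] else "ok")
        print(f"{ip:16} failures={f['failures']} burst={f['burst']} users={f['users']} {flag}")
```

Run against a real auth.log the only change needed is the year and, in practice, a lower threshold for an internet-facing host. Note that the key-based login from the second address is deliberately not counted: the script is looking for guessed passwords, not logins as such.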

There is precious little action a cloud service provider can take in these scenarios.

Certainly, they can put forward best practice guidance, help customers with implementations, and highlight potential threats, but ultimately the enterprise is fully in the driver’s seat with respect to their own security posture and adherence.

Beyond the remote access perspective, there are several security concerns with moving workloads to multi-tenant infrastructure, hence the uptake of private cloud deployments. One is forced to rely upon the security of the virtual machine (VM) itself as well as the underlying hypervisor, and these components are extremely complex, ever-changing and, because of what they protect, an attractive target. Gaining unauthorized access to a hypervisor, for instance through a VM escape, is equivalent to holding the keys to the kingdom: the attacker can move freely between all the virtual machines hosted on that hypervisor and will then likely be able to move laterally to other hosts.

This exposure accounts for a fair bit of the hesitancy witnessed in the industry about moving to the cloud. Many enterprises view these risks as simply too great because of the unknown of how various tactics could be used against their business. And remember, one’s own security posture is not the end of the story where multi-tenant access is concerned. You are relying on your “neighbor” to hold the same values, which is all the more frustrating and unpredictable given that you have no idea who else is on the same hardware and might be the weak link in the chain.

The other concern for financial service organizations is around the reliability of the cloud. These large public clouds are themselves incredibly complex. Even under the best of circumstances their internal operations are going to fail from time to time.

Should an enterprise’s own network administrator botch a Border Gateway Protocol (BGP) update, the business might lose access to a remote office for minutes or maybe an hour while its own staff correct the error. When the equivalent mistake happens inside a cloud provider, the enterprise is powerless to fix it and is typically left in the dark even about how to mitigate the damage. While some large enterprises have the technical talent and financial pressure to deploy shadow infrastructure to serve as disaster recovery, such plans can age, and an untested failover has a high potential of doing more damage to the enterprise than the outage itself.

Overcoming reticence

Some of these security challenges will slow cloud adoption across financial services, and maybe rightfully so. In some cases, enterprises cannot even perform a proper impact assessment or risk analysis because many of the necessary variables are unknown (i.e., what does one put down for the likelihood of a hyperscale cloud provider’s region going down again for an hour? Two hours? Four hours?).

However, the financial services sector sees huge potential for cloud technology to make their systems faster, more agile and responsive to the needs of customers. Consumer banks, for instance, can develop cloud-based tools to quickly introduce new features in mobile banking apps or detect fraud. Lenders can use the cloud to process loan applications and analyze underwriting decisions for everything from mortgages to corporate borrowing. The possibilities are endless.

Since its inception, the cloud industry has matured to a point whereby businesses are no longer utilizing the benefits of one cloud, but many. As such, businesses have shifted towards a hybrid or multi-cloud model.

The move to a hybrid or multi-cloud environment has prompted many businesses to reassess their networking model. In particular, there has been a conscious move away from accessing the cloud via the public internet – which although convenient and affordable, does not meet the stringent requirements around security and performance.

To meet these requirements, organizations are increasingly turning to private connectivity options such as MPLS, VPLS and dedicated Ethernet links, especially for the more mission-critical cloud apps. The downside of these connectivity types, at least historically, is that they have had slow and unwieldy deployment and management processes that fail to keep pace with modern business.

This is where a Network-as-a-Service (NaaS) platform could add real value to a financial services provider’s cloud environment. A NaaS platform can improve the security posture of a financial services provider by letting it provision a private, dedicated connection to the cloud on demand rather than through a lengthy circuit order.

Through these direct connections, an organization has a more secure path to the cloud that avoids the public internet and delivers a more reliable and consistent network performance for those important applications and services. It is a particularly good fit for organizations with any latency-sensitive workloads.
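A private link only delivers the benefit described above if the cloud traffic actually uses it. As an added example that is not from the article or from Console Connect, here is a check a network engineer can run on a host that has both a dedicated cloud link and an internet default route: it parses the routing table, resolves each cloud prefix by longest-prefix match the way the kernel does, and reports any part of a cloud prefix that would leave via something other than the private interface, including the case where a more-specific route silently diverts a slice of the prefix to the public side. The route table, cloud prefixes and interface names are constructed assumptions.

```python
import ipaddress

# Constructed routing table in the shape of Linux `ip route` output (not from a real host).
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0
10.50.0.0/16 dev eth1 proto kernel scope link
198.51.100.0/24 via 10.50.0.1 dev eth1 proto static
198.51.100.64/26 via 192.0.2.1 dev eth0
203.0.113.0/24 via 10.50.0.1 dev eth1 proto static
"""

# Prefixes the cloud provider is assumed to advertise over the dedicated link (constructed).
CLOUD_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.128/25"]
PRIVATE_IFACE = "eth1"  # assumed: the interface that terminates the dedicated connection


def parse_routes(text):
    """Turn `ip route` lines into (destination network, outgoing interface) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = (ipaddress.ip_network("0.0.0.0/0") if parts[0] == "default"
               else ipaddress.ip_network(parts[0], strict=False))
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((dst, dev))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the route the kernel would actually use for addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for dst, dev in routes:
        if addr in dst and (best is None or dst.prefixlen > best[0].prefixlen):
            best = (dst, dev)
    return best


def probe_addresses(net, routes):
    """Addresses that together exercise every distinct forwarding decision inside net:
    both ends of net itself, plus both ends of each more-specific route and the
    addresses immediately outside it (when still within net). Every contiguous run
    of addresses sharing one best route starts at one of these points."""
    probes = {net.network_address, net.broadcast_address}
    for dst, _ in routes:
        if dst.subnet_of(net) and dst != net:
            for a in (dst.network_address, dst.broadcast_address,
                      dst.network_address - 1, dst.broadcast_address + 1):
                if a in net:
                    probes.add(a)
    return sorted(probes)


def audit_private_path(route_text, cloud_prefixes, private_iface):
    """Return, per cloud prefix, the routes that would carry part of it somewhere other
    than the private interface. An empty list means the whole prefix stays on the
    dedicated link; a match on 0.0.0.0/0 means it falls through to the internet default."""
    routes = parse_routes(route_text)
    findings = {}
    for p in cloud_prefixes:
        net = ipaddress.ip_network(p)
        leaks = set()
        for addr in probe_addresses(net, routes):
            match = lookup(routes, addr)
            if match is None or match[1] != private_iface:
                leaks.add((str(match[0]) if match else "no route",
                           match[1] if match else None))
        findings[p] = sorted(leaks)
    return findings


if __name__ == "__main__":
    for prefix, leaks in audit_private_path(SAMPLE_ROUTES, CLOUD_PREFIXES, PRIVATE_IFACE).items():
        status = ("OK on " + PRIVATE_IFACE if not leaks
                  else "LEAKS via " + ", ".join(f"{r} ({d})" for r, d in leaks))
        print(f"{prefix:20} {status}")
```

On a live host the text of `ip route` (or the equivalent from the router facing the interconnect) is fed in place of the constructed table. The interesting result in the sample is the first prefix: it has a correct route over the private link, but a stray /26 sends a quarter of it out of the internet interface, which a check that only looked up the prefix’s first address would miss.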

Implemented alongside some best security practices, NaaS could play a role in bringing the financial services sector closer to the cloud.
