Cloud Computing And Cybersecurity Need Better Oversight Now – Forbes

(Photo Illustration by Budrul Chukrut/SOPA Images/LightRocket via Getty Images)

On Aug. 5, the Office of the Comptroller of the Currency (OCC) handed down a cease and desist order to Capital One for its failure to establish effective risk assessment and management processes before migrating its information technology operations to a cloud operating environment.

While we hear about data breaches on a nearly weekly basis, the Capital One incident is noteworthy because it involved the bank's migration to cloud computing, something that many banks are either in the process of doing, or will be doing in the near future.

The $80 million fine Capital One must pay to the US Treasury is pocket change for the bank.

The compliance actions the bank will be required to take will likely prove to be the bigger headache. The OCC's consent order requires Capital One to:

It's hard to believe, but bank executives' concerns regarding cybersecurity are declining (that isn't a typo).

According to Cornerstone Advisors' What's Going On in Banking studies, nearly half of bank executives put cybersecurity on their list of top three concerns for 2018. That percentage declined to 36% in 2019 and dropped even further to 21% in 2020.

Financial Institutions Citing Cybersecurity as a Top Three Concern

What's going on here?

Operational integration is lulling banks into a false sense of (cyber) security.

Cybersecurity policy is becoming business as usual for banks. As a result, bank execs are more confident today than they were three years ago that cybersecurity policies are well-designed and being well-executed.

It's a false sense of security, however, because banks have yet to feel the cybersecurity impact of cloud computing.

Three data points highlight the growth of cloud computing in banking:

As cloud computing within banking grows, the prevalence of cyber breaches for cloud services is growing significantly as well. According to a Verizon study:

Cloud assets were involved in about 24% of breaches this year. Cloud breaches involved an email or web application server 73% of the time, and 77% involved breached credentials.

A new report from Cornerstone Advisors, commissioned by DefenseStorm, "Cloud on the Horizon," identifies emerging cloud-related cybersecurity challenges facing banks, including:

1) Over-reliance on providers. There is an over-reliance on providers to complete cybersecurity checklists from banks during due diligence. "It would be pretty easy for them to dupe us," said one Chief Information Security Officer (CISO) interviewed for the report.

There is also over-reliance on just a few providers.

Richard Harmon, Managing Director at Cloudera, calls this "cloud concentration risk" and writes, "the consolidation of multiple organizations within one cloud service provider (CSP) presents a more attractive target for cybercriminals."

2) Reporting problems. Bank CISOs have discovered incorrect completion of due diligence cybersecurity requests for third-party risk management by the providers.

Transparency has become an issue, as well. CISOs reported a lack of willingness on the part of providers to show any of their security policies or audits.

One CISO mentioned that when his bank asked a provider for a SOC 2 report, the vendor produced Amazon Web Services' SOC 2. When the CISO questioned the vendor as to whether it had its own SOC 2, the provider was unaware it even needed one.

3) Technical limitations. Many cloud vendors have cybersecurity limitations. For example, they cannot IP-restrict or require multi-factor authentication for third parties. Configuration is a challenge, as well.

It's not just the vendors' fault. According to Bill Glasby, Chief Technology Officer of Heritage Bank, one issue around cloud security is operators' inability to configure the tools. "The problem is that it's all home-brew today."
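To make the "IP-restrict or require multi-factor authentication for third parties" point concrete, here is an added example (not from the report, the article, or any vendor named in it) of an AWS IAM policy fragment a bank could attach to a role used by a third-party integration. It assumes the AWS policy language; the address range 198.51.100.0/24 is a documentation placeholder standing in for the vendor's approved egress range. Because JSON allows no comments, the Sid fields carry the labels.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyWhenNoMfa",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "ExampleDenyOutsidePlaceholderVendorRange",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": ["198.51.100.0/24"] }
      }
    }
  ]
}
```

The two conditions sit in separate Deny statements on purpose: conditions inside one statement are ANDed, so a single statement combining them would only deny a caller who is both unauthenticated by MFA and off-network. An explicit Deny also overrides any Allow the vendor's integration role otherwise receives, which is the property a bank wants when it cannot rely on the provider to enforce either control on its side. Two caveats a practitioner would check before relying on this: aws:SourceIp does not reflect the original caller when a request arrives through a VPC endpoint or is made by another AWS service on the caller's behalf, and aws:MultiFactorAuthPresent is only meaningful for sessions created with temporary credentials rather than long-lived access keys.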

Banks' migration to the cloud will necessitate changes to how they govern IT from three perspectives:

1) Contractual. Migrating to the cloud requires switching from traditional security testing to a contract-based model for security testing. Banks can't move to the cloud without attending to the contractual clauses with their service providers. In particular, banks should negotiate the reversibility clause with their cloud providers.

One problem, however, according to a CIO interviewed by Cornerstone, is that many cloud providers don't even know what should be written in a reversibility clause.

2) Organizational. Business departments and lines of business end-running IT and buying cloud solutions directly from cloud providers will become more prevalent with a migration to the cloud. IT will have to reinforce its governance policies and procedures in order to minimize the risks created by solutions implemented by the different business departments.

3) Strategic. Business departments want flexibility and innovation. However, migrating to cloud services typically involves a shift from highly customized to mostly standardized services. This can cause friction between IT and the business, friction that must be resolved with strategic clarity and direction.

To handle the coming wave of cloud-related cybersecurity issues, Cornerstone and DefenseStorm recommend that banks:

For a complimentary copy of the Cloud On The Horizon report click here. To register for the Cloud On The Horizon webinar on August 20 at 2:00pm ET click here.
