Will financial services move to the cloud? This question has been asked so many times it’s surprising the answer still surprises so many people. Beginning with the arrival of Shadow IT services, financial institutions have had a presence in the cloud for a long time. Today, more and more companies of all sizes are actively moving applications, data, and even infrastructure to the cloud.
Something which has changed over the years is the ability of security professionals to detect Shadow IT and hosted applications in use by the company. Made possible with the advent of next-gen firewalls and advanced content filters, this discovery has taken Information Security teams out of denial and into a proactive state. Security vendors have responded in kind, with an assortment of products and services designed to secure hosted data and applications. These, in turn, have paved the way even further for financial organizations to be able to relax policies around cloud implementations.
If unwanted Shadow IT was the start for financial organizations, simple applications came next, particularly those which did not require confidential data to be uploaded off-site. File sharing services, which actually improved security when compared to the email model, followed. New, niche applications began to be developed solely for the cloud and soon traditional software vendors began to offer hosted implementations with additional functionality not offered with on-premises counterparts. Combined with the proliferation of mobile computing, these changes have made it almost impossible for even the largest financials to ignore the paradigm shift which has overtaken the industry, and today some financial services companies are even considering full-scale infrastructure deployments to the cloud.
Institutions seeking to protect their data on the cloud have more than a few things to worry about. The most significant threat is unauthorized access, which for financial institutions often means breach of confidential information, fraudulent transactions and reputational fallout. Also of concern are service outages (including denial of service attacks), the ability to meet compliance and regulatory requirements, and a lack of clarity with regard to the burden of liability for data stored at a third party.
Identity verification is the first line of defense against unauthorized access. Inside the network, IT organizations have easy and readily available methods for authenticating users and the focus has largely been on keeping intruders out. The focus changes entirely for hosted applications, which are by definition exposed to myriad malicious actors. The traditional use of usernames and passwords does little, if anything, to protect company data. Passwords can be easily guessed, brute forced, or captured by a key logger or phishing website.
Multi-factor authentication greatly reduces the threat but doesn’t eliminate it, and biometric devices are not typically supported by hosted application vendors. Limiting access to company-owned assets is also an important factor for many financial institutions, which need to ensure that confidential data isn’t copied onto personal employee computers. The ability to record logins and logouts is also important to most financial institutions.
Identity federation offers a simple solution to most of these challenges. With federation, Information Security departments are able to manage access to hosted applications by leveraging existing authentication systems. Federation systems can be coupled with multi-factor authentication and biometrics at the source if needed, or they can also be implemented with single sign-on capabilities, eliminating the need for passwords altogether.
Federation from existing identity sources also allows Information Security teams to easily monitor access and integrate log data with SIEM systems or other security analysis tools, and federation systems can be adapted to prevent authorized access from unauthorized devices.
The risk behind service outages, vendor compliance, internal vendor breach, and apprehension about liability can best be mitigated through well-negotiated contracts and thorough research into the quality and capabilities of cloud vendors and service providers. Be assured that soon enough, vendors in the cloud will be better at security than the rest of us.
Editor’s Note: The opinions expressed in this guest author blog are solely those of the contributor, and do not necessarily reflect those of Centrify.