Rise of cloud services has credit unions on edge
Credit unions have a lot of angst about moving data into the cloud but they may be utilizing this technology more than they realize.
Financial services is increasingly a data-driven business, and it’s expensive to set up data centers and store information on hard drives. In recent years, more businesses have contracted with cloud storage service companies to host their data.
However, that has brought about a new type of risk. Three providers — Amazon Web Services, Microsoft Azure and Google Cloud — dominate the market. Credit unions must carefully vet potential providers to ensure that their data is being properly secured.
“Most organizations, particularly financial institutions, are using more cloud services than they realize because many vendors are transmitting data through the cloud,” said Doug Brush, vice president of cybersecurity solutions at Special Counsel, a legal consulting firm.
Credit unions face several cybersecurity challenges in the cloud, said Alissa Knight, senior analyst for Aite Group: working out how to implement micro-segmentation so that workloads do not all sit on a single flat network where they can all talk to one another; handling patch and vulnerability management in a shared-responsibility model; and implementing data loss prevention solutions in cloud workloads. When something goes wrong, they have to perform digital forensics on compromised workloads, she said.
“Monolithic applications are moving to microservices and an API-first world,” Knight said, explaining that application programming interfaces (APIs) make features or data available to API consumers who are authenticated and authorized to access those features or data. “Think of APIs as like the electrical socket in your home. You can connect a blow dryer, iPhone, KitchenAid mixer to it – it doesn’t care. Nor does the back-end electricity provider. APIs simply provide data from the back end and it doesn’t matter if it’s a web app, mobile app – it can be anything.”
Companies such as Amazon and Microsoft do a lot to protect the data they store but “they are not going to do it all,” Brush said. Capital One’s data breach, which exposed the information of more than 100 million accounts and credit card applicants earlier this year, is an example of potential security issues. A former employee of Amazon Web Services, the cloud hosting service Capital One was using, is accused of exploiting an issue with the web application firewall to access the information.
“Organizations still have to consider regular testing, proper identity and access management – making sure those are configured correctly,” Brush said. “Systems need to be tested regularly to make sure someone cannot do [a similar exploitation]. It was a misconfiguration that could have happened to anyone, but after it happened people piled on cloud services. Fundamentally, Amazon said it did everything it could, but it is up to the credit union to do regular security testing.”
Sherry Wu, vice president of IT for the $942 million-asset University of Michigan Credit Union in Ann Arbor, Mich., said from the perspective of her credit union, and the small sample of people she speaks with, the risk is higher for financial institutions than other types of companies because the industry is responsible for financial information.
There is a long list of questions CUs must ask to fully understand how a cloud services company handles security, including the type of data that will be stored in the cloud, where in the cloud the information will be held and whether the company’s data center is in the United States.
“The storage of member data is much more of a concern than general data,” Wu said. “If all of the storage locations are in the U.S., that would be fine, but you don’t want one location in the U.S. and another international. Different countries have different regulations regarding data security. We know how U.S. companies handle data, but we don’t know how other countries do.”
It is also important to find out how the cloud service company will address regulatory requirements for encryption and who has access to the data per the company’s controls.
Cloud security best practices
Brush said that, for the most part, decisions on CUs using cloud services will be made on an individual basis and according to state and national regulations. He recommended CUs carefully review issues of data ownership and control, and compare the contracts of one cloud provider against another.
“Be sure to ask what the rules of engagement are when moving from one provider to another,” he said. “When you move, you get charged on the way out, and there are access management considerations that take a lot of effort.”
Aite Group’s Knight suggested CUs need to perform static and dynamic code analysis of their applications running with their cloud service providers, and to ensure those companies perform regular penetration testing. She said API security gateways should be used to interdict and inspect traffic going to and from API servers.
“Additionally, credit unions should be removing legacy antivirus solutions and instead relying on newer technologies for endpoint security in the cloud, such as endpoint detection and response solutions that leverage machine learning,” Knight said.
Wu said University of Michigan CU continues to evaluate cloud services on a case-by-case basis, determining whether a particular service makes sense.
“We look at how data is stored and accessed. We believe in using a mixture of holding data on the premises and in the cloud,” she said. “Make sure the cloud service company complies with your credit union’s data security requirements, and review the disaster recovery procedures for the cloud services company.”