In addition to her work as a Distinguished VP Analyst with Gartner for Technical Professionals, Lydia Leong has been sharing her wealth of knowledge on cloud computing for well over a decade under her pen name CloudPundit. Lydia recently posted a blog [1], “Banks are accelerating their cloud journeys”, where she briefly touches on several key trends associated with banks and their use of public cloud infrastructure.
This blog highlights four key cloud security challenges that arise when banks move to the public cloud, and how a Security-as-Code architecture uniquely solves them at the speed and scale at which banks must innovate and operate.
Core Banking Is Going Cloud
There is mounting evidence that banks are migrating core banking systems to the public cloud as part of their continued efforts to transform and modernize digital banking services. Leading banks and financial institutions, including Wells Fargo, Morgan Stanley, and Capital One, have all made substantial commitments and investments in migrating core workloads to the public cloud.
However, traditional security architectures that financial firms have relied on for decades are not designed to secure modern cloud technologies, nor can they keep pace with modern DevOps practices that have become highly automated. Given that institutions carry a high burden for security and regulatory compliance, they must adopt an innovative approach that protects against the leading cause of cloud breaches and does so at the speed at which they must innovate and operate.
Security-as-Code is the practice of instantiating or expressing security and cloud control objectives in code to orchestrate their application and automate manual security and compliance processes at scale. It is the progression of applying modern technology to improve effectiveness and efficiencies in securing public cloud services. This way, financial firms can create, apply, manage, and audit cloud security controls in a manner that is consistent with how cloud services are increasingly being built and deployed.
Application Migration Is Accelerating
Banks and other financial firms are migrating a significant percentage of their existing applications to the public cloud. Application modernization and rearchitecting for cloud are major drivers behind the significant investments firms have made in agile DevOps practices. However, the volume and velocity at which cloud applications are now developed far exceed the capacity security teams can manage. As a result, there is a growing backlog of cloud applications in development, waiting on security validation before they can be deployed.
However, few tools exist that enable security teams to unblock this backlog and avoid the avalanche of exploitable misconfigurations and risks hiding within software-defined tooling like infrastructure-as-code. In fact, a recent study [2] found that only 4% of respondents are confident in their ability to spot cloud misconfigurations within infrastructure-as-code.
Firms need an “early-warning system” that empowers security teams to break the cloud application backlog and avoid the avalanche of hidden cloud security risks looming within development and delivery pipelines. Several capabilities are critical to effectively shifting cloud security left. These include the ability to push security controls into continuous delivery pipelines to ensure security requirements are implemented correctly and consistently by cloud application developers. Seamless integration within CI/CD and GitOps workflows, preserving the integrity of the developer experience, is also essential, as is automated inspection of complex infrastructure-as-code templates and plans to uncover hidden and dangerous security risks in seconds.
Banks Need Centralized and Decentralized Cloud Security Governance
According to Lydia, “Banks generally like the Gartner-style cloud center of excellence (CCOE) model where an enterprise architecture function provides cloud governance, brokerage, and transformation assistance. However, their CCOE model is likely to be federated to empower different business units or regions to take charge of their own destinies. And many banks are splitting off a separate cloud IT unit under a deputy CIO, which is effectively a self-contained organization with hundreds of people devoted to the cloud migration and transformation effort.”
This points to the fact that public cloud security and risk governance is very much a team sport. As banks shift security left, more groups and more people become involved. Security teams must arm application developers, cloud operators, and business leaders with the ability to self-service their respective cloud applications and services. This entails federating policy authorship to front-line experts to write contextual policies at the application level, automatically routing risks to the right owners, and empowering developers to remediate violations without security intervention, all while ensuring security teams have enterprise-wide visibility of remediation burndown and risk posture.
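As an added illustration of the two sections above (automated inspection of infrastructure-as-code plans inside the delivery pipeline, and federated policy authorship with risks routed to their owners), the following is example code written for this page; it is not Concourse Labs' product code and does not reflect how their platform is implemented. It assumes a Terraform plan exported with `terraform show -json` and uses a constructed plan, constructed rules, and constructed tag names (`owner`, `app`) throughout.

```python
"""
Added example (not Concourse Labs code): a pipeline gate that reads a
Terraform plan in `terraform show -json` format, evaluates a small
Security-as-Code rule library against the planned resource values, and
routes each finding to the owner named in the resource's tags. Enterprise
rules apply everywhere; a rule authored by an application team is scoped
to that application's `app` tag. Plan, rules and tag names are constructed.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List

# Constructed plan: the shape follows the `planned_values` section of
# `terraform show -json`, trimmed to the fields the rules read.
SAMPLE_PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.statements", "type": "aws_s3_bucket",
     "values": {"acl": "public-read",
                "tags": {"owner": "payments-team", "app": "payments"}}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 22, "to_port": 22,
                             "cidr_blocks": ["0.0.0.0/0"]}],
                "tags": {"owner": "platform-team", "app": "shared"}}},
    {"address": "aws_db_instance.ledger", "type": "aws_db_instance",
     "values": {"storage_encrypted": True, "multi_az": False,
                "tags": {"owner": "payments-team", "app": "payments"}}},
    {"address": "aws_db_instance.scratch", "type": "aws_db_instance",
     "values": {"storage_encrypted": False, "multi_az": False, "tags": {}}},
]}}})

@dataclass(frozen=True)
class Rule:
    rule_id: str
    resource_type: str
    violates: Callable[[dict], bool]   # True when the planned values break the rule
    message: str
    scope: str = "*"                   # "*" = enterprise-wide, else an `app` tag value
    author: str = "security"

@dataclass(frozen=True)
class Finding:
    rule_id: str
    address: str
    owner: str
    message: str

def public_acl(v: dict) -> bool:
    return v.get("acl") in ("public-read", "public-read-write")

def ssh_open_to_world(v: dict) -> bool:
    return any(r.get("from_port", 0) <= 22 <= r.get("to_port", 0)
               and "0.0.0.0/0" in r.get("cidr_blocks", [])
               for r in v.get("ingress", []))

def db_unencrypted(v: dict) -> bool:
    return not v.get("storage_encrypted", False)

def db_single_az(v: dict) -> bool:
    return not v.get("multi_az", False)

RULES: List[Rule] = [
    Rule("SEC-001", "aws_s3_bucket", public_acl, "bucket ACL grants public access"),
    Rule("SEC-002", "aws_security_group", ssh_open_to_world, "port 22 open to 0.0.0.0/0"),
    Rule("SEC-003", "aws_db_instance", db_unencrypted, "database storage not encrypted"),
    # Federated rule: authored by the payments team, applies only to their app.
    Rule("PAY-001", "aws_db_instance", db_single_az,
         "ledger databases must be multi-AZ", scope="payments", author="payments-team"),
]

def planned_resources(plan_json: str) -> Iterator[dict]:
    """Yield every planned resource, descending into child modules."""
    stack = [json.loads(plan_json).get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))

def evaluate(plan_json: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Apply each in-scope rule to each planned resource of the matching type."""
    findings: List[Finding] = []
    for res in planned_resources(plan_json):
        values = res.get("values") or {}
        tags = values.get("tags") or {}
        owner = tags.get("owner", "unowned")
        for rule in rules:
            in_scope = rule.scope == "*" or tags.get("app") == rule.scope
            if in_scope and res.get("type") == rule.resource_type and rule.violates(values):
                findings.append(Finding(rule.rule_id, res["address"], owner, rule.message))
    return findings

def route_by_owner(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings so each owner sees only their own remediation queue."""
    routed: Dict[str, List[Finding]] = {}
    for f in findings:
        routed.setdefault(f.owner, []).append(f)
    return routed

def pipeline_gate(plan_json: str) -> bool:
    """True when the plan may proceed to apply; False blocks the deploy stage."""
    return not evaluate(plan_json)

if __name__ == "__main__":
    for owner, items in route_by_owner(evaluate(SAMPLE_PLAN_JSON)).items():
        print(f"{owner}:")
        for f in items:
            print(f"  [{f.rule_id}] {f.address}: {f.message}")
    raise SystemExit(0 if pipeline_gate(SAMPLE_PLAN_JSON) else 1)
```

Run against the constructed plan, the gate fails with four findings: the public bucket and the single-AZ ledger database go to the payments team, the open bastion security group goes to the platform team, and the unencrypted untagged database lands in an "unowned" queue, which is itself a signal that tagging discipline needs attention. Security retains the full list while each team receives only its own.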
Banks Are Multi-Cloud
Whether growth came through acquisition, merger, or organically, banks, like most large enterprises, tend to use more than one cloud service provider. This strategy is typically pursued for reasons that have less to do with resiliency and more to do with the different technologies and services each provider offers. However, the multiplicity of services, technology stacks, and terminology increases the complexity, and therefore the risk, associated with securing multi-cloud workloads and data.
Banks can improve multi-cloud security efficiency and effectiveness with a single comprehensive solution that unifies all multi-cloud assets and their associated risks and governs them with a universal library of policies and a common, robust set of access controls. When using multiple clouds, firms must ensure they are consistently enforcing the same security controls across vastly different environments.
Having a single policy architecture, a common set of policies, and access to cloud service properties in each provider’s native type language are essential for eliminating uncertainty in policy definition and evaluation and for keeping pace with new cloud services as they are released. Finally, to prove multi-cloud compliance to auditors, firms will need a single source of truth and a system of record for all multi-cloud policies, covering their full lifecycles.
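To make the multi-cloud points above concrete (one policy library, evaluation against each provider's native properties, and a system of record for audit), here is an added example written for this page; it is not Concourse Labs' code. The inventory is constructed, the property names are assumed to follow the providers' Terraform resource schemas, and a provider for which a policy has no binding is reported as a coverage gap rather than silently passed.

```python
"""
Added example (not Concourse Labs code): one policy library evaluated over
assets from several providers. Each policy states its intent once and carries
a per-provider binding that reads that provider's own property names. Every
evaluation yields an audit record carrying the policy version, so the same
policy can be shown to an auditor for every cloud. Inventory is constructed
and property names are assumed to match the providers' Terraform schemas.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

Predicate = Callable[[dict], bool]

# Constructed multi-cloud inventory, expressed in each provider's native terms.
INVENTORY = [
    {"provider": "aws", "kind": "aws_s3_bucket", "id": "arn:aws:s3:::bank-statements",
     "props": {"acl": "public-read", "server_side_encryption_configuration": None}},
    {"provider": "azure", "kind": "azurerm_storage_account", "id": "stbankstatements",
     "props": {"allow_blob_public_access": False,
               "infrastructure_encryption_enabled": True}},
    {"provider": "gcp", "kind": "google_storage_bucket", "id": "bank-statements-eu",
     "props": {"uniform_bucket_level_access": True}},
]

@dataclass(frozen=True)
class Policy:
    policy_id: str
    version: str
    intent: str
    # provider -> (native resource kind, predicate returning True when compliant)
    bindings: Dict[str, Tuple[str, Predicate]]

@dataclass(frozen=True)
class AuditRecord:
    evaluated_at: str
    policy_id: str
    policy_version: str
    provider: str
    asset_id: str
    result: str   # "compliant" | "noncompliant" | "unbound"

# The single policy library: intent once, provider-native evaluation per cloud.
POLICIES: List[Policy] = [
    Policy("STOR-PUBLIC", "1.2", "Object storage must not be publicly readable", {
        "aws": ("aws_s3_bucket", lambda p: p.get("acl", "private") == "private"),
        "azure": ("azurerm_storage_account",
                  lambda p: p.get("allow_blob_public_access") is False),
    }),
    Policy("STOR-ENCRYPT", "1.0", "Object storage must be encrypted at rest", {
        "aws": ("aws_s3_bucket",
                lambda p: bool(p.get("server_side_encryption_configuration"))),
        "azure": ("azurerm_storage_account",
                  lambda p: p.get("infrastructure_encryption_enabled") is True),
    }),
]

def evaluate_asset(asset: dict, policy: Policy, evaluated_at: str) -> Optional[AuditRecord]:
    """Evaluate one asset against one policy using the provider-native binding."""
    binding = policy.bindings.get(asset["provider"])
    if binding is None:
        result = "unbound"           # no binding for this cloud: a coverage gap, not a pass
    else:
        kind, predicate = binding
        if kind != asset["kind"]:
            return None              # policy does not apply to this resource kind
        result = "compliant" if predicate(asset["props"]) else "noncompliant"
    return AuditRecord(evaluated_at, policy.policy_id, policy.version,
                       asset["provider"], asset["id"], result)

def evaluate_inventory(inventory: List[dict] = INVENTORY, policies: List[Policy] = POLICIES,
                       evaluated_at: Optional[str] = None) -> List[AuditRecord]:
    """Produce the system-of-record entries for a full inventory sweep."""
    stamp = evaluated_at or datetime.now(timezone.utc).isoformat()
    records: List[AuditRecord] = []
    for asset in inventory:
        for policy in policies:
            rec = evaluate_asset(asset, policy, stamp)
            if rec is not None:
                records.append(rec)
    return records

def posture_summary(records: List[AuditRecord]) -> Dict[str, Dict[str, int]]:
    """Per-provider counts, the view a security team wants across all clouds."""
    summary: Dict[str, Dict[str, int]] = {}
    for r in records:
        counts = summary.setdefault(r.provider, {"compliant": 0, "noncompliant": 0, "unbound": 0})
        counts[r.result] += 1
    return summary

def coverage_gaps(records: List[AuditRecord]) -> List[Tuple[str, str]]:
    """(provider, policy) pairs that still need a native binding."""
    return sorted({(r.provider, r.policy_id) for r in records if r.result == "unbound"})

if __name__ == "__main__":
    recs = evaluate_inventory()
    for r in recs:
        print(f"{r.evaluated_at} {r.policy_id}@{r.policy_version} {r.provider} {r.asset_id}: {r.result}")
    print(posture_summary(recs))
    print("gaps:", coverage_gaps(recs))
```

The "unbound" result is the important design choice: when a new provider or service appears before the policy library has a binding for it, the audit trail records that the policy intent was not evaluated there, so the gap is visible in the posture summary instead of disappearing behind an implicit pass.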
Concourse Labs instantiates the key principles of Security-as-Code in an easy-to-use, quick-to-deploy SaaS platform that enables banks to understand, improve, and manage their cloud security posture quickly and confidently. With Concourse Labs, banks can:
- Prevent the #1 cause of cloud data breaches
- Implement effective, scalable, and customized cloud security in days
- Immediately assess cloud security posture against regulatory obligations from FINRA, FinCEN and OCC, and best practices from NIST, CSA and CIS
For more information on Security-as-Code, please read this short blog.
[1] CloudPundit, Banks are accelerating their cloud journeys, October 2021
[2] Snyk, Infrastructure as Code Security Insights, February 2021