Cloud Security Implications for Financial Institutions
By Scott Galyk, Director of Software Development, FIMAC Solutions, LLC
www.fmsinc.org
2015 Financial Managers Society, Inc.
Cloud Computing and Financial Institutions

Financial institutions are developing and adopting cloud strategies within their organizations. Most of these strategies call for hybrid clouds that combine internal data centers with private clouds. The principal challenge for most institutions is the set of controls and security available within the cloud: institutions want transparency, auditing controls and data encryption from their cloud providers. Institutions see value in flexible infrastructure capacity and reduced time to provision resources. Adoption is being driven by customer relationship management, application development and email services.

Compliance is the primary concern when an institution considers cloud service and deployment models; its drivers include data protection, corporate governance, the Payment Card Industry Data Security Standard (PCI DSS) and national regulations.

Cloud Computing Overview

The U.S. National Institute of Standards and Technology (NIST), in Special Publication 800-145, defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. In practice the resources are metered and billed on a pay-per-use basis.
NIST Cloud Computing Reference Architecture

The NIST Cloud Computing Reference Architecture (Special Publication 500-292) defines five major actors: cloud consumer, cloud provider, cloud carrier, cloud auditor and cloud broker. Each actor is an entity that participates in a transaction or process and/or performs tasks in cloud computing.

- Cloud Consumer: a person or organization that maintains a business relationship with, and uses services from, cloud providers.
- Cloud Provider: a person, organization or entity responsible for making a service available to interested parties.
- Cloud Auditor: a party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
- Cloud Broker: an entity that manages the use, performance and delivery of cloud services and negotiates relationships between providers and consumers.
- Cloud Carrier: an intermediary that provides connectivity and transport of cloud services from providers to consumers.
The NIST cloud computing model consists of five essential characteristics, three service models and four deployment models.

Essential Characteristics

On-demand self-service: a consumer can unilaterally provision computing capabilities without requiring human interaction with each service provider. On-demand self-service means automated provisioning of cloud resources, so the consumer's own change-control and approval steps, not the provider's, are what stand between a user and new infrastructure.

Broad network access: capabilities are available over the network and are accessed through standard mechanisms that promote use by heterogeneous client platforms, including smartphones, tablets, laptops and workstations.

Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence, in that the customer generally has no control over or knowledge of the exact location of the provided resources. Pooled resources include storage, processing, memory and network bandwidth. Multi-tenancy is also what makes tenant isolation, and the side-channel attacks discussed later, a cloud-specific concern.

Rapid elasticity: capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward with demand. To the consumer, the capabilities available for provisioning often appear unlimited and can be appropriated in any quantity at any time.

Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. Resource usage can be monitored, controlled and reported, providing transparency for both the provider and the consumer of the service.
Service Models

Software as a Service (SaaS): the consumer uses the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS): the consumer deploys onto the cloud infrastructure consumer-created or acquired applications built using programming languages, libraries, services and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, but does control the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a Service (IaaS): the consumer provisions processing, storage, networks and other fundamental computing resources on which it can deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications, and possibly limited control of select networking components (such as host firewalls).
Deployment Models

Private cloud: the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers. It may be owned, managed and operated by the organization, a third party or some combination of them, and it may exist on or off premises.

Community cloud: the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of them, and it may exist on or off premises.

Public cloud: the cloud infrastructure is provisioned for open use by the general public. It may be owned, managed and operated by a business, academic or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud: the cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.
Cloud Computing Security

Cloud computing and storage solutions give users and enterprises the ability to store and process data in third-party data centers. A cloud consumer may use one or more service models and deployment models. Cloud security concerns fall into two broad categories:

- Security related to cloud providers that offer service models and deployment models.
- Security related to cloud consumers that use those models.

Providers and consumers therefore share responsibility for security. The provider is responsible for ensuring that the infrastructure is secure and that the consumer's data and applications are protected by it; the consumer is responsible for validating that the provider's controls meet its own security and privacy policies and for applying its own policies and procedures on top of them. Where the dividing line sits depends on the service model: under IaaS the consumer still secures the guest operating system, middleware, applications and data; under PaaS the provider takes on the operating system and runtime; under SaaS the provider covers the application stack and the consumer retains responsibility for identity and access, configuration and the data itself.

Consumers thus surrender levels of control over security and privacy according to the service and deployment models they use. Private clouds give the consumer the greatest control, because it is the sole user of the cloud. Community clouds reduce security and privacy control, because the consumer shares the cloud with a select group of other consumers. Public clouds offer the least control, because the consumer shares the cloud with a broad group of other consumers.

Cloud security controls

Cloud security architecture is effective only when correct defensive implementations have been designed and built. The architecture should anticipate the issues that arise in managing security through security controls. Security controls safeguard system weaknesses and reduce the effect of an attack. They are grouped into broad categories with subcategories, as follows.

Deterrent controls

Deterrent controls are intended to reduce attacks on a cloud system by informing potential attackers that there will be adverse consequences for attacking it.
Preventive controls

Preventive controls strengthen systems against incidents by identifying and managing vulnerabilities to reduce or eliminate them. A strong authentication policy, with supporting practices and standards (including multi-factor authentication for consumer and administrative accounts), provides positive identification and reduces unauthorized access.

Detective controls

Detective controls are intended to detect incidents that occur and to react appropriately: they signal the preventive or corrective controls that address the issue. System and network security monitoring, and intrusion detection and prevention systems, are used to detect attacks on cloud systems and the supporting communications infrastructure. Because the consumer cannot instrument the provider's infrastructure directly, the provider's access logs and audit trails are its main detective-control inputs.
Corrective controls

Corrective controls reduce the consequences and damage of an incident and are employed throughout the life of the incident.

Dimensions of cloud security

Security controls should be selected and implemented on the basis of risk, through assessment of threats, vulnerabilities and impacts. Cloud security concerns can be grouped into any number of dimensions: Gartner has identified seven, and the Cloud Security Alliance identifies 14 domains of concern. The principal dimensions are described below.

Security and privacy

Identity management: cloud consumers use identity and access management (IAM) systems to control access to information and computing resources, and cloud providers may integrate a consumer's IAM system into their infrastructure (for example, through identity federation).

Physical security: cloud providers secure physical infrastructure against unauthorized access, interference, theft, fire, flood and other events so that essential resources remain available in the event of disruption. Providers use data centers that are professionally designed, constructed, managed, monitored and maintained to deliver cloud computing resources. A provider may also be a consumer of another provider (for example, a SaaS provider running on a third party's IaaS), in which case the physical security of the underlying data centers is inherited from that subcontractor and should be covered in the consumer's assessment.

Personnel security: personnel risk is mitigated through security screening, security awareness and training programs, proactive security monitoring and supervision, disciplinary policy and procedures, employment contracts or agreements, service level agreements, codes of conduct and general employment practices and policies.

Availability: cloud providers ensure that consumers can rely on access to data and applications.
Application security: cloud providers ensure that applications delivered under the SaaS model are secure by architecting, designing, implementing, testing and maintaining application security measures that meet the industry standards their consumers require.

Privacy: cloud providers ensure that non-public information and critical data are masked or encrypted and accessible only to authorized consumers. Providers also protect digital identities and credentials with identity and access management systems, and protect data collected or produced using best practices, policies and standards supported by data archiving and purging processes.
Compliance: data storage and use are governed by various laws, regulations and industry standards. Those that affect U.S. financial institutions include:

- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
- Basel Committee on Banking Supervision (BCBS) frameworks
- Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank)
- Payment Card Industry Data Security Standard (PCI DSS), an industry standard rather than a law
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Children's Internet Protection Act (CIPA)
- Family Educational Rights and Privacy Act (FERPA)
- Others

Similar laws apply in other legal jurisdictions and may differ from those enforced in the U.S. Cloud consumers should be aware of the legal and regulatory differences between the jurisdictions in which their providers operate, including where data is stored and replicated. Laws and regulations mandate controls that must be supported by reporting against those controls, so providers must satisfy requirements to demonstrate compliance and accountability.

Business continuity and data recovery: cloud providers should maintain business continuity and data recovery plans that keep service and deployment models running in the event of a disaster or an emergency that causes data loss, supported by data recovery practices, policies and standards that ensure data is restored. Consumers should validate and/or verify that the provider's plans satisfy their own business continuity and data recovery plans, including their recovery time and recovery point objectives.

Logs and audit trails: providers must produce logs and audit trails that consumers can access, and must ensure that those logs are properly secured, maintained, archived and purged in accordance with best practices, policies and standards.
Likewise, consumers should validate and/or verify that the provider's logs and audit trails are secured, maintained, archived and purged in a way that satisfies the consumer's own practices, policies and standards, and that the logs can be exported into the consumer's own monitoring and retention systems.
Legal and contractual issues: cloud providers and customers should negotiate terms for liability, intellectual property, end-of-service and data retrieval for litigation or other purposes, supported by service-level agreements (SLAs).

Managing Cloud Computing Security

Managing cloud computing security is shared between providers and customers. Roles and responsibilities are defined as follows:

- Cloud providers are responsible for cloud computing security.
- Providers are accountable to customers for cloud computing security.
- Cloud consumers support providers in delivering cloud computing security through review and verification.
- Providers consult with consumers to review, confirm and verify that cloud computing security requirements are met.
- Providers inform customers about cloud security events, issues and resolutions.
Framework for managing cloud computing security

Management of cloud computing security uses a framework defined by four broad categories: visibility, compliance, threat prevention and data security.

Visibility

Visibility is the ability to view and review information or data across the cloud computing enterprise. Views are provided for infrastructure, platforms, services, software and other resources used within the enterprise. Information and data from cloud computing resources provide insight into:

- Threats and vulnerabilities.
- Remote access devices.
- Geographic locations.
- User access, authorization and devices.
- User activities and data usage.

Business drivers define what visibility is required for cloud computing security. They include:

- Protecting sensitive data for commercial and legal reasons.
- Tracking services used by employees.
- Monitoring and managing data stored and used by services.
- Identifying anomalies that may indicate a breach.
- Auditing user access by device and location.
- Defining boundaries to comply with privacy laws and regulations.

Cloud customers should ask key questions about visibility to assess and verify that the provider's cloud computing security meets the customer's policy, procedures and standards. Key questions include:

- Which services are employees and business units using, overall and in each category (e.g. file sharing, social media, collaboration)?
- Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?
- What is the risk level of each service in use?
- How effective are my firewalls and proxies at identifying cloud services and enforcing acceptable cloud use policies?
- Which redundant services are employees using, and are they introducing additional cost and risk or inhibiting collaboration?
- How do I quantify the risk from the use of cloud services and compare it to peers in my industry?
- Which services house sensitive or confidential data today?
- What are the security capabilities of the services storing sensitive data?
- Which data is available to external collaborators outside the company?
- Which partners' cloud services are employees accessing, and what is the risk of those partners?
- Which external collaborators are granted access to our company's services?
- How do I track and log all user and admin actions for compliance and investigations?

Compliance

Compliance is the ability to assess conformance with the laws, regulations and standards that govern data use and storage across the cloud computing enterprise. Information and data from cloud computing resources answer:

- Where is sensitive data stored?
- How is sensitive data used?
- How is sensitive data protected?

Sensitive and confidential customer information may be hosted within the cloud enterprise. Information and data common to the cloud enterprise include:

- General information and data.
- Financial information and data.
- Employee information and data.
- Intellectual property.
- Security information and data.

Providers and customers should engage in standard activities to protect data and meet compliance requirements, including:

- Asking the five Ws (who, what, when, why and where) to assess data protection and compliance requirements.
- Using data to prove and support the answers to the five Ws.
- Collaborating on reporting for data protection and compliance.
- Tracking and logging user behavior across the cloud enterprise.
- Integrating and assessing security information and event management (SIEM) policies, practices and standards.
- Identifying and assessing cloud security components that satisfy functional, compliance and risk requirements.

The laws, regulations and standards that drive compliance across the cloud enterprise are those listed under Compliance in the previous section (GLBA, SOX, BCBS, Dodd-Frank, PCI DSS, FISMA, HIPAA, HITECH, CIPA, FERPA and others).

Customers should review the key data elements related to compliance to assess and verify that the provider's cloud computing security meets the customer's policy, procedures and standards. Key privacy data elements include:

- Name
- Address
- Birthdate
- Phone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan numbers
- Bank account numbers
- Credit card account numbers
- Professional certificates
- Professional license numbers
- License plate numbers
- Fingerprints
- Voice prints
- Full face photographs
- Any other unique identifying numbers
- Uniform resource locators (URLs)
- Internet Protocol (IP) addresses
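The data elements above are what a data loss prevention (DLP) check looks for before a record leaves the institution for a cloud service, and the compliance questions that follow ask what to do when it finds them (allow, block, quarantine, encrypt). The following is an added example, not code from the original paper or from any vendor it cites: a small classifier run over constructed sample records. The regular expressions for a few of the listed elements (social security number, card number validated with the Luhn check, email, phone, IP address), the sensitivity weights, the policy thresholds and the sample records are all assumptions made for illustration.

```python
"""Classify records against the privacy data elements listed above and pick
a cloud-upload action (allow / encrypt / quarantine / block).

Added example, not from the original paper. The regular expressions, the
sensitivity weights, the policy thresholds and the sample records below are
all assumptions made for illustration."""
import re
from dataclasses import dataclass

# Patterns for a subset of the listed elements. Card numbers are only
# accepted if they pass the Luhn check, which removes most false positives
# from ticket numbers and account identifiers.
PATTERNS = {
    "ssn":   re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card":  re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
}

# Assumed sensitivity: 3 = regulated identifier (GLBA/PCI), 1 = contact data.
SENSITIVITY = {"ssn": 3, "card": 3, "email": 1, "phone": 1, "ipv4": 1}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    element: str
    value: str


def classify(text: str) -> list:
    """Return every privacy data element found in one record."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if name == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            findings.append(Finding(name, value))
    return findings


def upload_action(findings: list, service_risk: str) -> str:
    """Assumed policy: regulated identifiers never go to a high-risk service
    in the clear; contact data is quarantined there for review."""
    score = max((SENSITIVITY[f.element] for f in findings), default=0)
    if score == 0:
        return "allow"
    if service_risk == "high":
        return "block" if score >= 3 else "quarantine"
    return "encrypt" if score >= 3 else "allow"


# Constructed sample records; the card number is a well-known test number.
SAMPLE_RECORDS = [
    "Loan app 4471: Jane Doe, SSN 123-45-6789, jane.doe@example.com",
    "Card on file 4111 1111 1111 1111 for acct 0099, phone 555-123-4567",
    "Branch router 192.168.1.10 reachable; change ticket 8812",
    "Quarterly newsletter draft, no customer data",
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        found = classify(record)
        print([f.element for f in found], upload_action(found, "high"), "|", record[:40])
```

The service risk rating is the input the visibility questions earlier in this section are meant to produce; the same record that is merely encrypted on its way to a vetted service is blocked from a high-risk one. Pattern matching of this kind is a first pass only: names, addresses and photographs from the list above need dictionary or document-fingerprint techniques that a regular expression cannot provide.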
Compliance is a shared responsibility. Cloud consumers are responsible for protecting the privacy of employee and customer information and data, while providers are responsible for protecting product data and information.

Cloud customers should ask key questions about compliance to assess and verify that the provider's cloud computing security meets the customer's policy, procedures and standards. Key questions include:

- Which applications house sensitive data subject to regulatory compliance?
- Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?
- What are the legal terms of the services housing sensitive data?
- Which employees are accessing sensitive data, and how are they using or sharing it?
- Which employees are uploading sensitive data to high-risk services?
- Which administrators show behavioral anomalies that indicate excessive privileged access?
- When is sensitive data uploaded to the cloud, and what action should be taken (allow, block, quarantine, encrypt)?
- How do we leverage previous investments and extend existing on-premise data loss prevention policies to the cloud?
- How do we implement a closed workflow to review and remediate compliance violations and educate violators?
- Is sensitive data kept in a specific country or region to comply with international data residency requirements?

Threat prevention

Threat prevention is the ability to identify, isolate, mitigate and prevent attacks or intrusions from external or internal sources. Threats are designed to steal corporate data or to damage a going concern, and take two basic forms, attack or intrusion. Common attacks and intrusions that affect cloud security include:

- Insider attacks to obtain data about customers, sales, intellectual property or the network.
- Denial of service attacks to disable services.
- Malware injection attacks to modify, extract or block data.
- Side-channel attacks that recover cryptographic keys or data from physical leakage (timing, power or cache behavior) on hardware shared with other tenants.
- Authentication attacks to gain access using compromised credentials.
- Man-in-the-middle attacks to gain access as an unnoticed intermediary between parties.
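Two of the attacks above (insider access and compromised credentials) and the access events the next paragraph lists as threat-prevention triggers (suspicious locations, disabled or dormant accounts, controls bypassed, unsupported browsers) are all caught the same way: by joining the provider's access log with the institution's own directory data and applying rules to each event. The block below is an added example, not code from the original paper or from any vendor it cites. The log format, the directory records, the country block list, the browser support floor, the 90-day dormancy threshold and the one-hour travel window are assumptions; the log lines and directory export are constructed.

```python
"""Flag the access events the paper lists as threat-prevention triggers by
joining cloud access logs with the institution's own directory data.

Added example, not from the original paper. The log format, the directory
records, the country block list, the browser support floor, the 90-day
dormancy threshold and the one-hour travel window are all assumptions."""
import json
from datetime import datetime, timedelta, timezone

BLOCKED_COUNTRIES = {"KP", "IR"}                       # assumed policy
MIN_BROWSER = {"chrome": 40, "firefox": 35, "ie": 11}  # assumed support floor
DORMANT_AFTER = timedelta(days=90)
TRAVEL_WINDOW = timedelta(hours=1)

# Constructed directory export: status and last login from the consumer's
# IAM system, which the cloud provider does not see.
ACCOUNTS = {
    "alice":     {"status": "active",   "last_login": "2015-05-28T09:00:00Z"},
    "bob":       {"status": "disabled", "last_login": "2015-01-10T17:20:00Z"},
    "carol":     {"status": "active",   "last_login": "2015-01-15T08:00:00Z"},
    "svc-batch": {"status": "active",   "last_login": "2015-05-31T02:00:00Z"},
}

# Constructed provider access log, one JSON object per line.
LOG_LINES = """\
{"ts":"2015-06-01T08:01:00Z","user":"alice","country":"US","via_proxy":true,"browser":"chrome/43"}
{"ts":"2015-06-01T08:05:00Z","user":"bob","country":"US","via_proxy":true,"browser":"firefox/38"}
{"ts":"2015-06-01T08:07:00Z","user":"carol","country":"IR","via_proxy":false,"browser":"ie/8"}
{"ts":"2015-06-01T08:09:00Z","user":"svc-batch","country":"US","via_proxy":true,"browser":"curl/7.40"}
{"ts":"2015-06-01T08:10:00Z","user":"alice","country":"BR","via_proxy":true,"browser":"chrome/43"}
""".splitlines()


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def browser_unsupported(user_agent: str) -> bool:
    """True when a known browser is below the support floor. Non-browser
    clients (scripts, SDKs) are left to the other rules."""
    name, _, version = user_agent.partition("/")
    floor = MIN_BROWSER.get(name)
    if floor is None:
        return False
    try:
        return int(version.split(".")[0]) < floor
    except ValueError:
        return True


def detect(lines, accounts=ACCOUNTS):
    """Return (timestamp, user, [flags]) for every event that trips a rule."""
    findings = []
    last_seen = {}   # user -> (timestamp, country) for the travel check
    for line in lines:
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        acct = accounts.get(ev["user"])
        flags = []
        if ev["country"] in BLOCKED_COUNTRIES:
            flags.append("suspicious_country")
        if acct is None or acct["status"] != "active":
            flags.append("disabled_or_unknown_account")
        elif ts - parse_ts(acct["last_login"]) > DORMANT_AFTER:
            flags.append("dormant_account")
        if not ev["via_proxy"]:
            flags.append("bypassed_controls")
        if browser_unsupported(ev["browser"]):
            flags.append("unsupported_browser")
        prev = last_seen.get(ev["user"])
        if prev and prev[1] != ev["country"] and ts - prev[0] < TRAVEL_WINDOW:
            # Two countries inside the window: treat as a compromised account.
            flags.append("possible_compromised_account")
        last_seen[ev["user"]] = (ts, ev["country"])
        if flags:
            findings.append((ev["ts"], ev["user"], flags))
    return findings


if __name__ == "__main__":
    for ts, user, flags in detect(LOG_LINES):
        print(ts, user, ", ".join(flags))
```

The point of the join is that the provider's log alone cannot tell that bob was disabled last week or that carol has not logged in for four months; only the consumer holds that context, which is why the logs-and-audit-trails requirement earlier in this paper insists that provider logs be exportable to the consumer. The travel rule is deliberately crude (country changes inside an hour); a production version would use geolocation distance and allow-list known VPN egress points.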
Threat prevention is managed through controls that are triggered by events. Common events that drive threat-prevention controls include:

- Access from known suspicious countries, locations or devices.
- Access by compromised user or service accounts.
- Access by cancelled, dormant or inactive user or service accounts.
- Direct access that bypasses security controls (for example, reaching the service without passing through the corporate proxy or identity provider).
- Access by browsers and operating systems that are not, or are no longer, supported.

Cloud customers should ask key questions about threat prevention to assess and verify that the provider's cloud computing security meets the customer's policy, procedures and standards. Key questions include:

- What does normal behavior for any given service look like?
- How does a user's role affect their normal cloud service usage patterns?
- How do I monitor and baseline usage across the enterprise for both local and remote employees?
- Which users are accessing large volumes of sensitive data?
- Which administrators are accessing large volumes of sensitive data?
- Which cloud services show behavioral anomalies that indicate an insider threat?
- Which cloud services show behavioral anomalies that indicate malware at work?
- Which cloud services show behavioral anomalies that indicate an account is compromised?
- Which cloud services in use are rated high-risk and permit anonymous use?

Data Security

Data security refers to the policies, technologies and controls that protect data across the cloud computing enterprise. Data-security controls are designed and implemented to provide privacy and protection against:

- Data corruption.
- Data theft or illegal use.
- Loss of data privacy.
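Tokenization, data masking and consumer-controlled encryption keys are the data-security controls this section goes on to list, and they protect against the theft and illegal-use risks above by ensuring the cloud application never holds the real value. The following is an added example, not code from the original paper or from any vendor it cites: a consumer-side token vault whose index key stays with the institution, plus the masked display form sent alongside the token. The vault layout, the HMAC index key, the authorization rule and the sample account number are assumptions; a production vault would also encrypt its stored values at rest under a consumer-held key.

```python
"""Tokenize account numbers before they leave the institution, keep the
vault and its key on the consumer side, and mask values for display.

Added example, not from the original paper. The vault layout, the HMAC
index key, the authorization rule and the sample account number are
assumptions; a production vault would also encrypt its stored values
at rest under a consumer-held key."""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Consumer-side vault: the cloud application only ever stores tokens.
    The index key stays with the institution, so the provider cannot
    re-identify customers from what it holds (the key-ownership control)."""

    def __init__(self, index_key: bytes):
        if len(index_key) < 32:
            raise ValueError("index key must be at least 256 bits")
        self._index_key = index_key
        self._by_index = {}   # HMAC(index_key, pan) -> token; avoids keying on the PAN
        self._by_token = {}   # token -> pan; the only place the real value lives

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token: random digits plus the real
        last four, so length checks and customer-service display still work."""
        if not pan.isdigit() or not 8 <= len(pan) <= 19:
            raise ValueError("not an account number")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]            # same PAN always maps to one token
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_index[idx] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str, caller_roles: set) -> str:
        """Only an authorized role may recover the real value; every other
        consumer of the record works with the token or the mask."""
        if "payments-ops" not in caller_roles:     # assumed authorization rule
            raise PermissionError("caller not authorized to detokenize")
        return self._by_token[token]


def mask(pan: str) -> str:
    """Display form: everything but the last four digits hidden."""
    return "*" * (len(pan) - 4) + pan[-4:]


def build_cloud_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """The record actually sent to a cloud CRM: token and masked value only."""
    return {"customer": customer, "account_token": vault.tokenize(pan), "display": mask(pan)}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))   # key generated and kept on-premises
    record = build_cloud_record(vault, "cust-1001", "4111111111111111")  # test card number
    print(record)
    print(vault.detokenize(record["account_token"], {"payments-ops"}))
```

Because the token is deterministic per account, the cloud application can still search, join and de-duplicate on it, which is the "maintaining required functionality" question raised later in this section. A compromise of the provider yields tokens and masked values only; recovering an account number requires both the vault and an authorized call to it, and both stay inside the institution's own control boundary.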
Data security is managed through activities and controls designed to protect data integrity and privacy. Common activities and controls include:

- Access control policies, practices and standards.
- Encryption policies, practices and standards.
- Encryption across applications, services and data.
- Tokenization policies, practices and standards.
- Control over encryption keys.
- Data masking to protect sensitive information.
- Planning, scheduling and performing data backups.
- Planning, scheduling and performing data purges and erasures.

Access Controls

Access controls manage access to applications, services, data and infrastructure, and are designed and implemented across the cloud computing enterprise and its resources. Common activities and controls for applications, services and data include:

- Identity and access management policies, practices and standards.
- Authentication mechanisms and protocols.
- Managing, monitoring and performing audit processes.

Common activities and controls for infrastructure include:

- Managing and monitoring physical access to data centers and resources.
- Managing and monitoring network access to resources.

Encryption

Encryption controls are designed and implemented to protect data and provide privacy, and are driven by best practices and standards. Common best practices and standards include:

- Avoiding proprietary algorithms.
- Using standard algorithms that have been reviewed against modern cryptographic standards (for example, AES for data at rest and TLS for data in transit).
- Selecting algorithms that fit the application and its functionality.
- Controlling ownership of encryption keys: if the provider holds the keys, the provider (and anyone who compels or compromises it) can read the data, so consumer-held or consumer-managed keys are preferable for regulated data.

Data Migration

Migrating and moving data to the cloud enterprise should follow best practices and standards that ensure data security. Best practices for migrating and moving data to the cloud include:

- Using encryption or tokenization for sensitive data.
- Verifying that authentication and authorization practices and procedures are defined and enforced.
- Assessing support for encryption key management.
- Auditing user and group access to enterprise data.
- Confirming data ownership and stewardship to prevent data loss during de-provisioning.
- Certifying that data loss prevention and e-discovery are available.
- Validating data usability after migration.

Cloud customers should ask key questions about data security to assess and verify that the provider's cloud security meets the customer's policy, procedures and standards. Key questions include:

- Which cloud services encrypt data at rest and provide multi-factor authentication?
- What compliance certifications do the services employees are using hold?
- Which of our cloud services undergo regular penetration testing?
- Which of our cloud services have been compromised in the last week, month or year?
- Which data should be encrypted in which cloud services?
- How do we encrypt data while maintaining the required functionality within cloud services?
- How do we encrypt data while controlling our own encryption keys?
- How do we employ tokenization to ensure data privacy in addition to security?
- How do we enforce access policies based on user, device and location?

References

NIST Cloud Computing Standards Roadmap, Special Publication 500-291, Version 2, July 2013.
The Definitive Guide to Cloud Security, Skyhigh Networks.
The Cloud Encryption Handbook: Encryption Schemes and Their Relative Strengths and Weaknesses, Skyhigh Networks.
Cloud Adoption Practices & Priorities Survey Report, January 2015, Cloud Security Alliance.
How Cloud Is Being Used in the Financial Sector: Survey Report, March 2015, Cloud Security Alliance.
Mind the SaaS Security Gaps, G00263947, Craig Lawson and Sid Deshpande, Gartner, 2014.
Cloud Adoption and Risk Report, Q4 2014, Skyhigh Networks.
2015 Report: Key Requirements for Cloud Security, CipherCloud.

About the Author

Scott Galyk is Director of Software Development at FIMAC Solutions, LLC.

Published by:
Financial Managers Society
1 North LaSalle Street, Suite 3100
Chicago, IL 60602
info@fmsinc.org
www.fmsinc.org/whitepapers (member login required)

For over 65 years, the Financial Managers Society's network of members has provided technical education to financial professionals from community financial institutions through conferences, seminars, webinars and publications. For details on FMS membership benefits or how to become a member, please visit www.fmsinc.org/join or call 800-ASK-4FMS (800-275-4367).