How the Cloud Security Alliance Cloud Controls Matrix benefits financial institutions

The self-service and dynamic nature of cloud infrastructure creates challenges for risk and compliance professionals. Tools that worked well in the traditional data centre do not translate to the public cloud.  

Due to these concerns over regulatory compliance and security, as well as the complexity involved in replacing legacy systems, financial institutions are taking a more tentative approach to change – especially when it comes to implementing new technologies that could put compliance at risk.

So how can today’s financial service organisations embrace the many benefits of the cloud without opening up a Pandora’s box of risk relative to compliance and security?

Cloud native frameworks

One way that innovative financial service organisations are addressing this issue is by introducing cloud native frameworks to govern the cloud. The major cloud providers have been hard at work to ensure that there is a fundamental infrastructure for compliance in place, and new tools are available to ensure that the parameters are being followed and that financial institutions are in compliance.

Let’s explore one of these common frameworks and how it maps to the cloud.

Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) framework provides fundamental security principles to guide cloud vendors and assist prospective cloud customers in determining the overall security risk of a cloud provider. The CSA CCM provides a controls framework with a detailed explanation of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

As a framework, the CSA CCM provides organisations with the needed structure, detail, and clarity relating to information security tailored to the cloud industry. It has also become the generally agreed-upon standard among US-based financial services companies for how they will govern their use of the cloud. Many financial institutions use the CSA CCM because it encompasses multiple security frameworks across multiple organisations and allows them to look at their legacy frameworks and determine which portions are covered.

The CSA CCM strengthens existing information security control environments in a number of ways:

  • It emphasises business information security control requirements;
  • It reduces and identifies consistent security threats and vulnerabilities in the cloud;
  • It provides standardised security and operational risk management; and
  • It seeks to normalise security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

One reason it is such a powerful resource is that if you are compliant in one area, it can provide validation that you are compliant with numerous related frameworks. 

For example, control ID DIS-03, under the CCM domain of data security and lifecycle management for eCommerce transactions, requires data related to e-commerce that traverses public networks to be appropriately classified and protected from fraudulent activity, unauthorised disclosure, or modification in such a manner as to prevent contract dispute and compromise of data. If an organisation is in compliance with DIS-03, there is a direct correlation with NIST 800-53, which addresses these same security requirements with controls including:

  • AC-14: Permitting actions without identification or authentication
  • AC-21: Information sharing
  • AC-22: Publicly accessible content
  • IA-8: Identification and Authentication (Non-organisational users)
  • AU-10: Non-Repudiation
  • SC-4: Information in shared resources
  • SC-8: Transmission confidentiality and integrity
  • SC-9: Transmission confidentiality

CSA CCM and cloud management platforms

CSA CCM has directives AIS-04, BCR-07, BCR-10, BCR-11, IAM-01, IAM-12, IVS-01, and IVS-03. All of these require that you have global API accounting configured so that it records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. Global API accounting provides a history of API calls for each account, including API calls made via the management console, SDKs, command line tools, and other cloud services. Without this, you are in violation of CSA CCM. With a cloud management platform, users can build an automation to remediate this. For example, in AWS, this would mean the cloud management platform would use the API to write credentials to turn on AWS CloudTrail for the resource in question.
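The check that precedes such a remediation can be sketched as follows. This is an added example, not code from the article or from any cloud management platform. The function names are hypothetical, and the sample data is constructed to mirror the fields returned by the AWS CloudTrail DescribeTrails and GetTrailStatus calls.

```python
# Added example: offline check that account-wide API logging is in place.
# TRAILS and STATUS are constructed samples shaped like the responses of
# CloudTrail DescribeTrails ("trailList") and GetTrailStatus ("IsLogging").

# CCM directives the article lists as depending on API call logging.
CCM_CONTROLS = ["AIS-04", "BCR-07", "BCR-10", "BCR-11",
                "IAM-01", "IAM-12", "IVS-01", "IVS-03"]

TRAILS = {
    "111111111111": [  # constructed account with a compliant trail
        {"Name": "org-trail", "IsMultiRegionTrail": True,
         "IncludeGlobalServiceEvents": True, "S3BucketName": "audit-logs"},
    ],
    "222222222222": [  # constructed account: single-region trail, stopped
        {"Name": "dev-trail", "IsMultiRegionTrail": False,
         "IncludeGlobalServiceEvents": False, "S3BucketName": "dev-logs"},
    ],
    "333333333333": [],  # constructed account with no trail at all
}
STATUS = {"org-trail": {"IsLogging": True}, "dev-trail": {"IsLogging": False}}


def trail_gaps(trail, status):
    """Return the reasons one trail fails to give account-wide API logging."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("not multi-region")
    if not trail.get("IncludeGlobalServiceEvents"):
        gaps.append("global service events excluded")
    if not trail.get("S3BucketName"):
        gaps.append("no log delivery bucket")
    if not status.get("IsLogging"):
        gaps.append("logging stopped")
    return gaps


def evaluate_account(account_id, trails=TRAILS, status=STATUS):
    """Compliant if at least one trail has no gaps; otherwise list findings."""
    per_trail = {t["Name"]: trail_gaps(t, status.get(t["Name"], {}))
                 for t in trails.get(account_id, [])}
    compliant = any(not gaps for gaps in per_trail.values())
    return {
        "account": account_id,
        "compliant": compliant,
        "gaps": {} if compliant else (per_trail or {"<none>": ["no trail configured"]}),
        "controls_at_risk": [] if compliant else CCM_CONTROLS,
    }
```

An account with any finding is the input an automated remediation would act on; a stopped trail and a missing trail are reported separately because they call for different fixes.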

Embracing cloud automation

The ability to automate the enforcement of best practices and standards will be a game changer for the financial services industry. Cloud automation tools provide organisations with continuous compliance and the ability to take the burden off of the IT department by automatically monitoring applications and identifying and fixing issues on the fly. They continuously scan the virtual infrastructure, identify non-compliant resources and remediate common cloud problems related to security, cost and compliance.

As financial institutions look to reinvent their IT organisations, they must ensure that security, governance and compliance are at the foundation of all decisions. Regulatory compliance and managing cyber risk do not need to be the enemy of innovation. For such a regulated industry, automated cloud services and frameworks can help financial service organisations advance IT innovation