Cloud computing promises significant costs savings and more streamlined management of mission-critical information technology, data processing, and storage needs, but the question is — is it secure?
As Vibrant Credit Union continues to grow their footprint in the cloud, I’ve been tasked with migrating securely to the cloud without inflating the credit union’s IT budget. Like most organizations, we continue to have to do more with less without sacrificing our security posture, in fact, we need to continue to improve. Cloud security automation has helped my team not only improve our security posture by continuously monitoring for vulnerabilities in their Amazon Web Services (AWS) environment, but also has eliminated the pain of annual regulatory compliance audits.
Here are five questions I often get asked about Vibrant Credit Union’s move to the cloud:
Does Cloud Computing help you move faster?
In short, yes, moving to the cloud enables you to spin up resources and shut them down dynamically in an on-demand basis. The elasticity of cloud computing enables continuous development, allowing you to release software as rapidly as you like. But be warned, the speed of continuous development will increase the volume of vulnerabilities in your environment if it’s not well aligned with the security practices of your organization. In practice, cloud technology is a path to help security people get things done.
Is it really cheaper?
The advent of the cloud will forever change the landscape of IT budget. No longer are we housing, powering, and maintaining a farm of depreciating hardware assets. We are able to convert the capital expense associated with provisioning data centers into a more flexible consumption-based operating expense. Organizations are no longer tied down to physical datacenters, they are able to move elastically in the cloud based on the needs of the business.
What about security and databreaches?
While it is true that in the cloud, it’s easier to rebuild servers, it’s much more painful to do so if you haven’t properly protected your data. The speed and agility of the cloud works to the hackers’ advantage. In the cloud, more of your data is moved, processed, stored and accessed globally (including by mobile devices) which increases the data’s vulnerability to security breach and the corresponding adverse legal, regulatory and business consequences.
An automated attack runs 24/7/365 waiting to find the vulnerabilities for a way in. Attackers are doing things in a programmatic fashion. Automation is great for detecting and exploiting the risk – but you have to fight fire with fire. Arm yourself with automation and visibility so that you can identify your vulnerabilities before an attacker leveraging automation can detect it.
What about compliance?
Migrating to the cloud does not relieve your organization of its legal and regulatory responsibility for what is put into the cloud. In fact, moving to the cloud now has it’s own collection of industry-specific laws, regulations and compliance standards.
For banking, the big regulator is the Federal Financial Institutions Examination Council (FFIEC). This is a government interagency body consisting of several different banking regulators including the National Credit Union Administration (NCUA) and the Office of the Comptroller of the Currency (OCC). This organization exists to help make banks less vulnerable and more resilient to cyber-attacks. A typical audit in the banking industry would consist of NIST 800-53 and ISO 20001- 300 specific standards. An audit like this would include everything you would expect to be adhering to from a security perspective, security controls, encryption, length and complexity of Passwords, as well as non-technical controls, employee background checks, access to systems removed before they are fired, etc.
Compliance with these regulations is imperative, failure to comply will result in administrative orders and penalties with the potential to damage your business and brand reputation. While some framework controls are met by the cloud providers themselves, organizations need to be able to validate and prove that security standards are met. Even with a small cloud environment, monitoring by hand would be extremely burdensome if not impossible. My compliance team is also my security team; using security automation tools, like the Evident Security Platform (ESP), has helped us get to a place where we continuously monitor and manage the risks and vulnerabilities in our Amazon Web Services (AWS) environment and are also able to achieve continuous compliance. Our move to the cloud is actually helping us enforce encryption of member data, compliance with FFIEC guidelines, and implementation of SSA16.
Is it possible to manage security and compliance without automation?
If you were to manually audit your cloud infrastructure, it can consume several hours, even weeks of your most valuable resources, security experts. If you add up all the discovery, auditing, remediation, and training time that security professionals have to deploy to protect cloud accounts without leveraging automation, you will lose at least one person from your team to these activities just to maintain existing security state. If you wish to move the ball forward and further implement advanced security controls or compliance frameworks, you can expect to consume up to 3 full-time bodies just to achieve baseline security practice.
These were all factors in Vibrant Credit Union’s own move to continuous monitoring and continuous compliance in the cloud. Operating in the cloud brings a different reality than what enterprises worried about a few years ago when they were concerned that the introduction of the cloud and the use of cloud services in the supply chain would actually increase security vulnerabilities. As we moved to the cloud we’ve had to change how we enforce compliance and security policy and in some cases even change the security policy to ensure that we’re not creating new risk. With a small staff and limited resources, the move to the cloud made security automation a necessity.