Security

Banking Cloud Security: What Is Cloud Security Posture Management?

Financial institutions need to keep up with the rest of the digital world. CSPM promises to make compliance and cloud computing work together.

Ernie Smith

Ernie Smith is a former contributor to BizTech, an old-school blogger who specializes in side projects, and a tech history nut who researches vintage operating systems for fun.

As cloud computing continues to reshape and redefine many industries, financial services have some of the strongest potential to excel with the cloud, thanks to its global reach.

Multicloud solutions, once used primarily to supply customer services, are managing more internal infrastructure and starting to make an impact.

Still, concerns about governance, compliance and the risks of misconfiguration have slowed the cloud revolution in the financial field — especially given that people’s assets are at stake. But an emerging approach to cloud security promises to balance concerns of compliance with the advantages of automation, and banks stand to benefit from this shift.

What Is Cloud Security Posture Management (CSPM) in Banking?

Cloud security posture management refers to a segment of IT security that helps detect and manage misconfigurations that may arise when using different cloud service providers (CSPs).

The use of CSPM is growing in the security sector, in large part because of cloud computing’s natural appeal, especially across multiple applications and environments.

Click the banner below to dig deeper into cloud security posture management guidance from CDW.

During a CDW Tech Talk interview this year, Sarah Kent, a security assessment specialist with CDW, explained that the added complexities of multicloud environments made tools that enable CSPM — including DevOps tools for automated monitoring and policy enforcement technologies to mandate configuration standards — increasingly important for many lines of business.

“CSPs provide similar services, but each one has a different security policy and a different way of implementing those policies,” Kent said. “IT staff don’t have the knowledge yet to secure all cloud provider platforms, and data encryption of backups is no longer centralized. The bottom line is that the complexities of multicloud translate into more complexity with security.”

Recent research on this issue bears out. A report from the Cloud Security Alliance and VMware released in September examined the primary causes of cloud misconfigurations across industries. It found that 62 percent of respondents blamed a lack expertise in cloud security best practices, while 49 percent cited a lack of security visibility and monitoring, and 43 percent pointed to rapid deployment as the main culprit.

Worst of all, some compliance mechanisms can fall out of date (22 percent) or remain at the default settings (34 percent), leaving cloud applications and services alike at risk of serious attacks.

The Benefits of Cloud Computing in Banking

The need for CSPM solutions is growing in response to the demand for cloud computing in the banking industry. While the industry was very early to computing in general, compliance and security concerns have slowed the growth for cloud solutions. This is especially true for critical bank systems, where concerns about managing security, privacy and assets remain top of mind.

But the mindset around the cloud is quickly changing. One recent study conducted by Google Cloud with the Harris Poll found that 83 percent of financial services leaders reported that their companies relied on cloud technologies in some form. But a plurality (38 percent) are using hybrid cloud solutions, with smaller portions using single-cloud (28 percent) and multicloud (17 percent) solutions. That could eventually shift: 88 percent of respondents who aren’t using multicloud solutions are considering such a strategy in the future.

Nikhil Girdhar, the head of product marketing for cloud security solutions at CloudHealth by VMware, says the financial industry’s focus customer service creates a need to keep up by continually building improved services using new technologies.

“Companies in these sectors are rapidly embracing cloud-native technologies and DevOps automation to speed up innovation and better serve customers,” he says. “However, the adoption of these newer technologies is also fraught with a lot of risk, as witnessed in various cloud security breaches stemming from human errors and cloud misconfigurations that have made headlines.”

How Do CSPM Solutions Work?

CSPM helps organizations manage risks by setting a series of recommended standards for configuration. Those configurations can then be applied across an organization’s tools in an automated way, using a DevOps-style approach to cloud security.

“Properly enabled cloud security posture management can automatically and continuously monitor cloud instances against a variety of requirements,” says Jim Reavis, co-founder and CEO of the Cloud Security Alliance.

Girdhar adds that CSPM solutions help enterprise businesses align on consistent standards across the organization, creating opportunities not only to improve guardrails around security and compliance but also to reduce risk along the way.

“This can help developers and security save significant costs and speed up software development,” he says.

How CSPM Aligns with Cloud Compliance Standards

The financial industry has to work within compliance standards such as the Payment Card Industry Data Security Standard and the General Data Protection Regulation, which can be difficult to manage at scale. Technology must be able to scale up with organizations — and that’s what CSPM solutions are designed to do.

In her CDW Tech Talk interview, Kent noted that many CSPM solutions can generate different kinds of compliance reports.

“CSPM automates reporting so that your organization is maintaining compliance 24/7, not just when the auditor shows up,” Kent said.

This means that any regulatory needs can be tracked on the fly, Girdhar adds, so it’s easy to ensure that processes are being followed, even on the most obscure of implementations.

“With out-of-the-box assessments readily available for various regulatory standards, CSPM solutions can help different teams agree on common security and compliance policies for cloud environments and build a baseline understanding of risk,” he says. “From there, each developer team can collaborate with central IT teams to prioritize risks that need immediate attention and execute appropriate manual or automated remediation actions available in their CSPM solutions.”

Reavis notes that CSPM solutions create a documentation trail that could benefit banks looking to highlight their compliance approach.

“The level of granularity, logging and reporting offered by such solutions provides very credible proof of compliance with regulatory mandates,” he says.

Girdhar adds that the number of cloud services in use can make it difficult for governance, risk management and compliance (GRC) departments to track issues after the fact. A CSPM solution makes this easier.

“Anybody who has been through a recent cloud audit understands how tricky and complicated this exercise is,” he says. “CSPM solutions can be of huge benefit to GRC teams, as they provide an audit trail of cloud compliance history and easy access to reports as required by your auditors.”

The drumbeat of technology is unlikely to slow down. For financial institutions figuring out how to make the cloud compatible with their compliance needs, a cloud security posture assessment could be a great way to start the conversation.

tatianazaets/Getty Images