Public cloud in Fintech: With serious benefits come serious security risks

In 2019, at the Bloomberg “Women in Fintech platform” event, there was some great discussion on the growth trajectory of the fintech industry.

Initially, the expert panel agreed that public clouds and fintech startups are a match made in heaven. One of the experts, a member of Amazon’s Fintech startup development team, Kathryn Van Nuys, made an excellent point:

“The cloud has significantly lowered the barrier to entry for startups as they can launch and scale products, instantly paying for IT as they consume it, as opposed to needing to make a significant upfront investment in servers and infrastructure.”

Many industry leaders share the same point of view. 55% of them are already using multiple public clouds, the 2020 IDG cloud computing study revealed. A good number of companies have even dedicated ~30% of their IT budget to this purpose. Expecting exponential growth in public cloud adoption is only logical.

However, despite its advantages, a public cloud isn’t all sunshine and rainbows.

First, there is a knowledge gap. Many companies struggle to understand how to secure data, stick to Fintech compliance guidelines, and establish accountability for a breach. New policies and online threats add to this confusion.

Second, public clouds are not impregnable. There are enough horror stories of massive data breaches that led to the demise of otherwise successful companies.

As a Fintech leader, if you are worried about public cloud security or just hesitant to “go cloud,” this article will answer your questions.

Public cloud and Fintech: Not such a ‘match made in heaven’

Despite the good reputation public clouds enjoy in the Fintech community, underlying concerns exist.

In a cybersecurity survey, 52% of respondents said that the chances of security breaches are higher in public clouds. And their concern is valid. Even some of the biggest brands could not protect themselves from hackers.

  • >500k Zoom accounts were breached and their data was sold on the dark web in April 2020. As per sources, hackers used previously leaked accounts to invade and compromise Zoom databases.
  • 100 million accounts of Mobikwik, a leading Indian Fintech platform, were attacked in March 2021. User data was available for sale on the dark web.
  • 7.5 million banking users of Dave, the US Fintech giant, were attacked in July 2020. User data was available for sale on the dark web.

These are some well-known examples. There were many more disasters we know nothing about that killed companies and put users at risk.

Spotting the Achilles’ heel: Vulnerabilities of cloud security

Public cloud infrastructure always comes with built-in cloud security. However, human error, lack of visibility, and the very nature of the cloud tech model expose some significant weak spots, such as:

Misconfiguration

Public infrastructures are designed for easy data sharing and scalability. This accessible data sharing feature opens up some potential risks. Usually, you can solve this with a suitable configuration. However, 55% of companies aren’t very familiar with cloud security configurations. Hackers can use these security loopholes to stage their attacks.

Unauthorized access

When your data is on the cloud, you lose visibility to some extent. Of course, cloud service providers do their best to ensure security, but there is a chance someone from their team used a weak login password or didn’t pay attention. If attackers find the access, they can easily bypass security walls and steal your data.

APIs

CSPs often offer APIs to their customers. The latest studies show two-thirds of enterprises give access to these APIs to external developers and business partners. If there are some vulnerabilities, potential hackers use those to wreak havoc. According to Gartner, APIs will be targeted more frequently by 2022.   

Contractual loopholes and breaches

For fintech companies moving to the cloud, contracts are crucial. Many large public cloud infrastructure providers add a clause that they own the right to sell your data (your user data) to third parties. If your user data gets compromised, “legally” or not, it’s terrible news. Also, some unscrupulous Cloud Service Providers (CSPs) may themselves breach the contract and misuse your data.

Ensuring cloud security 

To make your fintech security ironclad, here are some suggestions, albeit not exhaustive. But this can surely be your first step to increased cloud security.

Embrace a shared security model

Reputed public cloud providers like AWS and Microsoft Azure follow a shared security model. In simpler terms, you will be responsible for your data security and applications running in the cloud. It’s the CSP’s responsibility to ensure their platform is secure, updated, and always on. This model gives you great control over data encryption, fintech compliances, and data access.

Secure your APIs

Get your developers to design APIs with multiple authentications, encryption, and access control.

You can even conduct penetration tests to identify any loopholes and get a secure code review. Also, use SSL/TLS encryption for improved security. Multi-layer authentication schemes such as OTP and digital identities are also helpful.

Consider using CSPM (Cloud Security Posture Management)

Misconfiguration of your public cloud environment is one of the biggest security threats out there. For any fintech company, any breach can be fatal as their user data is super confidential to begin with.

CSPM tools can be lifesavers here. These are designed to identify and resolve configuration issues and fintech compliance risks.

Widely used CSPM tools are capable of:

  • Spotting and resolving misconfiguration issues
  • Remembering and utilizing different sets of best practices for different cloud configurations and services
  • Monitoring storage, encryption & account permissions, and compliance risks

For example, Cloudlytics ticks all the boxes mentioned above and then brings some more to the table. It’s on constant watch and spots any potential weakness long before the disaster can take place. You get all reports and data presented to you in an easily understandable and visually attractive manner at any time. It’s like having a guard to watch over your public cloud security.

Also, Cloudlytics works seamlessly in AWS, Azure, and Google cloud environments. Please feel free to reach out to us here to learn more and get a free demo.

Health of the Cloud in Healthcare Businesses

Gone are the days when healthcare organizations used to store patient data in piles of papers and files. Not only was that inconvenient and time-consuming, but also expensive in terms of both money and resources. Now, with exponential growth in technology, more and more healthcare businesses are moving to the cloud.

In fact, by 2027, the global market of healthcare cloud computing is estimated to cross $92 billion, as per a Research and Markets study.

How is cloud computing transforming the healthcare industry?

Healthcare organizations handle a multitude of patient data every day. And going the cloud way helps them do that more efficiently and conveniently. With all the necessary information in the cloud, healthcare businesses can store, access, update, and retrieve any piece of cloud-hosted healthcare data they need at any given time. That, in turn, helps patients receive timely and optimal treatment.

Moreover, moving to the cloud also cuts down costs compared to conventional data storage methods.

However, such advancements in health tech have brought in a wave of vulnerabilities and cybersecurity threats. Whether targeting sensitive patient information or healthcare facilities’ network operations, hackers adopt newer tactics to weaken cloud security. For example, they steal crucial patient information and use it to file false claims, impersonate identities, or resell to dark-web operators for higher profits.

How do hackers attack the cloud? What are the threats? Let’s find out.

Top 5 Threats the Healthcare Industry is Facing in the Public Cloud

While cyber-attackers keep evolving their hacking mechanisms, the following are the most common types of healthcare attacks you will come across:

Ransomware Attacks

In ransomware attacks, hackers steal healthcare organizations’ data and ask for a ransom to return the same. If the targeted healthcare business fails to pay the demanded amount, hackers delete and destroy the entire stolen data. Such an occurrence can cause a massive blow to the organization’s operations and the quality and future of patient care. Therefore, the targets for ransomware attacks are both big and small healthcare businesses.

For instance, DCH Health System in Alabama suffered a ransomware attack in October 2019. The attack forced all three medical facilities of DCH to shut operations. The authorities had to pay an undisclosed amount as ransom to hackers to get back access to their files.

Insider Threats

Insider threats account for about 48% of all data breaches, as per the Data Breach Investigation Report 2020 by Verizon. Surprising, isn’t it?

Unfortunately, insider attacks often occur due to employee carelessness, lack of training, or deliberate attempts at financial gain. And healthcare organizations, too, tend to overlook their significance while focusing all their energies on strategizing and developing countermeasures for external attacks.

Internet of Medical Things (IoMT) Risks

The IoMT refers to various medical devices (including wearable ones) and apps connected to the network of a particular healthcare organization. It streamlines treatment and patient data, facilitating more straightforward data access. However, at the same time, these multiple access points expose the system to hackers, making the entire health network infrastructure vulnerable.

Distributed Denial of Service (DDoS) Threats

DDoS attacks, launched through malware, disrupt access to the entire health tech network, often leaving it inoperable. After infecting computers, the malware turns them into bots and gives total control to the hackers. In such situations, it becomes almost impossible for healthcare industry professionals and patients to access vital records.

Phishing Attacks

Hackers use phishing attacks for data breaches. Phishing, one of the social engineering attacks, tricks victims into revealing information or deploys malware on their systems, as attackers pose as a trusted body via emails or messages. What’s fascinating is that many healthcare segment enterprises fall prey to it, despite the much-publicized instances of such attacks.

One of the recent examples of phishing attacks is the one on Georgia’s Aveanna Healthcare. The hospital witnessed the first such attack in July 2019 but detected it only in August 2019. As a result, the attack put around 166,077 patients’ data at risk. What was worse, patients were notified about the attack only in February 2020, violating the Health Insurance Portability and Accountability Act (HIPAA). Aveanna Healthcare, as a consequence, not only lost its reputation but is also currently facing a lawsuit filed by patients. 

Considering the nature and impact of these attacks, the HIPAA requires healthcare organizations to employ stringent security measures to protect patient data.

But how can you secure the cloud for your healthcare business?

Contrary to popular belief, data security is an ongoing process. Therefore, you will need to be proactive in implementing robust cloud security measures for compliance and data protection.

Here are some of the measures you should incorporate:

Risk assessments

It is critical to conduct periodic assessments of risks to identify weak and strong security areas for ensuring maximum data security. Furthermore, HIPAA rules mandate healthcare providers to perform annual risk assessments to retain their criteria.

Data encryption

Data encryption is one of the best techniques to ensure security on public clouds, whether the information is stored or in transit. It makes it difficult for hackers to retrieve and read sensitive patient information.

Restrictions to data access

Not every employee needs access to every piece of information in your healthcare system. That’s where a role-based access system enters the picture. In addition, limited data access increases data security in the cloud since employees can only access those bits of information required to perform their job.

Employee training

Since many data breaches occur from negligence or human error, it is essential to train your employees on the best practices in cloud security. In addition, make them aware of the latest threats, such as phishing and scam attacks, and how to tackle those to prevent them from falling victim.

But as the saying, especially in the healthcare world, goes, “Prevention is better than cure.” So, healthcare organizations need to be even more careful about Cloud Security Posture Management (CSPM).

What Exactly is CSPM?

As per Gartner’s definition, CSPM is a continual process of improvement and adaptation in cloud security to lower the probability of a successful attack. With CSPM, identifying and mitigating risks become automated across various cloud infrastructures, including SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service).

Furthermore, CSPM tools offer automated compliance monitoring and continuous checking for misconfigurations, both intentional and unintentional. Such continual, automated detection prevents potential data leaks/breaches while helping organizations make timely, essential updates.

The key, however, is to choose the right security partner. Cloudlytics, a global solution provider, provides modern enterprises with best-in-class CSPM solutions. Our solutions ensure that healthcare players achieve the required standards in cloud compliance, asset monitoring, and precise security analysis.

Ensure data security with Cloudlytics today. Talk to our healthcare cloud experts. Book a free consultation here.

Cloud Asset Management – 4 Key Challenges and Simple Remedial Suggestions

Attackers are on a constant lookout for vulnerabilities in the cloud assets of an organization. As organizations add new assets, the implementation often lacks proper access management and thereby makes the infrastructure more susceptible to breaches. To safeguard against these, technology leaders must consider Cloud Asset Management (CAM) to replace or re-implement their solutions. For asset management, organizations must further focus on achieving end-to-end visibility while keeping their endpoints secure and compliant.

Gartner predicts that through 2025, 99% of mishaps in cloud security will be because of the faults originating at an organization’s setup.

It is thus highly recommended that organizations follow the best practices of Cloud Asset Management to mitigate underlying challenges.

Our research at Cloudlytics indicates that most professionals find Cloud Asset Management challenging because of issues like…

  • Frequent changes in assets
  • Intangibility of assets
  • Scalability issues
  • Fast deployment that leaves backdoors open
  • Monitoring difficulties due to the absence of specialized tools

Further, cloud hosting involves challenges in maintaining observability into assets. The highly flexible nature of the cloud brings added challenges of access control. For example, organizations face issues such as the doubling of cloud assets as the instances are spun up or down.

Here are some key challenges with Cloud Asset Management (CAM)


1. Non-listed purchases

With the ever-increasing feasibility of deploying cloud services, Software-as-a-Service (SaaS) in particular, the standard IT processes of purchasing these services are often side-stepped. Usually considered as an operational expenditure, rather than capital, cloud services are purchased easily through corporate credit cards and are not often subjected to a thorough approval process and criteria. This leads to the non-involvement of asset management teams in the procurement of cloud services. As a result, they are left unaware of such implementations, thereby posing a risk to the entire infrastructure.

2. Coping with changing dynamics

Cloud adoption is on the rise because of the faster time to market and the agility it offers. Comparatively, traditional asset management practices often involve long lifecycles. This allows organizations time for reconciliations, monitoring, and planning. The challenge for organizations, when it comes to Cloud Asset Management, is thus to identify, design, and deploy reactive methodologies for improved efficiency.

3. Underlying and often hidden costs

Cloud Asset Management is accompanied by different licenses and contracts. This requires organizations to build new capabilities and skill sets. While these contracts and licenses are deceptively trivial at face value, numerous underlying, direct and indirect costs are incurred that need to be accounted for. These costs could be on account of migration, system integration, premium support services, oversubscription, additional storage requirements, service renewals, and more.

4. Control issues

Transparency is a must among cloud service providers when it comes to data backup and security. Organizations with mission-critical or confidential information require full control over their asset management, as a publicly accessible environment will involve intrinsic risks. Having a SaaS setup limits organizations from adapting to underlying platforms or understanding how they are developed.

Overcoming CAM challenges

Here are some simple tips that I believe will help overcome the Cloud Asset Management challenges that we identified above.

1. Mitigating misconfigurations

Addressing gaps in misconfigurations or vulnerabilities is complicated. Organizations must look to implement processes for continuous monitoring and identification of misconfigurations in workloads. By comparing the data with CIS benchmarks, organizations can identify cloud assets that don’t follow the recommended best practices. Implementing continuous interrogation and discovery, which goes hand-in-hand with automation, will enable organizations to maintain security of assets in their cloud environment.
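The continuous comparison described above, and the storage, encryption and account-permission monitoring attributed to CSPM tools earlier, can be sketched as an added example (not Cloudlytics' code or any product's rule set). It evaluates two constructed inventory scans against a small rule set and reports what is newly failing and what was fixed; the rule IDs, field names and asset names are assumptions and are not CIS control numbers.

```python
from collections import Counter
from typing import Callable, NamedTuple

class Rule(NamedTuple):
    rule_id: str                      # hypothetical ID, not a CIS control number
    types: tuple                      # asset types the rule applies to
    severity: str
    passes: Callable[[dict], bool]    # True when the asset is compliant

# A missing attribute counts as a failure: a scan that cannot prove a setting
# is safe should not report it as safe.
RULES = [
    Rule("EX-01", ("storage", "database"), "high", lambda a: a.get("public") is False),
    Rule("EX-02", ("storage", "database"), "high", lambda a: a.get("encrypted") is True),
    Rule("EX-03", ("database",), "medium", lambda a: a.get("tls_only") is True),
    Rule("EX-04", ("iam_role",), "high",
         lambda a: bool(a.get("actions")) and not any("*" in x for x in a["actions"])),
    Rule("EX-05", ("iam_role",), "medium", lambda a: a.get("mfa_required") is True),
    Rule("EX-06", ("storage", "database", "iam_role"), "low",
         lambda a: bool(a.get("owner"))),
]
SEVERITY = {r.rule_id: r.severity for r in RULES}

# Constructed scans of the same account on two consecutive days.
SCAN_MONDAY = [
    {"id": "bucket-statements", "type": "storage", "public": True,
     "encrypted": False, "owner": "payments"},
    {"id": "role-ci-deploy", "type": "iam_role", "actions": ["*"],
     "mfa_required": False, "owner": "platform"},
    # tls_only was never recorded and nobody owns the asset
    {"id": "db-ledger", "type": "database", "public": False,
     "encrypted": True, "owner": ""},
]
SCAN_TUESDAY = [
    {"id": "bucket-statements", "type": "storage", "public": False,
     "encrypted": True, "owner": "payments"},
    {"id": "role-ci-deploy", "type": "iam_role", "actions": ["*"],
     "mfa_required": False, "owner": "platform"},
    {"id": "db-ledger", "type": "database", "public": False,
     "encrypted": True, "tls_only": True, "owner": "ledger"},
    # spun up outside the normal process: public and without an owner
    {"id": "bucket-export", "type": "storage", "public": True, "encrypted": True},
]

def evaluate(inventory):
    """Return the set of (asset_id, rule_id) pairs that fail a rule."""
    findings = set()
    for asset in inventory:
        for rule in RULES:
            if asset.get("type") in rule.types and not rule.passes(asset):
                findings.add((asset["id"], rule.rule_id))
    return findings

def drift(previous, current):
    """Compare two scans' findings: newly failing checks and fixed ones."""
    return {"new": sorted(current - previous),
            "resolved": sorted(previous - current)}

def by_severity(findings):
    """Count findings per severity for a summary line."""
    return dict(Counter(SEVERITY[rule_id] for _, rule_id in findings))

if __name__ == "__main__":
    monday, tuesday = evaluate(SCAN_MONDAY), evaluate(SCAN_TUESDAY)
    print("Monday: ", by_severity(monday))
    print("Tuesday:", by_severity(tuesday))
    for kind, items in drift(monday, tuesday).items():
        for asset_id, rule_id in items:
            print(f"{kind:9} {asset_id:18} {rule_id} ({SEVERITY[rule_id]})")
```

The unchanged `role-ci-deploy` findings appear in neither drift list, which is why a scan-over-scan report needs the full findings set alongside the delta.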

2. Controlling security

Understanding security controls and managing cloud assets with caution is the key. This will ensure that organizations have the know-how of their inventory and make informed decisions on security measures. As organizations develop a better understanding of the cloud assets they possess, identifying gaps in protection and adopting the right tools for securing the same becomes easy.

3. Awareness about workloads

Modern organizations with advanced capabilities in application maintenance know that everything probably involves an API. This is a huge advantage in managing asset inventory. However, this also means high investment while doing this for multi-cloud environments or correlating inventories of cloud assets with the security control data. Effective asset management becomes more achievable when organizations are capable of accessing every resource in their cloud environment.

To Conclude

Cloud Asset Management empowers organizations in utilizing their resources and assets efficiently. It also assists in reducing costs and making informed investment decisions. Partnering with the right cloud provider and using the latest technologies and tools can help organizations in achieving an effective Cloud Asset Management practice.

At Cloudlytics, we have built a world-class tool and an enviable team of experts to help you do just this! For the latest in cloud asset management and compliance solutions, reach out to our experts here.

GRC and CSPM – a match made in the cloud

Given the demands of hyper-growth, super efficiency and rapid digitalisation, the cloud has become the default for most, if not all, organisations. However, with the increase in cloud adoption, there is also an increase in data security risks. A survey by Security Magazine reveals that around 75% of the organisations have faced cybersecurity attacks in some form or the other. These include ransomware/malware, data breaches, and many more underlining the severity of the risk.

Therefore, to secure your company from untoward incidents like data breaches that put your company’s credibility at stake, you need a foolproof strategy. A tightly integrated GRC approach is a proven winner. In a cloud-first world, enabling it with efficient cloud-specific tools like Cloud Security Posture Management (CSPM) solutions is key.

Let us try to understand the importance of GRC in cloud security and how CSPM tools can ensure a secure cloud environment.

What Is GRC?

GRC is an acronym for governance, risk management and compliance. In the software world, it is a structured approach that organisations use to align IT practices with their core business objectives to free the organisation from cyber threats.

Governance refers to a process where management uses hierarchy or company policies to govern based on factual data and statistics. Risk management involves the evaluation of data and prioritising the same based on an overall risk assessment.

Compliance is the process of adhering to the rules of the market, organisation, and regulators or government in company operations.

GRC essentially guides enterprises to run their business within the constraints of law, finance, and compliance. Privacy policy, data share policy, compliance, risk estimation, finance, etc., all come under GRC.

With the dawn of the digital era, and businesses facing a paradigm shift towards cloud infrastructure, companies started facing cloud security issues, and multiple security disasters started to surface. It was in 2002 when Forrester put forward the need to use GRC as a marketplace tool.

GRC for Cloud Infrastructure Security

One of the hurdles that enterprises face while shifting to the cloud from on-premises is managing cloud risks while adhering to compliance. A well-planned and well-structured GRC provides a broader and more efficient approach for managing the cloud security risks of any organisation.

Even when companies adopt public cloud infrastructure, due importance to GRC should be a priority. When organisations broaden their GRC to the cloud, they get greater visibility into possible cloud risks that compromise the credibility and authenticity of the organisation.

A well-structured GRC strategy for cloud risks encompasses:

  • Identifying cloud security assets and compliance
  • Identifying data-related assets and compliance
  • Embedding security control on cloud
  • Monitoring and automating the overall cloud security compliance
  • Continuously improving the security control processes

A strategically sound GRC helps the facilitators of cloud security practices like the CISOs of the company in many ways.

It empowers them with detailed and high-quality information that enhances decision-making capabilities. It also adds more agility, accountability and promotes a safe and productive working environment. In effect, it improves the overall performance of the organisation over a secure cloud.

To successfully implement GRC, organisations need to focus on chalking out an effective and holistic action plan leveraging the best CSPM tools.

Achieving GRC using CSPM Tools

CSPM or Cloud Security Posture Management tools are cloud security products that help companies achieve a secure cloud environment and adhere to the compliances. It is a cloud security solution that examines and compares an organisation’s cloud environment with a set of relevant compliance rules, best cloud security practices, and possible risks.

Gartner states that most cloud security breaches are due to misconfiguration of the cloud environment. Misconfiguration can occur due to several reasons. The most common cause is a lack of visibility and understanding of cloud resources. This makes the cloud infrastructure vulnerable to data breaches and other security threats.

CSPM tools help organisations mitigate such risks by up to 80%, as per this Gartner research. Some of the other ways CSPM tools benefit organisations:

  • Provide greater visibility across cloud platforms by monitoring cloud platforms in real-time
  • Analyse the cloud data in real-time for any potential risks
  • Continuously check for any cloud compliance deviation
  • Detect possible threats and remediate misconfiguration issues

Businesses are continuously evolving around cloud infrastructure. Therefore, cloud governance helps organisations centrally manage the resources without being vulnerable to malicious attackers. The role of CSPM in managing cloud-based services such as SaaS, PaaS, and IaaS is therefore indispensable. Not only does it spot the security threats, but it also identifies areas of improvement. It empowers organisations with the right insights for implementing best compliance practices.

Cloudlytics CSPM tools enable businesses to bolster cloud posture and build a robust public cloud environment by achieving an optimum GRC. They are designed to enable organisations to follow the proper protocol, identify the potential security risks, and provide appropriate and timely remedies, all while maintaining compliance with policies.

Conclusion

As digital transformation continues to drive companies towards cloud services, the need to escalate GRC from on-premises to cloud is inevitable. Deploying CSPM solutions is the first step towards ensuring a secure cloud environment as it helps organisations implement best GRC practices in the cloud.

Cloudlytics’ CSPM tools are an asset for organisations, especially those which leverage a complex cloud environment and multi-vendor support. It strengthens cloud security and helps organisations reap the true benefits of cloud computing.

Make your GRC water-tight with Cloudlytics CSPM. Book a free demo here

Further reading: 

  1. Our e-book on CSPM called ‘A to Z of CSPM’ 
  2. 7 Best Practices for Cloud Security Monitoring
