Configuring cloud security through code
Financial services institutions currently face a significant challenge in identifying solutions and capabilities that help them protect data across geographies. Global organizations encounter additional challenges in remaining compliant with the varying levels of regulation and requirements of the countries in which their data resides. Identifying and implementing proper controls while following local governance orders is also a critical cost optimization and risk aversion step institutions must take to avoid catastrophic fines (a major company was fined $877 Million for non-compliance with the GDPR [1]). Financial organizations encounter an added layer of complexity in remaining compliant with industry-specific requirements such as the Payment Card Industry Data Security Standard (PCI-DSS). Zero-trust architecture is a strong method for remaining compliant while securing your environment, and the Cloud is a great place to build it. Cloud migration is a strategy many organizations are considering, but it comes with a flurry of other business hurdles.
Some other key concerns are as follows:
To address these concerns, businesses must take a comprehensive, iterative, multi-layered approach to cloud migration and data protection. For a successful journey to the cloud, global financial organizations need to understand their organization's data needs from an enterprise-level view, build a compliance strategy for current and future regulations, and implement layers of technology controls to create a secure and compliant environment.
A common misconception is that organizations should begin their cloud journey by migrating. IT implementations may be perceived as progress, but it is critical not to jump straight in without setting a foundation and understanding the scope and risk of your data assets. Establishing a Cloud Center of Excellence (CCOE) is a proven methodology that aligns departmental goals and needs at the enterprise level through a diverse set of organizational stakeholders. Through the lens of the CCOE, the business's data lineage becomes clear, and so do the associated risk and governance requirements. Global companies are challenged by a number of data protection compliance laws that apply to data where it resides. Non-compliance comes with a heavy cost, so companies should learn the laws associated with each of their datastores and use proper industry frameworks (NIST, FedRAMP) to achieve certification. Compliance laws will continue to evolve, so to stay ahead of the curve, financial organizations should study proposed legislation in the countries where their data is stored. Understanding the future requirements of data protection will help your business iterate and prepare for tomorrow's challenges, today.
Some of tomorrow's challenges are clear, but many of them remain a mystery. To prepare for unknown risk, financial institutions should adopt a zero-trust mindset as they implement technology controls across their environment. Implementing zero-trust IAM policies, storing privileged functions in privileged access management tools or cloud-native secret management services, and enforcing MFA for access to sensitive resources shrinks your attack surface and limits the damage an attacker can do if account credentials are compromised. For sensitive data (PII), develop a zero-trust architecture by logically segmenting databases, applying an encryption-first strategy where applicable, and investing in cloud disaster recovery. Technology controls are only as effective as the people who configure them, and unfortunately the most common cloud misconfiguration stems from human error. Breaches caused by these errors cost your company an average of $8 Million [2] and the loyalty of your customers. The solution is Security Policy as Code (PaC), a programmatic approach to implementing security policy that prevents insecure architecture from being configured in the first place. PaC can continuously monitor your environment, perform audits, and run validation tests pre- and post-deployment. This cost optimization step has helped companies save $5 Million per year while lowering audit costs by 80% [3].
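To make the pre-deployment validation described above concrete, here is a small added example (not KPMG or Concourse Labs code) of a Policy-as-Code gate that evaluates a deployment manifest against the zero-trust rules the paragraph lists; the manifest, its field names and the resource shapes are constructed assumptions.

```python
# Policy-as-Code pre-deployment gate (added example; not KPMG or Concourse Labs code).
# Encodes three zero-trust rules from the text: encrypt and segment PII datastores,
# require MFA for privileged IAM roles, and refuse wildcard IAM actions.

# Constructed sample manifest; resource shapes and field names are assumptions.
MANIFEST = [
    {"type": "database", "name": "customer-pii", "classification": "PII",
     "encrypted_at_rest": False, "subnet": "public"},
    {"type": "database", "name": "marketing-stats", "classification": "internal",
     "encrypted_at_rest": True, "subnet": "private"},
    {"type": "iam_role", "name": "ops-admin", "privileged": True,
     "mfa_required": False, "actions": ["s3:*", "iam:PassRole"]},
    {"type": "iam_role", "name": "report-reader", "privileged": False,
     "mfa_required": False, "actions": ["s3:GetObject"]},
]

def check_datastore(res):
    """PII datastores must be encrypted at rest and kept off public subnets."""
    violations = []
    if res["classification"] == "PII":
        if not res["encrypted_at_rest"]:
            violations.append(f"{res['name']}: PII datastore lacks encryption at rest")
        if res["subnet"] == "public":
            violations.append(f"{res['name']}: PII datastore on a public subnet")
    return violations

def check_iam_role(res):
    """Privileged roles need MFA; wildcard actions are never allowed."""
    violations = []
    if res["privileged"] and not res["mfa_required"]:
        violations.append(f"{res['name']}: privileged role without MFA")
    for action in res["actions"]:
        if action.endswith("*"):
            violations.append(f"{res['name']}: wildcard IAM action {action}")
    return violations

CHECKS = {"database": check_datastore, "iam_role": check_iam_role}

def evaluate(manifest):
    """Run every applicable check; any violation should block the deployment."""
    violations = []
    for res in manifest:
        violations.extend(CHECKS.get(res["type"], lambda r: [])(res))
    return violations

if __name__ == "__main__":
    for v in evaluate(MANIFEST):
        print("DENY:", v)
```

Wiring `evaluate` into a CI pipeline and failing the job on a non-empty result is what turns this from an audit report into a preventive control.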
For a successful journey to the cloud, global financial organizations need to understand their organization's data needs from an enterprise-level view, build a compliance strategy for current and future regulations, and identify layers of technology controls to create a secure and compliant environment. KPMG possesses the tools, people, and processes needed for a successful journey to the Cloud. We can help define strategy by developing your CCOE, and we can also save you time and money while building public trust through Policy as Code (PaC). KPMG's partnership with Concourse Labs (a leader in PaC) enables enterprises to perform routine audits, automate security, accelerate secure application development, and prevent misconfigurations. We can provide clarity into your data needs, build compliance guardrails that protect your assets, and help architect a zero-trust environment with layers of security that define your organization as a business built on trust and security.