Cesar Augusto Nogueira | Cloud Architect | everis Brazil

Protecting PII Data for Cloud-Based Financial Services

Data security is a growing problem, and we have seen a common misunderstanding that the public cloud is not an acceptable environment for confidential data such as PII, but this idea is simply incorrect.

Properly protecting sensitive data, such as PII (Personally Identifiable Information) is extremely important for any digital company. The financial, legal, and reputational costs of not maintaining data security can be extremely high. There is a common, serious misconception that migrating to the public cloud increases these risks. Adopting services such as the Google Cloud Platform (GCP) helps increase and strengthen system security, while offering lower cost, greater flexibility, broader services, and other benefits.

When a company fully adopts the superior technology and practices available with a public cloud platform such as the Google Cloud Platform, it can cut costs and increase efficiency, and greatly improve its general risk profile, creating extremely favorable results.

This issue is not disappearing, and the consequences of data failures will be increasingly severe in the future. Investments in confidential data, such as PII, are significant and will continue to grow. This context means a new solution is required, and the improved security available through prudent and holistic adoption of the resources in the public cloud can offer a life raft for the security teams of financial services firms.

Fortunately, the predominant security resources and products offered by public cloud providers are inherently broader and more robust that those offered in a local data center, and, as such, offer a basis for updating the company’s security position.

In this context, it is time to stop asking whether the cloud is secure, and instead start learning how to securely migrate to the cloud. To do this, an approach of “form the inside out, using defined software,” takes the place of an approach to security based on a traditional perimeter, implementing new methods that are not available through local solutions, and applying new security standards in each layer of abstraction, from managing identity context for data at rest

The risks of cloud-based data systems are the same cyber risks faced by any on-premises system.

These risks fall into three categories: risks that lead to a compromised system; vulnerabilities that leave systems exposed; and events that can impact businesses due to vulnerabilities and threats.

· Internal malware: a threat that comes from within, whether from your team or from a trusted partner. Frequently the hardest threat to detect; therefore, potentially the most dangerous.

· Abuse and misuse of cloud-based resources: implementing services using inadequately secure cloud services create vulnerabilities to several risks that can extend beyond the company itself, such as e-mail phishing and cryptocurrency mining.

· Account invasion: involves malicious actors obtaining control of accounts and stealing information, maliciously changing data, or redirecting traffic to illegitimate websites. The resulting confusion and reputational damage can cause incalculable harm.

· Advanced Persistent Threats (APTs): APTs are notable for their long-term, and often slow, infiltration strategy, followed by long-term operation, making them particularly hard to detect. In many cases, by the time APTs are detected they have already done significant harm.

· Access Management: low administration with identities, credentials. If the tools used to manage and monitor identities and access are incomplete, or have blind-spots and gaps, the entire system becomes vulnerable to attacks, information theft, and much more.

· Na insufficient Planning and Security Project: adding new resources and processes without adequate analysis and testing can create increased financial, legal, and commercial risks.

· Insecure Interfaces and APIs: interfaces and APIs are entryways to the system and, if they are not well designed, can become security gaps. Any weakness at these points offers an entrance for ill-intentioned actors, who then gain unrestricted access to cause damage.

· System Vulnerabilities: Bugs in hardware and underlying firmware and software, such as CPUs, OSs, and third-party components can also create exposure for a system, services for data sharing are especially susceptible to this type of vulnerability.

· Vulnerabilities in shared technology: security failures in underlying third-party components or in open code provide additional vectors of vulnerability that must be resolved. A minor flaw can become a big responsibility if it is used to get around system security.

· Data breach: as major companies including Yahoo, Marriott, Target, Equifax and many others can attest, a data breach is a major lapse in security. If the breach is caused by a directed attack, human error or negligent policies, the legal, financial and reputational costs can be astronomical.

· Data loss: not all data problems are due to theft, sometimes data is lost to accidental deletion of a physical catastrophe such as a fire, storm, or earthquake. In addition to the expense and difficulty of trying to recover lost data, data loss can also harm the continuity of business and cause contractual concerns.

· Denial of Service (DoS): A DoS attack occurs when system resources are overwhelmed by a large, coordinated influx of traffic. This is nothing new, but the proliferation of cloud-based services can make DoS attacks faster, stronger, and potentially much more expensive. A DoS attack can also create reputational risk and impact contractual obligations.

The amount of exposure to these issues, and their relative importance, depends on the specific facts and circumstances of each situation, but this list offers a practical guide to ensure that every issue is covered and, more importantly, no threat, vulnerability, or event is left out of your analysis.

By following the recommended practices of the GCP and DevSecOps, it is possible to create a system with a higher degree of security than existing systems, and has the flexibility and responsiveness needed to address future needs.

By taking advantage of a cloud-based security approach and implementing security methods to reduce risk beyond what is possible in a local data center, you can make your security approach more effective at every step of the process. To that end, we follow a methodology that covers 11 best practices that have been proven to produce the desired results.

11 best practices for security in the cloud

1 . Keep your security and compliance objectives in mind.

2 . Focus on “what to protect” instead of “surface attack.”

3. Develop a perspective of “trust nothing” and “continuous verification” in the cloud.

4. Consider end-to-end security for your hybrid cloud environment.

5. Take advantage of the efficacy of a global network.

6. Embrace maximal automation of your infrastructure.

7. Respect systems.

8. Use improved cloud management.

9. Elevate identity management as a service.

10 . Use proactive and reactive security rules.

11. Practice risk exposure, isolation, and remediation.

Effective monitoring is important in the cloud, due to the enormous quantity of information being created.

It is essential to have an intuitive and self-descriptive representation of the aggregation, filtering, and classification of monitoring data, in the form of a dashboard.

This helps direct effective automatic correction of threats, and rapid response to any risks that are uncovered.

We use the Stackdriver service, part of the GCP, to provide monitoring and alerts for resource peaks and anomalies, allowing us to immediately help identify compromised systems and networks. With Stackdriver, our clients can create internal pathways for security audits, to know who is accessing each system, and receive immediate alerts for any violations.

Considering the amount of monitoring data generated, we create personalized dashboards and visualizations for response teams, which isolate packets of manageable and actionable information.

We are also implementing the GCP Cloud Security Command Center, a new product that makes the creation of these assets faster. Finally, in addition to auditing internal changes, our Access Transparency Service permits the tracking of audits in the GCP itself to isolate and respond to updates and alterations.

To protect PII Data in the cloud, you must:

· Establish a regulatory conformity approach.

· Resolve threats that can lead to system compromise.

· Prevent events that impact your business.

· Remove address vulnerabilities that can leave your systems exposed.

Exponential intelligence for exponential companies