The transition to cloud computing is a tide; there is no stopping it. If they have not done so already, all enterprises will inevitably migrate most, if not all, of their IT delivery and operations to the cloud. The economics (paying only for needed capacity as opposed to up-front investment in expensive data centers whose capacity may sit unused) are simply irresistible; companies can’t afford to say no. Trying to fight it is like building your sand castle by the seashore during a rising tide.

All firms are already utilizing the cloud in some way, whether through software-as-a-service (SaaS), platform-as-a-service (PaaS) or, the one that is moving fastest and has profound implications for financial services, infrastructure-as-a-service (IaaS). Everyone is going through a period of adjustment, trying to figure out how best to use the cloud to suit their business needs. The transition can be especially fraught for financial services, which has many legacy systems built around on-premise data centers. Migrating to the cloud is much more than a simple change in where data is stored. It is a total paradigm shift in how systems are built and technical support operations are done, which has profound implications for cybersecurity resilience.

Cloud providers tout that the cloud is a more secure way of computing. In reality, it has the potential to be more secure, but that outcome is by no means inevitable. CISOs must reckon with three key factors to successfully manage the transformation to the cloud:
  1. Cloud architecture
  2. Accountability model
  3. Organizational structure for support

From Industry Standards to Individual Decisions

The architecture of the cloud is fundamentally different from an on-premise model. Cloud providers are correct that the underlying operating system, the bare metal so to speak (the layer they are responsible for), is more tightly controlled, with failed components replaced with minimal impact. However, the logical layer is controlled by the client. In the on-premise world, well-established standards determine which applications to run, as well as what servers and which configuration tools to use. In a cloud scenario, these are decisions that must be made by the firm; there are countless combinations to be customized to its needs. The reality is that the individual firm may not know what the best combinations are. So, while the individual components may be more secure, it is not guaranteed that the assembly of those components into a complete system will be.

Who is Responsible for Security?

Further, the cloud accountability model is much more difficult to assess from a controls perspective. Instead of one entity (the firm) being responsible for all data, infrastructure and operations, the activities are divided between the cloud provider, the application developer and the client, each with different and overlapping responsibilities for resiliency. It is not always clear who is accountable for security in a given app, for a given client, at a given point in time.

In the on-premise world, the SOC2 (security operations center for physical assets) is assessed by a visit to the data center. In a cloud model, no one visits the data center; in fact, there may be multiple data centers distributed around the world. For example, take Zoom, which uses Amazon Web Services for hosting its infrastructure. In any given Zoom call, each individual user is routed to a virtual data center near their location to stand up the infrastructure to support the call. Whose controls should be assessed? Zoom is just providing the software that allows the data streaming. The hardware that spins up capacity is in regional data centers worldwide. So, the traditional way of looking at data centers to assess controls does not really apply. Conventional IT support teams in an on-premise model also do not have the skills to support the different approach to software development (known as the Continuous Improvement/Continuous Delivery or CI/CD pipeline) and DevSecOps required by a cloud-first model, which can itself create friction in terms of adoption. Cyber professionals must ensure that governance and controls fit the delivery model of a cloud-first organization.

In fact, one reason for the reluctance of top-tier financial institutions to fully adopt the cloud is not the technical challenges; they are comfortable that they have the expertise to devise resilient cloud models. It is that regulators around the world have not yet found an accountability model that accommodates the new cloud reality, in which the institution does not always control all the systems through which customer data must pass. Many recent privacy regulations are geographically and economically oriented; for example, in the EU, customer data must be stored within an EU member country. This is completely contrary to the essential premise of cloud computing, that data goes where the applications go, which could be anywhere in the world. The machinery of regulation, set by lengthy legislative processes and often taking years to enforce, is moving too slowly for the oncoming tide. In the meantime, companies are finding workarounds that take advantage of the economic drivers to the cloud as best they can, like hosting virtual instances of customer data in the cloud instead of the data itself and using the cloud for everything besides customer data.

The Org Chart is Not Fit for Purpose

In recent years, we have seen the emergence of digital organizations, overseen by a Chief Digital Officer, which exist outside of the central IT function of firms. Digital teams are usually responsible for websites and mobile apps, and sometimes even customer service. They tend to use cloud-based capabilities, including the new approaches to software development that enable continuous improvement and delivery as opposed to older methodologies used in the on-premise model. They are also often unencumbered by the governance requirements of central IT.

The CISO must decide if and how to get involved in the digital world. While some are most comfortable with the traditional way and therefore stay within the remit of the main IT organization, those who recognize that their cybersecurity responsibilities extend to the digital sphere (especially now, with the shift to digital banking and remote working accelerated by the pandemic) will tend to have more exposure to the innovation in controls design necessary to effectively secure the new approaches, techniques, tools and infrastructure of the cloud. Since these can be radically different from, and in some ways antithetical to, on-premise modalities, they can be difficult for security professionals to get their heads around. But they must. Those CISOs who steer their teams towards understanding this paradigm now are going to be the ones best prepared for the cloud’s inevitable takeover of all IT operations, whether that is one, five, or ten years in the future.

Most CISOs believe that their job is to reduce risk. The best CISOs know their job is to manage risk. Enterprises must take risks to be competitive, and certainly to be industry leaders. What sets great CISOs apart is effective risk management, which increasingly requires an in-depth understanding of the evolution of computing technology. Only those who embrace the cloud and all the new paradigms that come with it will be able to surf its rising tide.

The Insight

The shift of all computing to the cloud is as inevitable as the tides, but the transition is fraught with challenges from a security perspective. To effectively manage the risks that come with cloud migration, CISOs must understand cloud architecture, the challenges in accountability that come with having multiple entities handle data, and how they fit into their firm’s organizational structure. The pipeline-based development model for the cloud requires cybersecurity professionals to have the skills to instrument controls into the pipeline within a governance model that emphasizes software quality. Only those who embrace the fundamental differences of the cloud paradigm will be successful as it increasingly takes over in coming years.

July 2020

© 2020 FS-ISAC, Inc. All rights reserved.
