What You Need to Know About Storing Financial Data in the Cloud
In light of recent malware attacks that affected financial services customers' data stored in the cloud, organizations should take a hard look at how they're securing their financial information.
One notable example, as discussed in a CIO Dive article, was a data breach at Capital One that exposed the cloud-stored data of 106 million customers. It's certainly not the only one; according to an SC Media article, the number of compromised credit cards increased 212% in 2019, compared with the prior year. Additionally, instances of malicious apps more than doubled.
Data protection is an ongoing process. Hackers continue to develop new malware and rely on old attack methods, such as social engineering, to uncover and gain access to critical authentication information. Therefore, financial services firms and other organizations must continually examine and strengthen their security precautions to thwart as many of these threats as possible.
'Bare Metal' Computers at Risk
Hackers can slip malware into bare metal cloud computers, cautioned a recent Wired article. Researchers rented a computer from a cloud-computing provider, changed its firmware and hid the changes before returning the computer. Though the researchers made non-malicious changes, they cautioned that an unscrupulous person could do the same thing and embed malware before returning the rented computer. To protect against such issues in the cloud, the financial services firm should confirm that the cloud provider "sanitizes" virtual machines to remove any malware from a previous user prior to use.
Misconfigured Servers Unveil Sensitive Data
One of the biggest vulnerabilities for data stored in the cloud comes from misconfigured servers. Misconfigured servers were blamed for exposing more than 2.3 billion public files, many with sensitive information such as credit card numbers and medical information, according to ZDNet.
Financial services firms should encrypt stored data and take other security precautions in the cloud as they do with storage on premises. That includes reviewing how servers are configured to avoid accidentally exposing sensitive data when making other files publicly available.
Misconfigured S3 'Buckets' Put Data at Risk
Similarly, other malware targets S3 storage "buckets" that have configuration errors in order to steal the information, as discussed in a Wired article. The S3 buckets are similar to computer file folders, and are used to store objects, consisting of data and its descriptive metadata. Over the span of several months, a theft ring used this method to breach 17,000 domains in order to steal credit card numbers.
Financial services firms need to work with their cloud storage provider to ensure that storage protocols are correctly configured and constantly monitored.
Protection at Three Levels
Entrepreneur.com recommends that financial services and other organizations use programming standards designed to protect data at the application, cloud service middleware and infrastructure levels. For example:
- At the application level, use individual cryptographic algorithms with strong Secure Shell (SSH) to access the hosts to protect data.
- At the cloud service middleware level, cloud users need to take precautions to protect against spam snooping and sniffing. To protect against such threats, a cloud service provider will be able to help you follow best practices.
- At the infrastructure level, organizations should use efficient, secure cloud authentication and user abstraction. Additionally, authenticate virtual machines working together — any unauthenticated virtual machine is a threat to any authenticated virtual machine.
Work with a Seasoned Cloud Security Expert
As you seek to re-examine and strengthen your cloud security efforts, work with a well-seasoned cloud security partner who follows industry security procedures and can also advise you on best practices. A good partner ensures that malware and other threats won't find an opportunity to compromise both your company's and customers' sensitive data.