Driving Digital Transformation While Ensuring Cloud Security and Compliance in the Financial Services Industry
Financial service organizations are experiencing a culture shift as they respond to consumer demand for improved experiences delivered when and how they want them. Building applications and migrating regulated workloads to Amazon Web Services,
Microsoft Azure, and Google Cloud Platform offers an attractive way to speed innovation, time to market, and resilience. The self-service and dynamic nature of software-defined cloud infrastructure creates unique challenges for risk and compliance professionals in
the financial services industry. Processes and tools that worked well in the traditional datacenter do not directly translate to the public cloud. Due to these concerns over regulatory compliance and security, as well as the complexity involved in migrating legacy
systems, financial institutions have taken a tentative approach to adopting the public cloud, especially when it comes to implementing new technologies that could put compliance at risk. For financial service organizations to take full advantage of the opportunities public
cloud offers, they must ensure that their customers are comfortable with this shift, that clear cloud governance standards are defined, and that they can present evidence of compliance to assessors and auditors. This is an achievable objective, and this guide
explores the roadblocks to innovation, the frameworks that financial services organizations are leveraging to ensure strong governance in the cloud, a roadmap for continuous compliance in the cloud, and how DivvyCloud can help you achieve this goal.
Roadblocks to Innovation
While many financial service organizations know they have to make changes, they are often risk-averse when it comes to implementing new technology (and for a good reason). This cautious approach is driven by substantial regulatory requirements, the critical
nature of financial systems, and the sensitive nature of consumer information. The risks are not imagined, as the financial services industry experiences security incidents 300 percent more frequently than other sectors. In addition to being a giant bullseye for
hackers, the financial services industry is one of the most heavily regulated and scrutinized industries. Several regulations have been put in place to protect the privacy and security of consumers, including the Sarbanes-Oxley and Gramm-Leach-Bliley Acts, the
Payment Card Industry Data Security Standard (PCI DSS), and most recently the General Data Protection Regulation (GDPR) set forth by the European Union. Financial service organizations that don’t comply with these regulations face substantial penalties.
The challenge is: how do these regulations translate to the public cloud? How do you map directives back to a novel, and ever-expanding, set of cloud services, especially relative to the set of software-defined configurations that often result in a violation of policy? How
do you do this while embracing self-service, from which the public cloud derives much of its flexibility and agility? How do you ensure continuous compliance in the dynamic and transient world of public cloud and do so on a constant and consistent basis?
In essence, how can today’s financial service organizations embrace all the many benefits of the cloud without opening up a Pandora’s box of risk relative to compliance and security?
The first part of the answer is to embrace cloud native frameworks.
Cloud Native Frameworks
The Cloud Security Alliance Cloud Controls Matrix (CSA CCM), SOC 2, and CIS Benchmarks are the trifecta of frameworks that should make up the foundation of cloud governance for financial services organizations.
Let’s explore these frameworks and the value they deliver:
Cloud Security Alliance Cloud Controls Matrix
Cloud Security Alliance Cloud Controls Matrix is the gold standard for cloud native
security assurance and compliance. It provides a cloud native controls framework with a
detailed explanation of security concepts and principles. The CSA CCM recommendations
are mapped to many other compliance standards, such as NIST, and can help companies
meet their requirements under these regulations.
The CSA CCM provides a controls framework with a detailed explanation of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 16 domains:
- Application & Interface Security (AIS)
- Audit Assurance & Compliance (AAC)
- Business Continuity Management & Operational Resilience (BCR)
- Change Control & Configuration Management (CCC)
- Data Security & Information Lifecycle Management (DSI)
- Datacenter Security (DCS)
- Encryption & Key Management (EKM)
- Governance & Risk Management (GRM)
- Human Resources (HRS)
- Identity & Access Management (IAM)
- Infrastructure & Virtualization Security (IVS)
- Interoperability & Portability (IPY)
- Mobile Security (MOS)
- Security Incident Management, E-Discovery, & Cloud Forensics (SEF)
- Supply Chain Management, Transparency, and Accountability (STA)
- Threat & Vulnerability Management (TVM)
As a framework, the CSA CCM provides organizations with the needed structure, detail,
and clarity relating to information security tailored to the cloud industry.
- It emphasizes business information security control requirements
- It identifies and reduces recurring security threats and vulnerabilities in the cloud
- It provides standardized security and operational risk management
- It seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud
As discussed above, one reason it is such a powerful resource is that if you are compliant
in one area, it can provide validation that you are compliant with numerous related
For example, control DSI-03 (E-commerce Transactions) under the CCM domain Data Security & Information Lifecycle Management requires data related to e-commerce that traverses public networks to be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification, in such a manner as to prevent contract disputes and compromise of data. If an organization is in compliance with DSI-03, there is a direct correlation with NIST 800-53, which addresses these same security requirements with controls including:
- AC-14: Permitting actions without identification or authentication
- AC-21: Information sharing
- AC-22: Publicly Accessible Content
- IA-8: Identification and Authentication (Non-organizational users)
- AU-10: Non-Repudiation
- SC-4: Information in shared resources
- SC-8: Transmission confidentiality and integrity
- SC-9: Transmission confidentiality
Many financial institutions use the CSA CCM because it is also a well documented and
very accessible framework that can be communicated to customers as the standard by
which they can hold the financial institution accountable. There has also been movement
within the industry to select CSA CCM as a commonly used standard among institutions
such as banks.
Service Organization Control (SOC 2) Report
Another approach financial service organizations must take is mapping cloud controls to
traditional frameworks like the Service Organization Control (SOC 2) report. Developed
by the American Institute of CPAs, the SOC 2 report focuses on a business’s non-financial
reporting controls as they relate to security, availability, processing integrity,
confidentiality, and privacy of a system.
SOC 2 measures five controls specifically related to IT and data center service
providers, generally referred to as the CIA triad plus privacy:
Five SOC 2 Measured Controls
- Security (protection of information and systems from damage or unauthorized access)
- Availability (reliability of customers’ access to information and systems)
- Processing integrity (completeness, validity, and accuracy of the organization’s data processing)
- Confidentiality (protection of designated confidential information)
- Privacy (limited collection and use of personal information)
Center for Internet Security (CIS) Benchmarks
CIS Benchmarks are secure configuration guidelines and settings created to help you
secure specific platforms, including AWS, Azure, and GCP. These benchmarks help you
safeguard systems against today’s evolving cyber threats and are endorsed by leading IT
security vendors and governing bodies. They are prescriptive guidance that helps you
create a secure baseline configuration when operating in AWS, Azure, or GCP. In March
2018, Microsoft published the CIS Microsoft Azure Foundations Security Benchmark
which is the recognized industry-standard for securely configuring traditional IT
components. In September 2018, CIS published a new benchmark for securing cloud
workloads on Google Cloud Platform (GCP). This benchmark contains dozens of security
recommendations across Identity & Access Management, Logging/Monitoring,
Networking, Storage, Compute and Kubernetes. In December 2017, CIS published the
AWS CIS Foundations Benchmark which provides prescriptive guidance for configuring
security options for a subset of Amazon Web Services with an emphasis on foundational,
testable, and architecture-agnostic settings.
It is important to note that the CIS Benchmarks from each of the cloud service providers
are for a base set of cloud services and do not guide the complete and ever-expanding
collection of services offered by each provider. Therefore, it is essential for each
institution to perform the legwork to expand the principles established in the CIS
Benchmarks to a broader set of services, or to leverage third-party software like DivvyCloud
that provides out-of-the-box compliance capabilities.
Developing a Roadmap for Compliance
There are three keys to building a roadmap for compliance: culture, frameworks, and
systems. Combining these three keys allows customers to build cloud operations maturity.
First, organizations must modify the command and control mentality of traditional IT and
marry it with a “trust but verify” approach when looking to realize the advantages of
public cloud.
Second, incorporate CSA CCM, SOC 2, and CIS Benchmarks as the foundation of your
cloud governance strategy.
Third, identify and implement the systems that are cloud-native and can help you address
the unique challenges of the public cloud through automation. Fortunately for today’s
financial institutions, there are ready-made solutions available that help organizations
achieve continuous security, compliance, and governance while embracing the dynamic,
software-defined, self-service nature of public cloud and container infrastructure.
DivvyCloud is a leader in this space. DivvyCloud’s software appliance performs real-time,
continuous discovery and monitoring of resources in Amazon Web Services, Microsoft
Azure, Google Cloud Platform, Alibaba Cloud, and Kubernetes. This data is distilled into
actionable insights and presented through a single-pane-of-glass console that provides an
assessment of your holistic security and compliance posture.
DivvyCloud offers more than 165 out-of-the-box policies that map to best practices and
standards including SOC 2, CSA CCM, PCI DSS, NIST CSF, NIST 800-53, ISO 27001, CIS,
FedRAMP CCM, HIPAA, and GDPR. Customers enable these out of the box or configure
custom, cloud-native policy guardrails (“Insights”). Policy violations are flagged in
real-time, and customers can automate remediation with out-of-the-box, or custom,
workflows (“Bots”) that integrate with third-party systems like Splunk and ServiceNow.
These workflows are fully configurable and can incorporate a full range of lifecycle actions
that are contextually allowed by the resource in violation. For example, the workflow may
Modify Security Groups, Disassociate Public IP, or Terminate Instance when remediating a
compute instance in violation of policy.
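The two mechanisms described above, a policy that carries the framework controls it maps to (as in the DSI-03 to NIST 800-53 correlation earlier) and a remediation workflow that only takes lifecycle actions the violating resource type allows, can be sketched as a small policy-as-code evaluator. The following is an added illustration, not DivvyCloud’s code or API: the resource inventory, the per-type action catalogue, and the policy names are constructed, and the control mappings on each policy (CIS AWS Foundations 4.1, NIST 800-53 SC-7, AC-22, AC-21, SC-28, the CCM EKM domain) are illustrative rather than an authoritative crosswalk.

```python
"""Policy-as-code evaluation with mapped controls and contextual remediation.

Added example; not DivvyCloud's implementation. Inventory, action catalogue
and policy names are constructed; control mappings are illustrative.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

Resource = Dict[str, object]

# Constructed sample inventory (identifiers and addresses are made up).
INVENTORY: List[Resource] = [
    {"id": "sg-0a1", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]},
    {"id": "sg-0b2", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    {"id": "i-123", "type": "compute_instance",
     "public_ip": "203.0.113.10", "security_groups": ["sg-0a1"]},
    {"id": "i-456", "type": "compute_instance",
     "public_ip": None, "security_groups": ["sg-0b2"]},
    {"id": "bucket-logs", "type": "storage_bucket", "public_access": True, "encrypted": False},
    {"id": "bucket-data", "type": "storage_bucket", "public_access": False, "encrypted": True},
]

# Lifecycle actions a hypothetical platform permits per resource type; a bot
# may only pick from the set belonging to the resource in violation.
ALLOWED_ACTIONS: Dict[str, set] = {
    "security_group": {"modify_security_group", "notify"},
    "compute_instance": {"modify_security_groups", "disassociate_public_ip",
                         "terminate_instance", "notify"},
    "storage_bucket": {"block_public_access", "enable_encryption", "notify"},
}


@dataclass(frozen=True)
class Policy:
    name: str
    resource_type: str
    # Returns True when the resource is compliant; receives the full index so a
    # check can look across resources (an instance and its security groups).
    compliant: Callable[[Resource, Dict[str, Resource]], bool]
    mapped_controls: Sequence[str]      # framework controls this policy evidences
    preferred_actions: Sequence[str]    # least disruptive first


def _world_open(sg: Resource, port: int) -> bool:
    """True if the group admits the given port from any IPv4 source."""
    return any(r["port"] == port and r["cidr"] == "0.0.0.0/0" for r in sg["ingress"])


POLICIES: List[Policy] = [
    Policy("no-world-open-ssh", "security_group",
           lambda r, idx: not _world_open(r, 22),
           ("CIS AWS Foundations 4.1", "NIST 800-53 SC-7"),
           ("modify_security_group", "notify")),
    Policy("no-public-instance-behind-open-sg", "compute_instance",
           lambda r, idx: r["public_ip"] is None
           or not any(_world_open(idx[s], 22) for s in r["security_groups"]),
           ("NIST 800-53 SC-7", "NIST 800-53 AC-14"),
           ("disassociate_public_ip", "terminate_instance", "notify")),
    Policy("no-public-bucket", "storage_bucket",
           lambda r, idx: not r["public_access"],
           ("NIST 800-53 AC-22", "NIST 800-53 AC-21"),
           ("block_public_access", "notify")),
    Policy("bucket-encrypted-at-rest", "storage_bucket",
           lambda r, idx: bool(r["encrypted"]),
           ("CSA CCM EKM", "NIST 800-53 SC-28"),
           ("enable_encryption", "notify")),
]


def choose_action(policy: Policy, resource_type: str) -> str:
    """First preferred action the resource type actually allows; else notify."""
    allowed = ALLOWED_ACTIONS.get(resource_type, set())
    for action in policy.preferred_actions:
        if action in allowed:
            return action
    return "notify"


def evaluate(inventory: List[Resource], policies: List[Policy]) -> List[dict]:
    """Run every policy against every resource of its type; return violations."""
    index = {r["id"]: r for r in inventory}
    violations = []
    for res in inventory:
        for pol in policies:
            if pol.resource_type != res["type"] or pol.compliant(res, index):
                continue
            violations.append({"resource": res["id"], "policy": pol.name,
                               "controls": list(pol.mapped_controls),
                               "action": choose_action(pol, res["type"])})
    return violations


def controls_affected(violations: List[dict]) -> List[str]:
    """Distinct framework controls with open findings, for audit evidence."""
    return sorted({c for v in violations for c in v["controls"]})


if __name__ == "__main__":
    found = evaluate(INVENTORY, POLICIES)
    for v in found:
        print(f"{v['resource']:12} {v['policy']:36} -> {v['action']}  ({', '.join(v['controls'])})")
    print("controls affected:", controls_affected(found))
```

The point of `choose_action` is the “contextually allowed” rule from the text: the instance policy prefers disassociating the public IP over terminating the instance, and a policy applied to a type that permits none of its preferred actions degrades to a notification instead of failing. `controls_affected` turns the same findings into the cross-framework view an assessor asks for, which is where the one-control-to-many mapping of the CCM pays off.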
Embracing Cloud Automation
Financial services organizations use DivvyCloud to automate the detection and
remediation of cloud and container infrastructure misconfigurations that violate policy.
DivvyCloud enables these industry leaders to take full advantage of agility and speed of
cloud and container technology, while actually strengthening their security and
compliance posture. This is a double win that increases productivity, innovation, and
profitability while decreasing risk.
DivvyCloud has a secondary benefit of making the audit process less time consuming and
therefore more efficient. First, companies should conduct their own “internal audit” on a
regular basis to help identify any potential noncompliance issues — before auditors do.
Companies often cite “lack of resources” as the reason they fail to perform these proactive
spot checks, but the costs of failing a regulatory compliance audit are likely to be far
greater than devoting time and resources to confirm the organization isn’t making any
The good news is that DivvyCloud helps financial organizations identify any potential
noncompliance issues enabling easier “internal audits” for financial organizations. Second,
financial institutions spend millions of dollars annually on auditors to ensure compliance.
DivvyCloud automation helps reduce auditor hours through reporting and evidence of
As financial institutions move to embrace public cloud, they must ensure that security,
governance, and compliance is at the foundation of all decisions. Regulatory compliance
and managing cyber risk do not need to be the enemy of innovation. A combination of
culture change, adoption of cloud-native frameworks, and the use of tools like DivvyCloud
can help financial service organizations advance innovation while protecting them against
risk and ensuring that compliance standards are being met.
DivvyCloud enforces security and compliance policies in real-time, empowering customers to give developers the freedom to innovate using AWS, GCP, Azure, Kubernetes, and Alibaba. Customers like Spotify, 3M, Fannie Mae, Autodesk, Discovery, and Pizza Hut use DivvyCloud to automate the detection and remediation of cloud and container infrastructure misconfigurations that violate policy or pose security risk. DivvyCloud enables these industry leaders to take full advantage of the agility and speed of cloud and container technology while actually strengthening their security and compliance posture. This is a double win that increases productivity, innovation, profitability, and security. DivvyCloud is designed for cloud infrastructure, security, compliance, and governance professionals who want to identify risks in real-time and take automatic, user-defined action to fix problems before they’re exploited.