Full Report
As part of our monthly CISO webinar series, Wiz’s VP of Product Strategy, Raaz Herzberg, spoke with three security experts to learn how each of them prioritizes cloud security, and how they extend the reach of good security practices across their organizations.
Analysis Summary
# Best Practices: Cloud Security and Governance for Financial Institutions
## Overview
These practices are derived from insights provided by security leaders in the financial sector regarding the unique challenges of migrating to and operating securely within cloud environments, emphasizing regulatory compliance, cultural shifts, and the necessity of automation.
## Key Recommendations
### Immediate Actions
1. **Assess Current Cloud Readiness:** Do not attempt a "lift and shift" approach for critical systems; strategically plan the move to the cloud, understanding that cloud transition requires expertise and careful planning.
2. **Establish Data Governance Foundation:** Recognize that while cloud environments provide abundant data, the immediate priority is establishing robust governance to ensure that data is used well and supports sound cybersecurity decisions.
3. **Identify Key Accountability:** Formally document that even if services are outsourced or placed in the cloud, regulatory **accountability for any decision remains with the financial institution.**
### Short-term Improvements (1-3 months)
1. **Embrace Cultural Shift to DevSecOps:** Actively work to break down silos between Development, Operations, and Security teams to realize the full benefits of cloud adoption.
2. **Prioritize Automation for Policy Enforcement:** Begin identifying manual processes ("paper-pushing or human toil") and prioritize them for policy automation to eliminate divergence and improve efficiency.
3. **Intensify Regulatory Gap Analysis:** Conduct a detailed examination of current security controls against specific regulatory standards, acknowledging that compliance in finance is significantly more onerous than in other sectors.
### Long-term Strategy (3+ months)
1. **Develop Cloud-Specific Expertise:** Budget and plan for comprehensive, ongoing training, recognizing that the learning curve for modern cloud technologies is often underestimated.
2. **Integrate Security as a Business Enabler:** Strategically align cybersecurity capabilities (e.g., biometrics) to enhance the unified customer experience while simultaneously gaining a competitive cybersecurity advantage.
3. **Mature Risk Management Framework:** Develop processes where security risks are understood from a business perspective while ensuring all compliance and risk accountability remains internal, regardless of outsourcing.
## Implementation Guidance
### For Small Organizations
- **Focus on Governance First:** Given limited initial resources, prioritize establishing clear governance structures *before* large-scale migration to prevent sprawl and confusion.
- **Leverage Managed Services:** Where expertise is lacking, utilize cloud-native or managed security services, but maintain internal oversight of contracts and accountability documentation.
### For Medium Organizations
- **Pilot DevSecOps Integration:** Begin rolling out DevSecOps practices within specific, non-critical application teams to prove the cultural and operational model before enterprise-wide deployment.
- **Automate Vulnerability Remediation:** Target the automation of vulnerability management tasks (e.g., deleting known vulnerable assets) to replicate the speed advantage of the cloud environment compared to traditional 6-week on-prem testing cycles.
### For Large Enterprises
- **Standardize Tooling Alignment:** Create formal standards ensuring that new modern cloud tools integrate seamlessly and consistently with existing obligations from legacy on-premise security tooling.
- **Formalize CISO Influence:** Utilize the increased face time with executive leadership to drive cybersecurity initiatives that function as true business enablers, tying security success directly to business outcomes (e.g., faster product delivery).
## Configuration Examples
*The provided context discusses conceptual changes and priorities rather than specific technical configurations. The following recommendations are derived from the described philosophy:*
1. **Policy as Code (PaC):** Implement configuration as code (e.g., Infrastructure as Code templates) so that security policies are automatically codified and deployed, minimizing human error and achieving divergence-free policy enforcement.
2. **Automated Decommissioning Policies:** Configure systems to automatically quarantine or decommission assets flagged with high-severity vulnerabilities based on real-time scanning data, rather than relying on manual ticketing processes.
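As an added illustration of the two points above (not code from the webinar, Wiz, or any of the speakers), the following Python script codifies a remediation policy over constructed scanner findings: the thresholds, field names and sample assets are assumptions, and the point is that the decision rules live in reviewed code rather than in a manual ticketing process, while documented risk acceptance stays an explicit, internal record.

```python
"""Policy-as-code evaluator for vulnerability findings (illustrative).

Added example, not from the webinar or Wiz. Thresholds, field names and
sample assets are assumptions chosen for demonstration.
"""
from dataclasses import dataclass

# Codified policy (assumed thresholds): a change here is reviewed like code,
# so every team applies exactly the same rule (no divergence).
POLICY = {
    "auto_quarantine_min_cvss": 9.0,    # critical findings are quarantined
    "ticket_min_cvss": 7.0,             # high findings get a tracked ticket
    "require_internet_exposure": True,  # auto-quarantine only reachable assets
}


@dataclass
class Finding:
    asset_id: str
    cvss: float
    internet_exposed: bool
    risk_accepted: bool = False  # documented internal risk acceptance


def decide(finding: Finding, policy: dict = POLICY) -> str:
    """Return the remediation action for one finding: quarantine, ticket or skip."""
    if finding.risk_accepted:
        # Accountability stays internal: an accepted risk is recorded, not hidden.
        return "skip"
    exposure_ok = finding.internet_exposed or not policy["require_internet_exposure"]
    if finding.cvss >= policy["auto_quarantine_min_cvss"] and exposure_ok:
        return "quarantine"
    if finding.cvss >= policy["ticket_min_cvss"]:
        return "ticket"
    return "skip"


def evaluate(findings: list) -> dict:
    """Map each asset id to the action the policy selects for it."""
    return {f.asset_id: decide(f) for f in findings}


# Constructed scan output, not real data.
SAMPLE_FINDINGS = [
    Finding("vm-payments-01", 9.8, internet_exposed=True),
    Finding("vm-batch-07", 9.8, internet_exposed=False),
    Finding("vm-web-03", 7.5, internet_exposed=True),
    Finding("vm-legacy-02", 9.1, internet_exposed=True, risk_accepted=True),
    Finding("vm-dev-11", 4.3, internet_exposed=False),
]

if __name__ == "__main__":
    for asset, action in evaluate(SAMPLE_FINDINGS).items():
        print(f"{asset}: {action}")
```

Feeding the same evaluator the output of a real scanner would replace the manual "who decides what to do with this finding" step, leaving only the policy itself for humans to review.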
## Compliance Alignment
- **Regulatory Compliance Standards:** Recognize the need to satisfy requirements from entities examining systemic risk and adherence to specific financial regulations (e.g., GDPR and CCPA for privacy, along with specific national financial regulations).
- **NIST CSF:** The focus on continuous monitoring, rapid response (automation), and identifying necessary cultural shifts aligns strongly with the NIST Cybersecurity Framework’s functions of Identify, Protect, Detect, Respond, and Recover.
- **ISO 27001:** Establishing clear governance and risk acceptance frameworks is critical for maintaining an accredited Information Security Management System (ISMS) in a dynamic cloud environment.
## Common Pitfalls to Avoid
1. **Underestimating Training Requirements:** Do not assume security teams will rapidly pick up new cloud technologies; concrete, dedicated training plans must be factored into the timeline.
2. **Skipping Governance Steps:** Avoid moving quickly by skipping thorough governance planning, which leads to significant cyber problems when legacy systems eventually age out or new cloud deployments become ungoverned.
3. **Treating Cloud Migration as "Lift and Shift":** Do not merely move existing on-prem processes wholesale; the cloud requires rethinking processes entirely (e.g., vulnerability management).
4. **Outsourcing Accountability:** Do not treat regulatory requirements as something that can be fully offloaded to a third-party provider; ultimate accountability always resides internally.
## Resources
- **Cloud Security Expertise Development:** Focus efforts on acquiring and retaining talent proficient in modern cloud security architectures.
- **DevSecOps Integration Guides:** Consult documentation related to integrating security practices early into CI/CD pipelines.
- **Financial Sector Regulatory Guidance:** Regularly consult authoritative sources regarding the specific mandates governing data protection and cyber resilience for financial operations.