2019 saw two major attacks within the banking sector, one on Capital One and the other was on the Desjardins Group. Besides the loss of customer trust and business, both banks are looking at hundreds of million in damage control costs.  Capital one is expecting around $150 million in damage. In July credit bureau Equifax settled claims from a 2017 data breach that exposed sensitive information of over 147 million consumers, costing it about $650 million.

As the attacks are becoming sophisticated, the fines are getting heftier for data breaches pointing out the need for fintech industry to closely review their cloud workloads and the state of the data security mechanisms that are deployed.

What happened?

In the case of Capital one a software engineer broke into a server and gained access to 140,000 social security numbers, one million Canadian Social Insurance numbers and 80,000 bank account numbers. She obtained credentials for WAF (Web Application Firewall) -- which then allowed her to pull up a list of more than 700 AWS S3 buckets and folders and extract data from them.

Status check of the Fintech industry

Fintech industry is growing on a global scale. CB Insights report suggests in 2018, US alone has generated 659 investments worth $11.89B in venture capital (VC) funding. There are currently 48 VC-backed fintech unicorns worth a combined $187B.

What are the biggest risks?

The biggest risk is the good old conundrum to balance innovation needs and data security as most of these solutions are Cloud native by nature as the pace of innovation in this highly competitive industry can only be supported by Cloud.

Some of the specific challenges faced by cloud users include data breaches, data loss, account hijacking, insecure interfaces, denial of service attacks, masquerading and phishing sites.

We are all aware that the security controls organizations implement on Public Cloud should be no lesser than what they implement in their own Datacenters. An understanding among the entire IT staff and the responsibility split between their own organization and cloud providers is paramount to keep the house in order. 

Who is liable?

Cloud service providers have made it a point time and again that the liability of your data lies with you and not with them.

Let’s look at this from a more technical perspective. In the case of Capital One, we have heard discussions from industry experts saying that one could do the following:
Cloud service providers have made it a point time and again that the liability of your data lies with you and not with them.

• AWS could have maintained better default firewall configuration settings.
• AWS could have addressed known weaknesses in its API-handling feature known as the Metadata service (such as requiring two-factor authentication for access, requiring that temporary credentials issued by the service be only used within the customer's VPC network or requiring a special HTTP header to communicate with the AWS metadata service).
• Or AWS could have issued better customer communication and alerts.

All of which are valid arguments. However, it would be hard to establish any of these arguments in the court of law as the Cloud Service Providers draft their contracts to protect themselves against such situations.

In any case, by the time the matter is resolved, both the companies would have lost millions of dollars in reputational damage and consecutive business.   

Two golden rules to secure your cloud data and workloads

>> Understand who has access to the data

Public cloud deployments should have similar or even more stringent authentication and authorization mechanisms. Some best practices include Syncing your on prem AD to cloud and implementing RBAC (role-based access control) so that employees only have curated access to data according to their assigned privileges.    

>>Protect your data both in transit & at rest

Selective encryption or tokenization is the way to go here. You need to make sure the data is unreadable to anyone but yourself. The control should remain with you and you only.

What is eperi?

eperi encryption works seamlessly with all hyperscale cloud providers like Azure and AWS. Be it AWS S3 buckets or Azure Blob storage eperi enables you to be in control of your data, wherever it might reside. eperi Cloud Data Protection provides encryption APIs to secure your most critical workloads in the cloud.

With eperi, you alone control the whole encryption process and therefore the encryption keys to unlock your data. eperi is a market leader for providing encryption gateways for major SaaS services like Salesforce and O365. The virtually zero-footprint architecture enables eperi to easily integrate in complex network landscapes and encrypt or tokenize data before it reaches the CSP. With eperi solutions you make sure that even stolen data sets are useless to the potential hacker.

Learn more about eperi gateway for Salesforce and O365 here.

Contact us: abhishek.das@eperi.com
Author: Abhishek Das - Vice President Customer Success

To know more follow the author on LinkedIn