Contributed by DivvyCloud
Written by Chris DeRamus, CTO and Cofounder, DivvyCloud

Financial services organizations are experiencing a culture shift as they respond to consumer demand for improved experiences delivered when and how they want them. Building applications and migrating regulated workloads to the cloud offers an attractive way to speed innovation, reduce time to market, and increase resilience. But with this digital transformation comes risk and uncertainty.

The Risk is Real
It isn’t surprising that the financial services industry experiences security incidents 300 percent more frequently than other sectors. In addition to being a giant bullseye for hackers, the industry is heavily regulated and scrutinized. The Sarbanes-Oxley and Gramm-Leach-Bliley acts, the Payment Card Industry Data Security Standard, and most recently the General Data Protection Regulation are among the regulations in place to protect the privacy and security of consumers. Companies that don’t comply with these regulations face substantial penalties, which translate to hefty fines, legal action, and consumer distrust.

For financial service organizations to take full advantage of the opportunities public cloud services offer, they must define their cloud governance standards clearly and be well equipped to present evidence of compliance to assessors and auditors.

There are three keys to building a roadmap for compliance: culture, frameworks, and systems. Combining these three keys helps organizations achieve cloud operations maturity through automation.

  1. Culture. Organizations must modify the “command and control” mentality of traditional IT and marry it with a “trust but verify” approach when looking to take advantage of public cloud.
  2. Frameworks. Incorporate Cloud Security Alliance Cloud Controls Matrix (CSA CCM), Service Organization Control (SOC 2) report, and Center for Internet Security (CIS) benchmarks as the foundation of your cloud governance strategy.
  3. Systems. Identify and implement the systems that are cloud-native and can help you address the unique challenges of public cloud offerings through automation. Fortunately for today’s financial institutions, there are ready-made solutions available that help organizations achieve continuous security, compliance, and governance while embracing the dynamic, software-defined, self-service nature of public cloud and container infrastructures.

Frameworks for Compliance
Build a strong foundation for a cloud governance strategy using a trifecta of frameworks.

  1. CSA CCM. This is the gold standard for cloud-native security assurance and compliance. It provides a cloud-native controls framework with a detailed explanation of security concepts and principles, aligned to CSA guidance across 16 domains. CSA CCM recommendations are mapped to many other compliance standards and can help companies meet their requirements under these regulations.
  2. SOC 2 Report. Mapping cloud controls to traditional frameworks like the SOC 2 report is another essential component. Developed by the American Institute of CPAs, the SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy.
  3. CIS Benchmarks. CIS benchmarks are secure configuration guidelines and settings created to help secure specific platforms. These benchmarks help safeguard systems against today’s evolving cyber threats and are endorsed by leading IT security vendors and governing bodies. They provide prescriptive guidance for creating secure baseline configurations.

Conclusion
As financial institutions move to embrace public cloud services, they must ensure that security, governance, and compliance are at the foundation of all decisions. Regulatory compliance and managing cyber risk do not need to be the enemy of innovation. A combination of culture change, adoption of cloud-native frameworks, and the use of security automation tools can help financial service organizations advance innovation while protecting against risk and ensuring that compliance standards are met.


DivvyCloud protects cloud and container environments from misconfigurations, policy violations, threats, and IAM challenges. With automated, real-time remediation, DivvyCloud customers achieve continuous security and compliance, and can fully realize the benefits of cloud and container technology. Freedom is good. Chaos is bad. To learn more: www.divvycloud.com.