
Figure 1 - Microsoft Shared Responsibility Matrix
In all cases consumers maintain responsibility for securing the information, endpoints outside of the cloud datacenter, along with Identity and Access Management (IAM). This model lays the foundation for both operational transformation along with how organizations approach audit and regulatory compliance.
From a practical and operational standpoint, it is relatively self-evident that the more responsibility that can be turned over to the cloud provider for lower-level services, such as physical security of the data center, the better. Microsoft, AWS, and Google are all in the business of running cloud data centers as part of their core mission. Their attention to things such as physical access control and maintenance of the physical components, including critical patching of those components, will in nearly all cases be far more stringent than that of organizations whose core business is not running secure data centers at scale, not to mention the staffing levels they devote specifically to cloud security. This frees your security teams to focus more narrowly on IAM and protection of your information-based assets.

Figure 2 - Google Infrastructure Security Model
In areas where the consumer shares a level of responsibility with the cloud provider or owns it completely, there are still significant benefits to public cloud offerings. All major providers have built a robust set of services that can be subscribed to for things such as secrets management (AWS Azure GCP), distributed denial of service protection (AWS Azure GCP), IAM solutions (AWS Azure GCP), encryption, and VPN services, just as a few examples. These services provide platform-specific tooling for organizations to maintain the strongest possible security posture as they move up the as-a-Service stack, and they greatly reduce the complexity of securing your organization's data. These services are both readily available and can be easily implemented to enhance the security of your cloud-based IT environment.
Up to this point I’ve been looking at the proactive side of how public cloud can help streamline an organization’s IT security. We’ve discussed how the public cloud secures physical data center access and the underlying infrastructure for your workloads, along with providing integrated tooling for securing shared and consumer-specific areas such as identity/access and data. Equally important is how organizations approach the more reactive concepts of threat detection and response in their environments. In an on-prem world this involves vetting software suites and, in many cases, implementing a combination of tools to secure various environments and workloads. This requires ongoing diligence and maintenance of reasonably complex systems crossing multiple domains in your environment. Here too the public cloud providers can streamline your security operations with a set of tools that are purpose built and leverage the extensive AI/ML capabilities of their cloud ecosystems to monitor and respond intelligently to threats in an automated and repeatable fashion (AWS Azure GCP).

Figure 3 - Amazon GuardDuty logical diagram
Even when looking outside the cloud datacenter at what has become known as “Edge Computing,” the major players in the public cloud provide tooling to assist in maintaining a secure posture, either with native tools or with a multitude of purpose-built third-party offerings available via their cloud marketplaces (AWS Azure GCP).
It is clear that public cloud can relieve some of the burden from an organization’s IT Security teams through both the shared responsibility model and robust tooling, but for highly regulated industries, such as banking, where does that leave your organization from an audit and compliance perspective? Does leveraging public cloud automatically check the box for your regulators? The answer here is “no.” This is due to the shared responsibility model – there is no scenario that absolves your organization from accountability for your security protocols. That said, the “big 3” meet, for their part, nearly all of the requirements for the most stringent security and privacy certifications from FedRAMP to SOX to PCI and many others. They also have well documented lists of their compliance, complete with Audit Documentation (AWS Azure GCP). In addition, many of the services I spoke to earlier in the blog come with or have additional services available for logging and reporting on multiple levels of change tracking and access. These can be used as an extremely solid foundation for your organization to meet its requirements in this area, again relieving your organization of some of the burden of both maintaining your organizational security as well as of the audit tracking and compliance aspects specific to highly regulated industries.
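To make the change-tracking and access-reporting point concrete, here is an added example (not code from the original post or from any provider) that turns a newline-delimited JSON audit log into the kind of report an auditor asks for: every successful state-changing call with who made it, repeated access denials per principal, and control gaps such as changes made by the root account or by a user without MFA. The records and field names are constructed for the example and only loosely modelled on a cloud management-plane audit log; mapping them onto your provider's real schema is an assumption left to the reader.

```python
import json
from collections import Counter

# Constructed sample records (assumed schema, loosely modelled on a cloud
# management-plane audit log); one JSON object per line, as such logs are
# commonly exported.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-03-01T10:00:05Z", "eventSource": "iam",
     "eventName": "AttachUserPolicy", "principalType": "IAMUser",
     "principal": "user/alice", "mfaUsed": True, "sourceIp": "203.0.113.10",
     "requestParameters": {"userName": "bob", "policyName": "ReadOnlyAccess"}},
    {"eventTime": "2024-03-01T10:02:41Z", "eventSource": "iam",
     "eventName": "CreateAccessKey", "principalType": "Root",
     "principal": "root", "mfaUsed": False, "sourceIp": "198.51.100.7",
     "requestParameters": {"userName": "root"}},
    {"eventTime": "2024-03-01T10:05:12Z", "eventSource": "compute",
     "eventName": "DescribeInstances", "principalType": "IAMUser",
     "principal": "user/carol", "mfaUsed": True, "sourceIp": "203.0.113.22",
     "requestParameters": {}},
    *[{"eventTime": f"2024-03-01T10:07:{s:02d}Z", "eventSource": "secretsmanager",
       "eventName": "GetSecretValue", "principalType": "AssumedRole",
       "principal": "role/svc-deploy", "mfaUsed": False, "sourceIp": "10.0.4.15",
       "requestParameters": {"secretId": "prod/db-password"},
       "errorCode": "AccessDenied"} for s in (3, 9, 15)],
    {"eventTime": "2024-03-01T10:09:30Z", "eventSource": "storage",
     "eventName": "PutBucketPolicy", "principalType": "AssumedRole",
     "principal": "role/svc-deploy", "mfaUsed": False, "sourceIp": "10.0.4.15",
     "requestParameters": {"bucketName": "finance-reports"}},
])

# API verbs that mutate state and therefore belong in a change-tracking
# report (assumed naming convention; adjust per provider).
CHANGE_VERBS = ("Create", "Put", "Update", "Attach", "Detach", "Delete", "Modify")
DENIED_THRESHOLD = 3  # repeated denials by one principal are worth a look


def parse_events(raw):
    """Parse newline-delimited JSON audit records, skipping malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one corrupt line must not abort the whole report
    return events


def is_change(event):
    """A successful call whose name starts with a mutating verb."""
    return "errorCode" not in event and event["eventName"].startswith(CHANGE_VERBS)


def build_report(raw):
    """Summarise changes, access denials and control gaps for auditors."""
    events = parse_events(raw)
    changes, findings = [], []
    denied = Counter()
    for ev in events:
        if ev.get("errorCode") == "AccessDenied":
            denied[ev["principal"]] += 1
        if not is_change(ev):
            continue
        changes.append({"time": ev["eventTime"], "principal": ev["principal"],
                        "action": f'{ev["eventSource"]}:{ev["eventName"]}',
                        "parameters": ev.get("requestParameters", {}),
                        "sourceIp": ev.get("sourceIp")})
        # Root should not be used for day-to-day changes at all.
        if ev["principalType"] == "Root":
            findings.append(f'{ev["eventTime"]} root account made a change: {ev["eventName"]}')
        # MFA is only meaningful for human/root sign-ins, not assumed roles.
        if ev["principalType"] in ("IAMUser", "Root") and not ev.get("mfaUsed"):
            findings.append(f'{ev["eventTime"]} {ev["principal"]} changed {ev["eventSource"]} without MFA')
    for principal, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(f'{principal} was denied access {n} times; review its permissions')
    return {"event_count": len(events), "changes": changes,
            "denied_by_principal": dict(denied), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_AUDIT_LOG), indent=2))
```

On the sample data the report lists three changes (the policy attachment, the root access-key creation and the bucket-policy update), three denials for the deploy role, and three findings. The same skeleton is what the providers' native tooling automates for you; the value of doing it by hand once is seeing exactly which fields an auditor will ask you to produce.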
In this brief blog I hope that I’ve sown some seeds for contemplation and perhaps given you a bit more clarity on the relative security advantages that public cloud can bring to your organization. I’d love to hear from you or have a deeper discussion on these concepts. You can leave your comments below or email me directly at gcolburn@thesummitgrp.com.
Learn more and hear from Greg by joining our discussion on leveraging the cloud in 2024:
