Last year’s massive data breach at JPMorgan Chase opened the floodgates for concerns about the security and compliance of sensitive customer and financial information stored in the cloud. And while the very nature of financial systems requires that information about available funds be discoverable and accurately tracked, a slew of government regulations and industry standards enforce customer privacy and data protection, PCI DSS among them (strictly an industry standard administered by the PCI Security Standards Council and enforced contractually by the card brands, not a law, although it is routinely treated as a compliance mandate). To take advantage of the benefits that compliant cloud solutions offer, financial services firms need to adopt a holistic approach to data security and compliance. Following are top tips for data protection in the cloud.
Data protection begins with discovery
As cyber attacks against banks become more frequent, many financial services firms are eyeing the cloud for their data protection needs. However, before migrating sensitive data and applications to the cloud, organizations need to embark on a discovery process to determine the following:
- Who within the organization should have access to sensitive data – and who should not
- What existing data is sensitive, proprietary or regulated, and the means for identifying future data
- Where this data will reside in the cloud and under what compliance, privacy or disclosure laws
According to a study by Symantec and the Ponemon Institute, 64 percent of data breaches in 2012 were the result of human mistakes and system problems rather than deliberate attacks. A discovery phase also gives financial services firms a natural occasion to educate employees about why the data they handle is sensitive or regulated, a key step in reducing the breaches that stem from human error.
Cloud-based solutions offer varying levels of data protection
Compliance with industry regulations for protecting sensitive data is challenging in itself. However, many financial services firms also have unique issues such as managing data that was created in one country but stored in another, resulting in different, overlapping or conflicting laws. When researching cloud-based data protection tools, financial services firms need to confirm that they meet the following requirements:
- Data encryption keys remain exclusively with the organization. When the organization, not the CSP, generates and holds the keys (ideally in a hardware security module or key management service it controls), the provider and anyone who compromises the provider’s storage can read only ciphertext. One caveat: any cloud application that must process the data in plaintext needs the key at that moment, so key custody limits who can decrypt stored data; it does not by itself stop a compromised endpoint or an authorized user from disclosing it.
- The organization works with a compliant cloud service provider (CSP) to apply the appropriate level of security to specific types of data. Some of these measures include: data encryption, data loss prevention and malware protection.
- The cloud-based solution provides the necessary visibility and reporting capabilities. This is crucial for organizations that must provide an “electronic book of evidence” during a compliance audit, proving that their cloud activities are in compliance with industry regulations.
Dynamic monitoring is essential to effective security and compliance
While many cloud-based security tools tout their monitoring capabilities, few of them offer an effective means for monitoring environments on an ongoing basis. In order to maintain compliance, financial services firms must have detailed visibility and awareness into their cloud activity. When vetting compliant, cloud-based solutions, they need to ensure that they can do the following:
- Enable granular reporting and visibility into cloud applications, including user roles, content and access permissions to specific types of data.
- Provide a comprehensive overview on the types of information being protected and by what security methods.
- Seamlessly integrate multiple cloud applications across the enterprise, ensuring complete visibility into the cloud environment.
HOSTING Managed Compliance Services for PCI
The financial services landscape is constantly changing, resulting in a multitude of security and compliance regulations. By leveraging compliant, cloud-based tools, financial services firms can retain control over their sensitive data, safeguard it against potential cyber attacks and data breaches, and maintain a solid compliance posture. With HOSTING Managed Compliance Services for PCI™, organizations create secure, effective PCI compliance programs based on clearly defined systems, processes and personnel that store, process or access cardholder and other financial data. Contact HOSTING anytime to discuss your specific data protection needs, and view our on-demand webinar, Security Challenges of Migrating to the Cloud, for additional insights.