Check this list while planning a new business and putting your fintech app in the cloud. Keeping these points in mind helps you avoid the risky misconception that security responsibility can simply be handed off to cloud providers and cloud environments. From our experience at Cossack Labs, we know that this approach saves data, funds, and reputation.
First, start by reading the cloud providers' documentation on their area of security and maintenance responsibility. You may well find it much smaller than you expected. Blindly entrusting sensitive data to a cloud provider might be a bad idea for your risk profile.
For example, on IaaS platforms you are responsible for application security, data security, middleware security, and the configuration and hardening of your hosts. On SaaS, you are responsible for credentials, interfaces, access, and data. And on any platform, you retain responsibility for access control, identity management, data security, and the configuration of the platform's own security controls.
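To make "configuration of the platform's controls" concrete, here is an added example (not from the original post or from Cossack Labs) of the kind of check that stays on your side of the line regardless of provider: a small review of an access policy for the classic misconfigurations that hand access to everyone. It assumes the AWS IAM JSON policy format and a constructed sample policy; the account ID, role names and bucket name are made up for illustration.

```python
import json

# Constructed sample policy (AWS IAM JSON format assumed for illustration).
# Account ID, roles and bucket name are invented. Two statements are overly
# broad on purpose; the third is properly scoped.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ledger-exports/*"},
        {"Sid": "AdminAll", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deploy"},
         "Action": "*", "Resource": "*"},
        {"Sid": "Scoped", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::ledger-exports/2024/*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True if the statement grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_risky_statements(policy_json):
    """Return (Sid, reason) pairs for Allow statements that are too broad.

    Checks: anonymous principal, wildcard action ("*"), service-wide action
    wildcard ("s3:*"), and wildcard resource. Deny statements are skipped,
    since they only narrow access.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if principal_is_anonymous(stmt.get("Principal")):
            findings.append((sid, "grants access to the anonymous principal '*'"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "allows every action (Action '*')"))
            elif action.endswith(":*"):
                findings.append((sid, f"allows every action of a service ({action})"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "applies to every resource (Resource '*')"))
    return findings


if __name__ == "__main__":
    for sid, reason in find_risky_statements(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```

Running the script flags `PublicRead` (anonymous principal) and `AdminAll` (wildcard action and resource) while leaving `Scoped` alone. A check like this belongs in your own pipeline: the provider enforces the policy you wrote, but deciding whether that policy is sane is your job.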
Second, learn whether the cloud provider's security promise fits your risk management strategy. For example, to what extent does the provider compensate losses in case of a breach or incident? What are the chances your business survives such circumstances? Do you have enough resources to cover potential financial or reputational losses? Move to the next step only when you are confident your business is resilient enough to get through such challenges.
Third, mind the potential cloud security gaps between your applications and the cloud platform. Some of them are quite obvious, while others hide in grey areas. Let's name a few.
Fourth, make it clear how the cloud provider's responsibility is implemented and enforced in practice. For example, if you put a CI/CD pipeline in the cloud, how is it protected from advanced attacks, and do you monitor it well?
As you can see, addressing security risks may be a large part of a cloud strategy in fintech. While the cloud offers astonishing opportunities for business, you are still responsible for data security, application security, managing secrets and access, and configuring the provider's tools.
---
This blog post is written by Pavlo Farb, a Security Engineer at Cossack Labs, based on observations of typical cloud security issues made by Eugene Pilyankevich, CTO at Cossack Labs. We help companies protect their sensitive and valuable data.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.