US Treasury Department warns of cloud risks.
the cyberwire logoFeb 13, 2023

Treasury sees obvious benefits to the cloud, but counsels financial institutions to migrate to the cloud with all deliberate caution.

US Treasury Department warns of cloud risks.

The US Treasury Department has issued a report looking at challenges associated with the adoption of cloud technology by the financial industry.

Benefits and drawbacks of cloud technology.

The report found that financial firms can benefit from cloud technology, and that in some cases, “cloud services represent a significant evolution in the back-end processing for financial services transactions.” Treasury adds, however, that “these benefits can only be harnessed if the selected services are adequately designed and managed for the appropriate level of security and resilience.”

The Treasury Department outlined the following challenges that come with cloud adoption:

  1. “Insufficient transparency to support due diligence and monitoring by financial institutions. Community banks expressed concerns that they do not often receive details of incidents or outages impacting their systems. It is essential that financial institutions fully understand risks associated with cloud services so they can build their technology architecture with appropriate protections for consumers. While recognizing that CSPs provide significant information to financial institutions already, Treasury believes that further efforts are needed to achieve the right balance of information sharing between CSPs and financial institutions. 
  2. “Gaps in human capital and tools to securely deploy cloud services. The current talent pool needed to help financial firms tailor cloud services to better serve their customers and protect their information is well below demand. CSPs need to increase employee engagement experts, and to improve supportive technological tools and adoption frameworks that can help ensure that financial service firms design and maintain resilient, secure platforms for their customers.
  3. “Exposure to potential operational incidents, including those originating at a CSP. Many financial institutions have expressed concern that a cyber vulnerability or incident at one CSP may potentially have a cascading impact across the broader financial sector. While cloud services can have potential benefits for resilience and security, financial institutions are still exposed to risks associated with technical vulnerabilities at CSPs and face practical challenges to mitigating such risks or migrating their operations to another provider.
  4. “Potential impact of market concentration in cloud service offerings on the financial sector’s resilience. The current market is concentrated around a small number of CSPs, which means that if an incident occurs at one CSP, it could affect many financial sector clients concurrently. This concentration likely exists across banking, securities, and insurance markets, but Treasury and the financial regulators need to close significant data gaps to assess how the sector might be affected by this type of incident. Nonetheless, Treasury believes that there are opportunities to enhance cooperation among financial regulators and between the public and private sectors.
  5. “Dynamics in contract negotiations given market concentration. The limited number of CSPs may give CSPs outsized bargaining power when contracting with financial institutions. This outsized negotiating advantage could limit the ability of financial institutions, particularly smaller financial institutions, from negotiating advantageous contractual terms for cloud services.
  6. “International landscape and regulatory fragmentation. The patchwork of global regulatory and supervisory approaches to cloud technology can make it nearly impossible for U.S. financial institutions to adopt cloud consistently at a global scale, reducing CSP use in the market and raising costs for cloud adoption strategies, which ultimately impacts consumers. Additionally, changes in regulations abroad may subject CSPs to direct oversight by foreign financial regulators, which could create regulatory conflicts negatively impacting the quality and security of services to all CSP clients.”

The Treasury Department added that it will establish a Cloud Services Steering Group “to promote coordination and collaboration among U.S. financial regulators on these challenges.”

Industry Comment.

James Campbell, CEO of Cado Security, offered the following comments:

“It's great to see the Treasury raising this agenda, although adopting multi-cloud can often further complicate cloud security efforts. For example, multi-cloud environments can make incident investigations much more complex due to data silos; and further, often adds frustration to the skills/resource gaps that many organizations — especially those on the smaller side — face (i.e. each cloud provider has their own terminology, tooling, logs, and APIs, etc.) When even the most advanced banks get it wrong sometimes (example) it can be particularly difficult for smaller regional banks to find staff that understand the complexities of security in the cloud.

“Some things for financial firms to consider:

  • “Shared responsibility model: It's important to understand and recognize the shared responsibility model between Cloud Service Providers (CSPs) and the organization's internal security function. Adopting security technology that addresses all stages of the attack lifecycle from vulnerability management to prevention, detection and incident response is key. 
  • “Cloud-specific technology is required: Migrating to the cloud is often a risky journey, as many existing security solutions built for on-premise networks can't operate in the cloud. The rapid migration to cloud, container and serverless environments require a modern approach — one that harness automation at the core (ephemeral resources continuously spin up and down and incident data can disappear in the blink of an eye), and provide security teams with the ability to seamlessly analyze data gathered across multi-cloud environments in a single pane of glass. 
  • “Preparedness is critical: The growing number and scope of incident reporting mandates across the world means incident response plans – often originally written for an on-premises era – are coming under increased scrutiny from the business, their compliance teams as well as auditors. Having a robust, comprehensive and documented incident response plan in the event malicious activity is detected (setting up accesses, automation rules, and integrations with third party systems like incident management platforms, XDR, SOAR, CNAPP, and SIEM) and testing your preparedness / understanding your risk posture/knowing where your gaps are and where you need to invest is critical.”