Financial technology (fintech) companies have gone from novelty to necessity in just a matter of years. Digital banking products, services, and usage exploded over the past decade, making customer’s lives easier and more convenient. But none of this happens without one key part of the fintech backbone: Cloud Technology.
According to PwC’s Financial Technology 2020 and Beyond report, fintech companies are embracing the cloud for scalability and growth. But the report also admits that challenges like security, data protection, and regulatory compliance will exist for the foreseeable future. Heading into 2020, successful fintech startups will need to be aware of security threats, issues, or hurdles that cloud infrastructure presents.
“Hosting our loan origination system in the cloud connects financial institutions to unlimited data access and storage,” says Har Rai Khalsa, CEO of fintech startup MK Decision. “As a fintech, ensuring cloud security is imperative to protect sensitive customer information.”
Khalsa’s company focuses on loan origination software and therefore handles sensitive customer financial data using the cloud. It’s just one example of how fintechs are becoming more cognizant of how they are leveraging the cloud.
Fintechs now recognize that threats do, in fact, exist when it comes to handling customer information in the cloud. This goes for fintech companies across the board, from lending and investing apps to payment processors and digital banks.
In 2020, cloud infrastructure will only grow in importance to the fintech ecosystem. Fintechs need to be aware of the specific threats to payment data and other sensitive information in the cloud. And they need to take the right steps to protect themselves, their customers, and their reputation.
Importance of the Cloud to Fintech
Cloud usage in fintech is already substantial, with 22 percent of all applications running on the cloud. This number will only increase in 2020 and beyond for a variety of key reasons. The cloud is indispensable for fintech company’s products to meet customer needs in terms of speed and convenience.
The cloud is flexible, scalable, and built for companies with an innovative mindset. And while there are security threats to the cloud, there are aspects of the cloud that actually do enhance security.
“To complete the loan process, we must compile mass amounts of customer data from financial institutions, credit bureaus, and other third-party data providers,” explains Khalsa from MK Decision. “The cloud allows us to safely, efficiently, and cost-effectively transfer this sensitive information between systems.”
Most fintech startups would agree with Khalsa and are experiencing similar benefits from using the cloud. Fintechs are able to handle more data, faster, sharing it with the right people. Cloud infrastructure provides an opportunity to grow and scale up quickly that simply wouldn’t exist otherwise.
“I can’t think of a Fintech, that’s starting today, that isn’t cloud-native,” says Kathryn Van Nuys from Amazon Web Service’s fintech venture capital development group.
“The cloud has significantly lowered the barrier to entry for startups as they can launch and scale products, instantly paying for IT as they consume it, as opposed to needing to make a large upfront investment in servers and infrastructure,” Van Nuys continues.
This also means that fintech startups can experiment and “fail faster” in terms of innovation. They’re unburdened by the cost and responsibility of managing their own data centers. As their business grows, they can simply add the capabilities they need via the cloud without any wasted expenses or overruns.
Along the same lines, this means that fintechs aren’t responsible for the security that comes with hosting their own data. While you might think that it’s more secure to keep an eye on your own physical data servers, most often you’re better off leaving security to a trusted cloud service provider (CSP).
“The reason the cloud is secure is that the security is all built-in,” notes Vida Ha, Director of Field Engineering at Databricks. “When using cloud storage, it’s simple to use settings to ensure all of your data is always encrypted, as opposed to doing that manually with a local server. The security features are there for you to leverage and they’re so easy to use.”
But don’t be fooled. Storing sensitive customer financial data in the cloud is far from a sure thing. Every fintech should be aware of all threats to cloud security, both current and emerging.
Cloud Security Threats to Fintech
PwC projects that the public cloud model will become the dominant infrastructure model for fintechs in 2020 and beyond. This simply means that fintechs will completely forego storing or handling any of their data on-site. And it’s not necessarily a bad thing, as top-notch CSPs like AWS and Salesforce attract some of the top cybersecurity professionals in the industry. That being said, hackers are a notoriously persistent and innovative group. This is especially true when it comes to getting their hands on valuable customer financial data or credit card numbers.
Here are some of the top cloud security threats that fintechs should wake up to in 2020:
1. Insider Attacks
Quite often one of the weakest links in the cloud cybersecurity chain comes from the inside. It could be a disgruntled ex-employee seeking to exact revenge, or simply a careless one who plays fast and loose with his or her password credentials. Hackers understand this and often target the people within an organization rather than the cloud servers themselves.
A recent survey even found that 68 percent of IT professionals considered their organizations extremely vulnerable to insider attacks. Insider threats – malicious or careless – often pose a bigger risk because external security measures don’t have to be breached. And oftentimes no red flags will be raised when sensitive data is hacked or stolen. It’s just assumed that the individual is authorized and that the person logging in with their credentials is the right person.
2. Cloud Sprawl
One of the big advantages of using a CSP is that they’re always evolving in terms of scope, services, and technologies they offer to fintechs. They’ll upgrade servers, change networks, and employ better hardware. But one of the risks of this constant evolution is that hackers will seek to exploit legacy technology that’s no longer in frequent use, that the CSP may have neglected to shore up. This phenomenon, known as cloud sprawl, provides additional endpoints that will tempt cybercriminals.
Fintechs need to work with their CSPs and strive for operational discipline to combat cloud sprawl. Create defined processes and clear boundaries for all services you’re using a CSP for. Keeping up with all recommended firewall settings and software patches is also critical. You’ll want open lines of communication with your CSP to observe and protect all endpoints.
A botnet is simply an array of connected computers or devices that are coordinated by software to carry out a specific task or function. Botnets don’t have to be malicious; it just means that a group of devices is working in unison. But when malware infects a cloud system of computers, servers, and routers, it creates a botnet that can be extremely harmful and put customer data in jeopardy. Hackers take command of an entire group of devices and gain access to a treasure trove of financial data.
In 2016, for instance, botnets carried out a variety of attacks on fintech and payment processing providers. Huge brands like PayPal, Braintree, Credit Karma, and Shopify were all targeted by botnets in a Designated Denial of Service (DDoS) attack. One way that cloud providers are vulnerable to botnets is through fraudulent accounts and sign-ups. Hackers will create an account and employ software that will scan the entire cloud infrastructure for unprotected devices.
Insider attacks, cloud sprawl, and botnets are just a few of the major threats that fintechs should be aware of in the cloud. New threats will continue to emerge. But you can take steps now to make sure that your risk is minimized when it comes to fintech data in the cloud.
Cloud Security Best Practices
Now you know why the cloud is so crucial to fintechs of all shapes and sizes. And you’re also aware that – despite CSP’s best efforts – hackers are still working day and night to infiltrate the cloud. Thankfully, there are steps you can take to keep up with threats and reduce the risk so that customer payment and cardholder data stays secure in the cloud.
Here are four best practices that your fintech should strongly implementing (if you haven’t already);
- Password Management. As mentioned, one of the easiest ways for a hacker to break into the cloud is from the inside. This includes anyone in your organization accessing CSP systems like AWS or Azure. Make sure to configure password settings mandating high levels of length and complexity, as well as changing passwords every 90 days at least.
- User Activity Monitoring. Another proper precaution is the use of software tools to monitor the activity of cloud users within your fintech company. If you see any suspicious or careless activity, make sure it’s brought up and addressed. More broadly, you want to monitor user activity to help create a strong culture of cloud security. Work collaboratively with employees to make sure they’re accessing the cloud in a safe way.
- Cloud Encryption. What many cloud users don’t realize is that data is often decrypted when it travels to and from devices to cloud servers. So although your customers’ sensitive payment or cardholder data is encrypted on your laptop – as well as in the cloud – it’s still vulnerable while it’s in motion. Complete cloud encryption is possible, you’ll just want to seek out the right technology and cybersecurity partner to coordinate with your CSP and implement it properly.
- CSP Vetting. Take a cautious, thorough, and detail-oriented approach when choosing a CSP for your fintech. Every CSP has its own set of strengths and weaknesses, and it’s important to find out the details of their cybersecurity practices. Do they support end-to-end encryption? Are they compliant with industry cybersecurity regulations that you’re subject to? Most CSPs take cybersecurity more than seriously – it’s their reputation on the line – but as the saying goes: “Trust, but verify.”
Finally, it’s also wise to bring in an objective, third-party partner that can help bridge the cybersecurity gap between you and your CSP. This often comes in the form of what’s known as a Qualified Security Assessor or QSA for short. The role of a QSA is often two-fold. First and foremost, your QSA will inspect both the cybersecurity environment of your company, as well as how it interacts with any CSPs or cloud services you use. Second, the QSA will make sure that all of your technologies and best practices are in alignment with any relevant regulations.
For fintechs, this typically means one or more of the following:
- Payment Cardholder Industry Data Security Standard (PCI DSS)
- Financial Industry Regulatory Authority (FINRA) Compliance
- European Union General Data Protection Regulation (GDPR)
“To be a credible player in the fintech industry, you need a Qualified Security Assessor to regularly inspect your data environment for potential weaknesses,” concluded Khalsa from MK Decision.
“We’re grateful to have partnered with RSI Security as our QSA because their team has helped us ensure our cloud security measures are Payment Card Industry compliant, up-to-date with third-party integration standards, and so much more.”
Anyone in fintech knows that cloud technology has been a huge plus for the industry, startups in particular. The cloud lowers the cost and technology burden for fintechs and provides unprecedented flexibility and scalability. Fintech companies don’t need to be tech behemoths to store, process, and handle payment and financial data of millions of customers. Loan decisions and e-commerce payments can be handled in a matter of minutes thanks to the latest innovative fintech company.
But as fintechs have risen to prominence, so has the motivation for hackers to get their hands on customer data by any means necessary. This includes breaking into cloud servers using botnets, malware, insider attacks, or whatever else they can come up with. The good news is that there are common-sense precautions that you can take. A collaborative approach and open communication with your employees, CSP, and QSA will go a long way towards building an impenetrable cloud defense.