
Cloud security and fintech: 4 things to consider

Check this list while planning a new business and putting your fintech app in the cloud. Keeping these points in mind helps you avoid the risky misconception that you can hand most of the responsibility over to cloud providers and cloud environments. From our experience at Cossack Labs, we know that such an approach saves data, funds, and reputation.

First, start by reading the cloud provider's documentation on its area of security and maintenance responsibility (the "shared responsibility model"). You may find that area much smaller than you assumed. Blindly entrusting sensitive data to a cloud provider might be a bad idea for your risk profile.

For example, when using IaaS platforms, the provider secures the physical facilities, hardware and virtualisation layer, while you are responsible for application security, data security, middleware security, and host (OS) configuration and hardening. When using SaaS, you are responsible for credentials, interfaces, access, and data. And with any platform, you take responsibility for access control, identity management, data security, and configuration of the platform's own controls.

Second, learn whether the cloud provider's security promise fits your risk management strategy. For example, to what extent does the provider compensate losses in case of a breach or incident? What are the chances that your business survives such an incident? Do you have enough resources to cover the potential financial or reputational losses? Move to the next step only when you are confident your business is resilient enough to get through such challenges.

Third, mind the potential cloud security gaps between your applications and the cloud platform. Some of them are obvious; others hide in grey areas. Let's name a few.

  • Credentials and access control. Check whether your system's design protects the admin controls, service credentials (keys, tokens, database passwords), and user credentials (passwords used for authentication). Make sure that no administrative control over your cloud console or APIs is exposed to the world.
  • Cloud services configuration. Yes, cloud platforms provide numerous tools: security, monitoring and alerting, access control, audit logging. But you are responsible for the services you misconfigure, and for the ones you did not know you had to configure, since many of these controls are off by default.
  • Data security. Keep in mind that, according to GDPR, PCI DSS, CCPA, and some other regulations, the data owner, not the infrastructure provider, is held responsible for data breaches. It is your choice whether to rely on the cloud provider's basic controls or to add more layers of protection. (Read my previous post about application-level encryption used as one of the additional data protection layers.)
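The first two gaps above can be checked mechanically. As an added example (not code from the original post or from Cossack Labs), here is a small Python linter for IAM-style policy documents: it flags statements that grant full admin, service-wide wildcards on sensitive services, Allow-with-NotAction (which grants every action not listed), and resource policies open to the whole world. The account ID, role and bucket names, and the list of "sensitive" services are assumptions made for the illustration.

```python
"""Lint IAM-style policy documents for world-exposed access and over-broad grants.
Added illustration; not code from the original post or from Cossack Labs."""
import json

# Services where a service-wide wildcard is close to full-account control.
# Assumption: an illustrative list, not an official one.
SENSITIVE_SERVICES = {"iam", "sts", "kms", "secretsmanager", "organizations"}


def _as_list(value):
    """Policy fields may be a single string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal, which may be "*" or {"AWS": [...], "Service": ...}."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(_as_list(value))
    return flat


def lint_policy(policy):
    """Return a list of findings (strings) for one policy document; [] means clean."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        principals = _principals(stmt)

        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: full admin (Action '*' on Resource '*')")
        for action in actions:
            service, _, operation = action.partition(":")
            if operation == "*" and service in SENSITIVE_SERVICES and "*" in resources:
                findings.append(f"{sid}: service-wide wildcard '{action}' on all resources")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        if "*" in principals and not stmt.get("Condition"):
            findings.append(f"{sid}: open to the whole world (Principal '*') with no Condition")
    return findings


def lint_policy_json(text):
    """Same check for a policy given as JSON text, e.g. read from a file or an API."""
    return lint_policy(json.loads(text))


# Constructed sample policies. Account ID, role and bucket names are made up.
WEAK_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ManageUsers", "Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
}

WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"},
}

HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppReadOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/payments-api"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-exports/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-exports", "arn:aws:s3:::example-exports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in [("weak identity", WEAK_IDENTITY_POLICY),
                         ("weak bucket", WEAK_BUCKET_POLICY),
                         ("hardened bucket", HARDENED_BUCKET_POLICY)]:
        print(name, "->", lint_policy(policy) or ["clean"])
```

Run it over exported policies in CI so that a wildcard principal or an `Action: "*"` never reaches production unnoticed. It is a first-pass check on the policy text only; it does not evaluate permission boundaries, SCPs or cross-account trust, so treat it as a complement to the provider's own access analysis tools, not a replacement.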

Fourth, make it clear how the cloud provider's responsibility is implemented and enforced, and how your own side of it is. For example, if you put a CI/CD pipeline in the cloud, how are its build runners, secrets and artifacts protected against attacks, and do you monitor it well enough to notice a compromise?

As you can see, addressing security risks is a large part of a cloud strategy in fintech. While the cloud gives businesses astonishing opportunities, you are still responsible for data security, application security, managing secrets and access, and configuring the provider's tools.

---

This blog post was written by Pavlo Farb, a Security Engineer at Cossack Labs, based on observations of typical cloud security issues made by Eugene Pilyankevich, CTO at Cossack Labs. We help companies protect their sensitive and valuable data.


This post is from a series of posts in the group Digital Banking Trends: Digital Banking trends and Industry Intelligence for Bankers, Fintechs, and Solutions Providers.