The news pouring out of newspapers, media outlets and the communications departments of businesses tied to Capital One on 29th July left everyone in a frenzy. Credit card information, social security numbers, personal account details including transaction histories, credit risk scores and hordes of other personal data were lost; valuable customer data, generally meant for better customer intelligence, ended up in the wrong hands because of a cloud misconfiguration. This only proves what financial security experts have been saying for the past few years:
“In the new digital era, data is currency, and when it falls into the wrong hands it can spread like wildfire throughout the criminal community”
-Justin Fier, Director of Cyber-Intelligence, Darktrace
Two years on from the Equifax debacle of 2017, have banks learnt anything? The truth is ugly, and it points clearly to banks relying heavily on their cloud service providers (CSPs), Amazon Web Services (AWS) in this case. Under the Shared Responsibility Model for cloud services, the CSP is responsible for security of the cloud, while the customer is responsible for security in the cloud. In practice, however, there has been no sharing of security responsibilities and no sharing of the blame.
An alarming statistic from Fugue, a cloud security provider, makes the alarm bells ring even more loudly. According to Fugue, 9 in every 10 enterprises, including a large number of banks and financial institutions, have real concerns about security risks related to cloud misconfiguration, yet only 1 in every 3 enterprises continuously monitors for these issues. When banks are aiming to collect enough information on customers to improve their customer intelligence programmes, is it not important that they also focus on securing the data they want to use?
The Mistake – Not following the Shared Responsibility Model
According to the Shared Responsibility Model, it is the customer's duty to secure their own configurations and resources in the cloud. For starters, banks need to authorise access permissions to data in a better manner: they currently do not have adequate access restrictions and safeguards, which puts them at risk of data breaches. Secondly, banks need more visibility within their cloud infrastructure. Banks themselves are not sure which assets they have. Inventory management within their cloud infrastructure has been one of the major pitfalls, and securing assets nobody has inventoried has been out of the question. Another major reason for the Equifax and Capital One headlines is the lack of continuous monitoring within banks. When several cloud misconfigurations can occur on any given day because of the access granted to a large number of users, isn't it conceivable that a human error is waiting to happen?
The Lesson to be learnt
Banks like Capital One, as they clean up their mess and as part of the damage limitation process, should look to DevSecOps and automation as their immediate solution. Securing cloud configurations by hand through management consoles is more error-prone than automating the security measures. Automation increases consistency: banks can validate every configuration against an existing set of rules built from previous events.
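The following is an added example, not code from the original article or from any bank or vendor mentioned in it. It shows what "validating configurations against an existing set of rules" looks like in practice: a small policy-as-code checker that runs a fixed rule set over a constructed inventory of cloud resources, covering the three gaps the article names (access restrictions, inventory visibility and continuous checking). The simplified resource schema, the rule names and the bucket and role names are assumptions made for illustration; they are not any provider's real API or any real organisation's configuration.

```python
"""Rule-based checks for common cloud misconfigurations (added example).

The resource schema below is a simplified, assumed shape for illustration,
not a real cloud provider's API. Each rule takes one resource description
and returns zero or more findings; an automated pipeline would run
evaluate() on every configuration change instead of relying on someone
eyeballing a console.
"""
from typing import Callable, Dict, Iterable, List, NamedTuple


class Finding(NamedTuple):
    resource: str
    rule: str
    severity: str  # HIGH, MEDIUM or LOW
    detail: str


Rule = Callable[[Dict], List[Finding]]
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: Dict) -> Iterable[Dict]:
    """Yield the Allow statements of a JSON-style access policy."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            yield stmt


def rule_public_bucket(res: Dict) -> List[Finding]:
    """Access restrictions: a bucket must not be reachable anonymously."""
    if res["type"] != "storage_bucket":
        return []
    out = []
    if not res.get("block_public_access", False):
        out.append(Finding(res["name"], "public-access-block", "HIGH",
                           "public access block is disabled"))
    for stmt in _allow_statements(res.get("policy", {})):
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            out.append(Finding(res["name"], "public-bucket-policy", "HIGH",
                               "policy grants access to any principal"))
    return out


def rule_bucket_hygiene(res: Dict) -> List[Finding]:
    """Visibility: data is encrypted at rest and every read leaves a log trail."""
    if res["type"] != "storage_bucket":
        return []
    out = []
    if not res.get("encryption_at_rest", False):
        out.append(Finding(res["name"], "no-encryption-at-rest", "MEDIUM",
                           "server-side encryption is not enabled"))
    if not res.get("access_logging", False):
        out.append(Finding(res["name"], "no-access-logging", "MEDIUM",
                           "access logging is not enabled"))
    return out


def rule_wildcard_permissions(res: Dict) -> List[Finding]:
    """Least privilege: no Allow of '*' or 'service:*' actions on every resource."""
    if res["type"] != "iam_role":
        return []
    out = []
    for stmt in _allow_statements(res.get("permissions_policy", {})):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad = any(a == "*" or a.endswith(":*") for a in actions)
        if broad and "*" in resources:
            out.append(Finding(res["name"], "wildcard-permissions", "HIGH",
                               f"allows {actions} on every resource"))
    return out


def rule_required_tags(res: Dict, required=("owner", "environment")) -> List[Finding]:
    """Inventory: every resource carries the tags needed to know who owns it."""
    tags = res.get("tags", {})
    return [Finding(res["name"], "missing-tag", "LOW", f"tag '{t}' is missing")
            for t in required if t not in tags]


RULES: List[Rule] = [rule_public_bucket, rule_bucket_hygiene,
                     rule_wildcard_permissions, rule_required_tags]


def evaluate(inventory: Iterable[Dict], rules: List[Rule] = RULES) -> List[Finding]:
    """Run every rule over every resource and return all findings."""
    return [f for res in inventory for rule in rules for f in rule(res)]


def worst_severity(findings: Iterable[Finding]) -> str:
    """'NONE' if the inventory is clean, otherwise the highest severity present."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="NONE")


# Constructed sample inventory; names and policies are made up for this example.
SAMPLE_INVENTORY = [
    {"type": "storage_bucket", "name": "customer-data-archive",
     "block_public_access": False, "encryption_at_rest": False,
     "access_logging": False, "tags": {},
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::customer-data-archive/*"}]}},
    {"type": "storage_bucket", "name": "statements-prod",
     "block_public_access": True, "encryption_at_rest": True,
     "access_logging": True, "tags": {"owner": "cards-team", "environment": "prod"},
     "policy": {"Statement": []}},
    {"type": "iam_role", "name": "analytics-batch-role",
     "tags": {"owner": "analytics", "environment": "prod"},
     "permissions_policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                                           "Resource": "*"}]}},
]

if __name__ == "__main__":
    findings = evaluate(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.severity:6} {f.resource:24} {f.rule}: {f.detail}")
    print("worst severity:", worst_severity(findings))
```

Run against the sample inventory, the checker flags the unowned, publicly readable, unlogged bucket and the role with `s3:*` on every resource, and passes the properly configured bucket. Wiring `evaluate()` into a deployment pipeline and failing the change whenever `worst_severity()` returns HIGH is the automated, continuous validation the paragraph above calls for; adding a new rule after each incident is how the rule set grows from previous events.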
The Equifax debacle affected 150 million customers in 2017. The Capital One fiasco hit 106 million customers in the US and Canada. If banks capture customer experiences through extensive analysis of customer data but do not secure that data, offering it up as free candy to hackers, then they don't deserve to serve customers any longer. Customer experience and security have to go hand in hand. Banks, including Capital One, have to ensure better security, take on more responsibility and gain more visibility in the cloud. Data governance will take the front seat as the US government scrutinises the happenings at Capital One and banks try to brush off the negative effects of the data breach. It remains to be seen whether banks will seal the loopholes in their cloud infrastructure or whether, in the near future, we will have to witness something similar to the quagmire we have just seen.