Data security in the cloud era - keeping one step ahead

The introduction next May in Europe of the General Data Protection Regulation strengthens the case for financial services firms to utilise a cloud access security broker.

Digital strategy is driving a new era of banking. The financial ecosystem is now more competitive and fast-paced than ever before. Keen to use technology to keep up with the competition, the industry is now embracing cloud computing for everything from data storage and Office tools, to customer relationship management and HR.

However, the cloud is not without its challenges. For the financial services industry – highly regulated and security conscious – the fears surrounding data security in the cloud mean that cloud adoption is not a straightforward procedure.

The European Union (EU) General Data Protection Regulation (GDPR) has exacerbated these concerns. From May 2018, the GDPR will hold organisations accountable for data protection and customer privacy to a far stricter standard than ever before.

Not only will businesses need to have full visibility over customer data being held on premises, they will also need to understand exactly how this data is being used by cloud services providers. They will also have to take steps to ensure appropriate technical and organisational measures are in place to keep data secure, whether it is in the cloud or on premises.

The emergence of CASB

To ignore digital innovation is to fall behind the times, but keeping data secure and compliant in the cloud appears to be a significant challenge. One emerging technology being used by pioneering financial services firms is a cloud access security broker (CASB). Designed to protect data outside of the network perimeter, the technology sits between the cloud and endpoints, allowing security teams to extend the reach of their security policies beyond their on-premises infrastructure.

The CASB makes it possible for IT teams to both monitor and manage employee access to data in cloud applications. This improved visibility helps organisations to protect against attacks that target cloud data or users. Because CASBs are data centric, they are designed to protect data anytime and anywhere. This means that they go beyond simply viewing data movements in cloud applications to protecting data from accidental or malicious activity when users are working on either a managed (company-owned) or unmanaged (employee-owned) device.

CASBs help IT teams to safeguard data wherever it resides, diminishing worries about regulations such as the GDPR and improving data security. Five of the key challenges around cloud security and how CASBs can help tackle these are as follows:

• Challenge #1: Controlling employee access
When applications and data were on premises, it was relatively easy to limit access to authenticated users signing in from authorised managed devices. Now that applications and data are moving to the cloud, it’s a different story. Because apps such as Salesforce and Box allow data to be accessed anywhere and from any device, the IT team has much less control over who can access what data.

A CASB helps to put in place customisable data security standards; meaning that IT teams can decide what data each employee can access from a cloud application. The employee is still able to work in a flexible manner, but, for example, certain data may not be accessible on certain devices or the user is prevented from downloading it.

How does it work? When a user tries to log in to a protected app, the CASB first establishes whether the device is managed or unmanaged. It then implements the prescribed policies for any device considered to be unmanaged. For example, if an employee tries to access sensitive customer data on an unmanaged device, the CASB can mask that data from them.

• Challenge #2: Keeping data encrypted
One of the biggest benefits of CASB is that it helps teams roll out full-strength cloud encryption. Many cloud app vendors encrypt data at rest in cloud infrastructures and, at some point, retain control of a customer’s encryption keys. In highly regulated industries like finance, this is unacceptable. With a CASB, enterprises can retain control over their own encryption keys at all times, mitigating several privacy and security concerns.

• Challenge #3: Authenticating employees using cloud apps
Keeping comprehensive identity management in place is a key challenge for enterprises that are thinking about adopting cloud applications. For example, if a user logs into the Salesforce app in Birmingham, only to log into a Box app minutes later from a different location or malicious internet protocol (IP) address, organisations need to be able to flag the suspicious activity.

Today’s leading CASB solutions feature identity and access management (IAM) capabilities. These provide enterprises with multi-factor authentication without having to deploy an additional third-party identity system. In the above example, the suspicious activity would trigger a re-authentication requirement on both devices and time out the active session. Given that phishing and compromised credentials make up one of the biggest attack vectors, having the capability to both see suspicious activity in cloud applications and ask users to re-authenticate can help to reduce the risk of data leakage.
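The Birmingham example above can be expressed as detection logic over login events. The following Python sketch is an added example, not code from any CASB product; the event fields, the pre-resolved coordinates, the speed and distance thresholds and the IP blocklist are all assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumptions: thresholds and blocklist are illustrative values only.
MAX_KMH = 900.0               # roughly airliner speed
MIN_KM = 50.0                 # ignore small geolocation jitter
BAD_IPS = {"203.0.113.66"}    # constructed; documentation address range

@dataclass
class Login:
    user: str
    app: str
    ip: str
    lat: float
    lon: float
    when: datetime

def km_between(a, b):
    """Great-circle (haversine) distance in km between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate(events):
    """Compare each login with the same user's previous login in any app."""
    last, findings = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        reasons = ["blocklisted_ip"] if ev.ip in BAD_IPS else []
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            dist = km_between(prev, ev)
            # Zero elapsed time over a real distance is also impossible travel.
            if dist > MIN_KM and (hours == 0 or dist / hours > MAX_KMH):
                reasons.append("impossible_travel")
        if reasons:
            # Sessions that must re-authenticate and be timed out.
            apps = sorted({ev.app} | ({prev.app} if prev is not None else set()))
            findings.append({"user": ev.user, "reasons": reasons, "reauth": apps})
        last[ev.user] = ev
    return findings

# Constructed sample events (coordinates: Birmingham, Singapore, London).
EVENTS = [
    Login("alice", "salesforce", "198.51.100.10", 52.4862, -1.8904, datetime(2018, 5, 25, 9, 0)),
    Login("alice", "box", "203.0.113.66", 1.3521, 103.8198, datetime(2018, 5, 25, 9, 4)),
    Login("bob", "box", "198.51.100.20", 51.5074, -0.1278, datetime(2018, 5, 25, 9, 0)),
    Login("bob", "salesforce", "198.51.100.21", 51.5080, -0.1300, datetime(2018, 5, 25, 9, 10)),
]
```

Only the first user is flagged: the second user's two logins are a few hundred metres apart, so they fall under the jitter threshold.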

• Challenge #4: Managing external sharing
Because of their ease of use, cloud file sync and share capabilities can present a serious threat to data security. One click of a button and data can be shared with third parties or unsanctioned employees. CASBs can greatly increase control over cloud sharing by checking for sensitive data at rest in apps. If sensitive data is found, the organisation can apply one of several pre-determined policies: the data can be redacted, quarantined for investigation or encrypted. This functionality is key because it means organisations don’t have to put in place a company-wide “no cloud sharing” policy. If an employee needs to share some information and it is not sensitive, they can still do so. The CASB is there to prevent sensitive data from being shared, whether accidentally or maliciously.
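The access control described under Challenge #1 and the sharing control described here both depend on recognising sensitive content and then choosing an action from context. The Python sketch below is an added example, not code from any CASB product; it assumes "sensitive data" means payment card numbers, and the action names and the `decide` policy are hypothetical.

```python
import re

# Assumption: sensitive data is modelled as payment card numbers only,
# confirmed with the Luhn checksum to cut false positives on other digit runs.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Constructed sample; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = "Card 4111 1111 1111 1111 for order 1234567890123"

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return (start, end) spans of Luhn-valid card numbers in text."""
    spans = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            spans.append((m.start(), m.end()))
    return spans

def mask(text, spans):
    """Replace each span with asterisks, keeping its last four characters."""
    out, pos = [], 0
    for start, end in spans:
        out.append(text[pos:start])
        out.append("*" * (end - start - 4) + text[end - 4:end])
        pos = end
    return "".join(out) + text[pos:]

def decide(action, device_managed, text):
    """Hypothetical policy returning (verdict, content delivered to the user)."""
    spans = find_sensitive(text)
    if not spans:
        return "allow", text                 # non-sensitive data flows freely
    if action == "share_external":
        return "quarantine", None            # hold for investigation
    if not device_managed:
        if action == "download":
            return "block", None             # no local copy on unmanaged devices
        return "mask", mask(text, spans)     # viewing is allowed, but masked
    return "allow", text
```

The 13-digit order number in the sample matches the pattern but fails the checksum, so it is left untouched.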

• Challenge #5: Creating audits of cloud data
Visibility is a large gap in many sanctioned applications, with few providing even basic audit or activity logs. CASB helps fill these gaps by providing not only audit-level logging, but alerts and reports that up-level logs into actionable security intelligence. This enables finance organisations to adhere to compliance requirements and means that audits of cloud-based data can be as comprehensive as on-premises data.

These capabilities can be very helpful in a range of use cases. For example, if an employee’s mobile is lost or stolen, the CASB can identify what data is on the device and see if it is sensitive. Some CASBs can then go one step further to selectively wipe this sensitive data from the lost device.


The financial services industry is no longer a laggard when it comes to adopting the cloud. Most organisations are now looking for ways to use a wide range of cloud applications and services, whilst dealing with regulatory and security fears. CASB can help meet these requirements by delivering the visibility and control that allows financial institutions to fully leverage the cloud, without risking a loss of sensitive customer data or confidential information.
