The advent of cloud technology has been a boon for many businesses. The appeal is obvious: faster deployment, less maintenance, increased computing power with the ability to scale according to demand. The net effect of flexible cloud computing is that it enables companies to drive digital transformation and innovation projects.

This has been particularly apparent in the Financial Services where FinTech companies have significantly disrupted existing business models, forcing long-standing incumbents to adapt or suffer digital darwinism.

Commercial threats have called for IT leaders to drive digital transformation, plan out a roadmap, reduce tech debt, whilst maintaining competitiveness in the short term – it’s a tall order.

Transitioning from on-prem to the cloud

Traditionally, FS companies have been wary of the public cloud, instead continuing with the on-prem approach or adopting private cloud. Outsourcing means diminished control and in a tightly regulated sector where non-compliance can result in hefty fines, this can be more control than businesses are willing to relinquish. The Capital One, Tesco Bank and Experian data breaches have done little to alleviate concerns about going all in on cloud.

To complicate matters, moving to the cloud is not a case of simply pressing a button and voila, legacy systems have been migrated to the cloud; on-prem infrastructure and security is vastly different to its cloud equivalent.

Cloud infrastructure requires a great deal of planning from a business and IT perspective, it’s an opportunity to retire outdated legacy technologies and plan for a more streamlined infrastructure. Technologies, policies, procedures and skillsets all need to be considered as part of the process.

53% of companies report a problematic shortage in cybersecurity skills according to a survey. There is an obvious shortage in skills, but also documentation of best practices; IT departments are having to navigate choppy waters whilst being under resourced.

Despite the above, confidence in the cloud is growing. Security has improved, CSPs are meeting global compliance requirements, thereby partially alleviating internal headaches, and with clear responsibility frameworks in place like Amazon’s Shared Responsibility Model, IT teams have a better understanding of what is expected.

Access was much easier to manage when all applications, devices, systems and employees sat onsite, protected by a firewall. But mobile and cloud technologies, as well as the slew of data breaches hitting headlines, have forced companies to reconsider their approach to security.

The perimeter-less era is here and here to stay. Zero Trust has been touted as the next model for cybersecurity best practice., applying far more scrutiny to who or what is allowed access to corporate resources. But, we also have to be practical. There are very few (known) Zero Trust examples in the wild, and companies in all industries are in the process of transitioning to this new model, working out the best blend of technologies; it’s not going to happen over night, especially with sparse resources.

Rather than a site-centric approach being the default setup, infrastructure and security needs to be based on the premise of an inherently mobile workforce as well as data flows. To this end, how Financial Services companies approach mobility will ultimately dictate how secure they are in the cloud.

Understanding where data is located is an important first step. Does your organization have visibility over where data is stored? It’s a difficult question to answer given the growing prevalence of shadow IT, you can’t protect what you don’t know exists.

Shadow IT is a common problem with cloud technologies. Business units are no longer compelled (despite what written security policies say) to work with IT teams to start using their own solutions, which they can be set up in a matter of minutes. Workstations are typically well fortified with web filtering solutions to block inappropriate and unsanctioned services as well as what can be installed, but what about mobile?

Unified Endpoint Management (UEM) tools can mitigate the installation of unsanctioned applications on devices, but that’s easy enough to circumvent using the browser. A UEM can’t extend acceptable usage policies to mobile, it needs a helping hand. This is all on the premise that a business has some control over the device.

Read More: What’s the difference between a UEM and MTD?

BYOD is a commonly used ownership model in the Financial Services, company data continues to flow to unmanaged, unsanctioned devices and applications sitting beyond the corporate perimeter, which undoubtedly raises compliance concerns.

With unmanaged BYODs, there’s less control, less visibility, so how can sysadmin determine whether an access request is legitimate? Whether a device is in a suitable state to be granted access? There are a number of contextual factors that need to be considered that sit beyond the native capabilities of UEM. If left completely unmanaged, shadow IT can creep in, inevitably leading to data leakage.

But even in more managed environments, there can be security problems, our latest Mobile Security in the Financial Services report details how much of a target the Financial Services is across threat vectors.

One telling stat for mobile phishing, shows that 57.33% of Financial Services companies have experienced a mobile phishing attack. The danger is that endpoint-only mobile security solutions don’t offer the necessary protection, and with publicly open cloud applications, this can leave companies under threat of account hijacking.

Under the Zero Trust network access model, security strategists need to forget the idea of implied trust, assumptions can’t be made on location, device, even user credentials. Robust Identity & Access Management controls are needed to more accurately determine identity; applications can’t be left protected with just password based authentication.

Download: Mobile Security in the Financial Services Report

Understanding the risk posture of a device is an important part of provisioning access. Yes, we may be able to accurately determine someone’s identity, but that shouldn’t implicitly vouch for the risk state of their device. An outdated OS, malicious or risky app, jailbroken/rooted device, risky network connection may be present so the context of a session is important.

But an assessment shouldn’t be just at the start of a session, it should be continuous. Single Sign On (SSO) has eliminated the need to constantly re-authenticate, offsetting the more burdensome initial login process, but a lot can happen in a session. Users can get phished, download risky apps, connect to a dodgy network connection, so a continual assessment of the risk posture of a device is essential for good cyber hygiene.

Additionally, we need to move to a stricter model of access control. Users with escalated privilege need to be minimized; employees shouldn’t be granted with unfettered network access.