kentoh - Fotolia

AWS re:Inforce bares financial firms' cloud security challenges

Cloud security concerns have ebbed among financial services providers, as the panoply of presenters like Capital One, Discover, Barclays and AQR showed at AWS re:Inforce.

BOSTON -- Presentations from several well-known financial services providers at the AWS re:Inforce conference this week suggest concerns over cloud security challenges in the highly regulated industry may not be a thing of the past, but have faded significantly.

Finserv companies featured at the event include Capital One, Discover, the U.S. Financial Industry Regulatory Authority (FINRA), Barclays and the large hedge fund AQR Capital Management. Representatives from these firms described a range of approaches, from more general discussions of migrations to AWS, to details of how they've built new security-related software on top of the cloud platform.

Such a lineup was unthinkable just four or five years ago, but time, experimentation and cloud-provider maturity have changed the dynamics.

"This is a very careful set of folks who make decisions deliberately over time," AWS Chief Information Security Officer Stephen Schmidt said in an interview. "It's been proven they can meet their regulatory demands [in the cloud]." Ones slower to take the leap now recognize the competitive advantage to do so, he added.

Companies in the space are also concerned they'll be disrupted by upstarts, much like Airbnb and Uber shook the foundations of the hospitality and private transportation industries, said Doug Cahill, an analyst at Enterprise Strategy Group in Milford, Mass.

Many financial services companies initially went the private cloud route, but the timing wasn't right, Cahill said. "A lot of [them] invested some time in OpenStack to see if it would hunt. It didn't."

Many skipped over the first generation of public clouds, but have now adopted second-generation cloud technologies, such as microservices and containers, he added.

Capital One is amid a wholesale move to AWS that began several years ago and is a prominent reference customer for AWS. The bank has targeted millennial customers with snazzy new mobile apps and spruced-up retail locations. It now refers to itself as a technology company that offers financial services.

In a re:Inforce keynote, Capital One Chief Information Security Officer Michael Johnson said the cloud is better for security, thanks to the more ephemeral nature of IT resources, which reduces the attack surface, and faster innovation in security by cloud providers compared with on-premises ones.

Discover, FINRA use AWS to build new security tools

Financial services firms haven't just moved workloads to clouds like AWS. They've also used cloud services to stitch together brand-new security software.

Discover used AWS to build Warden, a compliance engine that incorporates AWS offerings such as Lambda, CloudTrail, S3, CloudWatch and Simple Notification Service. Warden ensures Discover employees tap AWS offerings that adhere to the credit card provider's security requirements.

Doing this with a collection of old-school security products wasn't desirable, said Kyle Sheldon, director of cloud security at Discover, in a re:Inforce presentation.

"We learned very quickly that we needed to use the cloud to protect the cloud," Sheldon said. Discover plans to open-source Warden at some point, Sheldon said.

Representatives from FINRA, a private nonprofit that seeks to keep securities brokerages honest and fair, also presented at re:Inforce.

We learned very quickly that we needed to use the cloud to protect the cloud.
Kyle SheldonDirector of cloud security, Discover

FINRA has 30 PB of data and more than 150 applications in the cloud, said Daniel Koo, senior director of DevOps products and engineering. Koo and a colleague described how FINRA has developed a holistic security strategy that also helped speed up its DevOps processes.

Like Discover, FINRA saw a need to build new security tools that augment AWS' core capabilities. One result of this was Gatekeeper, which uses Systems Manager and AWS Run Command.

Gatekeeper provides safeguards when FINRA users want to use EC2 resources. Users can search for the resources they want and ask for temporary access, whereupon Gatekeeper approves or denies that access based on preestablished rules. FINRA predominantly uses AWS, but also has a small presence on Microsoft Azure due to associations with some Microsoft applications, Koo said in an interview after his talk.

Five years ago, it would have been surprising to see so many companies like FINRA present at a show like re:Inforce, but this has changed for valid reasons, according to Koo.

"AWS' security has improved a lot, and there's a lot of trust," Koo said. Also, on-premises data centers can't meet FINRA's current needs, he added. "With the amount of data we have to handle, it was just not enough. It's 30 PB and [tracking] 135 billion transactions in a single day. We had to use cloud computing; otherwise, we couldn't do our job."

AQR rewrites IAM strategy to solve DevOps paradox

AQR Capital Management didn't build its own tooling with AWS, but instead redesigned its methodology around identity access management (IAM) through AWS to resolve one of the hallmark cloud security challenges: tight controls vs. developer freedom.

Like most financial services firms, the global investment management firm based in Greenwich, Conn., is inherently risk-averse. It leans toward more preventative controls and strict permissions over enabling developers to experiment and implement policy as they create app stacks in AWS, said Alan Garver, vice president of cloud engineering at AQR, in a presentation. "When you experience this tradeoff, the developer always loses," he said.

However, an inability to go fast, experiment and possibly oppose a problem or vulnerability actually undercuts security, said co-presenter Fritz Kunstler, principal consultant at AWS. "Not only for the sake of the business, but also for the sake of security, it's important to be able to experiment, to move fast and do it in a safe way," he said.

AQR's methodology replaces the mentality of IT security groups as traffic cops and instead treats IAM security as its own product -- a set of capabilities that establish a security baseline, provided and managed in AWS, Garver said. This configuration of a security controls framework relies on AWS Organizations and fine-grained permissions to apply services control policies across multiple AWS accounts. This IAM methodology provides all the strong controls AQR wants in an AWS operating environment, but also lays out clear boundaries so developers can move freely, without security specialists as a bottleneck, Garver said.

At the same time, AQR's developers should be empowered to push back occasionally for additional permissions or to question a boundary's restrictions. That's why AQR's IAM in AWS is managed by an internal product team, that can handle and even anticipate such requests, and quickly make changes and deliver them to the live environment, he said.

Senior News Editor James Montgomery contributed to this report.

Dig Deeper on AWS infrastructure