By Roy Urrico
Credit unions and other financial institutions face an increased threat regarding storage of data in the cloud. Salt Lake City-based Cloud Storage Security (CSS) wants to protect that information.
CSS serves a diverse clientele spanning commercial, regulated, and public sector organizations worldwide. The company claims to solve security and compliance challenges by identifying and eliminating threats, while reducing risk and human error. CSS's cloud-native solutions integrate into a wide range of use cases and workflows, while complementing and bolstering existing infrastructure and security frameworks.
CSS CEO Steven Hess sat down with Finopotamus to discuss how his company’s automated malware scanning and data loss prevention tools solve challenges surrounding cloud storage.
Securing and Protecting Data
“Our objective is to secure and protect the world's data. We do that by trying to answer three fundamental questions. The first is: What data do I have? The second: Is it safe to use? And then the third: Is it too sensitive to share?” said Hess.
He described how the CSS platform analyzes cloud data storage and use. Hess noted CSS also provides “incredibly robust antivirus and malware scanning capabilities.” Scanning helps monitor and evaluate the data files for corruption, Hess added.
CSS also offers data classification tools that allow organizations to identify where sensitive data resides. “That can be by standard conventions. Like PII (personally identifiable information), credit card numbers or by customer or member defined criteria.”
Hess explained for security solutions to be effective, they must be incredibly robust, as well as easy to implement, configure and run. He assured CSS does not have to “touch the data” to protect it.
Activating a Zero-Trust Approach
As more credit unions leverage the cloud for data storage, it exposes members’ financial data, possibly jeopardizing the financial institution’s cybersecurity and regulatory positions, according to Hess. He maintained the common belief that data at rest is secure data is a false argument.
Smaller regional organizations like credit unions may not have the large teams required to deploy protective data solutions. “We believe that increasingly you have to take the zero-trust approach to data.” A zero-trust approach to data is a security model that seeks to thwart unauthorized access to data and services by continuously authenticating users and devices.
“Malware and ransomware are on everyone's mind, and it is increasingly sophisticated. That is something that can lay dormant for weeks or months, “said Hess, calling attention to the sophistication of today’s threat actors. “The customers we serve routinely find malware brought into their system. In the last year alone, it is probably some 50,000 pieces of malicious code.”
Cybercriminals take advantage of sophisticated malware, social engineering, and data misconfigurations in the cloud, said Hess. “Even the best organizations, you will find that 70% of them have significant misconfigurations.”
Challenge Facing Credit Unions
Hess indicated the challenge facing credit unions moving to the cloud – whether it is Amazon Web Services (AWS), Google Cloud or Microsoft Azure – is that it is inherently secure. “That is where the problems start. As more credit unions head to the cloud, we thought it would be important to educate these organizations that it is not a given that their data is secure.”
Hess noted, regardless of where the data emanates, whether its on-premise systems, or through different APIs (application programming interfaces) or any other data feeds, data ultimately lands in one of those major repositories.
“Whether it is a small credit union or a much larger credit union, it's almost certain they're ingesting data not from those main feeds, but they're pulling from other places,” said Hess.
CSS Protects by Scanning
The CSS customer determines the parameter of the data protection, said Hess. “The end user can decide how they want to handle that data. You could say, ‘anytime any data comes into my cloud infrastructure and hits my storage, I want you to scan it. And if you find something that you question or identify, you put it into a quarantine bucket and isolate it.’”
He also noted that organizations can also customize configurations to anytime the data is accessed. “It is very robust and it is designed to work within the workflows that exists within the customer's environment,” pointed out Hess.
“It is important for credit unions to not just use one scanning engine for ransomware or malware, but multiple scanning engines. One of the things that we do is we throw multiple scanning engines against it. If you do one (scan), you catch maybe 90 to 95%. If you add a second, (you catch) 97-98%, you add a third, you are getting to where you have got very high efficacy in terms of identifying all of the malware and ransomware out there.”
Changing Data Storage
"If you go back 10, 15, or 20 years, it was easily defined where the data was and where it resided. But now the wide range of organizations up and down the value chain is in various stages. You can no longer be sure,’” maintained Hess. “You just cannot trust anything that comes into your system. You have to scan it when it comes in, at rest, (and) before you share it. And that is how you overcome the uncertainty around where the data was stored, who was able to touch it or interact with it on its way to you.”
Hess said the CSS can also quarantine suspicious data into a “dirty bucket.” Whoever is in charge will see something was flagged and they can decide how to remediate it. “It is up to them on how they want the alerts provided, but we try to hit the ‘easy button,’ and configure it so that even if you're not there to act in that very moment, you are still protected.”
“Literally half of organizations have been targeted by ransomware and between 35 and 40% have actually been impacted by it,” said Hess. “What's even more frightening is about a third of those organizations have been hit more than once.”
Added Hess, “It is like a very real prevalent problem and you have to take it seriously because if your organization has not been targeted yet, it is just a matter of time. It is very hard to overcome. The cost of a breach is tens of millions of dollars. It can take upwards of a year to successfully audit, trace and restore your data if you are impacted.
“This (data protection) might resonate particularly with the credit unions. They are ultimately about serving their members,” suggested Hess. “And a lot of that is predicated on trust. You cannot afford to lose the trust of your members.”
CSS Protects Data
“Our heritage was working within AWS. That is where we started and where we remained. But we can also protect data in Azure, and it can be adapted and deployed for use in things like on-prem or as a tool to migrate your data into the cloud. When you are taking that journey into the cloud, we can help make it safe.”
Hess also pointed out CSS has a global presence. “We serve a wide range of organizations from startups, (small and medium-sized businesses) to very large and complex organizations. We also work in healthcare, life science, and financial services.” He added, “We landed on (financial services) because it's data intensive, it's highly regulated, and the cost of a breach is almost incalculable.”