The Real Security Risks of Running Finance Apps in the Cloud (Business Finance Magazine)

img_2013-11-01_Business-Finance-MagazineNEWS | SECURITY | POLICY

Read the full article at Business Finance Magazine.

When using sensitive accounting and financial systems in the cloud, worry less about where data lives and more about how users access it.

Finance teams have been relying on web services since before the cloud was the cloud. Tasks such as banking, payroll processing and benefits administration have been online for several years. These days, though, CFOs are embracing web apps more widely, including accounting, budgeting, ERP, bill pay and more. This shift is happening for many reasons, not least of which is the effectiveness of cloud apps to support flexible and decentralized workforces, including outside consultants and temporary workers.

Nonetheless, some CFOs remain fearful about the security of their data in the cloud. But where do the risks really lie, and what can CFOs do to embrace the cloud while containing their exposure?

Let's start somewhere incontrovertible; in terms of access to sensitive information, finance teams have the keys to the kingdom. Along with being the custodians of the financial assets, these users also have access to customer details, employee records, legal documents and regulatory information. In many organizations, the CFO is ultimately responsible for protecting this data even though the CIO may deliver the overarching information security framework.

It’s therefore unsurprising that for every CFO that has embraced the cloud, there are others who remain skeptical. Despite core services like online banking that are already delivered over the web, there is understandable caution in pushing broader classes of data online for storage on someone else’s servers. But in reality, an average-sized organization with limited budget and manpower is typically much better off leveraging security-capable cloud vendors that must make data security their business.

The best providers take a holistic view to securing customer data, including protecting the server from penetration, encryption of the data at rest, secure storage and retrieval of encryption keys, enforcement of internal access rights, data redundancy and backup/restore processes. What’s more, the over-fixation on data location seems out of line with the reality of where breaches typically occur. For the most part, data is safe sitting on servers you don’t own. Rather, it’s when your users access that data that things can get messy.

The methods by which users access data over the web is much more fertile ground for compromise regardless of where the data resides. In many instances the risks lie beyond the reach of corporate IT. Let’s take a look at the reasons why.

Data Compromise through Exploit

Using a web application or cloud service relies on the local browser on the user's device; yet this local browser remains an impossible application to secure. Users often mix both work and personal browsing regardless of corporate policy. Browsers indiscriminately download and execute web code both benign and malicious and cache sensitive data like cookies and browser history.

Unfortunately the promiscuity of browsers when it comes to fetching dynamic content has made it easy for hackers to distribute exploits within web code. New web standards such as HTML5 are helping hackers further by expanding the capability for web-delivered code to interface with and potentially compromise users’ systems. Meanwhile, client software used to detect and prevent malware propagation has struggled to stay effective.

For finance organizations the risks have been material. Malware authors have targeted the online financial accounts of businesses given their lucrative account balances. Zeus and Spyeye are just two examples of malware that compromise browsing sessions when users access banking portals; the exploits have affected the customers of major financial brands. Finance leaders may not be expert in understanding and mitigating the risk of these attacks, but they have been forced to incorporate them into their lexicon and add them to their list of worries.

Despite steps by banks and e-commerce companies to shore up their web applications and authentication mechanisms, they can’t address the risks that live with the user and their device. For instance, an infected machine might capture keystrokes as users login, or a hacked browser might redirect them to a fraudulent web page to gather account information there. All of this happens before any level of security validation by an online service ever comes into play.

IT teams do what they can to minimize exposure by running antivirus software on company computers and perhaps installing a filtering solution to keep inappropriate content off the network. These tools aren't often up to the task of thwarting the most insidious hacks which might leverage nascent malware. Worse, as users increasingly work from anywhere using any device, these basic security controls may not be present at all. This is particularly onerous for finance teams because of their dependence on employees and financial consultants working off-site and using a range of unknown devices and sometimes insecure networks to access sensitive accounts.

But there is another source of risk when accessing online data which is harder for business leaders to offload to the IT department: data compromise as a result of user behavior or weak business processes.

Data Compromise through User Misstep

Users look for the path of least resistance when performing their jobs and security considerations get trumped for convenience across a range of areas. Consider how most users manage credentials, download or upload data, jump on public WiFi networks or click on links in emails. In finance departments, the situation is further muddied by the need to delegate account access to third parties such as tax accountants, resulting in very little control over the use of business data available online.

Typically, online account access is delegated to users who are then responsible for managing their own login credentials. This includes setting them to be strong and unique, storing them safely and ensuring they aren’t entered in the wrong places. Unfortunately phishing scams remain effective, where even savvy users follow links in emails to fraudulent web pages and enter login information.

Sometimes, multiple users share a common login to an account, requiring the same care when handling credentials but with additional coordination challenges as users leave the group and credentials need to be updated for all. This situation is greatly exacerbated when certain classes of user need temporary access to key accounts--such as when a BPO team operates internal shifts to support customers, requiring credential rotation among a pool of workers. Granting and revoking access across a number of accounts can become arduous, as users come and go. Mistakes inevitably happen, as when a terminated user retains access beyond their last day.

Another key source of vulnerability is data leakage: users logging in to business apps from anywhere and any device have free rein to download and upload data to places beyond the organization’s reach. Examples include a finance employee downloading sensitive content to a unsecured home PC, or a contract accountant downloading it to their personal laptop or uploading to a cloud storage folder like Dropbox. In most cases these actions are not nefarious but rather the result of innocuous user activity; printing a document or using a cloud folder to access files from different machines. Nonetheless, once the information is out, the likelihood of it ending up in the wrong place is much more likely—stolen laptops are a common source of data breach.

The Role of the Finance Leader

So what should finance leaders do to realize the benefits of web apps in light of the data access risks outlined above? Here are some things to consider:

Dedicated computers for certain jobs: Reserve one computer for nothing else but accessing the company banking portal. It’s a bit crude, but if your team is small, and you don’t need to grant third-party access it can reduce the likelihood of an online exploit.

Basic endpoint security: Install and regularly update anti-virus tools and hard disk encryption software on all company-issued computers. It’s the bare minimum for any finance organization, although it does not address the prevalence of employees and contractors logging into corporate systems from unmanaged and often unsecure personal devices.

Virtual containers for secure browsing: A more robust solution for larger, distributed teams is to access key accounts from within virtual containers. Think of these as segregated areas of a computer that are isolated from general browsing activity. Local virtualization is a little cumbersome especially as users roam across different devices, but a new class of technology is emerging that virtualizes the browser in the cloud and offers a centralized way to grant secure access to any user from any device.

Get serious with your BPO partners: Sit down with your vendors and understand their IT security and business processes, particularly in the areas of shift management, credential sharing and access revocation. You might find that they welcome the conversation given the liability they bear with their customer accounts. There are also technical solutions to consider that can enable both parties to share account access without exposing user names and passwords.

Move away from simple logins: Think about two-factor authentication solutions that are practical. Having a separate method for every account quickly becomes a nightmare. Yet there are ways to implement a common strong authentication and single sign-on framework that can apply across all accounts.

Insist on user training: Put your team through actionable security training, particularly with regard to the latest social engineering exploits. Instituting a policy of never clicking on a link in email is a good first step.

Enforce device and data access controls: Determine what level of data access you are comfortable allowing when users login from different machines. Consider solutions that can allow you to contain or restrict company data from reaching unauthorized devices and which can enforce remote data wipe when devices are stolen or go missing.

Audit your web logs: Business data is commingled with personal browsing. Look at logs of web activity to see where users go and get a picture of suspicious or objectionable content on your network.

Partner with IT: Sit with the IT team and work collaboratively to define responsibilities. The buck may stop at the CFO, but both parties share a role in protecting company data. The best solution will likely be a by-product of the two perspectives.

There is no panacea to the risks of doing business online. Yet by re-focusing our attentions from the storage of data to how users access it from the browser, we can get considerably more bang for our security investment buck.

Read the full article at Business Finance Magazine.

Ramesh Rajagopal - Ramesh is Co-Founder and President of Authentic8. Before, he was VP Corporate Development at Postini, heading up strategic planning and business development until its acquisition by Google in 2007.

Topics: News, Security, Policy