In the Wake of the Capital One Breach, Can CUs Trust ‘the Cloud’?

cloud with lock on it
Chris Sachse Photo

5 minutes

Businesses today have little choice but to use the public cloud. But they must do so within thoughtful IT governance parameters.

By now everyone has read about the security breach involving Capital One that affected more than 100 million customers. The thing that made this breach stand out from all the others in the news is that the hacker accused of breaking in was a former Amazon employee that worked on Amazon Web Services—the cloud service storing the Capital One data when it was compromised.  

Whether or not the hacker was granted access to the data because of her position at Amazon, as some theories have suggested, is somewhat irrelevant. Rather, the deeply relevant follow-up question to this breach that everyone using cloud services should be asking is: “Can I trust ‘the cloud’?” 

The answer is “you have to today.” But you shouldn’t do so blindly.

The reality is that virtually all of today’s organizations already live in the cloud—oftentimes, many clouds. The benefits offered by the cloud are so great that no company can survive in today’s competitive business environment without leveraging this powerful tool.

However, understanding the cloud, and how your organization manages itself in it, can be a complex challenge. In the simplest terms, the cloud is somebody else’s computers and equipment housed off site and available for you to use. 

Cloud Security Illustrated

Let’s consider an illustration of how security must be handled when an organization has data in the cloud. Picture your IT infrastructure as your home and your data as the members of your family. You and your family live in your home; you choose who visits and who works with you. No matter where your home is located, it is your responsibility to manage, maintain and secure it. 

This is similar to how credit unions used to run their own data centers. They’d fill them with tech, run lines and manage the center’s destiny. They and they alone had the responsibility of managing, securing and maintaining their data centers. The benefit was freedom and control. The issues were expense, speed and flexibility. Any time a problem arose, it took attention away from the core credit union business and meant lost revenue.

As cities developed, people moved closer to their neighbors. In doing so, opportunities opened up to share in the responsibility of providing common resources. This allowed us to reduce the cost of these resources by taking advantage of economies of scale. We shared our water, power and telecom lines. We began outsourcing and sharing in maintenance and security. But we still owned our homes. As times continued to change, the modern sharing economy gave rise to the idea of Airbnb. Airbnb offers all of the benefits of a home in a city, with the added flexibility of being able to move from location to location at a moment’s notice, whether you need to upsize, downsize or move to another neighborhood.

Similarly, using the cloud allows credit unions to take advantage of lower costs, thanks to the economies of scale that come with a large, shared data center. You can rely on the cloud provider to ensure that your operating system is patched with the latest security updates. And like with Airbnb, you can leverage the flexibility that comes from not owning the resource. If you need to scale up or down, you can do it dynamically at any time.

But just because you are staying in an Airbnb in a city with police, doesn’t mean you can completely let your guard down. As the head of the household, security, strategy and management are still your responsibilities. While the police will do their best to protect you, it is important that you stay aware of possible threats in your area because no one loves your family members like you do. You must pick the right neighborhood, the right type of home and secure that home while you are there. You must maintain the house (or pay someone to do it for you), do the dishes and clean the bathrooms. The ultimate responsibility rests with you. 

Similarly, when dealing with cloud vendors like AWS, Azure and others, you need to keep your guard up. The vendors have a lot of amenities built in and most will do their best to protect you and your data. But it is still your data. No one will care as much about it as you. The maintenance and security falls to you. It shouldn’t be assumed that the cloud vendor will handle it. In fact, someone that works there could be a really bad person. We don’t know. But, with the right strategy, you can protect yourself and you can leverage this ecosystem for the benefits it provides, so long as you understand the burden you carry. 

It takes different strategies to keep safe in this evolving world. We used to build fences and walls for protection. Now we must get more creative and have an adaptive security plan that relies on identity and access management. And, unfortunately, we must trust no one. 

You Can Take Action

Your credit union’s data is already in the cloud. Here are four questions you should answer for your organization:

  1. What clouds are you are in?  
  2. Who can come into your cloud? Why? 
  3. What processes run on your cloud? 
  4. What is your risk tolerance and how does using the cloud fit into that?

With those questions answered, you can design an architecture that will protect you, based on the core tenets of data security: 

  1. Zero trust network (requiring strict identity verification for every person and device trying to access resources on your private network)
  2. Identity and access management 
  3. Maintenance and monitoring 
  4. Resiliency (ability to continuously deliver the intended outcome despite adverse cyber events)
  5. Vendor management 
  6. Risk management 

Don’t wait, your family (aka your data!) is at risk no matter where it is. 

Chris Sachse is CEO of CUES strategic provider for IT governance technology Think|Stack, Baltimore. 

CUES Learning Portal