Cloud vendor lock-in: Why it’s a security risk

by jcp

David Friend, CEO and co-founder, Wasabi

Earlier this year in July, the UK’s central banking authority, the Bank of England, raised renewed concerns over the financial system’s increased reliance on a small number of unregulated cloud service providers for key parts of their operations. In particular, the Bank of England singled out the risk of concentrated power amongst certain cloud providers leading to information asymmetries that directly affected the ability of the banking system as a whole to monitor cybersecurity risks.

These aren’t small risks – 92% of UK businesses polled in a recent survey experienced a cyberattack in the last 12 months, and over two-thirds (72%) were breached at least once. British banks and insurers have experienced a staggering 74% increase in cyberattacks since the start of the pandemic, with average losses in the hundreds of thousands.

Where cyberthreats are concerned, ransomware is one of the highest priority threats to banks, and cloud vendor lock-in can exacerbate the threat ransomware poses.

Be wary of the one-stop-shop

Banks have traditionally preferred to store data and run core banking services on their own architecture for a number of reasons. Security concerns are near the top of the list, and in particular fears concerning the potential breach of third-party data stores and loss of control over security-sensitive operations. Regulatory concerns and issues of data sovereignty are also top of mind, as national regulators don’t typically like the idea of core banking data being stored in jurisdictions beyond their direct access.

The three dominant cloud providers, Amazon, Microsoft and Google, offer an almost infinite list of cloud services and, given the lack of common standards in the cloud vendor market, can strong-arm customers into retaining several of their services at once. For example, as of last year, AWS offered more than 175 products and services including: computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

By pitching themselves as a “one stop shop” for data storage and management, bigger providers encourage developers to build their entire technology infrastructure on their platforms, while making it hard to move business to other cloud providers. Such a concentration of power lends itself to the risks identified in the Bank of England report, as it can give rise to opaque business practices whereby neither security information nor the means of monitoring risks is transparent to the customer.

Facing down ransomware

Just last month, several banks were targeted in the attack orchestrated by the notorious REvil cyber-criminal network which led to hackers extorting affected banks for over $70m. As banking service providers deal exclusively with data, there’s no doubt that they need to have more redundancy and more layers of data protection than nearly any other business, yet recent research has shown that nearly two-thirds (63 percent) of banks now suffer from a transformation gap, meaning that their security measures lag behind the complexity of their IT infrastructures.

There are many preventative measures that teams can take to offset the risk of ransomware – keeping systems patched, replacing obsolete systems, deploying and scaling analytics, and developing white lists for processes and apps. One way to guarantee reliable redundant back-ups is the “3-2-1” rule: keeping three separate copies of data, with two on different media formats, and one off-site.

It’s also essential for teams to practise the restoration process and frequently test it to further prepare before ransomware hits, which brings with it another problem. Large providers like AWS charge egress fees which can make this practice expensive, deterring companies from running these important tests. If you are locked in with a vendor that charges these fees, you are essentially “penalised” for practising good cyber security.

However, ransomware succeeds when criminals can destroy or encrypt not only the primary data but also the backups. Once ransomware operators penetrate networks they can take their time watching how you do your backups and data storage. Therefore, ensuring data is stored in some kind of immutable manner, such as immutable cloud storage, is vital. This way, even an attacker who gets inside your network cannot destroy the immutable copies or hold them for ransom.

Diversifying your cloud

Diversifying your cloud providers is important to mitigate against the security risks of vendor lock-in. It will minimise the risks of data loss and downtime while also enabling cost savings in the long-term by avoiding getting locked into long term contracts with a single vendor.

Migration to the cloud doesn’t have to be done all in one go either, but can happen piece by piece. Many companies start by simply migrating their backups to the cloud, whilst others migrate historical data but keep current data locally. For example, if you go to an ATM and deposit some checks, the likelihood is that this transaction will take place in very high speed (and expensive) memory, as those transactions need to happen in milliseconds.

However, if you are looking up a bank statement from three years ago, that data will probably come from slower and much cheaper storage. Therefore, many organisations may want to keep current data that is likely to be needed again in local storage, while migrating older and less-likely-to-be-used data to the cloud. A hybrid cloud approach makes a huge amount of sense for this.

Vendor lock-in is nothing new for banks

Banks have run their own IT infrastructures since the early days of computers. Back then, they spent countless millions on IBM mainframe computers and associated hardware and software, and migrating to any other infrastructure was nearly impossible. So banks have been living with “vendor lock-in” for decades. Moving to the cloud might seem like a way to guard against this, but moving to one of the “walled garden” hyperscalers (Amazon, Microsoft, Google) creates a different form of vendor lock-in. Because each of the hyperscalers has its own proprietary product suite, it is very difficult to port production applications from one cloud to another.

Now that we know the threat this potentially poses, banks thinking prudently about their security systems should make sure their data and cloud backups are diversified among different sources both in the cloud and on premise.
