AWS Security for Financial Institutions

On several occasions at BigCheese, a financial entity (a local bank, an e-wallet, an e-biller, or a wire transfer processor) has asked us for support in solving two related problems:

  • To run in the AWS cloud while remaining in compliance with local regulations (e.g. those of the Central Bank of Uruguay, the BCU).
  • To be confident that the level of compliance "keeps up" as AWS usage grows and new components are developed.

In both cases, the challenge was not only to achieve compliance, but also to apply the highest security standards in AWS for financial institutions.

The second point is almost as important as the first. A security audit can assess the entity's compliance at a given moment, but all systems are dynamic and change constantly, which would call for a recurring audit. For example, one of our customers releases new features and "major" components every 2 months; an audit at that same cadence is unfeasible.

For this reason, we rely on automated services and mechanisms that follow the BCU's recommendations and give us the assurance that if "something is out of line" with the established parameters, we will know quickly.

The recommendations of the financial regulator – Example: Banco Central del Uruguay

Although being in "compliance" with a regulator or auditing entity often seems tedious or an unnecessary overhead, we have learned that the vast majority of the requirements these entities ask us to meet follow generally accepted, internationally shared good practices in security and data protection, even where they are expressed through each country's specific laws.

In line with this, we worked on identifying which of these requirements are specific to the BCU and which are not, in order to understand whether "being in compliance with the BCU" could be equivalent to being in compliance with a known international standard, so as to take advantage of the automatic controls already implemented in AWS for those standards.

Compliance in AWS

AWS offers a series of services that review our AWS resources against best practices in an automated way, integrated under a single service: AWS Security Hub.

Security Hub dashboard. AWS security for financial institutions.

Security Hub allows us to enable groups of controls (or rules) that are checked against our accounts or organization, and gives us a score associated with each set of rules. In the example above, we have enabled:

Both sets of rules yield a score and a list of findings, each of which is self-explanatory about what it controls or recommends:

Example findings in Security Hub

As can be seen above, in some of the example accounts MFA is not enabled, at least one security group allows unrestricted access to a dangerous port (e.g. port 3389), and some S3 buckets do not have the "block public access" option enabled.

These Security Hub controls work together with AWS Config, GuardDuty, Control Tower, and other preventive and detective services that are already embedded in our deployed AWS resources.

In this way, monitoring the health of security controls in AWS for financial institutions becomes easier, and changes in these controls can be detected immediately thanks to the alerts integrated with them.
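As an added example (not code from the original post, and not Security Hub's own logic or API), the Python script below reproduces the three findings named above as local checks over a constructed snapshot of an account, scores them as the share of passed checks (an assumption modelled on how Security Hub summarizes a standard), and diffs two snapshots to list the controls that newly fail, which is the alerting step the paragraph describes. The control labels IAM.19, EC2.19 and S3.8 follow the Foundational Security Best Practices naming but serve here only as identifiers; all account data is constructed.

```python
"""Local re-implementation of three Security Hub-style checks over a constructed
account snapshot (illustrative code; not Security Hub's own logic or API)."""
import ipaddress
from dataclasses import dataclass

# Ports treated as high-risk when reachable from anywhere. 3389 (RDP) is the
# port named in the post; 22 (SSH) is an added assumption.
HIGH_RISK_PORTS = {22, 3389}

# The four S3 Block Public Access settings; all must be on for the check to pass.
PUBLIC_ACCESS_SETTINGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


@dataclass
class AccountSnapshot:
    """Constructed stand-in for what AWS Config would describe for an account."""
    iam_users: dict        # {user_name: mfa_enabled}
    security_groups: dict  # {sg_id: [(from_port, to_port, cidr), ...]} inbound rules
    buckets: dict          # {bucket_name: {setting_name: enabled}}


def finding(control, resource, passed):
    return {"id": f"{control}/{resource}", "status": "PASSED" if passed else "FAILED"}


def rule_exposes_high_risk_port(from_port, to_port, cidr):
    """True when an inbound rule opens a high-risk port to 0.0.0.0/0 or ::/0."""
    world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    return world and any(from_port <= port <= to_port for port in HIGH_RISK_PORTS)


def evaluate(snap):
    """Return one finding per (control, resource), in a stable order."""
    findings = []
    for user, mfa in sorted(snap.iam_users.items()):          # IAM.19: MFA for every user
        findings.append(finding("IAM.19", user, mfa))
    for sg_id, rules in sorted(snap.security_groups.items()):  # EC2.19: no world-open risky ports
        exposed = any(rule_exposes_high_risk_port(*rule) for rule in rules)
        findings.append(finding("EC2.19", sg_id, not exposed))
    for bucket, settings in sorted(snap.buckets.items()):      # S3.8: Block Public Access on
        all_on = all(settings.get(name, False) for name in PUBLIC_ACCESS_SETTINGS)
        findings.append(finding("S3.8", bucket, all_on))
    return findings


def score(findings):
    """Percentage of passed checks, rounded to one decimal (assumed scoring rule)."""
    if not findings:
        return 100.0
    passed = sum(1 for f in findings if f["status"] == "PASSED")
    return round(100.0 * passed / len(findings), 1)


def new_failures(before, after):
    """IDs that fail now but did not fail in the previous snapshot: the alert list."""
    previous = {f["id"]: f["status"] for f in before}
    return sorted(f["id"] for f in after
                  if f["status"] == "FAILED" and previous.get(f["id"]) != "FAILED")


# Constructed sample: one user without MFA, one group with RDP open to the
# world, one bucket with a Block Public Access setting switched off.
BASELINE = AccountSnapshot(
    iam_users={"alice": True, "bob": False},
    security_groups={
        "sg-open": [(3389, 3389, "0.0.0.0/0")],
        "sg-ok": [(443, 443, "0.0.0.0/0"), (3389, 3389, "10.0.0.0/8")],
    },
    buckets={
        "logs": {name: True for name in PUBLIC_ACCESS_SETTINGS},
        "public-assets": {**{name: True for name in PUBLIC_ACCESS_SETTINGS},
                          "BlockPublicAcls": False},
    },
)

# Same account after a release: bob enabled MFA, but a new group opens SSH over IPv6.
AFTER_RELEASE = AccountSnapshot(
    iam_users={"alice": True, "bob": True},
    security_groups={**BASELINE.security_groups, "sg-new": [(0, 65535, "::/0")]},
    buckets=BASELINE.buckets,
)

if __name__ == "__main__":
    before, after = evaluate(BASELINE), evaluate(AFTER_RELEASE)
    print(f"baseline score: {score(before)}%")                        # 50.0%
    print(f"post-release score: {score(after)}%")                     # 57.1%
    print("new failures to alert on:", new_failures(before, after))  # ['EC2.19/sg-new']
```

The diff step is the part worth keeping in mind: the overall score went up after the release (bob enabled MFA), yet a new world-open security group appeared. A score alone would hide that regression, which is why the alerting described above keys on individual control transitions rather than on the aggregate number.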

The maturity model/matrix

Both the BCU and AWS have their own security maturity matrix/model, and there is considerable overlap between the two.

First, we present the maturity model at the abstract level, in terms of security policy and best practices according to the BCU.

BCU maturity model (December 2022)

After defining the monitoring policies and security objectives, we move on to implementing the controls in an automated way. Here a maturity model appears again, this time applied to the specific AWS services and functions that allow us to support the above.

AWS Security Maturity Model (December 2022, source here)

Following this maturity model, it is possible to control our level of security compliance in an automated way, using tools such as Security Hub, AWS Config, IAM, GuardDuty, and configurable alerts that give us peace of mind and allow us to evolve without "leaving security behind".

References for this publication on "AWS Security for Financial Institutions" (December 2022):

  1. Central Bank of Uruguay (2017). Minimum Management Standards for Financial Intermediation Institutions. Retrieved from: https://www.bcu.gub.uy/Servicios-Financieros-SSF/Documents/estandares_minimos_010717.pdf
  2. AGESIC (2018). Cybersecurity Framework. Frame of Reference. Version 4.0. Retrieved from: https://www.gub.uy/agencia-gobierno-electronico-sociedadinformacion-conocimiento/comunicacion/noticias/leer-confianza-nueva-version-delmarco-ciberseguridad
  3. NIST (2018). NIST Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  4. UNIT-ISO/IEC (2013). UNIT-ISO/IEC 27001:2013 Norm – Information Technology – Security Techniques – Information Security Management Systems – Requirements. Retrieved from: https://www.unit.org.uy/normalizacion/norma/100000740/
  5. NIST (2013). NIST Special Publication 800-53, Revision 4. Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
