IT Security for hosted SaaS infrastructures in the Luxembourg financial industry

A guide by our CISO Stéphane Chmielewski

Software-as-a-service (SaaS) businesses are growing at a sky-high pace and are increasingly becoming the first choice because of easy upgrades, scalability, and low infrastructure needs. SaaS is poised to take over the cloud market, and nearly 75% of apps are expected to be SaaS-powered by 2021.

Over recent decades, cyber incidents have become more frequent as well as increasingly costly and damaging. The rising digitisation of financial services, combined with the presence of high-value assets and data, makes the financial system vulnerable to cyber incidents. SaaS application security is therefore one of the growing concerns among startups, tech and financial businesses.

In this article, we highlight some of the critical challenges and draw out a SaaS security guide that, applied on a day-to-day basis, can help you protect your infrastructures and applications from incessant cyber threats.

1. Acknowledge that the IT security landscape is changing, with more cyberattacks and tighter regulations.

Banks and financial institutions are more and more interconnected and technology-driven. Digitisation and globalisation are impacting both company culture and technology, as well as all the processes they entail. New trends and technologies have emerged, such as Artificial Intelligence (AI) and Robotic Process Automation (RPA), radically transforming the way business is conducted.

At the same time, cybercrime and IT deficiencies have been identified by the European Central Bank (ECB) as one of the three most prominent risk drivers affecting the euro area, with cyber threats, and the cost of cyber breaches, growing exponentially day by day. In the past months, cyberattacks have continued to target a wide range of industries, such as Financial Services (Travelex), Construction (Bouygues) and even Health (WHO, hospitals fighting COVID-19).

Cyberattacks are becoming gradually more sophisticated regardless of the industry or the size of the company, and can have a tremendously damaging impact on all aspects of the business: mainly operational and financial, but also reputational, by breaking customers’ trust, and legal (e.g. GDPR penalties if a data breach occurs).

Cybercrime is also getting very lucrative: the damage related to such offences is projected to hit $6 trillion annually by 2021. For example, ransomware damage costs exceeded $5 billion in 2017, 15 times the cost in 2015. Ransomware is a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. A recent report showed that ransomware attacks were growing by more than 350% annually.

At the same time, regulatory pressure on cybersecurity-related topics is intensifying. Data protection and anti-money-laundering rules require banks and financial institutions to strengthen their controls, as the agents of cybercrime are quickly adapting and increasing their level of sophistication. Financial institutions must question their traditional security approaches to ensure operational resilience.

As a regulated company in the Luxembourg financial industry, you should rely on strong security mechanisms to ensure the confidentiality of information, minimise the risk of data corruption and unauthorised access, and prevent information leakage in order to maintain data privacy. You should also continuously train your company’s staff, raise awareness about cyber threats and strengthen your business continuity plan.

2. Continuously monitor cyber risks, both internally and across third parties in the outsourcing chain, to be able to adapt quickly to new cyberattacks and fraud attempts.

As the threat landscape evolves very quickly, practices should be constantly aligned to protect infrastructures and applications. Your security posture should be based on a continuous risk analysis of your external exposure, so that you can be proactive in the face of new cyber threats.

It is important to understand that risk exposure can change very quickly, which is why you should continuously discover, monitor, assess and prioritise risk, both proactively and reactively.

Security cannot be a one-time activity, so it is crucial to perform risk assessments on an ongoing basis, early and continuously. Take very special care over the technology you choose and the way you use it, to make sure those technologies integrate perfectly together from a security perspective across users, devices, logging and connectivity.

Continuous third-party risk assessment and monitoring is also a big part of a cyber risk framework: streamline due diligence to focus on critical risks, or create automated monitoring controls.

3. Pivot to a full-stack security approach and automate it to improve the protection of your environments

Adopt a security-by-design approach to build applications. During the development process, monitor everything in order to minimise the risks associated with the processing of highly sensitive information, especially in a heavily regulated environment. Closely supervise:

  • Application and infrastructure architecture
  • Development and testing
  • Deployment and the running of applications

A security-by-design approach is based on:

  • Using proven technology with a good level of security
  • Controlling the way applications and infrastructures are built and updated
  • Integrating privacy concerns from the beginning

At this point, train the developers in your company to make them aware of the new cyber threats and vulnerabilities related to software development.

Subsequently, and to continue to accelerate and innovate safely, incorporate security directly into DevOps automation practices:

  • First and foremost, apply strict policies for the selection of automation tools and pay special attention to the correct configuration of those tools. Tight access controls on DevOps tools should also be in place, for example: access segregation, protection of secrets in an encrypted vault, strong authentication (MFA), monitoring of hosted infrastructures, etc.
  • Integrate automated controls directly into the DevOps and CI/CD pipelines, including vulnerability scanning of source code and behavioural testing, to identify and close vulnerabilities as soon as possible.
  • Finally, regularly challenge the security of hosted infrastructures through penetration testing, looking at the security of the full technology stack, as cyber criminals need only one vulnerability to be successful.

4. Detect “live” cyberattacks more quickly to reduce the negative impact

Being able to reduce the time to detect a cyberattack is vital to limit the damage such an intrusion could cause. Build infrastructures that can be continuously monitored in order to react as quickly as possible.

Furthermore, rely on several layers of modern network and firewall components to protect the integrity of your network and data, with strong network segmentation that will limit the spread of an attack. Leverage additional layers of security to protect infrastructures and applications against Distributed Denial of Service (DDoS) and web-based attacks.

5. Build a business with cyber resilience foundations to maintain business continuity

It is important to understand that a single cyberattack can have dramatic consequences. Therefore, you should constantly look to build an increasingly resilient organisation by pushing your limits, rethinking processes, challenging existing technologies and testing your capacities under extreme or unusual conditions.

Any organisation can be the target of a cyberattack, regardless of the controls in place. The challenge lies in the organisation’s ability to resume its activity as quickly as possible and limit the impact on the business.

Aim to make cyber resilience a foundation of your controls by constantly challenging the layers of protection that are in place. In the end, cyber resilience really means business resilience.