The Pros and (Mostly) Cons of RIAs Moving to the Cloud
The “cloud” has revolutionized computing as we know it, providing SEC registered financial institutions with the ability to quickly deploy an online presence, scale as demand ebbs and flows, and provides the foundation for a remote workforce.
However, this convenience comes with its own set of challenges, and the race to “move to the cloud” has frequently left registered firms and their clients with an entirely new set of security challenges, data-privacy issues, and a significant regulatory compliance workload that they aren’t prepared to face. In this article, we will explore the pros and cons of moving to the cloud as an RIA.
These issues will be even more pronounced with the introduction of the SEC’s new cybersecurity regulation, 206(4)-9.
The Pros of Moving to the Cloud
There are many reasons why RIAs choose to move to the cloud. Perhaps the most appealing reason is the convenience factor. With the cloud, organizations can quickly deploy an online presence without having to invest in on-premises infrastructure. Additionally, the cloud provides organizations with the ability to scale as demand ebbs and flows. For example, during a pandemic when many employees are working remotely, a company may need to increase its cloud capacity to accommodate the influx of traffic.
Another advantage of moving to the cloud is that it can help organizations save money. With on-premises infrastructure, companies have to pay for hardware, software, maintenance, and energy costs. However, with cloud computing, these costs are often included in the monthly service fee. Additionally, because cloud providers frequently offer pay-as-you-go pricing models, companies only have to pay for the resources they use – making it a more cost-effective option in the long run.
The Cons of Moving to the Cloud
However, there are also some disadvantages of moving to the cloud that financial institutions need to be aware of before making the switch. One of the biggest lies ever told is that the cloud provides security. It doesn’t. When data is stored off-site on servers that are managed by a third-party provider, there is always a risk that sensitive information could be compromised. And cloud compromises happen frequently. Additionally, because cloud environments are often complex and dynamic (with multiple users accessing data from different locations), it can be difficult for IT teams to monitor for potential security threats. These cloud providers usually don’t bother checking for breaches/compromises proactively and in many cases, they won’t even tell their customers about notifications of these problems from external researchers.
What problems do I find most frequently when performing security audits for clients?
I have found countless VM images with unpatched vulnerabilities and some that contain malware or coin miners. Furthermore,
Cloud marketplaces are replete with pre-built VMs for customers to use, and while this is a convenient method, it often opens the door for an attack. These images can be outdated or have overly permissive firewall settings which make them an easy target. Another problem has been the introduction of VM images that come pre-installed with malware or crypto-currency miners.
While these attacks are threatening, they’re only the beginning in terms of what’s possible. An attacker that is properly motivated could create a VM image that would contact the malware operators and establish a command-and-control connection after a set amount of time has passed.
Furthermore, with the rise in hybrid-cloud deployments and point-to-point VPNs connecting cloud environments to a customer’s on-premises network, a vulnerability on a cloud VM could easily become a pathway to the heart of an organization’s network.
While cloud providers do scan VM images for malware before allowing them to be used, these scans only detect KNOWN and UNALTERED malicious code. This is not a complete defense against all threats and doesn’t protect from real-world threats. For example, a simple cron job on a Linux VM or scheduled task in Windows could easily download secondary payloads days or weeks after provisioning and never be detected.
Not only this, but cloud providers such as AWS often allow any user to share a VM image in the marketplace. Similar to the risk mobile app stores pose, using these types of VMs can have dangerous enterprise consequences if utilized.
Client privacy issues are a huge concern when moving to the cloud. Because data is stored off-site on servers that are managed by a third-party provider, there is always a risk that sensitive information could be accessed by unauthorized individuals. Cloud deployments are a frequent source of data leaks (S3 buckets, open databases, SQL servers ) for otherwise secure organizations.
Given that security is of utmost importance for the companies sustaining major clouds, such as Azure, AWS, Google Cloud Platform (GCP), etc., said companies have implemented extremely well-developed processes to secure their hypervisor layers. However, because these organizations provide infrastructure/platform/software solutions a majority of the work falls on the customer’s shoulders to secure their particular environment.
Lastly, most cloud providers collect broad swaths of user data (e.g., usage statistics and personal information) for either marketing efforts or third-party sales without users’ prior consent. This should cause anyone to pause about how our (and our client’s) sensitive information is being used and by whom, especially when it’s stored off-site on servers we don’t have control over.
Although cloud networking is not automatically insecure, organizations should understand that their security strategy for the cloud needs to be as strong as an on-premises environment. With the world moving towards a remote workforce operating in a hybrid or cloud-centric environment, these companies cannot believe that added security comes along when you are working with Seattle, Redmond or Bay Area tech giants.
There are both advantages and disadvantages to moving to the cloud, which organizations should weigh carefully before making a decision. Some benefits of moving to the cloud include convenience and cost savings, while some risks include data security threats associated with storing data off-site on servers managed by a third party.
If you do decide to go to the cloud, make sure your are comparing your configuration settings against a known benchmark, such as the CIS AWS Foundations Security Benchmark.
Need help auditing your cloud environments? MTradecraft can help. We are not affiliated with any cloud services which allows us to act as a true consultant to our clients.