FSI perspective: Security, privacy, and compliance

Last reviewed 2025-07-28 UTC

This document in the Google Cloud Well-Architected Framework: FSI perspective provides an overview of the principles and recommendations to address the security, privacy, and compliance requirements of financial services industry (FSI) workloads in Google Cloud. The recommendations help you build resilient and compliant infrastructure, safeguard sensitive data, maintain customer trust, navigate the complex landscape of regulatory requirements, and effectively manage cyber threats. The recommendations in this document align with the security pillar of the Well-Architected Framework.

Security in cloud computing is a critical concern for FSI organizations, which are highly attractive targets for cybercriminals because of the volume of sensitive data that they manage, including customer details and financial records. The consequences of a breach are severe: direct financial losses, long-term reputational damage, and regulatory fines. FSI workloads therefore need stringent security controls.

To help ensure comprehensive security and compliance, you need to understand the shared responsibilities between you (the FSI organization) and Google Cloud. Google Cloud is responsible for securing the underlying infrastructure, including physical security, the hardware, and the network that it runs on. You are responsible for everything that you configure on top of that infrastructure: securing your data and applications, configuring access control and network controls such as VPC firewall rules, and configuring and managing the security services that you use. To support you in your security efforts, the Google Cloud partner ecosystem offers security integration and managed services.

The security recommendations in this document are mapped to the following core principles:

Implement security by design

Financial regulations like the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA) in the United States, and various national financial data protection laws require that security is built into systems rather than added afterwards. The security-by-design principle integrates security activities throughout the development lifecycle, so that vulnerabilities are prevented or caught before code reaches production rather than discovered after deployment.

To apply the security-by-design principle for your FSI workloads in Google Cloud, consider the following recommendations:

  • Ensure that only necessary permissions are granted by applying the principle of least privilege through granular role-based access control (RBAC) in Identity and Access Management (IAM): prefer predefined or custom roles that are scoped to a resource over the basic Owner, Editor, and Viewer roles, grant roles to groups rather than to individual users, and use IAM Conditions to limit the time or the resources to which a grant applies. The use of RBAC is a key requirement in many financial regulations.
  • Enforce security perimeters around your sensitive services and data within Google Cloud by using VPC Service Controls. The security perimeters help to segment and protect sensitive data and resources, and help to prevent data exfiltration and unauthorized access, as required by regulations.
  • Define security configurations as code by using infrastructure as code (IaC) tools like Terraform. This approach embeds security controls from the initial deployment phase, which helps to ensure consistency and auditability.
  • Scan your application code by integrating static application security testing (SAST) into the CI/CD pipeline with Cloud Build. Establish automated security gates that fail the build when findings above an agreed severity threshold are present, so that non-compliant code is never deployed.
  • Provide a unified interface for security insights by using Security Command Center. The use of Security Command Center enables continuous monitoring and early detection of misconfigurations or threats that could lead to regulatory breaches. To meet the requirements of standards such as ISO 27001 and NIST 800-53, you can use posture management templates.
  • Track the reduction in vulnerabilities that are identified in production deployments and the percentage of IaC deployments that adhere to security best practices. You can detect and view vulnerabilities and information about compliance to security standards by using Security Command Center. For more information, see Vulnerability findings.
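The least-privilege and VPC Service Controls recommendations above, expressed as Terraform. This is an added example, not configuration from the original page or from Google: the variables, the analyst group, and the perimeter name are assumptions, and the commented-out Editor grant is shown only as the "before" state that the granular bindings replace.

```hcl
# Added example (not from the original page). Assumed: the variables below
# and an organization in which you may create an Access Context Manager policy.
variable "project_id"     { type = string }
variable "project_number" { type = string }
variable "org_id"         { type = string }
variable "analyst_group"  { type = string } # e.g. "group:fsi-analysts@example.com"

# WEAK (do not apply): a basic role grants read/write on almost every
# resource in the project, far beyond what a data analyst needs.
# resource "google_project_iam_member" "analysts_editor" {
#   project = var.project_id
#   role    = "roles/editor"
#   member  = var.analyst_group
# }

# CORRECTED: grant only the predefined roles the job needs, to a group,
# and attach a condition so the grant cannot outlive the access review.
resource "google_project_iam_member" "analysts_bq_viewer" {
  project = var.project_id
  role    = "roles/bigquery.dataViewer"
  member  = var.analyst_group
  condition {
    title       = "expires-at-next-access-review"
    description = "Must be re-approved at the quarterly access review"
    expression  = "request.time < timestamp(\"2025-10-01T00:00:00Z\")"
  }
}

resource "google_project_iam_member" "analysts_bq_jobs" {
  project = var.project_id
  role    = "roles/bigquery.jobUser"
  member  = var.analyst_group
}

# VPC Service Controls: a perimeter around the project so that the BigQuery
# and Cloud Storage APIs cannot be called across the boundary. This blocks the
# classic exfiltration path of copying a dataset into a personal project,
# even by a principal who holds a valid IAM role on the data.
resource "google_access_context_manager_access_policy" "fsi" {
  parent = "organizations/${var.org_id}"
  title  = "fsi-access-policy"
}

resource "google_access_context_manager_service_perimeter" "cardholder_data" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.fsi.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.fsi.name}/servicePerimeters/cardholder_data"
  title  = "cardholder_data"
  status {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
    # From inside the perimeter, only the restricted services are reachable
    # through the private VIP; any other Google API is denied from the VPC.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }
  }
}
```

Because both the bindings and the perimeter are code, a pull request that widens a role or removes a service from `restricted_services` is visible in review and in the repository history, which is the auditability the recommendation asks for. Apply a new perimeter in dry-run mode first (a `spec` block with `use_explicit_dry_run_spec`) and read the VPC Service Controls audit logs for denials before switching to enforcement, because a perimeter also blocks legitimate cross-project traffic that nobody had documented.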

Implement zero trust

Modern financial regulations increasingly emphasize the need for stringent access controls and continuous verification. These requirements reflect the principle of zero trust, which aims to protect workloads against both internal and external threats and bad actors. The zero-trust principle advocates for continuous verification of every user and device, which eliminates implicit trust and mitigates lateral movement.

To implement zero trust, consider the following recommendations:

  • Enable context-aware access based on user identity, device security, location, and other factors by combining IAM controls with Chrome Enterprise Premium. This approach helps ensure that every request is verified before access to financial data and systems is granted, rather than trusting a session because it originates from the corporate network.
  • Provide secure and scalable identity and access management by configuring your identity provider appropriately: Cloud Identity, or your existing external identity provider connected through Workforce Identity Federation, for employees and contractors, and Identity Platform for your customer-facing applications. Set up multi-factor authentication (MFA) and other controls that are crucial to implement zero trust and help ensure regulatory compliance.
  • Implement MFA for all user accounts, and require phishing-resistant MFA, such as FIDO2 security keys, for administrators and for accounts with access to sensitive data or systems.
  • Support audits and investigations related to regulatory compliance by establishing comprehensive logging and monitoring of user access and network activity.
  • Enable private and secure communication between services within Google Cloud and on-premises environments without exposing the traffic to the public internet by using Private Service Connect.
  • Implement granular identity controls and authorize access at the application level by using Identity-Aware Proxy (IAP) rather than relying on network-based security mechanisms like VPN tunnels. This approach helps to reduce lateral movement within the environment.
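A context-aware access level and an IAP grant that depends on it, as an added Terraform example (not configuration from the original page or from Google). The backend service name, the group, and the policy id are assumptions; the access policy itself is assumed to exist already.

```hcl
# Added example (not from the original page). Assumed: the variables below and
# an existing IAP-enabled backend service named "trading-ui" (hypothetical).
variable "project_id"  { type = string }
variable "policy_name" { type = string } # numeric id of the Access Context Manager policy
variable "ops_group"   { type = string } # e.g. "group:treasury-ops@example.com"

# Access level: the request must come from a corporate-owned, encrypted,
# screen-locked device on a supported OS version, from an allowed country.
# Conditions inside one block are ANDed; a device must match one of the
# os_constraints blocks. Device attributes are reported by Endpoint
# Verification, which is part of Chrome Enterprise Premium.
resource "google_access_context_manager_access_level" "managed_device" {
  parent = "accessPolicies/${var.policy_name}"
  name   = "accessPolicies/${var.policy_name}/accessLevels/managed_device"
  title  = "managed_device"
  basic {
    conditions {
      regions = ["GB", "IE"]
      device_policy {
        require_corp_owned          = true
        require_screen_lock         = true
        allowed_encryption_statuses = ["ENCRYPTED"]
        os_constraints {
          os_type         = "DESKTOP_MAC"
          minimum_version = "14.0.0"
        }
        os_constraints {
          os_type         = "DESKTOP_WINDOWS"
          minimum_version = "10.0.19045"
        }
      }
    }
  }
}

# IAP grant: the group can reach the application only while the request
# satisfies the access level. There is no VPN and no trust placed in the
# source network; the check is made on every request at the proxy.
resource "google_iap_web_backend_service_iam_member" "ops_trading_ui" {
  project             = var.project_id
  web_backend_service = "trading-ui"
  role                = "roles/iap.httpsResourceAccessor"
  member              = var.ops_group
  condition {
    title      = "managed-device-only"
    expression = "\"accessPolicies/${var.policy_name}/accessLevels/managed_device\" in request.auth.access_levels"
  }
}
```

Note what this does not cover: MFA enforcement for the workforce is configured in the Google Admin console for Cloud Identity (or in your external identity provider), not in Terraform, and the application behind IAP must still validate the signed `x-goog-iap-jwt-assertion` header so that a request which bypasses the load balancer cannot spoof an identity.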

Implement shift-left security

Financial regulators encourage proactive security measures. Identifying and addressing vulnerabilities early in the development lifecycle helps to reduce the risk of security incidents and the potential for non-compliance penalties. The principle of shift-left security promotes early security testing and integration, which helps to reduce the cost and complexity of remediation.

To implement shift-left security, consider the following recommendations:

  • Ensure automated security checks early in the development process by integrating security scanning tools, such as container vulnerability scanning and static code analysis, into the CI/CD pipeline with Cloud Build.

  • Ensure that only secure artifacts are deployed by using Artifact Registry to provide a secure and centralized repository for software packages and container images with integrated vulnerability scanning. Use virtual repositories to mitigate dependency confusion attacks by prioritizing your private artifacts over remote repositories.

  • Automatically scan web applications for common vulnerabilities by integrating Web Security Scanner, which is a part of Security Command Center, into your development pipelines.

  • Implement security checks for the source code, build process, and code provenance by using the Supply-chain Levels for Software Artifacts (SLSA) framework. Enforce the provenance of the workloads that run in your environments by using solutions such as Binary Authorization, which refuses to admit container images that do not carry an attestation from your build pipeline. Ensure that your workloads use only verified open-source software libraries by using Assured Open Source Software (Assured OSS).

  • Track the number of vulnerabilities that are identified and remediated in your development lifecycle, the percentage of code deployments that pass security scans, and the reduction in security incidents caused by software vulnerabilities. Google Cloud provides tools to help with this tracking for different kinds of workloads. For example, for containerized workloads, use Artifact Analysis vulnerability scanning for the images that are stored in Artifact Registry.
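The dependency-confusion mitigation (virtual repository with private artifacts prioritized) and the Binary Authorization admission policy from the list above, as one added Terraform example. This is not configuration from the original page or from Google: the repository names, the attestor name, and the `signing_key_id` variable (an existing asymmetric signing key in Cloud KMS that your Cloud Build pipeline uses to sign images) are assumptions.

```hcl
# Added example (not from the original page). Assumed: the variables below,
# a Cloud Build pipeline that signs images with the key in signing_key_id.
variable "project_id"     { type = string }
variable "region"         { type = string } # e.g. "europe-west2"
variable "signing_key_id" { type = string } # projects/.../cryptoKeys/binauthz-signer

# First-party packages live here.
resource "google_artifact_registry_repository" "internal_py" {
  project       = var.project_id
  location      = var.region
  repository_id = "internal-py"
  format        = "PYTHON"
}

# Pull-through cache of PyPI; cached packages are scanned like any other artifact.
resource "google_artifact_registry_repository" "pypi_remote" {
  project       = var.project_id
  location      = var.region
  repository_id = "pypi-remote"
  format        = "PYTHON"
  mode          = "REMOTE_REPOSITORY"
  remote_repository_config {
    description = "PyPI mirror"
    python_repository {
      public_repository = "PYPI"
    }
  }
}

# The only index that builds may use. The higher priority wins, so an
# internal package name is never resolved from PyPI even if an attacker
# publishes the same name there (dependency confusion).
resource "google_artifact_registry_repository" "py" {
  project       = var.project_id
  location      = var.region
  repository_id = "py"
  format        = "PYTHON"
  mode          = "VIRTUAL_REPOSITORY"
  virtual_repository_config {
    upstream_policies {
      id         = "internal"
      repository = google_artifact_registry_repository.internal_py.id
      priority   = 100
    }
    upstream_policies {
      id         = "pypi"
      repository = google_artifact_registry_repository.pypi_remote.id
      priority   = 10
    }
  }
}

# Attestor backed by the CI signing key's public half.
data "google_kms_crypto_key_version" "signer" {
  crypto_key = var.signing_key_id
}

resource "google_container_analysis_note" "build" {
  project = var.project_id
  name    = "cloud-build-attestation"
  attestation_authority {
    hint {
      human_readable_name = "Built and signed by the FSI CI pipeline"
    }
  }
}

resource "google_binary_authorization_attestor" "cloud_build" {
  project = var.project_id
  name    = "cloud-build"
  attestation_authority_note {
    note_reference = google_container_analysis_note.build.name
    public_keys {
      id = data.google_kms_crypto_key_version.signer.id
      pkix_public_key {
        public_key_pem      = data.google_kms_crypto_key_version.signer.public_key[0].pem
        signature_algorithm = data.google_kms_crypto_key_version.signer.public_key[0].algorithm
      }
    }
  }
}

# Admission policy: block and log any image without a valid attestation.
# Google-maintained system images remain allowed by the global policy.
resource "google_binary_authorization_policy" "require_attestation" {
  project                       = var.project_id
  global_policy_evaluation_mode = "ENABLE"
  default_admission_rule {
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = [google_binary_authorization_attestor.cloud_build.name]
  }
}
```

Point `pip` (or the equivalent for your package ecosystem) only at the virtual repository `py`, and remove any direct PyPI index from build configuration; the mitigation is only as good as the absence of a second index. The attestation policy closes the loop with the CI gate: a build step that signs an image only after the SAST and vulnerability scans pass means that an unscanned image cannot be deployed, however it was built. Binary Authorization is enforced on GKE clusters and on Cloud Run services where it is enabled; start with `DRYRUN_AUDIT_LOG_ONLY` to see what would be blocked.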

Implement preemptive cyber defense

Financial institutions are prime targets for sophisticated cyberattacks. Regulations often require robust threat intelligence and proactive defense mechanisms. Preemptive cyber defense focuses on proactive threat detection and response by using advanced analytics and automation.

Consider the following recommendations:

  • Proactively identify and mitigate potential threats by using the threat intelligence, incident response, and security validation services of Mandiant.
  • Protect web applications and APIs from web exploits and DDoS attacks at the network edge by using Google Cloud Armor.
  • Aggregate and prioritize security findings and recommendations by using Security Command Center, which enables security teams to proactively address potential risks.
  • Validate preemptive defenses and incident response plans by conducting regular security simulations and penetration testing.
  • Measure the time to detect and respond to security incidents, the effectiveness of DDoS mitigation efforts, and the number of attacks that your controls blocked. You can get the required metrics and data from Google Security Operations SOAR and SIEM dashboards.
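A Cloud Armor security policy that applies the edge protections listed above, as an added Terraform example (not configuration from the original page or from Google). The policy and backend names, the login path, and the rate-limit threshold are assumptions chosen for illustration.

```hcl
# Added example (not from the original page). Assumed: the variable below and
# a backend (NEG or instance group) that you attach to the backend service.
variable "project_id" { type = string }

resource "google_compute_security_policy" "edge" {
  project = var.project_id
  name    = "fsi-edge-policy"

  # Layer-7 DDoS defense: Adaptive Protection baselines normal traffic and
  # raises alerts (with suggested rules) when a source deviates from it.
  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = true
    }
  }

  # Preconfigured WAF rules (derived from the OWASP Core Rule Set).
  # Sensitivity 1 enables only the highest-confidence signatures, which keeps
  # false positives low on JSON-heavy banking APIs; raise it after tuning.
  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "Block SQL injection"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  rule {
    action      = "deny(403)"
    priority    = 1001
    description = "Block cross-site scripting"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  # Per-source rate limit on the login endpoint: credential stuffing shows up
  # as many attempts from one address before it shows up anywhere else.
  rule {
    action      = "throttle"
    priority    = 2000
    description = "Throttle login attempts per source IP"
    match {
      expr {
        expression = "request.path.matches('^/api/v1/login$')"
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 20
        interval_sec = 60
      }
    }
  }

  # The default rule is mandatory and must match all traffic.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "default rule"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

resource "google_compute_backend_service" "api" {
  project         = var.project_id
  name            = "fsi-api-backend"
  protocol        = "HTTPS"
  security_policy = google_compute_security_policy.edge.id
  # backend {} blocks omitted: attach your NEG or instance group here.
}
```

Run new WAF rules with `preview = true` first and read the Cloud Armor request logs for matches before switching them to enforcing; the logged `enforcedSecurityPolicy` and `previewSecurityPolicy` fields are also the raw data behind the "attacks blocked" metric above.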

Use AI securely and responsibly, and use AI for security

AI and ML are increasingly used for financial services use cases such as fraud detection and algorithmic trading. Regulations require that these technologies be used ethically, transparently, and securely. AI can also help to enhance your security capabilities. Consider the following recommendations for using AI:

  • Develop and deploy ML models in a secure and governed environment by using Vertex AI. Features like model explainability and fairness metrics can help to address responsible-AI concerns.
  • Use the security analytics and operations capabilities of Google Security Operations, which uses AI and ML to analyze large volumes of security data, detect anomalies, and automate threat response. These capabilities help to enhance your overall security posture and aid in compliance monitoring.
  • Establish clear governance policies for AI and ML development and deployment, including security and ethics-related considerations.
  • Align with the elements of the Secure AI Framework (SAIF), which provides a practical approach to address the security and risk concerns of AI systems.
  • Track the accuracy and effectiveness of AI-powered fraud detection systems, the reduction in false positives in security alerts, and the efficiency gains from AI-driven security automation.

Meet regulatory, compliance, and privacy needs

Financial services are subject to a vast array of regulations, including data residency requirements, specific audit trails, and data protection standards. To ensure that sensitive data is properly identified, protected, and managed, FSI organizations need robust data governance policies and data classification schemes. Consider the following recommendations to help you meet regulatory requirements:

  • Set up data boundaries in Google Cloud for sensitive and regulated workloads by using Assured Workloads. Assured Workloads enforces controls such as data residency in the regions that you select, restrictions on Google personnel access, and customer-managed encryption keys, which helps you to meet government and industry-specific compliance requirements such as FedRAMP and CJIS, and regional control packages such as EU Regions and Support.
  • Identify, classify, and protect sensitive data, including financial information, by implementing Sensitive Data Protection (formerly Cloud Data Loss Prevention, or Cloud DLP). Use its inspection and de-identification capabilities to find card numbers, account identifiers, and personal data in storage and in logs, and to mask or tokenize them before the data leaves a controlled environment. Doing so helps you to meet data privacy regulations like GDPR and CCPA.
  • Track details of administrative activities and access to resources by using Cloud Audit Logs. Admin Activity logs are always written; enable Data Access audit logs explicitly for the services that hold regulated data, because they are disabled by default for most services (BigQuery is the main exception). These logs are crucial for meeting audit requirements that are stipulated by many financial regulations.
  • When you choose Google Cloud regions for your workloads and data, consider local regulations that are related to data residency. Google Cloud global infrastructure lets you choose regions that can help you to meet your data residency requirements.
  • Encrypt sensitive financial data at rest with keys that you control by using Cloud Key Management Service (Cloud KMS). Customer-managed encryption keys (CMEK) let you choose the key's location, its protection level (software or HSM), and its rotation schedule, and let you make the data unreadable by disabling or destroying the key. Protect data in transit with TLS. Encryption at rest and in transit is a fundamental requirement of many security and privacy regulations.
  • Implement the controls that are necessary to address your regulatory requirements. Validate that the controls work as expected. Get the controls validated again by an external auditor to prove to the regulator that your workloads are compliant with the regulations.
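The encryption, audit-logging, residency, and data-classification recommendations above, as one added Terraform example (not configuration from the original page or from Google). The key, bucket, and template names are assumptions, as is the 90-day rotation period; substitute the region that satisfies your own residency rule.

```hcl
# Added example (not from the original page). Assumed: the variables below.
variable "project_id" { type = string }
variable "region"     { type = string } # a region that meets your residency rule, e.g. "europe-west2"

# Key material is created in, and never leaves, the chosen region.
resource "google_kms_key_ring" "fsi" {
  project  = var.project_id
  name     = "fsi-keyring"
  location = var.region
}

resource "google_kms_crypto_key" "records" {
  name            = "customer-records"
  key_ring        = google_kms_key_ring.fsi.id
  rotation_period = "7776000s" # 90 days
  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM" # FIPS 140-2 Level 3 validated HSMs
  }
  lifecycle {
    prevent_destroy = true # destroying the key destroys access to the data
  }
}

# Cloud Storage's service agent must be allowed to use the key before the
# bucket is created, otherwise the bucket creation fails.
data "google_storage_project_service_account" "gcs" {
  project = var.project_id
}

resource "google_kms_crypto_key_iam_member" "gcs_uses_key" {
  crypto_key_id = google_kms_crypto_key.records.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

# Regional bucket (residency), CMEK by default, no public access possible.
resource "google_storage_bucket" "records" {
  project                     = var.project_id
  name                        = "${var.project_id}-customer-records"
  location                    = upper(var.region)
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
  encryption {
    default_kms_key_name = google_kms_crypto_key.records.id
  }
  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_key]
}

# Audit logs: Admin Activity is always on. Data Access logs are what an
# auditor asks for when tracing who read a customer record, and must be
# enabled explicitly. This resource is authoritative for the project.
resource "google_project_iam_audit_config" "all_services" {
  project = var.project_id
  service = "allServices"
  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

# Sensitive Data Protection inspect template for the identifiers that matter
# most in FSI data. Reuse it from inspection jobs and from de-identification.
resource "google_data_loss_prevention_inspect_template" "financial" {
  parent       = "projects/${var.project_id}"
  display_name = "financial-identifiers"
  inspect_config {
    info_types { name = "CREDIT_CARD_NUMBER" }
    info_types { name = "IBAN_CODE" }
    min_likelihood = "LIKELY"
    limits {
      max_findings_per_request = 100
    }
  }
}
```

Two practical caveats: Data Access logs for storage and database services are high volume and carry their own cost, so route them to a dedicated log bucket with a retention period that matches the regulation rather than the default; and the `prevent_destroy` guard on the key is deliberate, because a destroyed CMEK key makes every object it protected permanently unreadable, which is the control's strength and also the easiest way to lose regulated data by accident.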

Prioritize security initiatives

Given the breadth of security requirements, financial institutions must prioritize initiatives that are based on risk assessment and regulatory mandates. We recommend the following phased approach:

  1. Establish a strong security foundation: Focus on the core areas of security, including identity and access management, network security, and data protection. This focus helps to build a robust security posture and helps to ensure comprehensive defense against evolving threats.
  2. Address critical regulations: Prioritize compliance with key regulations like PCI DSS, GDPR, and relevant national laws. Doing so helps to ensure data protection, mitigates legal risks, and builds trust with customers.
  3. Implement advanced security: Gradually adopt advanced security practices like zero trust, AI-driven security solutions, and proactive threat hunting.