If you’re a financial services organization, data is your business. Whether you’re in banking, insurance, wealth management, mutual funds or advisory services, everything centers around collecting, generating, moving, managing, analyzing and acting upon copious amounts of data – much of which is sensitive.
The move to SaaS
There’s been a move to transform that data from paper-based to digital for some time. The pandemic greatly accelerated that shift, with financial services professionals working remotely and customers needing online access to their information.
Now, more and more organizations are using cloud-based, SaaS applications to not only manage electronic financial data but also run their business. For instance, Salesforce helps manage sales and customer data and enables insights for product and service innovations.
SaaS complicates compliance
SaaS provides numerous advantages. There are significant cost savings that come from not having to invest in, maintain or update supporting IT infrastructure. You can operate with much more agility, and easily and cost-effectively scale data and users. And since many users access the same application, they can easily share information and be sure they’re accessing the latest version.
But there are also complications, particularly when it comes to ensuring compliance in such a highly regulated industry. Consider the Gramm-Leach-Bliley Act, which requires financial institutions to “safeguard sensitive data, know where sensitive customer information is stored, and store it securely.” Or the SEC’s Regulation S-P, which mandates “protecting against hazards to the integrity, unauthorized access to, or use of customer records and information.” And then there’s the need to be WORM-compliant, meaning records must be “Write Once Read Many” to ensure they’re not altered or deleted.
When you use SaaS applications, your data resides in the app vendor’s infrastructure. Essentially, they own your data. However, the vendors operate under a shared responsibility model. This means they’re obligated to protect the SaaS app itself, but they’re not responsible for safeguarding your data. That’s your responsibility.
Because of this, some organizations use backup vendors to help protect their SaaS app data. But even this causes complications, because that data typically resides in the backup vendor’s infrastructure under that vendor’s control, not theirs.
How to reduce risk
Where data is stored is critical to how accessible and vulnerable it is. One key way financial services organizations can mitigate risk and enhance compliance is by bringing SaaS app data storage under direct ownership – and making sure to capture and retain all changes made to the data, as well as information about who made those changes. This includes not only who they are, but also where they were located, their IP address, the device used to access the data, and so on.
To take back ownership of data, organizations can back up and archive all historical data directly into their own cloud storage environment. With 69% of financial companies using AWS and 79% using Microsoft Azure even prior to the pandemic, it’s extremely likely that most organizations today already use cloud storage. And both AWS S3 and Azure have WORM-compliant offerings, meaning organizations can make the data non-erasable and non-modifiable for a time interval that they specify.
By centralizing data into an owned data lake, organizations can then create “watering holes” of data access for authorized users – instead of gatekeeping information in a vendor-owned and controlled repository or providing access with relaxed risk management processes.
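The two ideas above (capture every change together with who made it, from where, from which IP and device, and keep those records write-once for a retention period you choose) can be shown concretely. The following is an added example, not code from the article or from any vendor it mentions: a hash-chained change log in which each record carries the access context, a retention check that refuses deletion inside the WORM window, and a helper that builds the keyword arguments for boto3's `s3.put_object()` with S3 Object Lock in COMPLIANCE mode. The class and function names, the seven-year retention period and the sample change records are all constructed for illustration; the Object Lock parameters assume the target bucket was created with Object Lock enabled.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first record in an empty log


@dataclass(frozen=True)
class ChangeRecord:
    """One captured change plus the access context the article calls for."""
    seq: int
    record_id: str   # which SaaS record changed (e.g. a CRM account id)
    actor: str       # who made the change
    location: str    # where they were located
    ip: str          # source IP address
    device: str      # device used to access the data
    change: dict     # field -> {"old": ..., "new": ...}, as exported from the app
    timestamp: str   # ISO 8601, UTC
    prev_hash: str   # SHA-256 of the previous record (chain link)
    hash: str        # SHA-256 over every field above


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RetentionError(Exception):
    """Raised when a modify/delete would violate the WORM retention window."""


class WormChangeLog:
    """Append-only log; records are immutable until their retention date."""

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.records: list[ChangeRecord] = []
        self._retain_until: dict[int, datetime] = {}

    def append(self, *, record_id, actor, location, ip, device, change,
               now: datetime) -> ChangeRecord:
        prev_hash = self.records[-1].hash if self.records else GENESIS
        body = {"seq": len(self.records), "record_id": record_id, "actor": actor,
                "location": location, "ip": ip, "device": device, "change": change,
                "timestamp": now.isoformat(), "prev_hash": prev_hash}
        rec = ChangeRecord(**body, hash=_digest(body))
        self.records.append(rec)
        self._retain_until[rec.seq] = now + self.retention
        return rec

    def retain_until(self, seq: int) -> datetime:
        return self._retain_until[seq]

    def assert_mutable(self, seq: int, now: datetime) -> None:
        """Refuse any modify/delete while the record is inside its WORM window."""
        if now < self._retain_until[seq]:
            raise RetentionError(f"record {seq} locked until {self._retain_until[seq]}")

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any record was altered."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = asdict(rec)
            stored = body.pop("hash")
            if rec.seq != i or rec.prev_hash != prev or _digest(body) != stored:
                return False
            prev = stored
        return True


def object_lock_put_args(bucket: str, key: str, rec: ChangeRecord,
                         retain_until: datetime) -> dict:
    """kwargs for boto3 s3.put_object() writing the record under Object Lock.
    Assumption: the bucket was created with Object Lock enabled."""
    return {"Bucket": bucket, "Key": key,
            "Body": json.dumps(asdict(rec), sort_keys=True).encode(),
            "ContentType": "application/json",
            "ObjectLockMode": "COMPLIANCE",
            "ObjectLockRetainUntilDate": retain_until}


def demo() -> dict:
    """Constructed sample run; returns the checks a reviewer would look at."""
    t0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    log = WormChangeLog(retention_days=7 * 365)
    r0 = log.append(record_id="acct-001", actor="jdoe", location="Boston, US",
                    ip="203.0.113.7", device="laptop-17",
                    change={"phone": {"old": "555-0100", "new": "555-0199"}}, now=t0)
    log.append(record_id="acct-001", actor="asmith", location="London, UK",
               ip="198.51.100.4", device="mobile-02",
               change={"email": {"old": "a@example.com", "new": "b@example.com"}},
               now=t0 + timedelta(hours=1))
    out = {"chain_ok": log.verify_chain(), "first_prev_hash": r0.prev_hash}
    try:
        log.assert_mutable(0, t0 + timedelta(days=30))
        out["locked_during_retention"] = False
    except RetentionError:
        out["locked_during_retention"] = True
    log.assert_mutable(0, t0 + timedelta(days=7 * 365 + 1))  # allowed after window
    out["lock_mode"] = object_lock_put_args("archive", "acct-001/0.json", r0,
                                            log.retain_until(0))["ObjectLockMode"]
    log.records[0] = replace(log.records[0], ip="192.0.2.9")  # simulate tampering
    out["tamper_detected"] = not log.verify_chain()
    return out
```

Each record's hash covers the actor, location, IP and device fields as well as the change itself, so a later edit to any of that context breaks the chain and is caught by `verify_chain()`; the retention check lives in the log, and the same retention date is passed to Object Lock so the storage layer enforces it independently of the application.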
Mitigating data sprawl
Reducing data sprawl is another essential component of compliance. Today, to access the data needed to perform their jobs, many employees copy data from SaaS applications into their own systems. This creates myriad problems, from inaccuracies caused by data being changed in one version of copied data and not others, to the more straightforward issue of not knowing everywhere data is stored – and who is accessing it.
The more copies there are and the more potential touch points, the greater the opportunities for unauthorized access, and the harder access and changes are to trace. These issues can put an organization at risk for breaches, intentional and inadvertent data corruption, and penalties when auditors come knocking.
By capturing every single data change and storing all that historical data in the secure AWS or Azure enclave an organization is already investing in, they can get all the benefits of SaaS while enabling the granular traceability and digital chain of custody required for compliance.