FSI perspective: Security, privacy, and compliance
This document in the Google Cloud Well-Architected Framework: FSI perspective provides an overview of the principles and recommendations to address the security, privacy, and compliance requirements of financial services industry (FSI) workloads in Google Cloud. The recommendations help you build resilient and compliant infrastructure, safeguard sensitive data, maintain customer trust, navigate the complex landscape of regulatory requirements, and effectively manage cyber threats. The recommendations in this document align with the security pillar of the Well-Architected Framework.
Security in cloud computing is a critical concern for FSI organizations, which are highly attractive to cybercriminals due to the vast amounts of sensitive data that they manage, including customer details and financial records. The consequences of a security breach are exceptionally severe, including significant financial losses, long-term reputational damage, and significant regulatory fines. Therefore, FSI workloads need stringent security controls.
To help ensure comprehensive security and compliance, you need to understand the shared responsibilities between you (FSI organizations) and Google Cloud. Google Cloud is responsible for securing the underlying infrastructure, including physical security and network security. You are responsible for securing data and applications, configuring access control, and configuring and managing security services. To support you in your security efforts, the Google Cloud partner ecosystem offers security integration and managed services.
The security recommendations in this document are mapped to the following core principles:
- Implement security by design
- Implement zero trust
- Implement shift-left security
- Implement preemptive cyber defense
- Use AI securely and responsibly, and use AI for security
- Meet regulatory, compliance, and privacy needs
- Prioritize security initiatives
Implement security by design
Financial regulations like the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA) in the United States, and various national financial data protection laws mandate that security is integrated into systems from the outset. The security-by-design principle emphasizes the integration of security throughout the development lifecycle to help ensure that vulnerabilities are minimized from the outset.
To apply the security-by-design principle for your FSI workloads in Google Cloud, consider the following recommendations:
- Ensure that only necessary permissions are granted by applying the principle of least privilege through granular role-based access control (RBAC) in Identity and Access Management (IAM). The use of RBAC is a key requirement in many financial regulations.
- Enforce security perimeters around your sensitive services and data within Google Cloud by using VPC Service Controls. The security perimeters help to segment and protect sensitive data and resources, and help to prevent data exfiltration and unauthorized access, as required by regulations.
- Define security configurations as code by using infrastructure as code (IaC) tools like Terraform. This approach embeds security controls from the initial deployment phase, which helps to ensure consistency and auditability.
- Scan your application code by integrating Static Application Security Testing (SAST) into the CI/CD pipeline with Cloud Build. Establish automated security gates to prevent the deployment of non-compliant code.
- Provide a unified interface for security insights by using Security Command Center. The use of Security Command Center enables continuous monitoring and early detection of misconfigurations or threats that could lead to regulatory breaches. To meet the requirements of standards such as ISO 27001 and NIST 800-53, you can use posture management templates.
- Track the reduction in vulnerabilities that are identified in production deployments and the percentage of IaC deployments that adhere to security best practices. You can detect and view vulnerabilities and information about compliance with security standards by using Security Command Center. For more information, see Vulnerability findings.
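As an added example (not Google's code), the kind of automated gate that the SAST and IaC recommendations above describe, applied to IAM least privilege: a Python check, run as a Cloud Build step before `terraform apply`, that fails the build when an IAM policy grants basic roles, binds public principals, or grants high-privilege roles directly to individual user accounts. The high-privilege role list and the sample policy are constructed assumptions.

```python
import json

# Basic (primitive) roles grant broad project-wide access; prefer predefined or custom roles.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that make a resource reachable by anyone, or by any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles that should be bound to groups or service accounts, not to individual user accounts
# (assumed list for this example; tailor it to your own role inventory).
HIGH_PRIVILEGE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                        "roles/resourcemanager.projectIamAdmin"}


def check_policy(policy: dict) -> list[str]:
    """Return human-readable findings for an IAM policy; an empty list means the gate passes."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        if role in BASIC_ROLES:
            findings.append(f"basic role {role} granted to {', '.join(members)}")
        for member in members:
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"{role} granted to public principal {member}")
            if role in HIGH_PRIVILEGE_ROLES and member.startswith("user:"):
                findings.append(f"{role} granted directly to {member}; bind a group instead")
    return findings


# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/bigquery.dataViewer", "members": ["group:analysts@example.com"]}
  ],
  "etag": "BwXexample=",
  "version": 1
}""")

if __name__ == "__main__":
    import sys
    problems = check_policy(SAMPLE_POLICY)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)  # a non-zero exit code blocks the pipeline stage
```

In a real pipeline, feed the check the rendered Terraform plan or the policy fetched from the target project rather than the embedded sample.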
Implement zero trust
Modern financial regulations increasingly emphasize the need for stringent access controls and continuous verification. These requirements reflect the principle of zero trust, which aims to protect workloads against both internal and external threats and bad actors. The zero-trust principle advocates for continuous verification of every user and device, which eliminates implicit trust and mitigates lateral movement.
To implement zero trust, consider the following recommendations:
- Enable context-aware access based on user identity, device security, location, and other factors by combining IAM controls with Chrome Enterprise Premium. This approach ensures continuous verification before access to financial data and systems is granted.
- Provide secure and scalable identity and access management by configuring Identity Platform (or your external identity provider if you use Workforce Identity Federation). Set up multi-factor authentication (MFA) and other controls that are crucial to implement zero trust and help ensure regulatory compliance.
- Implement MFA for all user accounts, especially for accounts with accessto sensitive data or systems.
- Support audits and investigations related to regulatory compliance by establishing comprehensive logging and monitoring of user access and network activity.
- Enable private and secure communication between services within Google Cloud and on-premises environments without exposing the traffic to the public internet by using Private Service Connect.
- Implement granular identity controls and authorize access at the application level by using Identity-Aware Proxy (IAP) rather than relying on network-based security mechanisms like VPN tunnels. This approach helps to reduce lateral movement within the environment.
Implement shift-left security
Financial regulators encourage proactive security measures. Identifying and addressing vulnerabilities early in the development lifecycle helps to reduce the risk of security incidents and the potential for non-compliance penalties. The principle of shift-left security promotes early security testing and integration, which helps to reduce the cost and complexity of remediation.
To implement shift-left security, consider the following recommendations:
- Ensure automated security checks early in the development process by integrating security scanning tools, such as container vulnerability scanning and static code analysis, into the CI/CD pipeline with Cloud Build.
- Ensure that only secure artifacts are deployed by using Artifact Registry to provide a secure and centralized repository for software packages and container images with integrated vulnerability scanning. Use virtual repositories to mitigate dependency confusion attacks by prioritizing your private artifacts over remote repositories.
- Automatically scan web applications for common vulnerabilities by integrating Web Security Scanner, which is a part of Security Command Center, into your development pipelines.
- Implement security checks for the source code, build process, and code provenance by using the Supply-chain Levels for Software Artifacts (SLSA) framework. Enforce the provenance of the workloads that run in your environments by using solutions such as Binary Authorization. Ensure that your workloads use only verified open-source software libraries by using Assured Open Source.
- Track the number of vulnerabilities that are identified and remediated in your development lifecycle, the percentage of code deployments that pass security scans, and the reduction in security incidents caused by software vulnerabilities. Google Cloud provides tools to help with this tracking for different kinds of workloads. For example, for containerized workloads, use the container scanning feature of Artifact Registry.
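An added example, not Binary Authorization's own code, that shows the provenance checks the SLSA and Binary Authorization recommendations rely on: a Python deploy gate that admits an image only when it is pinned by digest, an in-toto/SLSA provenance statement names that digest as its subject, a trusted builder produced it, and every dependency the build resolved came from an approved private source (the provenance-side view of the dependency-confusion mitigation). The builder id, registry prefixes, digest and statement are constructed, and verifying the DSSE signature on the statement is assumed to happen before this check runs.

```python
import re

# Assumptions (constructed for this example): the CI builder id and the private
# sources that resolved dependencies are allowed to come from.
TRUSTED_BUILDERS = {"https://ci.example.com/builder@v1"}
ALLOWED_DEP_PREFIXES = ("git+https://github.com/example-org/",
                        "https://us-python.pkg.dev/example-proj/")
# Only digest-pinned references are accepted; tags are mutable and can be re-pointed.
DIGEST_RE = re.compile(r"^(?P<name>[^@]+)@sha256:(?P<digest>[0-9a-f]{64})$")


def gate(image_ref: str, statement: dict) -> tuple[bool, str]:
    """Return (admit, reason) for deploying image_ref given an in-toto/SLSA statement."""
    m = DIGEST_RE.match(image_ref)
    if not m:
        return False, "image is not pinned by sha256 digest"
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        return False, "not an in-toto v1 statement"
    if not str(statement.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        return False, "predicate is not SLSA provenance"
    # The provenance must describe this exact artifact, matched by digest rather than by name.
    if not any(s.get("digest", {}).get("sha256") == m["digest"] for s in statement.get("subject", [])):
        return False, "provenance subject digest does not match image digest"
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        return False, f"untrusted builder: {builder}"
    # Every dependency the build resolved must come from an approved private source.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    untrusted = [d.get("uri") for d in deps if not str(d.get("uri", "")).startswith(ALLOWED_DEP_PREFIXES)]
    if untrusted:
        return False, f"dependencies resolved from untrusted sources: {untrusted}"
    return True, "ok"


DIGEST = "ab" * 32  # constructed digest
GOOD_IMAGE = f"us-docker.pkg.dev/example-proj/apps/payments@sha256:{DIGEST}"
SAMPLE_STATEMENT = {  # constructed, unsigned statement body
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "us-docker.pkg.dev/example-proj/apps/payments", "digest": {"sha256": DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [
            {"uri": "git+https://github.com/example-org/payments@refs/heads/main"},
            {"uri": "https://us-python.pkg.dev/example-proj/pypi/simple/requests/"}]},
        "runDetails": {"builder": {"id": "https://ci.example.com/builder@v1"}},
    },
}
```

Calling `gate(GOOD_IMAGE, SAMPLE_STATEMENT)` admits the image, while the same statement paired with a `:latest` tag, a different digest, or a dependency pulled from a public index is rejected with the reason.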
Implement preemptive cyber defense
Financial institutions are prime targets for sophisticated cyberattacks. Regulations often require robust threat intelligence and proactive defense mechanisms. Preemptive cyber defense focuses on proactive threat detection and response by using advanced analytics and automation.
Consider the following recommendations:
- Proactively identify and mitigate potential threats by using the threat intelligence, incident response, and security validation services of Mandiant.
- Protect web applications and APIs from web exploits and DDoS attacks at the network edge by using Google Cloud Armor.
- Aggregate and prioritize security findings and recommendations by using Security Command Center, which enables security teams to proactively address potential risks.
- Validate preemptive defenses and incident response plans by conducting regular security simulations and penetration testing.
- Measure the time to detect and respond to security incidents, the effectiveness of DDoS mitigation efforts, and the number of prevented cyberattacks. You can get the required metrics and data from Google Security Operations SOAR and SIEM dashboards.
Use AI securely and responsibly, and use AI for security
AI and ML are increasingly used for financial services use cases such as fraud detection and algorithmic trading. Regulations require that these technologies be used ethically, transparently, and securely. AI can also help to enhance your security capabilities. Consider the following recommendations for using AI:
- Develop and deploy ML models in a secure and governed environment by using Vertex AI. Features like model explainability and fairness metrics can help to address responsible-AI concerns.
- Leverage the security analytics and operations capabilities of Google Security Operations, which uses AI and ML to analyze large volumes of security data, detect anomalies, and automate threat response. These capabilities help to enhance your overall security posture and aid in compliance monitoring.
- Establish clear governance policies for AI and ML development and deployment, including security and ethics-related considerations.
- Align with the elements of the Secure AI Framework (SAIF), which provides a practical approach to address the security and risk concerns of AI systems.
- Track the accuracy and effectiveness of AI-powered fraud detection systems, the reduction in false positives in security alerts, and the efficiency gains from AI-driven security automation.
Meet regulatory, compliance, and privacy needs
Financial services are subject to a vast array of regulations, including data residency requirements, specific audit trails, and data protection standards. To ensure that sensitive data is properly identified, protected, and managed, FSI organizations need robust data governance policies and data classification schemes. Consider the following recommendations to help you meet regulatory requirements:
- Set up data boundaries in Google Cloud for sensitive and regulated workloads by using Assured Workloads. Doing so helps you to meet government and industry-specific compliance requirements such as FedRAMP and CJIS.
- Identify, classify, and protect sensitive data, including financial information, by implementing Cloud Data Loss Prevention (Cloud DLP). Doing so helps you to meet data privacy regulations like GDPR and CCPA.
- Track details of administrative activities and access to resources by using Cloud Audit Logs. These logs are crucial for meeting audit requirements that are stipulated by many financial regulations.
- When you choose Google Cloud regions for your workloads and data, consider local regulations that are related to data residency. Google Cloud global infrastructure lets you choose regions that can help you to meet your data residency requirements.
- Manage the keys that are used to encrypt sensitive financial data at rest and in transit by using Cloud Key Management Service. Such encryption is a fundamental requirement of many security and privacy regulations.
- Implement the controls that are necessary to address your regulatory requirements. Validate that the controls work as expected. Get the controls validated again by an external auditor to prove to the regulator that your workloads are compliant with the regulations.
Prioritize security initiatives
Given the breadth of security requirements, financial institutions must prioritize initiatives that are based on risk assessment and regulatory mandates. We recommend the following phased approach:
- Establish a strong security foundation: Focus on the core areas of security, including identity and access management, network security, and data protection. This focus helps to build a robust security posture and helps to ensure comprehensive defense against evolving threats.
- Address critical regulations: Prioritize compliance with key regulations like PCI DSS, GDPR, and relevant national laws. Doing so helps to ensure data protection, mitigates legal risks, and builds trust with customers.
- Implement advanced security: Gradually adopt advanced security practices like zero trust, AI-driven security solutions, and proactive threat hunting.
Last updated 2025-07-28 UTC.