11:20 AM
Connect Directly

Can the Cloud Ever Be Safe?

Can banks trust their client data to the cloud? Absolutely, say the experts, who suggest financial institutions manage the risks of cloud-based services as they would outsourcing risks -- only with more caution.

The trifecta of benefits promised by cloud computing -- cost savings, business flexibility and agility, and speed -- is perhaps the holy grail of bank IT organizations. But cloud-based services, particularly those that rely on the public cloud, have not seen widespread adoption by financial institutions, as security concerns continue to overshadow all other business drivers.


To help banks navigate the cloud more safely and profitably, the Federal Financial Institution Examination Council (FFIEC) in July released new recommendations to guide financial institutions when using third-party cloud services. The FFIEC said it considers cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. However, "Cloud computing may require more robust controls due to the nature of the service," the FFIEC noted.

"When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service," the council continued. "Vendor management, information security, audits, legal and regulatory compliance, and business continuity planning are key elements of sound risk management and risk mitigation controls for cloud computing. As with other service provider offerings, cloud computing may not be appropriate for all financial institutions."

The Evolution of Infrastructure

Financial institutions need to approach the cloud with caution, says Scott Dillon, EVP, CTO and head of technology services for San Francisco-based Wells Fargo ($1.3 trillion total assets). "Regardless of your size, the security concern is the same when it comes to the cloud," he stresses. "It is front and center."

[Cloud Computing Could Create 1.4 Million Banking Jobs by 2015]

According to Dillon, the security of its data should be paramount to any financial institution, and that should be the primary consideration for banks looking for a cloud services provider. "You have to understand how the service provider will protect your data and what's going on in its cloud," he says.

Dillon adds that banks also need to be careful of running too much in one cloud or with one cloud provider. "You have the concept of 'concentration risk' in cloud computing," he notes. "Imagine if all your compute processing is in one place that goes down. A step into the public cloud has to be thought out a lot."

For Wells Fargo, cloud computing is part of the ongoing process of virtualization and convergence of infrastructure. Dillion acknowledges that the bank uses a private cloud to run a "service-based" infrastructure, one that he says allows multiple services to be "wrapped around it." "We're committed to having a robust infrastructure, and cloud is just one part of that," he explains.

Dillon says Wells Fargo began to think about the future of its infrastructure about five years ago, and that intensified with the bank's acquisition of Wachovia in 2008. "Infrastructure is converging and needs to converge," he adds. "We began to build out capabilities to allow convergence to happen, and we're doing this with the customer at the center. Our approach to infrastructure convergence allows us to serve the customer in a channel-agnostic way."

Ultimately, Dillon says, using the cloud will become commonplace as banks continue to pursue virtualization to a greater degree. "It's an overused buzzword," he agrees. "But the cloud is here to stay."

Small banks that don't have the financial and operational wherewithal to build a private cloud infrastructure, however, need to work with third-party cloud providers in some capacity, something many smaller institutions have been reluctant to do, reports Randall Barker, director of channel strategy for the banking group at Falls Church, Va.-based CSC. "Smaller banks have avoided the whole conversation completely," he says. "They don't have that comfort level." .

Bryan Yurcan is associate editor for Bank Systems and Technology. He has worked in various editorial capacities for newspapers and magazines for the past 8 years. After beginning his career as a municipal and courts reporter for daily newspapers in upstate New York, Bryan has ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.