Changing The Cloud Security Conversation

What are the pertinent questions banks should ask about security in the cloud?

Banks’ concerns about the security of running applications in the cloud have persisted, keeping many institutions from exploring and using public clouds. However, the cloud security conversation has shifted: under some circumstances, operating in the cloud may even improve security. What’s the cloud security reality right now? What kinds of questions should banks ask about cloud security, and are they focusing on the right issues and investments?

Chris Rezek, Consultant
McKinsey & Company

Cloud computing is being rapidly adopted by enterprise IT, but concerns about trust are still inhibiting the rate of that adoption, particularly for financial services and public cloud.

To enable prudent cloud adoption, enterprises should expand scope beyond technology-focused security questions to include key risk management issues, such as transparency, governance, and compliance.

Bank executives should ask themselves four questions: How much value do we leave on the table if we do not adopt cloud? How pervasive is unofficial cloud adoption already, across the organization? What concentration risks do we create or avoid through managing distribution of data? Can we achieve cloud scale with in-house demand alone (i.e., private cloud)?

They should also ask vendors four questions: What level of transparency and control will the provider deliver? What third-party inspections and certifications are available? How will our compliance requirements be met for each jurisdiction? What level of access to physical and logical systems do we retain?

Instead of making binary, enterprise-wide decisions about cloud, organizations should understand and balance the benefits and risks of available cloud offerings. Adoption decisions should be structured around individual workloads and data and avoid enterprise-wide blanket cloud bans.

Banks should reduce legal exposure through a prudent contracting approach, while at the same time recognizing the essential novelty of the legal environment and unavoidable uncertainty. Key contract elements include the right to audit, right to transparency and reporting, coverage of compliance requirements, and visibility and consideration of the full supply chain (i.e., the cloud provider's service providers).

Cloud can deliver new benefits, along with new risks. Cloud solutions can improve transparency, simplify log and event management and enable more centralized planning. A business- and risk management-focused approach can enable banks to take advantage of efficient, flexible cloud solutions while still protecting data and delivering security.

John Howie, COO, Cloud Security Alliance

Cloud providers benefit from economies of scale and have more resources at their disposal to invest in security and privacy of customer data. Due to the diverse nature of their customer base, cloud providers invest heavily in obtaining a variety of certifications and attestations that they can rely on to prove their solutions can meet their customers' compliance obligations. Although cloud consumers cannot outsource accountability, they can negotiate responsibility with providers.

These certifications and attestations along with other transparency measures, such as publication in the Cloud Security Alliance's (CSA) Security, Trust and Assurance Registry (STAR), can provide a window into the size and scale of the investments in security and privacy made by the cloud providers. Questions that prospective consumers can ask cloud providers might include, "What certifications and attestations do you have?" The answer to this question, however, is not sufficient alone. Consumers also need to ask if certifications and attestations obtained cover the service that the consumer is interested in purchasing, and can satisfy themselves that they do by examining Statements of Applicability and the audit reports themselves. Consumers should also ask providers if they have a SOC 2 report that includes the CSA's own Cloud Controls Matrix (CCM), which is recommended by the American Institute of Certified Public Accountants (AICPA).

Mark Wood, Director of Product Management, Cloud Security, Dell SecureWorks

Security in the cloud is generally more consistent, standardized and reliable than security delivered via an organization’s onsite data center, which frequently has diverse traditional networks and data center infrastructure. Due to the dynamic and de-centralized nature of cloud infrastructure, organizations delivering security through cloud environments tend to approach security with a common set of controls, policies, procedures and privileges.

Cloud Security Service Providers (CSSPs) can often provide comprehensive security controls in cloud environments less expensively than a small bank could in its own environment. CSSPs can provide security at the network, server, endpoint and application levels.

Many larger banks use the cloud for the delivery of applications that serve a bank’s internal users and customers. Larger banks often secure their own private cloud facilities in-house, leveraging their CISO, IT and information security teams. Because cloud environments can support a common end-to-end set of security controls, CSSPs can often provide similar, or better, security-in-depth in the cloud than the bank’s own security team could provide in its traditional data centers.

Banks considering cloud deployments should ask prospective CSSPs: What specific security technologies do you deploy in your cloud infrastructure? What security options do you make available to your clients? How much control do we have over our security? Most importantly, ask where your CSSP’s responsibilities for your security end and where your own responsibilities begin.

Matthew Neely, Director of Strategic Initiatives, SecureState

The reality is that many businesses are not paying close attention to the contracts they sign with cloud providers, and don’t fully understand what the provider is responsible for and what they are responsible for.

It’s not really about the questions bank executives should be asking about cloud security, but rather the steps organizations should take.

The first step to take when you are looking to move processes or data to the cloud is to understand which controls must be in place to protect that business process or data.

Next, see if a cloud provider can implement the controls you require in order to protect your data. Depending on the size and maturity of your security program, you may be able to get better security at a cloud provider than you can in house. However, these situations are rare for most financial institutions. For example, Amazon Web Services (AWS) CloudHSM allows you to implement hardware security modules (HSMs) to encrypt your data and protect the encryption keys. The ability to use HSMs to protect your data might not be an option in your current data center.

Once you have found a cloud provider that can meet your security requirements on paper, the next step is to perform an assessment to verify the controls are implemented properly.

If you do find a provider you are comfortable using, it is critical that your legal staff reviews the contract. The contract must include verbiage to ensure that it includes and implements the minimum list of controls.

Additionally, financial services institutions need to ensure they have the right to audit the cloud environment whenever they like. Organizations should perform follow-up audits at least annually to verify the required controls are still in place.

Peggy Bresnick Kendler has been a writer for 30 years. She has worked as an editor, publicist and school district technology coordinator. During the past decade, Bresnick Kendler has worked for UBM TechWeb on special financial services technology-centered ...

Nathan Golia,
User Rank: Author
11/12/2013 | 9:33:52 PM
re: Changing The Cloud Security Conversation
They might already be more secure. A cloud vendor likely has more resources to pour into security than any financial institutions' IT department.
User Rank: Author
11/11/2013 | 9:24:49 PM
re: Changing The Cloud Security Conversation
Many cloud vendors are pouring a lot of resources into security. It's generally seen as the biggest barrier to adoption of their services. With all of that focus on security, the cloud vendors will probably get to the point where their services are the most secure on the market at some point. But we're probably not there yet.
Zarna Patel,
User Rank: Apprentice
11/11/2013 | 8:27:11 PM
re: Changing The Cloud Security Conversation
That's a good point by Mr. Neely about reading the contract and making sure to find a cloud provider that fits the needs of a financial institution. Making sure the right security is in place at all times is just as important as securing things initially.
User Rank: Author
11/11/2013 | 4:21:05 PM
re: Changing The Cloud Security Conversation
It's interesting that these experts are suggesting there may actually be MORE security in the cloud than in alternative/traditional environments. I'm sure that's somewhat oversimplified, but it does illustrate that execs need to put aside assumptions and preconceptions about these emerging models and objectively assess what strategies truly will support business and operational requirements.
User Rank: Author
11/9/2013 | 2:19:57 PM
re: Changing The Cloud Security Conversation
Cloud services provide too much potential to completely ignore. Like Howie mentions, it's good that cloud vendors can obtain these various industry certificates, so banks can know how legitimate of a cloud vendor they are dealing with.