Banks’ concerns about the security of running applications in the cloud have persisted, keeping many institutions from exploring and using public clouds. However, the cloud security conversation has shifted: under some circumstances, security may even improve when operating in the cloud. What is the cloud security reality right now? What kinds of questions should banks ask about cloud security, and are they focusing on the right issues and investments?
Chris Rezek, Consultant, McKinsey & Company
Cloud computing is being rapidly adopted by enterprise IT, but concerns about trust are still inhibiting the rate of that adoption, particularly for financial services and public cloud.
To enable prudent cloud adoption, enterprises should expand scope beyond technology-focused security questions to include key risk management issues, such as transparency, governance, and compliance.
Bank executives should ask themselves four questions: How much value do we leave on the table if we do not adopt cloud? How pervasive is unofficial cloud adoption already, across the organization? What concentration risks do we create or avoid through managing distribution of data? Can we achieve cloud scale with in-house demand alone (i.e., private cloud)?
In addition, they should also ask vendors four questions: What level of transparency and control will the provider deliver? What third-party inspections and certifications are available? How will our compliance requirements be met for each jurisdiction? What level of access to physical and logical systems do we retain?
Instead of making binary, enterprise-wide decisions about cloud, organizations should understand and balance the benefits and risks of available cloud offerings. Adoption decisions should be structured around individual workloads and data and avoid enterprise-wide blanket cloud bans.
Banks should reduce legal exposure through a prudent contracting approach, while at the same time recognizing the essential novelty of the legal environment and unavoidable uncertainty. Key contract elements include the right to audit, right to transparency and reporting, coverage of compliance requirements, and visibility and consideration of the full supply chain (i.e., the cloud provider's service providers).
Cloud can deliver new benefits, along with new risks. Cloud solutions can improve transparency, simplify log and event management and enable more centralized planning. A business- and risk management-focused approach can enable banks to take advantage of efficient, flexible cloud solutions while still protecting data and delivering security.
John Howie, COO, Cloud Security Alliance
Cloud providers benefit from economies of scale and have more resources at their disposal to invest in security and privacy of customer data. Due to the diverse nature of their customer base, cloud providers invest heavily in obtaining a variety of certifications and attestations that they can rely on to prove their solutions can meet their customers' compliance obligations. Although cloud consumers cannot outsource accountability, they can negotiate responsibility with providers.
These certifications and attestations along with other transparency measures, such as publication in the Cloud Security Alliance's (CSA) Security, Trust and Assurance Registry (STAR), can provide a window into the size and scale of the investments in security and privacy made by the cloud providers. Questions that prospective consumers can ask cloud providers might include, "What certifications and attestations do you have?" The answer to this question, however, is not sufficient alone. Consumers also need to ask if certifications and attestations obtained cover the service that the consumer is interested in purchasing, and can satisfy themselves that they do by examining Statements of Applicability and the audit reports themselves. Consumers should also ask providers if they have a SOC 2 report that includes the CSA's own Cloud Controls Matrix (CCM), which is recommended by the American Institute of Certified Public Accountants (AICPA).
Mark Wood, Director of Product Management, Cloud Security, Dell SecureWorks
Security in the cloud is generally more consistent, standardized and reliable than security delivered via an organization’s onsite data center, which frequently has diverse traditional networks and data center infrastructure. Due to the dynamic and de-centralized nature of cloud infrastructure, organizations delivering security through cloud environments tend to approach security with a common set of controls, policies, procedures and privileges.
Cloud Security Service Providers (CSSPs) can often provide comprehensive security controls in cloud environments less expensively than a small bank could in its own environment. CSSPs can provide security at the network, server, endpoint and application levels.
Many larger banks use the cloud for the delivery of applications that serve a bank’s internal users and customers. Larger banks often secure their own private cloud facilities in-house, leveraging their CISO, IT and information security teams. Because cloud environments can support a common end-to-end set of security controls, CSSPs can often provide similar or better security-in-depth in the cloud than the bank’s own security team could provide in its traditional data centers.
Banks considering cloud deployments should ask prospective CSSPs: What specific security technologies do you deploy in your cloud infrastructure? What security options do you make available to your clients? How much control do you have over your security? Most importantly, ask where your CSSP’s responsibilities for your security end and where your own begin.
Matthew Neely, Director of Strategic Initiatives, SecureState
The reality is that many businesses are not paying close attention to the contracts they sign with cloud providers, and don’t fully understand what the provider is responsible for and what they are responsible for.
It’s not really about the questions bank executives should be asking about cloud security, but rather the steps organizations should take.
The first step to take when you are looking to move processes or data to the cloud is to understand which controls must be in place to protect that business process or data.
Next, see if a cloud provider can implement the controls you require in order to protect your data. Depending on the size and maturity of your security program, you may be able to get better security at a cloud provider than you can in house. However, these situations are rare for most financial institutions. For example, Amazon Web Services (AWS) CloudHSM allows you to implement hardware security modules (HSMs) to encrypt your data and protect the encryption keys. The ability to use HSMs to protect your data might not be an option in your current data center.
Once you have found a cloud provider that can meet your security requirements on paper, the next step is to perform an assessment to verify the controls are implemented properly.
If you do find a provider you are comfortable using, it is critical that your legal staff reviews the contract. The contract must include verbiage to ensure that it includes and implements the minimum list of controls.
Additionally, financial services institutions need to ensure they have the right to audit the cloud environment whenever they like. Organizations should perform follow-up audits at least annually to verify the required controls are still in place.
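The HSM point above is worth seeing in code: with envelope encryption, each record is encrypted under its own data-encryption key (DEK), and the DEK is stored only in wrapped form under a key-encryption key (KEK) that never leaves the HSM. A copy of the database without access to the HSM is therefore useless, and rotating the KEK touches only the small wrapped keys, not the bulk data. The following is an added example, not code from the article or from any of the vendors named in it. The `SimulatedHsm` class is a stand-in for an HSM, not the AWS CloudHSM API, and `seal`/`open_sealed` are a standard-library-only stand-in for AES-GCM (HMAC-SHA256 keystream plus HMAC tag) so that the example runs offline; the sample record is constructed.

```python
"""Envelope encryption with the key-encryption key (KEK) confined to an HSM
boundary. Added example with a simulated HSM; not AWS CloudHSM or any real
HSM API, and the cipher is a stand-in for AES-GCM, not production crypto."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: encrypt-then-MAC with derived subkeys."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedHsm:
    """Stand-in for an HSM (hypothetical, not a vendor API): KEK versions live
    only here; callers get wrap, unwrap and rewrap operations, never key bytes."""

    def __init__(self):
        self._keks = {1: secrets.token_bytes(32)}
        self.current = 1
        self.audit_log = []  # a real HSM records every key operation

    def wrap_key(self, dek: bytes) -> bytes:
        self.audit_log.append(("wrap", self.current))
        return bytes([self.current]) + seal(self._keks[self.current], dek)

    def unwrap_key(self, wrapped: bytes) -> bytes:
        version = wrapped[0]
        if version not in self._keks:
            raise KeyError(f"KEK version {version} is not present in this HSM")
        self.audit_log.append(("unwrap", version))
        return open_sealed(self._keks[version], wrapped[1:])

    def rotate_kek(self) -> int:
        self.current += 1
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current

    def rewrap_key(self, wrapped: bytes) -> bytes:
        """Re-protect a DEK under the current KEK without it leaving the HSM."""
        return self.wrap_key(self.unwrap_key(wrapped))


def encrypt_record(hsm: SimulatedHsm, plaintext: bytes) -> dict:
    dek = secrets.token_bytes(32)  # fresh data key per record
    record = {"wrapped_dek": hsm.wrap_key(dek), "ciphertext": seal(dek, plaintext)}
    del dek  # only the wrapped form is ever stored alongside the data
    return record


def decrypt_record(hsm: SimulatedHsm, record: dict) -> bytes:
    dek = hsm.unwrap_key(record["wrapped_dek"])
    return open_sealed(dek, record["ciphertext"])


def rotate_and_rewrap(hsm: SimulatedHsm, records: list) -> int:
    """KEK rotation touches only the wrapped keys, not the bulk ciphertext."""
    new_version = hsm.rotate_kek()
    for record in records:
        record["wrapped_dek"] = hsm.rewrap_key(record["wrapped_dek"])
    return new_version


if __name__ == "__main__":
    hsm = SimulatedHsm()
    rec = encrypt_record(hsm, b"account 1234 balance 500")  # constructed sample
    assert decrypt_record(hsm, rec) == b"account 1234 balance 500"
    rotate_and_rewrap(hsm, [rec])
    assert decrypt_record(hsm, rec) == b"account 1234 balance 500"
    print("ok")
```

Two properties map directly onto the contract and audit questions in this article: a second `SimulatedHsm` holding a different KEK cannot unwrap the record (so a leaked copy of the data store is not a breach on its own), and `audit_log` gives the bank the per-operation trail it would want the right to inspect.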
Peggy Bresnick Kendler has been a writer for 30 years. She has worked as an editor, publicist and school district technology coordinator. During the past decade, Bresnick Kendler has worked for UBM TechWeb on special financial-services technology-centered ...