The Risks And Rewards Of Cloud-Based Security Services

Banks are exploring the cost and flexibility benefits of cloud-based security services. But to gain the advantages of using outside providers for security, they'll have to boost their vendor management capabilities.

Cloud-based services are increasingly attractive to banks seeking cost-effective ways to handle the pace of change in technology and regulation. That interest is extending to some of the most sensitive parts of financial institutions' IT organizations, including security services such as email security, website protection, Web application firewall and application security testing -- even as fraudsters' ability to find new ways to circumvent banks' defenses and the headlines surrounding distributed denial-of-service (DDoS) attacks are presenting a challenging new threat landscape.

Digital BankingThe July/August 2013 digital issue of Bank Systems & Technology examines trends in enterprise risk management, with a special focus on the IT challenges and lessons learned from the initial round of Fed-mandated stress testing. July/August 2013 digital issue now.

The incentive is that the cloud offers banks flexibility in meeting security threats at a low up-front cost, experts say. A Gartner study released earlier this year, "Demand for Cloud-Based Offerings Impacts Security Service Spending," predicts that 10% of all security enterprise product capabilities will be delivered in the cloud by 2015. The analyst firm estimates that the overall market for cloud-based security services will grow to $4.2 billion by 2016.

However, as banks become more reliant on the cloud to provide security services, they'll face new challenges around vendor management and how they view their IT organizations.

Most of the interest in security-as-a-service offerings is coming from midtier and community banks, says Mark La Penta, former CIO of MetLife Bank and now a practice manager and senior consultant for CCG Catalyst. Many of the advantages of cloud-based services -- such as the ability to comply quickly with regulations, easy deployment and lower cost of ownership -- are important for smaller institutions squeezed by small IT budgets and staffs, La Penta says. And although the DDoS attacks that have gained wide attention this past year have mostly targeted larger banks, smaller banks have taken notice and want to improve their security capabilities.

"Given the regulatory churn and the headlines around DDoS attacks, board members [at banks] are nervous about security and what protections are in place," La Penta notes.

Multichannel Security Benefits

The advantages of flexibility and low cost of ownership that cloud services offer can help smaller banks compete with bigger institutions as well, La Penta says. In today's omnichannel-oriented consumer banking environment, banks need to provide secure access to customers through a number of devices and channels. Security-as-a-service offerings can help smaller banks that might not have the specialized IT talent to provide that secure access.

"How do I provide secure access [for customers] from a number of different form factors? Security providers will know how to manage that and have the talent to do so," La Penta observes.

[3 Keys To Success For Banks Amid An Operational Risk Renaissance ]

He adds, however, that most banks are still just evaluating security-as-a-service offerings. But he expects to see growing adoption in the next few years as more financial institutions express interest in the idea of outsourcing everything they can.

One bank that's taking advantage of security-as-a-service offerings is Novagalicia Banco, based in A Coruña, Spain. The bank ($95 million in assets) was created in a merger of two savings banks two years ago and had to complete a complex IT integration involving different architectures and applications, says Roberto Baratta, Novagalicia's CISO. In order to get a view of the security in these applications, the bank's IT team had to review a great deal of code that had been written in different languages, Baratta says. Novagalicia chose Hewlett-Packard's Fortify on Demand cloud-based service to help review the code and test the security of its applications.

"We're always looking for as-a-service solutions, even more than our CIO is used to," Baratta says. "In our case, we have restrictions in budget and staff, and EU and Spanish regulators have a view of our capital. We need to be cost-effective."

Novagalicia chose Fortify on Demand because of the number of coding languages it could cover, and started reviewing the code in its most exposed applications (such as its mobile banking app and its website) about a year ago, Baratta reports. An HP analyst reviewed the results of each test for the bank, which Baratta says the bank didn't have the staff to do itself. Any vulnerabilities found in the source code can be corrected quickly, Baratta notes, and the product provides specific guidance on fixing vulnerabilities that allows the bank to train its application developers in security.

That security training also has helped with Payment Card Industry compliance, which requires banks to educate staff about security best practices. "Our last PCI audit recognized the success of the solution, … and our developers are much more mindful of security than before," Baratta says.

Using a cloud service has given the bank much-needed resources and talent at a low cost, but it has also presented new challenges. Novagalicia's IT group has to be more mindful of vendor management as it relies more heavily on the cloud, Baratta says, adding that it has to focus on ensuring the clarity of contracts with providers and the security of those providers.

The challenge around vendor management will require banks' IT organizations to change the way they view themselves, CCG's La Penta says. "IT will have to change; they will have to be more vendor managers. IT staff [at banks] will have to fancy themselves more integrators than developers." This will force IT to change its skill sets over time to focus on streamlining different products from different providers across the enterprise.

La Penta says banks will have to ensure that protocols are up front in service provider contracts around control and backup of data, as well as privacy protection.

Whom Do You Trust?

North American banks have less-strict regulations around data privacy than do European banks such as Novagalicia, and have adopted cloud-based security offerings at a quicker pace than their European counterparts, says Jason Schmitt, director of product management for HP's enterprise security products. But data protection is still a very high priority for banks looking at cloud-based services, he adds. "The bank has to trust you [the vendor] with its data, and in some cases they are trusting you with the source code to their most precious intellectual property," Schmitt says.

But as banks look to the cloud for more services, they'll be writing less of their own code and will have to review the code of their service providers to ensure security, for which in-house software security products aren't always best, Schmitt says. Just like Novagalicia Banco, banks partnering with several service providers that use different code could find that a cloud offering is more up to the task of reading code in different languages. Consequently, banks will have to be more reliant on the cloud to secure their cloud-based services.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio