In the upcoming November digital issue of Bank Systems & Technology we take a look at some of the ways banks are pursuing virtualization and using cloud services, and what the opportunities and threats are.
Recently, BS&T spoke with Dave Asprey, VP of cloud security for security firm Trend Micro, a supporter of the Cloud Security Alliance on some of the trends in the banking industry regarding use of cloud and virtualization, and things banks need to watch out for.
Asprey recognizes that some financial institutions may be hesitant to jump into the cloud, and they may have trepidation about choosing a cloud services provider. That's one of the reasons the CSA created the Cloud Controls Matrix -- a document specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
The organization also created what it calls the STAR (Security, Trust & Assurance Registry), which is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
"Financial institutions wanted to know what each vendor is doing in this space, and here’s a standardized list they can look at," Asprey says.
For a bank looking to take that first initial step into the cloud, Asprey recommends they look at the options for virtual private clouds.
"Instead of going out and sharing all your servers you can have a private server," he says. "It's a good way to get the benefits of a cloud. You might pay slightly more, but you'll have that physical separation between servers and that's good for compliance and peace of mind."
Though many banks might prefer to outsource cloud services to third-party vendors, Asprey says that with the emergence of VMWare and other technologies, it is easier than ever before for organizations to build these virtual environments themselves.
However, there still are some things organizations need to look out for when pursuing virtualization. One area where banks need to pay a lot of attention is encryption key management says Asprey.
"Banks are heavy users of [encryption key management]," he notes. "Once you virtualize ,it is very diff how you use them. You run into the problem where the controls around keys don’t work the way they did before, and you have to work around that.
Im general, as banks pursue more virtualization, they will also need to impose the appropriate security measures, says Asprey.
"You need the proper security tools," he says.