What Banks Need to Know About the Cloud

The industry group Cloud Security Alliance offers resources for financial institutions looking to utilize cloud services.

In the upcoming November digital issue of Bank Systems & Technology we take a look at some of the ways banks are pursuing virtualization and using cloud services, and what the opportunities and threats are.

Recently, BS&T spoke with Dave Asprey, VP of cloud security for security firm Trend Micro, a supporter of the Cloud Security Alliance, about some of the trends in the banking industry regarding use of cloud and virtualization, and things banks need to watch out for.

Asprey recognizes that some financial institutions may be hesitant to jump into the cloud, and they may have trepidation about choosing a cloud services provider. That's one of the reasons the CSA created the Cloud Controls Matrix -- a document specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

The organization also created what it calls the STAR (Security, Trust & Assurance Registry), which is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.

"Financial institutions wanted to know what each vendor is doing in this space, and here’s a standardized list they can look at," Asprey says.

For a bank looking to take that first step into the cloud, Asprey recommends looking at the options for virtual private clouds.

"Instead of going out and sharing all your servers you can have a private server," he says. "It's a good way to get the benefits of a cloud. You might pay slightly more, but you'll have that physical separation between servers and that's good for compliance and peace of mind."

Though many banks might prefer to outsource cloud services to third-party vendors, Asprey says that with the emergence of VMware and other technologies, it is easier than ever before for organizations to build these virtual environments themselves.

However, there are still some things organizations need to look out for when pursuing virtualization. One area where banks need to pay a lot of attention is encryption key management, says Asprey.

"Banks are heavy users of [encryption key management]," he notes. "Once you virtualize, it is very different how you use them. You run into the problem where the controls around keys don’t work the way they did before, and you have to work around that."

In general, as banks pursue more virtualization, they will also need to impose the appropriate security measures, says Asprey.

"You need the proper security tools," he says.

Bryan Yurcan is associate editor for Bank Systems and Technology. He has worked in various editorial capacities for newspapers and magazines for the past 8 years. After beginning his career as a municipal and courts reporter for daily newspapers in upstate New York, Bryan has ...
