Clouds in that cloud? (April 2011)
As cloud computing becomes the next big thing, security issues have to be dealt with
By John Ginovsky, contributing editor
First it was software off a shelf. Then it was solutions developed, installed and maintained by providers. The current hot topic in business technology is software as a service, or some other form of cloud computing. Each represents a leap forward in productivity, capability and profitability for banks. What each has required, and continues to require, is an acute focus on, and control of, risk.
It is pretty much a given that outsourced services delivered over the internet, rather than software and other infrastructure maintained in-house, will take hold across the industry.
“It’s a tidal wave that’s going to engulf us all within the next five years,” predicts Ron Catrone, senior vice-president and chief information officer, Farmington Bank, Farmington, Conn.
Peter Graves, CIO, Independent Bank, Ionia, Mich., says in his blog “Tech Without Hype,” on ababj.com, that cloud services will be a $160 billion industry by the end of 2011.
“There are a lot of positive reasons to adopt cloud computing as a technology or to add functionality,” says L. Randy Marsicano, manager of professional services for WolfPAC Solutions Group, and a speaker at this year’s ABA Risk Management Forum. “It reduces cost in your organization. You don’t have to take on additional hardware. You don’t have to have additional resources. Your time to market is quicker. It’s a way to implement cutting-edge technology without the cost associated with it.”
Risks, but known risks
As with any technology, there are risks. The fortunate thing, though, is that the worst-case outcomes with cloud are not new ones.
“The worst-case scenario doesn’t change, regardless of infrastructure,” says Brett Wilson of Trustwave, an information technology and compliance company that offers cloud services for merchant banks. “The worst-case scenario for any organization around IT security is breaches, the notifications that go along with those, financial loss, reputational damage and regulatory actions that might result.”
Marsicano, in a presentation, listed seven cloud-computing risks that banks and other businesses have to be aware of:
• Increased dependency on a third-party provider.
• Loss of control over the physical and/or logical environment affecting data.
• Loss of availability should the cloud provider have a service interruption.
• Privacy and legal liability in the event of a security breach.
• Difficulty defining exact locations of data.
• Commingling of data.
• Difficulty of protecting trade secrets.
“It really boils down to three things: privacy, availability and obsolescence,” says Marsicano. “Is the information secure? Is the information always available to customers, clients, internal operations that rely on that information? Are you making sure that the systems don’t get old and outdated?”
That said, some threats take a specifically cloud-shaped form. A not-for-profit organization called the Cloud Security Alliance focuses on this issue. In very general terms, it lists seven top threats involving cloud computing: abuse and nefarious use of cloud resources; insecure interfaces and application programming interfaces; malicious insiders; shared technology vulnerabilities; data loss or leakage; account, service and traffic hijacking; and an unknown risk profile, where the customer cannot see enough of the provider’s internals to assess its security posture.
Dan Fisher, another ababj.com blogger (“Beyond the Bank”), warns about risks as well. “Where is your data stored? How is it being cared for? What firewalls are in place?” he asks. He recommends banks perform due diligence to answer such questions.
No banking regulator has yet issued formal guidance or a policy statement on cloud computing. “It’s that new of a phenomenon,” says Catrone. When he brought the issue to his state and federal examiners, he says: “They will tell you that you need to take precautions in terms of using a reputable provider, that you document their security precautions and their security controls.”
One government agency, at least, has started formalizing security controls for cloud computing: the National Institute of Standards and Technology (www.nist.gov), part of the Department of Commerce. In February NIST issued two draft documents, a definition of cloud computing (draft Special Publication 800-145) and, most notably, guidelines on security and privacy in public cloud computing (draft Special Publication 800-144).
The basic points of this latter draft document are:
• Entities, including private businesses, should carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
• They should understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
• They should ensure that the client-side computing environment meets organization security and privacy requirements for cloud computing.
• They should maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
In general, the draft report notes: “Cloud computing technologies can be implemented in a wide variety of architectures, under different service and deployment models and can coexist with other technologies and software design approaches. The security challenges cloud computing presents, however, are formidable, especially for public clouds whose infrastructure and computational resources are owned by an outside party that sells those services to the general public.”
Back to basics
One point to note here is that there is no single form of cloud computing. Marsicano lists three service models: software as a service; platform as a service; and infrastructure as a service. These types of cloud computing service models can be delivered using four different deployment models: private cloud; community cloud; public cloud; and hybrid cloud. What this means is that bankers seeking the advantages that some form of cloud computing could provide them must know, at the least, what questions to ask when they approach a provider.
“You want to make sure you have adequate policies and procedures in place,” says Marsicano. “You want to make sure that you will perform your risk assessments on your technology and on your business processes and business functions from a customer information standpoint. You want to make sure you do your vulnerability scanning like you normally would do as part of your regular audit cycle.”
Says Brett Wilson: “It comes back to the standard way that banks are going to do operational risk management and information security in the first place. What are the functions of the application that are manipulating the data? What would happen if this data became public? What would happen if a cloud vendor had access to this data in a way that [the bank] didn’t control? What would happen if the application itself became unavailable because it was in the cloud?”
A major point Wilson makes is the need to make sure both the bank and the vendor are crystal clear on who is responsible for what.
Catrone—whose bank has yet to adopt cloud computing but has considered it—says, “It comes down to some degree of trust.” He notes that the vendors he’s approached provide extensive and convincing documentation about security measures and procedures. “Look at [a vendor’s website] and see what they do concerning security. It’s their business. It’s their reputation. If they have a breach or if they have a failure that causes losses to hundreds or thousands of customers, they are out of business.”
Still, he notes, “You can do all those precautionary steps but you never really know what happens inside the black box. We have to work that out as an industry and as a regulatory issue. The economics of it are going to force it.”
Electronic means no paper
When ACNB Bank in Gettysburg, Pa., decided it wanted to make its account-opening process as paperless as possible, it adopted the mantra “What starts electronic should stay electronic.”
Dorothy Puhl, senior vice-president and information systems manager, says her bank wanted to cut out as many paper-based steps as possible whenever a new customer opened an account. The bank had upgraded several years ago to an image archive system from Fiserv called Nautilus Enterprise Content Management.
“The paperless part came when we wanted to be able to save the documents that are generated in the account-opening process through the desktop software to our image archive,” says Puhl. “In order to be able to do that we also had to come up with a process for capturing the customer’s signature on the new-account documents.”
The bank and the vendor solved that by adding the functionality to capture signatures electronically on deposit account documents and upload them into Nautilus.
The benefit to the bank is definite, but hard to quantify. “We save on paper. We’re saving on printer toner. We’re saving on somebody else’s time to scan and index,” says Puhl. Cost, also, is hard to pin down although Puhl says the outlay was “relatively inexpensive.” For example, the signature pads themselves cost a few hundred dollars each.
Significantly, the new system eliminated the paper shuffle the back office previously had to handle.
Previously, “those new-account documents had to be printed out, signed and a package put together that would be couriered to a central location where someone would perform that review process,” she says. “Now we’ve kept it electronic. The folks in our back room can go into the archive and call those documents up and do the review.”
When it came time to transition from the old system to the new, Puhl diplomatically termed that period “interesting.”
“People needed to get used to the new flow of getting that account opened without having to print all that paperwork,” she says. That issue resolved itself once users became accustomed to the immediate response the system gave them.
Customers have generally been impressed. “I think customers were intrigued; here we were, the community bank, implementing a technology that is not quite cutting edge, but is a little bit beyond the ordinary,” says Puhl.
The main technical lesson learned has been to make sure network bandwidth was sufficient to push the data around the bank’s 19 branches.
— John Ginovsky
The electronic version of this article available at: http://www.nxtbook.com/nxtbooks/sb/ababj0411/index.php?startid=20