Welcome!

AJAX & REA Authors: Sebastian Kruk, RealWire News Distribution, Harald Zeitlhofer

Related Topics: Cloud Expo, Java, SOA & WOA, Virtualization, AJAX & REA, Web 2.0, Security, GovIT

Cloud Expo: Blog Post

FFIEC's Recognition of Cloud Security Advantages

How credit unions, smaller banks can now use outsourcing for compliance using security-as-a-service

Last month the Federal Financial Institutions Examination Council (FFIEC) shared an opinion on the viability and security of cloud computing. In the four-page statement, the interagency body empowered to prescribe uniform principles, standards, stated that cloud computing is “another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.”

What they are offering is a back-handed endorsement of cloud computing with the caveat that if you perform your due diligence and the solution passes the security smell test, there is no reason why a financial institution cannot enjoy the full scope of cloud based benefits.

Like most other industries on the planet, banks, credit unions, investment brokerages, hedge funds, title and mortgage companies, credit card enterprises outsource certain parts of their business for a variety of reasons. In some cases, it is a skill that is outside their core competencies like the physical transference of currency (armored cars). For others it incorporates economic and efficiency factors like reducing and controlling costs, expanding operational capacity, and employing best-of-breed philosophies. Regardless of the reasoning, outsourcing is an integral part of international business standards.

“Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.” FFIEC Information Technology Subcommittee July 10, 2012

This is especially good news for credit unions and other smaller finance-centric enterprise organizations on the hook for compliance, heightened data and asset protection and access control   just like their multi-national brethren. In that the FFIEC has labeled cloud computing as an acceptable practice, I want to focus on three specific callouts that directly affect how and why security managed from the cloud (aka cloud-based security) fits with the strategic technology goals of any financial institution.

  • Legal and Regulatory Considerations All financial institutions operate under the heavy scrutiny of federal, state, local and industrial standards. It demands a certain degree of transparency (as well as privacy), a certain reliance on reporting and auditing, and heavy emphasis on compliance with various requirements. Although a serious and very complex issue, the ability to depend on several factors managed from the cloud, eases some of the burden. Regardless of where sensitive financial, personal and transactional data and is stored security-as-a-service typically provides the best-of-breed oversight institutions demand. Strictly from a security management perspective, understanding who and how and when any endpoint is attempting to access or ping a network asset at any time day or night is not only good practice, but a strict edict of laws like PCI and Sarbanes Oxley. But taken one step further, the ability to look beyond the obvious brute force attacks, the ability to instantly analyze traffic from a variety of silos and the ability inform, escalate and report any anomalies bases on strict interpretation of the law, creates. The cloud fits this stratagem simply by providing the additional expertise, faster and more accurate auditing and more “bang for the buck.

”I recall what a Network Apps Manager from Texas Capital Bank stated in a recent conference: "We get audited. We get audited a lot! In the span of a typical year we are audited by 6 different external and regulatory compliance groups." I get dizzy just thinking of the constant drain on resources it takes to keep up with it all. Not to put a fine point on it, but just consider the manpower, reporting and computing  relief an organization can experience simply by outsourcing Identity Management to provision and de-provision users , customers and vendors...not to mention the additional control from SaaS Single Sign On.

  • Holistic InfoSec All Financial institutions are typically at the center of many hacking attacks. The rule of thumb with cloud-based (or really any security strategy), is don’t worry about the attacks you can see coming. Most of the truly devastating breaches come from more insidious sources that are quiet and subtle. It is these types of assaults that look for cracks in a multitude of small, seemingly insignificant corners. This is why any strategy must contain a holistic approach. One that looks at and ties together the various and varied silos of information. This situational context approach identifies issues that might not raise red flags in one silo, but when correlated with other data points might require reporting, escalation and instant remediation.

And it’s no secret that global hackers have set their sites on American financial institutions but if you are running a credit union in Watertown, MN, do you need to fear nation-state cyber-terrorism? Probably not as much as Citibank, but shoring up your network perimeter is a must. Solutions like SIEM and Log Management have an excellent track record managed from the cloud. Other considerations such as careless third party users and employees, password mismanagement, poor vetting of third-party security protocols, access controls, must be addressed to achieve a true holistic approach strategy.  But for that credit union in Watertown or the title company in Carpenteria, CA there is limited budget to apply such an enterprise strategy. And that’s where cloud security comes in as a huge benefit. Security-as-a-service is typically a cash flow positive endeavor. This means there is no capital expenditures (it’s all OpEx) and there is no ROI lag time in terms of buying an expensive server or waiting 6 months to develop and deploy and appropriate program. Zero day deployment and pay-as-you-go scalability provide immediate return and immediate coverage.

  • Data segregation and recoverability: The nature of this issue is the overall security of data regardless of where and how it is stored. There are many whose lack of trust in the cloud prevents them from seeing that just because data is sitting on a server outside their four walls, means it is any less secure. By using the advice of the FFIEC, applying risk assessments against any outsourced solution, . It’s the same for any investment. If you do poor research on a electronic lock company, there are catastrophic risks involved. Many cloud providers invest a great deal in their security features. And of course, a company the sells security-as-a-service, must be as or more bulletproof than any on premises alternative in its ability to maintain data security, IT integrity and guaranteed continued service.

Now this isn’t aimed so much at Bank of America or Goldman Sachs, but rather “Main Street” institutions who don’t have a spare $100K waiting to spend on on-premise servers, $1 million to develop and deploy a holistic security strategy and another $150K for dedicated analysts to monitor activity around the clock. Cloud-based security provides more functionality, greater scope, and greater manageability than a typical local institution can afford to do in house. Through multi-tenancy, economies of scope and leveraged enterprise best-of-breed expertise and capabilities, every financial institution can benefit from top-class security…as long as they do their homework!

As with any business decision, whether to migrate certain aspects of enterprise operation to the cloud, depends on several factors. Does it promote your strategic and tactical plans/goals? Have you done your homework and made sure both the vendor and the solution are a good (and trustworthy) fit? Does it provide ROI in a reasonable/expected time frame? Does the reward outpace the risk? Is the risk manageable? I could go on. But the argument is no longer be should I utilize the cloud. The better question is in what situations and how do cloud based solutions create benefit and advantages for my company?

If you wish to learn more about the application of holistic security, read the white paper: Applying Security Holistically from the Cloud: A Paradigm Shift Applying Situational Awareness in SIEM Deployments.

Kevin Nikkhoo

CloudAccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Cloud Expo Latest Stories
Every healthy ecosystem is diverse. This is especially true in cloud ecosystems, where portability and interoperability are more important than old enterprise models of proprietary ownership. In his session at 15th Cloud Expo, Mark Baker, Server Product Manager at Canonical/Ubuntu, will discuss how single vendors used to take the lead in creating and delivering technology, but in a cloud economy, where users want tools of their preference, when and where they need them, it makes no sense.
SYS-CON Events announced today that Cloudian, Inc., the leading provider of hybrid cloud storage solutions, has been named “Bronze Sponsor” of SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Cloudian is a Foster City, Calif.-based software company specializing in cloud storage. Cloudian HyperStore® is an S3-compatible cloud object storage platform that enables service providers and enterprises to build reliable, affordable and scalable hybrid cloud storage solutions. Cloudian actively partners with leading cloud computing environments including Amazon Web Services, Citrix Cloud Platform, Apache CloudStack, OpenStack and the vast ecosystem of S3 compatible tools and applications. Cloudian's customers include Vodafone, Nextel, NTT, Nifty, and LunaCloud. The company has additional offices in China and Japan.
The emergence of cloud computing and Big Data warrants a greater role for the PMO to successfully manage enterprise transformation driven by these powerful trends. As the adoption of cloud-based services continues to grow, a governance model is needed to orchestrate enterprise cloud implementations and harness the power of Big Data analytics. In his session at 15th Cloud Expo, Mahesh Singh, President of BigData, Inc., to discuss how the Enterprise PMO takes center stage not only in developing the appropriate governance model but also in collaborating with key stakeholders to ensure a successful transformation.
SYS-CON Events announced today that TechXtend (formerly Programmer’s Paradise), a leading value-added provider of server and storage virtualization, and r-evolution will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. TechXtend (formerly Programmer’s Paradise) is a leading value-added provider of software, systems and solutions for corporations, government organizations, and academic institutions across the United States and Canada. TechXtend is the Exclusive Reseller in the United States for r-evolution
The consumption economy is here and so are cloud applications and solutions that offer more than subscription and flat fee models and at the same time are available on a pure consumption model, which not only reduces IT spend but also lowers infrastructure costs, and offers ease of use and availability. In their session at 15th Cloud Expo, Ermanno Bonifazi, CEO & Founder of Solgenia, and Ian Khan, Global Strategic Positioning & Brand Manager at Solgenia, will discuss this shifting dynamic with an example of a top European Telco provider. Find out how they are leveraging the power of acloud-based consumption model services to offer more value to the mass market and enable a new revenue model that embraces the true meaning of the Third Industrial Revolution.
In today's application economy, enterprise organizations realize that it's their applications that are the heart and soul of their business. If their application users have a bad experience, their revenue and reputation are at stake. In his session at 15th Cloud Expo, Anand Akela, Senior Director of Product Marketing for Application Performance Management at CA Technologies, will discuss how a user-centric Application Performance Management solution can help inspire your users with every application transaction.
Come learn about what you need to consider when moving your data to the cloud. In her session at 15th Cloud Expo, Skyla Loomis, a Program Director of Cloudant Development at Cloudant, will discuss the security, performance, and operational implications of keeping your data on premise, moving it to the cloud, or taking a hybrid approach. She will use real customer examples to illustrate the tradeoffs, key decision points, and how to be successful with a cloud or hybrid cloud solution.
Cloud computing started a technology revolution; now DevOps is driving that revolution forward. By enabling new approaches to service delivery, cloud and DevOps together are delivering even greater speed, agility, and efficiency. No wonder leading innovators are adopting DevOps and cloud together! In his session at DevOps Summit, Andi Mann, Vice President of Strategic Solutions at CA Technologies, will explore the synergies in these two approaches, with practical tips, techniques, research data, war stories, case studies, and recommendations.
The 16th International Cloud Expo announces that its Call for Papers is now open. 16th International Cloud Expo, to be held June 9–11, 2015, at the Javits Center in New York City brings together Cloud Computing, APM, APIs, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
14th International Cloud Expo, held on June 10–12, 2014 at the Javits Center in New York City, featured three content-packed days with a rich array of sessions about the business and technical value of cloud computing, Internet of Things, Big Data, and DevOps led by exceptional speakers from every sector of the IT ecosystem. The Cloud Expo series is the fastest-growing Enterprise IT event in the past 10 years, devoted to every aspect of delivering massively scalable enterprise IT as a service.
Hardware will never be more valuable than on the day it hits your loading dock. Each day new servers are not deployed to production the business is losing money. While Moore’s Law is typically cited to explain the exponential density growth of chips, a critical consequence of this is rapid depreciation of servers. The hardware for clustered systems (e.g., Hadoop, OpenStack) tends to be significant capital expenses. In his session at 15th Cloud Expo, Mason Katz, CTO and co-founder of StackIQ, to discuss how infrastructure teams should be aware of the capitalization and depreciation model of these expenses to fully understand when and where automation is critical.
Over the last few years the healthcare ecosystem has revolved around innovations in Electronic Health Record (HER) based systems. This evolution has helped us achieve much desired interoperability. Now the focus is shifting to other equally important aspects – scalability and performance. While applying cloud computing environments to the EHR systems, a special consideration needs to be given to the cloud enablement of Veterans Health Information Systems and Technology Architecture (VistA), i.e., the largest single medical system in the United States.
In his session at 15th Cloud Expo, Mark Hinkle, Senior Director, Open Source Solutions at Citrix Systems Inc., will provide overview of the open source software that can be used to deploy and manage a cloud computing environment. He will include information on storage, networking(e.g., OpenDaylight) and compute virtualization (Xen, KVM, LXC) and the orchestration(Apache CloudStack, OpenStack) of the three to build their own cloud services. Speaker Bio: Mark Hinkle is the Senior Director, Open Source Solutions, at Citrix Systems Inc. He joined Citrix as a result of their July 2011 acquisition of Cloud.com where he was their Vice President of Community. He is currently responsible for Citrix open source efforts around the open source cloud computing platform, Apache CloudStack and the Xen Hypervisor. Previously he was the VP of Community at Zenoss Inc., a producer of the open source application, server, and network management software, where he grew the Zenoss Core project to over 10...
Most of today’s hardware manufacturers are building servers with at least one SATA Port, but not every systems engineer utilizes them. This is considered a loss in the game of maximizing potential storage space in a fixed unit. The SATADOM Series was created by Innodisk as a high-performance, small form factor boot drive with low power consumption to be plugged into the unused SATA port on your server board as an alternative to hard drive or USB boot-up. Built for 1U systems, this powerful device is smaller than a one dollar coin, and frees up otherwise dead space on your motherboard. To meet the requirements of tomorrow’s cloud hardware, Innodisk invested internal R&D resources to develop our SATA III series of products. The SATA III SATADOM boasts 500/180MBs R/W Speeds respectively, or double R/W Speed of SATA II products.
As more applications and services move "to the cloud" (public or on-premise) cloud environments are increasingly adopting and building out traditional enterprise features. This in turn is enabling and encouraging cloud adoption from enterprise users. In many ways the definition is blurring as features like continuous operation, geo-distribution or on-demand capacity become the norm. NuoDB is involved in both building enterprise software and using enterprise cloud capabilities. In his session at 15th Cloud Expo, Seth Proctor, CTO at NuoDB, Inc., will discuss the experiences from building, deploying and using enterprise services and suggest some ways to approach moving enterprise applications into a cloud model.