|By Kevin Nikkhoo||
|September 4, 2012 01:45 AM EDT||
Last month the Federal Financial Institutions Examination Council (FFIEC) shared an opinion on the viability and security of cloud computing. In the four-page statement, the interagency body empowered to prescribe uniform principles, standards, stated that cloud computing is “another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.”
What they are offering is a back-handed endorsement of cloud computing with the caveat that if you perform your due diligence and the solution passes the security smell test, there is no reason why a financial institution cannot enjoy the full scope of cloud based benefits.
Like most other industries on the planet, banks, credit unions, investment brokerages, hedge funds, title and mortgage companies, credit card enterprises outsource certain parts of their business for a variety of reasons. In some cases, it is a skill that is outside their core competencies like the physical transference of currency (armored cars). For others it incorporates economic and efficiency factors like reducing and controlling costs, expanding operational capacity, and employing best-of-breed philosophies. Regardless of the reasoning, outsourcing is an integral part of international business standards.
“Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.” FFIEC Information Technology Subcommittee July 10, 2012
This is especially good news for credit unions and other smaller finance-centric enterprise organizations on the hook for compliance, heightened data and asset protection and access control just like their multi-national brethren. In that the FFIEC has labeled cloud computing as an acceptable practice, I want to focus on three specific callouts that directly affect how and why security managed from the cloud (aka cloud-based security) fits with the strategic technology goals of any financial institution.
- Legal and Regulatory Considerations All financial institutions operate under the heavy scrutiny of federal, state, local and industrial standards. It demands a certain degree of transparency (as well as privacy), a certain reliance on reporting and auditing, and heavy emphasis on compliance with various requirements. Although a serious and very complex issue, the ability to depend on several factors managed from the cloud, eases some of the burden. Regardless of where sensitive financial, personal and transactional data and is stored security-as-a-service typically provides the best-of-breed oversight institutions demand. Strictly from a security management perspective, understanding who and how and when any endpoint is attempting to access or ping a network asset at any time day or night is not only good practice, but a strict edict of laws like PCI and Sarbanes Oxley. But taken one step further, the ability to look beyond the obvious brute force attacks, the ability to instantly analyze traffic from a variety of silos and the ability inform, escalate and report any anomalies bases on strict interpretation of the law, creates. The cloud fits this stratagem simply by providing the additional expertise, faster and more accurate auditing and more “bang for the buck.
”I recall what a Network Apps Manager from Texas Capital Bank stated in a recent conference: "We get audited. We get audited a lot! In the span of a typical year we are audited by 6 different external and regulatory compliance groups." I get dizzy just thinking of the constant drain on resources it takes to keep up with it all. Not to put a fine point on it, but just consider the manpower, reporting and computing relief an organization can experience simply by outsourcing Identity Management to provision and de-provision users , customers and vendors...not to mention the additional control from SaaS Single Sign On.
- Holistic InfoSec All Financial institutions are typically at the center of many hacking attacks. The rule of thumb with cloud-based (or really any security strategy), is don’t worry about the attacks you can see coming. Most of the truly devastating breaches come from more insidious sources that are quiet and subtle. It is these types of assaults that look for cracks in a multitude of small, seemingly insignificant corners. This is why any strategy must contain a holistic approach. One that looks at and ties together the various and varied silos of information. This situational context approach identifies issues that might not raise red flags in one silo, but when correlated with other data points might require reporting, escalation and instant remediation.
And it’s no secret that global hackers have set their sites on American financial institutions but if you are running a credit union in Watertown, MN, do you need to fear nation-state cyber-terrorism? Probably not as much as Citibank, but shoring up your network perimeter is a must. Solutions like SIEM and Log Management have an excellent track record managed from the cloud. Other considerations such as careless third party users and employees, password mismanagement, poor vetting of third-party security protocols, access controls, must be addressed to achieve a true holistic approach strategy. But for that credit union in Watertown or the title company in Carpenteria, CA there is limited budget to apply such an enterprise strategy. And that’s where cloud security comes in as a huge benefit. Security-as-a-service is typically a cash flow positive endeavor. This means there is no capital expenditures (it’s all OpEx) and there is no ROI lag time in terms of buying an expensive server or waiting 6 months to develop and deploy and appropriate program. Zero day deployment and pay-as-you-go scalability provide immediate return and immediate coverage.
- Data segregation and recoverability: The nature of this issue is the overall security of data regardless of where and how it is stored. There are many whose lack of trust in the cloud prevents them from seeing that just because data is sitting on a server outside their four walls, means it is any less secure. By using the advice of the FFIEC, applying risk assessments against any outsourced solution, . It’s the same for any investment. If you do poor research on a electronic lock company, there are catastrophic risks involved. Many cloud providers invest a great deal in their security features. And of course, a company the sells security-as-a-service, must be as or more bulletproof than any on premises alternative in its ability to maintain data security, IT integrity and guaranteed continued service.
Now this isn’t aimed so much at Bank of America or Goldman Sachs, but rather “Main Street” institutions who don’t have a spare $100K waiting to spend on on-premise servers, $1 million to develop and deploy a holistic security strategy and another $150K for dedicated analysts to monitor activity around the clock. Cloud-based security provides more functionality, greater scope, and greater manageability than a typical local institution can afford to do in house. Through multi-tenancy, economies of scope and leveraged enterprise best-of-breed expertise and capabilities, every financial institution can benefit from top-class security…as long as they do their homework!
As with any business decision, whether to migrate certain aspects of enterprise operation to the cloud, depends on several factors. Does it promote your strategic and tactical plans/goals? Have you done your homework and made sure both the vendor and the solution are a good (and trustworthy) fit? Does it provide ROI in a reasonable/expected time frame? Does the reward outpace the risk? Is the risk manageable? I could go on. But the argument is no longer be should I utilize the cloud. The better question is in what situations and how do cloud based solutions create benefit and advantages for my company?
If you wish to learn more about the application of holistic security, read the white paper: Applying Security Holistically from the Cloud: A Paradigm Shift Applying Situational Awareness in SIEM Deployments.
As organizations shift towards IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. Commvault can ensure protection, access and E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his general session at 18th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Part...
Jul. 24, 2016 02:00 AM EDT Reads: 1,809
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and shared the must-have mindsets for removing complexity from the develo...
Jul. 24, 2016 01:30 AM EDT Reads: 1,097
SYS-CON Events announced today that MangoApps will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides modern company intranets and team collaboration software, allowing workers to stay connected and productive from anywhere in the world and from any device.
Jul. 24, 2016 01:15 AM EDT Reads: 1,203
“We're a global managed hosting provider. Our core customer set is a U.S.-based customer that is looking to go global,” explained Adam Rogers, Managing Director at ANEXIA, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 24, 2016 12:30 AM EDT Reads: 1,547
"We've discovered that after shows 80% if leads that people get, 80% of the conversations end up on the show floor, meaning people forget about it, people forget who they talk to, people forget that there are actual business opportunities to be had here so we try to help out and keep the conversations going," explained Jeff Mesnik, Founder and President of ContentMX, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 23, 2016 11:45 PM EDT Reads: 1,198
DevOps at Cloud Expo – being held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...
Jul. 23, 2016 11:30 PM EDT Reads: 2,101
SYS-CON Events announced today that Isomorphic Software will exhibit at DevOps Summit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Isomorphic Software provides the SmartClient HTML5/AJAX platform, the most advanced technology for building rich, cutting-edge enterprise web applications for desktop and mobile. SmartClient combines the productivity and performance of traditional desktop software with the simp...
Jul. 23, 2016 11:30 PM EDT Reads: 812
Internet of @ThingsExpo has announced today that Chris Matthieu has been named tech chair of Internet of @ThingsExpo 2016 Silicon Valley. The 6thInternet of @ThingsExpo will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Jul. 23, 2016 11:15 PM EDT Reads: 1,851
"When you think about the data center today, there's constant evolution, The evolution of the data center and the needs of the consumer of technology change, and they change constantly," stated Matt Kalmenson, VP of Sales, Service and Cloud Providers at Veeam Software, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 23, 2016 11:15 PM EDT Reads: 1,217
When people aren’t talking about VMs and containers, they’re talking about serverless architecture. Serverless is about no maintenance. It means you are not worried about low-level infrastructural and operational details. An event-driven serverless platform is a great use case for IoT. In his session at @ThingsExpo, Animesh Singh, an STSM and Lead for IBM Cloud Platform and Infrastructure, will detail how to build a distributed serverless, polyglot, microservices framework using open source tec...
Jul. 23, 2016 11:00 PM EDT Reads: 2,220
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportuni...
Jul. 23, 2016 10:15 PM EDT Reads: 2,426
“Being the one true cloud-agnostic and storage-agnostic software solution, more and more customers are coming to Commvault and saying ' What do you recommend? What's your best practice for implementing cloud?” explained Randy De Meno, Chief Technologist at Commvault, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 23, 2016 10:00 PM EDT Reads: 1,572
From wearable activity trackers to fantasy e-sports, data and technology are transforming the way athletes train for the game and fans engage with their teams. In his session at @ThingsExpo, will present key data findings from leading sports organizations San Francisco 49ers, Orlando Magic NBA team. By utilizing data analytics these sports orgs have recognized new revenue streams, doubled its fan base and streamlined costs at its stadiums. John Paul is the CEO and Founder of VenueNext. Prior ...
Jul. 23, 2016 09:30 PM EDT Reads: 1,944
Let’s face it, embracing new storage technologies, capabilities and upgrading to new hardware often adds complexity and increases costs. In his session at 18th Cloud Expo, Seth Oxenhorn, Vice President of Business Development & Alliances at FalconStor, discussed how a truly heterogeneous software-defined storage approach can add value to legacy platforms and heterogeneous environments. The result reduces complexity, significantly lowers cost, and provides IT organizations with improved efficienc...
Jul. 23, 2016 09:30 PM EDT Reads: 1,875
Continuous testing helps bridge the gap between developing quickly and maintaining high quality products. But to implement continuous testing, CTOs must take a strategic approach to building a testing infrastructure and toolset that empowers their team to move fast. Download our guide to laying the groundwork for a scalable continuous testing strategy.
Jul. 23, 2016 09:00 PM EDT Reads: 1,809
A critical component of any IoT project is what to do with all the data being generated. This data needs to be captured, processed, structured, and stored in a way to facilitate different kinds of queries. Traditional data warehouse and analytical systems are mature technologies that can be used to handle certain kinds of queries, but they are not always well suited to many problems, particularly when there is a need for real-time insights.
Jul. 23, 2016 08:45 PM EDT Reads: 1,652
"My role is working with customers, helping them go through this digital transformation. I spend a lot of time talking to banks, big industries, manufacturers working through how they are integrating and transforming their IT platforms and moving them forward," explained William Morrish, General Manager Product Sales at Interoute, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 23, 2016 08:30 PM EDT Reads: 2,025
CenturyLink has announced that application server solutions from GENBAND are now available as part of CenturyLink’s Networx contracts. The General Services Administration (GSA)’s Networx program includes the largest telecommunications contract vehicles ever awarded by the federal government. CenturyLink recently secured an extension through spring 2020 of its offerings available to federal government agencies via GSA’s Networx Universal and Enterprise contracts. GENBAND’s EXPERiUS™ Application...
Jul. 23, 2016 08:30 PM EDT Reads: 1,771
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 19th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo Silicon Valley Call for Papers is now open.
Jul. 23, 2016 08:00 PM EDT Reads: 2,414
Big Data engines are powering a lot of service businesses right now. Data is collected from users from wearable technologies, web behaviors, purchase behavior as well as several arbitrary data points we’d never think of. The demand for faster and bigger engines to crunch and serve up the data to services is growing exponentially. You see a LOT of correlation between “Cloud” and “Big Data” but on Big Data and “Hybrid,” where hybrid hosting is the sanest approach to the Big Data Infrastructure pro...
Jul. 23, 2016 08:00 PM EDT Reads: 1,793