In early September, cloud computing stories finally became interesting as an apparent hacking attack on Apple’s iCloud released hundreds of photos of ‘celebrities’ in the nude. It was a perfect story for the mainstream media, combining celebrities with nudity and a bit of unintelligible (to them at least) technology thrown in for good measure. Among the headlines: Celebrity Nude Photo Hacking: Should You Be Worried? It’s unlikely that nude celebrities will hack the photos of any Sibos delegates, but the fuss associated with the story highlights once again the security fears around cloud computing.
Plenty of experts had their say following the news, warning businesses that were using cloud-based technologies about the dangers of storing confidential data in the cloud. Professor Mike Jackson from Birmingham City University in the UK said: “Whenever you place information on a computer, that information becomes less secure. If you connect a computer to the internet then the security risk grows. If you store information on a cloud service then you rely completely on the security measures of the service provider. Once on the cloud it’s these security measures which make the difference between privacy and the whole world being able to access your documents and pictures.”
Hack attacks are not the only problem for cloud computing, however. Surveillance of private individuals and corporations by national security services such as the US National Security Agency and the UK’s GCHQ, as alleged by Edward Snowden, also highlights the vulnerability of cloud computing. In November last year Switzerland’s national teleco, Swisscom, announced it was building Swiss Cloud, trading on the country’s reputation for privacy. While Swisscom’s head of IT services, Andreas Koenig, told Reuters that the decision to build the cloud was to cut costs, he said it would make more sense for firms to consider storing data in locations where strict privacy laws make it more difficult to retrieve sensitive information. For example, in the US, the 2001 Patriot Act and the 2008 Foreign Intelligence Surveillance Act give US intelligence agencies the power to carry out mass information gathering. On the other hand, Swisscom would have to receive a formal request from a prosecutor before allowing access to any data.
Financial institutions are increasingly required to collect, store, analyse and report on ever increasing volumes of data. Cloud computing is an attractive option because it enables firms to bypass sizeable investments in infrastructure, hardware, software and maintenance typically associated with data storage. The convenience and cost effectiveness of cloud computing have to be weighed against the security concerns.
“Financial services firms are still asking ‘is the cloud safe?’, fearing its ability to safely store highly sensitive data,” says Hugh Cumberland, solution manager, Colt Technology Services. “But cloud is a generic term.
The definition includes private, public, community and hybrid, each of which provides a different level of security.” It is more useful to be asking which type of cloud-based environment offers the required security for the task in hand, he says. “Due to the heightened levels of regulatory scrutiny in the industry, there are fears about whether keeping data in the cloud breaks certain regulations. Regulators need to speak publicly, as they have in the Netherlands, to allay these fears.”
In July 2013, De Nederlandsche Bank approved the use of Amazon Web Services (AWS), a public cloud, for “all facets of Dutch financial operations”. The approval included the storage and management of all levels of data on the cloud.
The most secure of all cloud options are private clouds, infrastructures operated solely for a specific entity, such as a bank. The cloud may be managed by the bank itself or by a third party and may exist onsite or offsite. In a public cloud, the cloud infrastructure is made available to the general public or a large industry group and is owned by an organisation that sells cloud services. A community cloud is a collaborative effort in which infrastructure is shared between several organisations from a specific community with common concerns and can be managed internally or by a third party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing are realised. Hybrid clouds are composed of two or more clouds (private or public) that remain unique entities but are linked in order to provide services.
Michael Cooper, chief technology officer at Radianz, BT Global Banking and Financial Markets, says financial institutions generally perceive data stored in the cloud to be safe. This is especially the case where different cloud storage models exist supporting the incremental application of different security attributes, for example encryption. Nevertheless, and despite these capabilities, it remains true that for some financial institutions, their security protocols may require physical oversight that drives ‘on premise’ storage and complete physical control in a manner that precludes the use of cloud storage, he says.
Shrinking margins and reducing return on equity are driving banks worldwide to cloud adoption, says Eugene Danilkis, co-founder and chief executive of Mambu, a developer of cloud-based technology for financial services. Mambu is also one of this year’s Innotribe Challenge finalists. “Gartner predicts that more than 60 per cent of banks will be processing the majority of transactions in the cloud by 2016. In our experience, when firms approach Mambu they have already reached the mindset that the cloud model is more aligned to their business goals than a legacy or in-house system, and work with us to understand and mitigate any potential risk or privacy concerns.”
Danilkis says the main concern the company has encountered tends to be around data sovereignty, so while it uses AWS for a large number of clients, data resides in whichever location and whichever cloud type the client is most comfortable with. “We offer our Filipino customers the option to have their data in Singapore on AWS, and our mainland Chinese customer data resides in Alibaba’s Aliyun data centre in Qingdao,” he says.
Data sovereignty is the concept that information that has been converted and stored in binary digital form is subject to the laws of the country in which it is located. Many of the concerns that surround data sovereignty relate to enforcing privacy regulations and preventing data that is stored in a foreign country from being subpoenaed by the host country’s government. Financial firms operating in particular countries may be required by law to keep the data within the country to which it pertains. That could present significant impediments to cloud solutions that are multinational on a virtual basis. This is a challenge that would limit certain types of datasets being put into anything other than a private or hybrid cloud offering.
National data protection laws – Switzerland, Singapore and Poland for example require customer data to reside within their borders – need to be considered when planning a move to cloud solutions.
Danilkis says it is possible that more regulations requiring data to be held in the country of residence may be formulated. On the other hand, it is encouraging to see the Netherlands and Singapore leading the way in providing regulatory approval for public clouds, he adds. “But even if some countries choose to impose tighter constrictions, the provision of cloud services is expanding all the time, so banks can choose local service providers or international providers.” It is important to keep in mind that while a local cloud solution will certainly be better than an in-house system, it may not yet be as robust, secure or cost-effective as the leading global solutions. “It’s in the banking industry’s interest to work with regulators to create a cloud-positive regulatory framework.”
Using local data centres typically means less complex regulatory issues and there are various secure and robust options available, he says. “In some cases a private or community cloud could also be an alternative. Ultimately our customers’ potential concerns about surveillance are typically outweighed by the higher operational risks, security and costs of running these systems in-house.”
Public cloud services do not provide transparency on how and by whom data is managed and routed within their services, which leads to data sovereignty concerns, says Cumberland. “This is why banks are more likely to opt for private cloud services. It is a case of using the right tool for the job.”
Data ownership is also an important issue, encompassing questions such as who owns the data and can access it, how access is controlled and whether access is a weak point of cloud computing. Cooper says there should be clarity concerning ownership and access rights (including government and legal obligations), but this is an area where legal precedent and interpretation of rights is still relatively new, and will develop and evolve as a consequence.
Once a contract for outsourcing to cloud-based services has been agreed, then details around who owns the data and who can access it should be clear, says Cumberland. Before reaching this stage, however, exact data ownership is a worry, with outsourcing firms potentially operating on standard ‘cloudification’ terms or insisting on their own, more onerous non-standard terms for vendors to meet.
Francois Bouçher, head of information systems and process automation at Societe Generale Securities Services, says financial institutions must be very careful about how they process and store data. “The trust of our customers relies on the reliability and the security we can provide to them concerning their data,” he says. “Our cloud strategy recognises that we cannot completely externalise our financial information infrastructure. We have to control client data and therefore need a cloud environment that is dedicated to our use only and that will deliver the benefits of scalability.”
Alastair Brown, head of e-channels, Global Transaction Banking at Royal Bank of Scotland, told Banking Technology* recently that the motives that drive financial institutions to cloud differ. “Tier one institutions are very much focused on reducing costs, getting to market faster, whereas tier two and three banks want to roll out services like trade finance that they wouldn’t be able to do alone. If controls on security are breached, the costs may far outweigh the benefits.”
Privacy concerns will always exist, says Danilkis, whether a system is inhouse or elsewhere, as the risk of attack from a rogue employee or other malicious element is impossible to eradicate. “The benefit of the cloud is that you can ensure a best of breed approach to risk mitigation,” he says. “Data is maintained separately – with a cloud the privacy security becomes the cloud provider’s responsibility rather than the customer’s. The cloud service provider can bring in best of breed processes, tools and technology and do it better and more effectively than if each organisation had to do it itself.”
He believes cloud privacy leaks are more publicised because of the required transparency of the service providers (and a potentially larger pool of affected customers) than numerous smaller leaks and issues which happen with in-house solutions that aren’t as ‘newsworthy’ or are not publicly disclosed.
Cloud solutions, generically, are able to support a range of data protection measures, says Cooper, but this does not translate into universal support for all possible measures by all service providers. Users will need to match their requirements to the different solutions available. “The range of measures and possibilities includes location and domain specificity (where the data resides and consequential legal state), physical characteristics and attributes (content and storage assurance, redundancy and persistence), access controls and security models (physical and logical, biometrics, firewalls, perimeter and integrity controls), encryption and data states. In short, pretty much every attribute is presented and available in the cloud somewhere.”
The concerns about cloud computing can be set against the benefits. As Banking Technology reports, cloud providers can make business processes more efficient, enabling the bank to do more with less and reducing the immense cost of in-house IT. For example, Commonwealth Bank of Australia has said through a partnership with AWS, it reduced expenditure on maintenance and infrastructure from 75 per cent of total outgoings to just 25 per cent. Glen Robinson, solutions architect at AWS, said CBA saved “tens of millions of dollars” using the cloud system and reduced the time needed to deploy a new server from eight weeks to a few minutes. DNS