Securing Financial Applications in the Cloud
August 13, 2015
A major dilemma for financial services companies, as pointed out by Elliot Holley at Business Cloud News, is whether to keep an IT service in-house or to outsource it to the public cloud. While the cloud provides immense benefits in terms of reducing costs and speeding up time to market for application developers, the perceived security risks involved in cloud technology threaten to outweigh the benefits.
Cloud Benefits vs. Security Risks
Alastair Brown, head of e-channels, Global Transactions Banking at RBS, asks, “You have to ask yourself, what can cloud offer to offset the risk of consumer protection failures and the damage that it could do to your organization?” The Commonwealth Bank of Australia is a good example of the cost reductions realized when moving to the cloud. They reduced maintenance and infrastructure costs from 75% of total outgoings to a mere 25%, simply by partnering with Amazon Web Services and moving to the cloud.
Regardless of the cost benefits, there still remains the perception of security risks that could outweigh those benefits. Nevertheless, as Ian Webster, managing director for Europe at Axioma, believes, it is impossible for financial services companies to noticeably cut costs without adapting their business models to the cloud.
The perception of security risks in the cloud comes from two sources: organizations that are not aware of proper security practices and expose poorly configured solutions on the cloud, and organizations that are aware of proper practices (most financial institutions), but find these practices to be labor intensive, costly, and hence dilutive of the cloud value proposition.
Balancing Developer Innovation with Security Risks
Another concern mentioned in the article is that many vendors argue that outsourcing too many services to the public cloud can cause problems with innovation. Paul Birken, CTO at Capita, offers a solution to this problem: the hybrid cloud. Minimize risk by putting more innovative applications and content on private clouds, and the less sensitive information on the public cloud. Integrating security into DevOps will enable innovation while securing the application throughout its lifecycle.
Consistent Security to Protect Data Across Private and Public Clouds
To quote the article, “what if the cloud is being used by an international organization – a large, global Tier One bank such as Citi, for example? For many, the idea that the data stored in the cloud is not safe is a major sticking point.” However, if standard security profiles are consistently and automatically applied to all assets both on the public and private cloud, then the issue of whether the data is stored on premises or internationally in the cloud is no longer a security concern.
Financial Industry Cloud Security Solution
In summary, the key challenge for financial institutions is how to cost-effectively manage security compliance risk in the cloud. This will enable them to take full advantage of the flexibility and cost benefits of the cloud, enable developer innovation, and provide consistent data protection across public and private clouds. In order to effectively manage security compliance, there are two key issues:
- Security compliance is up to 40% of the cost of managing cloud applications.
- Manual security compliance is slow, error prone, and insecure.
Using the DISA STIGs published by the US Defense Information Systems Agency as a baseline, Cloud Raxak has found that approximately 50% of the recommended security parameters are incorrectly configured “out of the box” on virtual machines provisioned on any typical cloud infrastructure provider. However, 95% of these security parameters can be configured automatically, significantly reducing security compliance costs and human error. Raxak Protect addresses the security compliance concerns of financial institutions by:
- reducing costs and risk by automating security compliance and remediation throughout the lifecycle of the application.
- enabling developer innovation by applying security profiles in DevOps when the asset is created and then monitoring it throughout the app lifecycle.
- protecting financial applications using leading-edge data security profiles based on Defense Information Systems Agency guidelines (STIGs).
- applying consistent security profiles across private and public clouds enabling the same level of data protection.
- providing the flexibility to deploy cloud security as a SaaS or on-prem appliance.
- enabling any user to protect enterprise data by integrating one-touch security compliance into the IT service catalog. Select your IT service and security compliance is automatically applied.
All of these features will allow financial institutions to deploy their cloud applications securely, cost effectively, and without human error. With security being removed as a major risk, financial companies can be free to fully reap the benefits of developing on the cloud. As Alastair Brown put it, “cloud is part of the future, it provides a competitive advantage, and it is moving from a buzzword to real implementation.”
Read the full Business Cloud News article by Elliot Holley about cloud computing in the financial services industry.