In financial services, with the hundreds of complex regulations that apply to data, private cloud adoption is still more common than the public cloud to date. However, that is changing quickly.
Cloud adoption has driven innovation to solve barriers to adoption, but not all are created equal and enterprises needs to be wary about claims of security over data which seem too good to be true. A fundamental question that needs to be asked is exactly how data is protected, on what basis are risk reduction claims made, and with what evidence to prove any claims of security.
The cost reduction benefit of cloud to be able to maximize profits is very attractive, but the regulatory and risk environment is complex to say the least. In the broader financial services market, investment banking is certainly in the forefront of adopting cloud, often in specific high value use cases.
Being able to provision cloud based services in an instant to secure business collaboration is seen as hugely beneficial to taking compliance issues off the table and enabling a mobile and cloud enabled workforce at the same time.
The security barrier
There are three issues which come up in every conversation that are the “big 3 barriers”:
1. Data risk in the cloud and control. How can data still be controlled under complex regulatory frameworks in a low trust environment?
2. How can my application still extract value from data if it is protected in the cloud without exposing live data in a low trust system?
3. How can I retain total control over data in respect to data residency and legal search requests to a cloud provider and give total control back to the data owner?
These barriers are very real. Industry regulators such as PCI SSC, FFIEC in the US, ICO in the UK in the UK have issued cloud guidance to enterprises relating to regulatory risks that stem from security concerns in the cloud. The advice is mostly pragmatic, but it signals the need for organizations to think carefully about how they are going to maximize the value from information in the cloud without increasing regulatory compliance costs at the same time.
The data residency issue
What is more, global financial institutions spanning different regulatory frameworks like the US and EU have to address complex data-residency issues. There are even challenges within the EU itself too. For example, a central bank based in Luxembourg with operations across Europe, was challenged by data residency issues in-country. A multi-million dollar core banking application update could not proceed to production deployment due to the complex regulatory requirements related to where live customer data was accessible under Luxembourg’s CSSF regulations. Traditional access control based approaches couldn’t protect the actual data – and thus meet the regulatory need. The problem was solved by securing data at a data field level as it moved in and out of the private cloud architecture in Luxembourg, enabling the core banking investment to be used across multiple geographies while staying CSSF compliant.
Outside Luxembourg, the applications function on de-identified versions of the data – and are thus compliant. Likewise, the same data-centric service framework for security is being applied by global banks to blend of SaaS, IaaS and PaaS as an extension of core financial services organizations processing environments, bridging mission critical Mainframe processing systems to least cost cloud services to create new, quick to market services and applications – again without exposing live data to low trust cloud environments.
How to overcome the security barrier
Ask for the proofs. Ensure independent validation of the approach is available. If it isn’t, don’t trust it. These have to also be relevant and from trusted sources. Incomplete tests, or claims which don’t really have full transparency don’t cut it. For instance, solutions which claim to enable protection using new encryption techniques without security proofs and relevant independent validation by experts are worthless in the event of a breach. Even worse, they may not offer any security in the first place. Independent verification is critical.
That’s why new data security standards such as NIST Format Preserving Encryption and FFX mode AES are so important. They have the founation of security proof and standards body.
Data risk and compliance barriers can be solved by leveraging a “data-centric” approach in the enterprise cloud stack to enable data protection, de-identification and data masking in tandem with Identity, Authentication and Authorization service layers. This enables the CISO and CIO to enable business adoption of new competitive applications by aggregating business services and data sources rapidly without exposing live data to new threats or insider attack.
The spotlight is now on CISO’s to determine the architecture and strategy to make it happen, not to say no to the business. Otherwise the business will adopt it anyway – the train’s already rolling.