23 September 2017
Stephan Kotze

Stephan Kotze

Stephan Kotze - GFT

1Posts 6,067Views 9Comments

Why migrating to the cloud offers more security than you might think

21 August 2017  |  6068 views  |  10

Earlier this year my bike was stolen from my apartment block in London. Sadly I was not the only victim as a number of my neighbours also had their bikes stolen from the bike rack inside the gated basement of the building. You can imagine our anger and distress that such a crime had been committed, especially when we assumed that the security measures in place to protect our bikes were more than adequate. Despite appearances, the truth was that our bikes were not secure and there was a fundamental fault in the way they were supposedly being protected.

The security arrangements in place focussed on preventing people from entering the complex; however, there were no security measures to stop people already inside the security gates from removing bikes and taking them outside the apartment block. When I considered this, it reminded me of a similar situation that I have witnessed inside a number of banks.

Managing and maintaining data centres

Security will clearly always be a major concern for financial institutions. Maintaining appropriate levels of security whilst managing and maintaining vast infrastructures continues to be a difficult, onerous and expensive task. Banks need to manage security over an infrastructure that includes data centres, computers, hardware and storage facilities. The complexity of this challenge is increased due to the scale that banks need to work at.

In addition to this, the day-to-day running of data centres and infrastructure requires the installation of new hardware and operating systems, the configuration of routers and firewalls along with numerous updates. These actions need to be undertaken whilst still ensuring that applications, software and hardware are updated and remain available and responsive at all times. Unfortunately banks are struggling to keep their software and hardware assets updated and ‘patched’ whilst remaining available at the rate needed to keep them safe.

In their Data Breach Investigation Report published earlier in 2017, Verizon revealed that in the financial sector, a third of published vulnerabilities are patched within 12 weeks - whilst two thirds of vulnerabilities remain unpatched 3 months after being published. The most enlightened take a proactive ‘vulnerability management’ approach to managing network security that includes processes for: identifying, verifying, mitigating and patching vulnerabilities.

Google regularly publishes industry reports that identify vulnerabilities which may affect other companies and third parties. Normally these reports are published after attempts have been made to ‘patch’ the affected software or hardware. What is clear is that even after vulnerabilities are highlighted, financial institutions are struggling to keep up in maintaining the necessary security measures to ensure adequate protection.

Many banks are falling into the trap of believing that their security measures are appropriate and up to date. The reality is that they are not; and a number of vulnerabilities still persist inside many organisations. There continues to be a false sense of security amongst senior figures within many banks who believe that their organisation is safe because they have large firewalls in place.

Why cloud improves security measures

Migrating to the cloud provides a number of distinct advantages for banks that directly address many of the highlighted infrastructure problems and security issues. Cloud providers will ‘patch’ routers automatically, as well as keep software up to date for the good of all their clients. On their own, banks simply cannot provide this service as well as the likes of Google, Amazon, and Microsoft. Unlike the individual bank with its bespoke IT infrastructure, each of the cloud providers provides enormous economies of scale in the provision of their service.

Banks experience an implicit benefit when they migrate to the cloud. There are greater levels of transparency, as cloud providers explain to banks how the multiple layers of security are implemented and maintained. This is critical in appreciating the value of a cloud infrastructure, as banks are able to see and understand how security measures actually work, creating a greater level of confidence and trust.

The more enlightened banks who are more inclined to migrate to the cloud are those that understand that previous concerns over security have been sufficiently answered. Banks will not trust placing their core systems into the cloud unless it has been explicitly explained to them how their businesses are being secured.

We have identified three main reasons why a data centre run by the likes of Google or Amazon is more secure than a stand-alone centre operated by the bank itself.

  1. The cloud is technically better
  2. Cloud provides more transparency
  3. Cloud forces banks to pay more attention to security matters

From a technical point of view, cloud is far more secure than anything banks currently have; in addition to the ongoing requirement to maintain software updates, cloud providers simply have more scale and backup resilience built into the system. Cloud vendors also provide more transparency by advising users how they should manage their security and utilise the cloud for maximum benefit. Security measures for cloud are publicly available yet remain highly secure, and there are no examples of security through obscurity.

Cloud providers are simply better at security than banks, and many people throughout the financial services industry are beginning to recognise and understand this. Before banks existed, the safest place to keep one’s money was under the mattress of a bed, guarded by one’s own lock and key. Nowadays, most of us realise that banks are much safer places to store our money; they are better suited to protecting our savings at a reasonable cost. Migrating to the cloud is similar; we need to overcome our fears and recognise that moving to the public cloud is a similar philosophical journey. A massive part of the security burden that banks already have to deal with is being moved to cloud-based platforms that are better equipped to manage this pressure.

However, banks are still reticent about migrating their business to the cloud. In the past they have adopted cumbersome solutions that were easy to circumvent because they simply adhered to existing company security policies; despite the fact that such solutions were not solving underlying security issues. This practice can no longer continue.

Banks who do not migrate to the cloud and who fail to take advantage of the most secure and transparent computing platform in the world today are actually undermining their security, and if they continue in this manner they will continue to be a target for innovative cyber criminals.

In my situation, I ‘only’ lost my bike after trusting in what I thought was a secure local on-premise solution. Banks with a lot more to lose should take steps to move to the most secure solution currently being offered; and with scale, focus and best practice this can only mean cloud.

 

TagsRisk & regulationInnovation

Comments: (19)

Kishore Meda
Kishore Meda - PGS Software - Reading | 22 August, 2017, 09:19

Points well made Stephan. The increasing adoption of cloud shows the direction of travel

1 thumb up! 1 thumb up! (Log in to thumb up)
Stephan Kotze
Stephan Kotze - GFT - London | 22 August, 2017, 17:08

Ta sir!

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 22 August, 2017, 17:41

All technically valid points but things can take on a different color when the commercial angle is introduced. That's because, just because cloud can automate backup does not mean that it will - most entry-level cloud plans don't include backup. If you want backup, you need to pay more. There are many more gotchas like that w.r.t. security, uptime, etc. I've covered them on the post entitled Thriving On Chaos Of SMAC Architecture on my company blog. As Gartner Research Director Yvette Cameron noted, SaaS deployments may require more resources than onprem deployments.   

When all these hidden costs are loaded, cloud can get quite expensive, as we've observed in many real-life migration proposals.

1 thumb up! 1 thumb up! (Log in to thumb up)
Graham Seel
Graham Seel - BankTech Consulting - Concord | 22 August, 2017, 19:51

Good post. The DTCC published quite a useful white paper in May in which they concluded that they couldn't afford not to move to the cloud, given the gap in security knowledge and capability. Having said that, particularly for smaller banks the complexity and impact on the current IT person/group shouldn't be underestimated. There is a good business opportunity for consultants who really understand a particular cloud platform (e.g. AWS), cybersecurity, and community banks or credit unions.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephan Kotze
Stephan Kotze - GFT - London | 23 August, 2017, 11:01

Hi Ketharaman

I hear you! :)

That being said though, same goes for on-prem really, backup doesn't come free here either. You still need to budget, build and support your backup infrastructure. You'll pay for it whichever option you choose (and hey, cloud storage is pretty cheap and you can replicate to so many locations (of your choice) across the globe at the click of a button (I'm slightly simplifying here I know) that you can have orders of magnitude more redundancy than with on-prem). Same goes for all the other aspects you mentioned (security, uptime...).

You are 100% that there is no free lunch here and a naive cloud implementation will leave you with suboptimal cost/benefits, however I suppose this is partly the point: the added transparency and tools available allow us (if done correctly) to not have a false sense of security (or efficiency).

Worth adding that this was written with more of an IaaS angle than SaaS, with SaaS being it's own beast (and pricing, support,... aspects).

Stephan

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephan Kotze
Stephan Kotze - GFT - London | 23 August, 2017, 11:04

Hi Graham, thanks!

Oh yes for sure, there is no magic fairy dust here! And if you do it badly, you're setting yourself up for a bruising.

Stephan

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 23 August, 2017, 11:23

@StephanKotze:

I agree but with onprem, customers are conditioned to budget separately for backup, uptime, and so on. With cloud, there's so much hype that cloud relieves customer of backup, and other infra hassles etc. that customers are lulled into a false sense of belief that cloud automatically means backup, etc. Hence the need to specifically reiterate this only for cloud. And to highlight that, when these costs are loaded up, cloud TCO can exceed onprem TCO in a hurry.

2 thumb ups! 2 thumb ups! (Log in to thumb up)
Stephan Kotze
Stephan Kotze - GFT - London | 23 August, 2017, 13:09

@Ketharaman

Indeed! and we ("Cloud enthusiasts") would be peddling snake oil if we did not give this due considderation when designing/selling public cloud solutions.

Stephan

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 23 August, 2017, 13:41

@StephanKotze:

That's precisely my point.

Not referring to present company but many cloud enthusiasts do seem to be peddling snake oil. Let me copy / paste the relevant passage from my aforementioned blog post to explain why I say this:

=====

#5. Excessive Hype

Hype is no stranger to the IT industry. However, in the case of SMAC architecture, it’s gone a bit too far and is causing a lot of operational chaos.

I got a glimpse of this when I recently visited a healthcare center in my neighborhood. I was asked to fill a registration form. I told the receptionist that I’d already registered with them during my previous visit. He told me that they’d lost all customer data when their server crashed two months before without any backups. But he assured me that they won’t have any problem from now onwards because they’d “shifted everything the cloud”. Obviously, he assumed that the cloud service provider would take care of backups and make the data available 24/7/364.

Big mistake.

View image on Twitter FollowGTM360 @GTM360

If ever you forgot it's *your* job to backup your cloud data, @HostGator will remind you.

I hope the CIO of this company knows better. But I strongly doubt it. Because it’s not just this random healthcare center.

Australian ATM networks recently went down because their cloud service provider suffered an outage. According to Finextra, there was no backup. Apparently, the leading banks to whom the ATM network belonged thought it was the responsibility of the cloud service provider to take the backup. And the cloud service provider countered by saying the banks’ hosting plan didn’t include a backup.

When such things happen even to seasoned technology users like banks, you know that the “cloud gets rid of all infrastructure worries” hype has gone a bit too far.

=====

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephan Kotze
Stephan Kotze - GFT - London | 23 August, 2017, 14:09

@Ketharaman

It does scare the feathers out of me when I think of all the "Cloud experts" potentially out there that may be doing just that and putting their clients (or their own organisations) at massive risk.


Though I suppose, the problem lies with people (assumptions, lack of skill, experience, current place on the tech curve and whatnot) rather than the underlying technologies.

I'd not want someone designing and building my on-prem solutions either if they "assumed" issues like Security/Backups etc. were magically taken care of by the infrastructure.

So perhaps the challenge is finding the right people/partners? which is tricky given the current supply/demand/hype cycle.

Stephan

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 23 August, 2017, 15:02

@StephanKotze:

IMO, the challenge is slightly different. The principles (i.e. PaaS / SaaS product vendors) are the ones creating the excessive hype. If implementation partners - who are agents of the principles - try to inject a dose of reality into customers, they'd be ones risking rejection by customers drunk on the Kool-Aid supplied by the principles.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephan Kotze
Stephan Kotze - GFT - London | 23 August, 2017, 15:59

@Ketharaman

Ooooweee, I like that!, very succinctly put and a heck of a way of looking at it!

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 23 August, 2017, 18:49

@StephanKotze:

TY for your kind words.

Since you liked that, here's another one: Whenever a cloud provider says "security", it means keeping customer's data secure from unauthorized third parties. That's the popular notion of security. But what about keeping customer's data secure from first party i.e. itself? IOW, what stops a cloud provider from using Bank A's data to provide insights to Bank B? How many banks will accept this? This surely can't happen in onprem.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephan Kotze
Stephan Kotze - GFT - London | 24 August, 2017, 08:33

Solid question.

The answer has a few layers to it.

First, a disclosure (Snake oil, transparency due diligence and all that ;))
If this was for a client project,

  • I would need to understand the actual use case to understand what is/is not possible/feasible.
  • I'd work with our security team and do more research as pertains to the requirements to make sure we the fully understand the solution and it's implications.


But since this is not the case, I'll do some rambling below.. (Again, mostly a IaaS slant on this, SaaS and PaaS will obviously encompass additional aspects)

This is where things like Google CSEK and AWS KMS come into play.
You encrypt your data using your own keys.


A quote from the Google CSEK page above "Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key."

So that's one part of the equation.

Next part
They providers are all very transparent about how they manage, distribute keys and implement security (even internally) via white papers, audit reports, conferences etc.
The reputational and legal fallout of a public cloud provider sharing your data without your consent/knowledge given their assurances would be immense and immediate.

So between the tools made available to users of their services and the risk posed to the providers themselves (+ their various auditers/certifiers) this is actually of less concern to me than things like the poorly architected solutions we talked about earlier.

Stephan

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 24 August, 2017, 09:34

@StephanKotze:

I'm copying / pasting my comment from another Finextra post entitled The Cloud is ready for Banks but are Banks ready for the Cloud?:

If I understand this and this FORTUNE magazine articles correctly, Salesforce and Oracle are planning to do something like this. Nature of insights include:

  • Is there a major client that you haven’t heard from in awhile or who has been name-dropping your competitor in email or on social media? It’s time to reach out.
  • If you have hundreds or thousands of sales prospects on a list, how do you tell the potential winners from the duds?
  • Detect if a competitor is mentioned on an email thread.
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephan Kotze
Stephan Kotze - GFT - London | 24 August, 2017, 09:47

@Ketharaman:

Aye,  but like I said, I'm talking more about IaaS here, SaaS/PaaS are different beasts and depending on the exact product you use, due diligence is needed in terms of Ts&Cs etc.

Stephan

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 24 August, 2017, 10:54

@StephanKotze:

Oh, yes, I remember you said IaaS before. For IaaS, the Google CSEK and AWS KMS extracts cited by you make it amply clear a PaaS provider can't even access Bank 1's data - let alone use Bank 1's data to provide insights to Bank 2.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephan Kotze
Stephan Kotze - GFT - London | 24 August, 2017, 13:44

Indeed!  

But then at the SaaS layer is where it gets more complicated again :)

Some SaaS products will hold and manage the keys for you. In which case the the IaaS "layer" (AWS/Google/Azure) vendors may not be able to see the data, but the SaaS vendor sure can.

And then some SaaS products do not keep the keys, the users have full controll and neither the SaaS provider nor Google/AWS can access it.

So here again it depends on how they've built their architecture, how transparent they are and what their Ts&Cs say.

Stephan

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 24 August, 2017, 14:13

Actually, since the end customer's data is held by the SaaS vendor, it will be the SaaS vendor - and not the end customer - who will be the PaaS vendor's customer and, therefore, the receiver and owner of the AWS / Google keys in the first place.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Stephan

Why migrating to the cloud offers more security than you might think

21 August 2017  |  6068 views  |  10 comments | recomends Recommends 0 TagsRisk & regulationInnovation

Stephan's profile

job title Solutions Architect
location London
member since 2017
Summary profile See full profile »

Stephan's expertise

Member since 2017
0 posts9 comments
What Stephan reads
Stephan writes about
Risk & regulationInnovation
Stephan's blog archive
August 2017 (1)

Who's commenting on Stephan's posts

Ketharaman Swaminathan
Graham Seel
Kishore Meda