Security does not come embedded in a cloud service, nor are cloud services something you can choose to avoid, panellists discussed during one of the opening panels at Sibos 2019, London.
Kris Lovejoy, global cybersecurity leader at EY, said, “Security does not come with cloud as a seat belt does in a new car.”
The panel discussed the use of cloud being unavoidable on account of the likelihood of any partner or third party using it. And it is very much up to the individual organisation to carry out risk assessments. “Even if you are not using cloud, someone you work with will be,” said Lovejoy.
Lovejoy asserted that the decision to use cloud is a business risk one and not a tech one, contrary to much popular industry dialogue. “Complexity equals risk; one mistake can be replicated many times in a cloud environment,” she said. Automation, however can help this.
The decision needs to be considered and very bespoke. “We need to avoid the lemming effect, Sergey Putyatinsky, deputy chairman of the board, Credit Bank of Moscow, said.
Penetration testing is crucial, urged Sergey. “Standards are not enough, you can have all the ISOs and still be vulnerable.” The industry needs to establish best practice principles and the regulators need to improve their engineering prowess in order to help, the panel discussed.
Should regulators help?
“Regulators do not have the competencies to oversee cloud, their engineering skills are not there yet. They are important for audit processes, but we can’t rely on regs to ensure cloud is secure,” said Andrew McCormack, chief information officer, Payments Canada.
“Sixty per cent of data breaches or hacks come from insiders,” he continued.
The benefits, however, make it a no-brainer
Despite pressing home the risk factors and security considerations around cloud, the panel posited the enormous benefits to be gleaned, making for a compelling proposition.
“With the cloud you have ability to surge and expand capacity to meet demand at such speed. It is now critical to success of business in this day and age. The AI and analytics capabilities is something that is beyond the reach of an on-premise environment or in-house,” said McCormack.
Lovejoy outlined the vast capability cloud offers in terms of app development.
“Implementation timescale for an app has gone from a year or two, to an hour. Yes, it introduces risk but the benefit far outweighs it,” she said.