First it was software off a shelf. Then it was solutions developed, installed and maintained by providers. The current hot topic in business technology is software as a service, or some other form of cloud computing. They all represent leaps forward in productivity, capability and profitability to banks. What they all have and continue to require, however, is an acute focus on and control of risks.
It is pretty much a given that the use of outsourced services delivered over the internet, as opposed to maintaining software and other infrastructure in-house, will grab hold of business.
"It's a tidal wave that's going to engulf us all within the next five years," predicts Ron Catrone, senior vice-president and chief information officer, Farmington Bank, Farmington, Conn.
Peter Graves, CIO, Independent Bank, Ionia, Mich., says in his blog "Tech Without Hype," on ababj.com, that cloud services will be a $160 billion industry by the end of 2011.
"There are a lot of positive reasons to adopt cloud computing as a technology or to add functionality," says L. Randy Marsicano, manager of professional services for WolfPAC Solutions Group, and a speaker at this year's ABA Risk Management Forum. "It reduces cost in your organization. You don't have to take on additional hardware. You don't have to have additional resources. Your time to market is quicker. It's a way to implement cutting-edge technology without the cost associated with it."
Risks, but known risks
As with all technology, there are risks involved. The fortunate thing, though, is that with cloud there are no new risks involved.
"The worst-case scenario doesn't change, regardless of infrastructure," says Brett Wilson of Trustwave, an information technology and compliance company that offers cloud services for merchant banks. "The worst-case scenario for any organization around IT security is breaches, the notifications that go along with those, financial loss, reputational damage and regulatory actions that might result."
Marsicano, in a presentation, listed seven cloud-computing risks that banks and other businesses have to be aware of:
* Increased dependency on a third-party provider.
* Loss of control over the physical and/or logical environment affecting data.
* Loss of availability should the cloud provider have a service interruption.
* Privacy and legal liability in the event of a security breach.
* Difficulty defining exact locations of data.
* Commingling of data.
* Difficulty of protecting trade secrets.
"It really boils down to three things: privacy, availability and obsolescence," says Marsicano. "Is the information secure? Is the information always available to customers, clients, internal operations that rely on that information? Are you making sure that the systems don't get old and outdated?"
But there are specific threats with the cloud. A not-for-profit organization called the Cloud Security Alliance focuses on this issue. In a very general sense, it lists seven top threats involving cloud computing: abuse and nefarious use; insecure application programming interfaces; malicious insiders; shared technology vulnerabilities; data loss or leakage; account, service and traffic hijacking; and other, unknown risks.
Dan Fisher, another ababj.com blogger ("Beyond the Bank"), warns about risks as well. "Where is your data stored? How is it being cared for? What firewalls are in place?" he asks. He recommends banks perform due diligence to answer such questions.
Regulatory vacuum
No banking regulator has yet to issue any formal guidance or policy statement regarding cloud computing. "It's that new of a phenomenon," says Catrone. When he brought the issue to his state and federal examiners, he says: "They will tell you that you need to take precautions in terms of using a reputable provider, that you document their security precautions and their security controls."
One government agency, at least, has started formalizing security controls for cloud computing--the National Institute of Standards and Technology (www.nist.gov), part of the Department of Commerce. In February NIST issued two proposed documents--a definition of cloud computing, and, most notably, guidelines on security and privacy in public cloud computing.
The basic points of this latter draft document are:
* Entities, including private businesses, should carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
* They should understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
* They should ensure that the client-side computing environment meets organization security and privacy requirements for cloud computing.
* They should maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
In general, the draft report notes: "Cloud computing technologies can be implemented in a wide variety of architectures, under different service and deployment models and can coexist with other technologies and software design approaches. The security challenges cloud computing presents, however, are formidable, especially for public clouds whose infrastructure and computational resources are owned by an outside party that sells those services to the general public."
Back to basics
One point to note here is that there is no single form of cloud computing. Marsicano lists three service models: software as a service; platform as a service; and infrastructure as a service. These types of cloud computing service models can be delivered using four different deployment models: private cloud; community cloud; public cloud; and hybrid cloud. What this means is that bankers seeking the advantages that some form of cloud computing could provide them must know, at the least, what questions to ask when they approach a provider.
"You want to make sure you have adequate policies and procedures in place," says Marsicano. "You want to make sure that you will perform your risk assessments on your technology and on your business processes and business functions from a customer information standpoint. You want to make sure you do your vulnerability scanning like you normally would do as part of your regular audit cycle."
Says Brett Wilson: "It comes back to the standard way that banks are going to do operational risk management and information security in the first place. What are the functions of the application that are manipulating the data? What would happen if this data became public? What would happen if a cloud vendor had access to this data in a way that [the bank] didn't control? What would happen if the application itself became unavailable because it was in the cloud?"
A major point Wilson makes is the need to make sure both the bank and the vendor are crystal clear on who is responsible for what.
Catrone--whose bank has yet to adopt cloud computing but has considered it--says, "It comes down to some degree of trust." He notes that the vendors he's approached provide extensive and convincing documentation about security measures and procedures. "Look at [a vendor's website] and see what they do concerning security. It's their business. It's their reputation. If they have a breach or if they have a failure that causes losses to hundreds or thousands of customers, they are out of business."
Still, he notes, "You can do all those precautionary steps but you never really know what happens inside the black box. We have to work that out as an industry and as a regulatory issue. The economics of it are going to force it."
Tech Topics goes weekly
Readers of the print Tech Topics can now get information weekly on the latest tech-related research, relevant new products and services, reports from live and online events, and exclusive interviews in our Tech Topics e-newsletter. Sign up for the free newsletter by going to www.obabj.com/e-newsletters.htm
BY JOHN GINOVSKY, CONTRIBUTING EDITOR