Can cloud be more secure?

When the question first 
comes up around the boardroom table—“Should we move some of our core systems to the cloud?”—the instinctive response may be one of rejection.

The thought that the bank’s confidential data entrusted to it by customers, the products and services it offers, and the proprietary work of the bank’s staff could somehow lurk “out there,” seems irresponsible. After all, news comes often enough of one breach after another of big companies. And regulators continually harp on the need to manage third-party risk.

What some bankers, cloud providers, and analysts are saying is that the concept of “banking in the cloud” may be either oversimplified or misunderstood.

Here are comments from two providers who offer cloud solutions as part of their product mix.

“The earliest discussions around cloud are, ‘I don’t want to do that. That’s not very secure.’ In fact it can be quite the opposite,” says Scott Hansen, senior vice-president, D+H. “When you take a look at security breaches, often it happens with static data stored on machines. That’s when breaches occur. The concept of a cloud environment is one where nothing is stored locally.” In other words, data or the unauthorized access to data simply is not available on easily stolen or hacked user devices when the data resides with a cloud host.

More than a few banks appear to accept this view. D&H says its Compushare C3 cloud solution hosts the core banking systems of more than 700 banks.

CSI, which also provides cloud hosting to many banks, takes a somewhat different approach when prospective clients voice security concerns.

“The main thing I tell customers is you can outsource your IT systems. You can even outsource your IT management. But you can’t outsource the responsibility of your data,” says David Malcom, vice-president of managed services.

That means being able to go to a cloud provider’s physical plant periodically to see how things are set up, how things are handled, what security layers and procedures are in place, and understanding the whole setup. The ability to do that is an important component of choosing a given partner.

Peter Graves, CIO, Independent Bank, $2.3 billion in assets, Ionia, Mich., is a strong proponent of outsourcing to cloud hosts, but remains wary.

“The only way to do this is by doing your homework,” he says. “What you don’t know is going to hurt you. That also pertains to the vendors you might partner with when you outsource. You really have to look at compartmentalizing that outsourcing and look at those pieces that make the most sense, and then try to find the right vendors that fit.”

His bank relies on the cloud for its core systems, as well as some HR systems. Later this year they are looking to outsource their mortgage origination system.

Beyond security, what?

Once the security aspect of cloud hosting is at least held for further consideration, banks are acknowledging the positive aspects of cloud hosting—economics, competitiveness, management, and more.

“It’s not too many years ago that moving to the cloud meant getting rid of the racks and turning the old data center into an employee lounge, and you wouldn’t need as many IT people. That’s the hard-cost reduction,” says Hansen. Now, he and others say, there are other aspects to consider:

 • “Customers like the transition from a capital expense type of expenditure to an operational expense, where their IT management can move into a…monthly perspective instead of having capital expenditures that have to get depreciated over time,” says Malcom.

 • Another driver is “the life cycle management of all these systems and platforms and the maintenance, patching, and making sure they’re secured and up-to-date. All of that life cycle management is a huge cost and burden and detracts from what you should be doing, which is making yourself more competitive,” says Graves.

 • “It’s a business continuity move,” notes Hansen. “If there’s nothing stored locally, and all your machines get destroyed, getting back up and running is nothing more than running down to Best Buy and buying some new PCs.”

Security, though, is still what it often comes down to, and the two bank vendors we spoke with make two further points in that regard.

On the one hand, says Hansen, “If you’re a $100 million bank, in essence you have to tackle the same in-house hardening and security as a $10 billion bank.”

On the other, says CSI’s Malcom, cloud hosts “have teams of people who are dedicated to security. Teams of people who are dedicated to compliance. And teams of people who are dedicated to internal auditing functions to make sure those other areas perform the way they are supposed to perform.”

From bank CIO Graves’ point of view, deciding to host systems in the cloud is something to seriously consider in an informed way.

“With the economies of scale that you can achieve through the right providers who do this day in and day out—if you find the right providers—it’s not only economically going to make sense, but they are better at managing risk. They keep your systems more up to date. They’re going to be able to keep the lights on and make sure things get done,” says Graves.

Just as important, he adds, “it gives you an advantage over your competition.”

The big decision

Deciding when and what to transition to the cloud may not be easy.

“There’s a time and place for the transition,” says Hansen. “It’s not six months after you’ve just replaced all your PCs or reinvented your entire data center. But hardware has a shorter and shorter average depreciated life span. We’re finding there are moments of opportunity in a three-to-five year cycle.”

Also, says Malcom, “Some bank customers outsource to us just the core processor. Some outsource just IT management. Then there’s a huge number of systems that can be outsourced. It’s a pretty broad topic.”

An important step, says Graves, is to develop a multiyear plan, based on a lot of research, testing, and consulting.

“If a bank is not looking at this and hasn’t a plan out there, they are going to be at a disadvantage,” says Graves, adding: “Those who don’t look at this are missing the proverbial boat, and it’s a lifeboat, not a cruise ship.”

Cloud scrutiny

Regulators and other standards keepers have weighed in extensively regarding responsibilities and accreditation of cloud-hosting providers as they relate to their financial institution clients.

For example, the Federal Financial Institutions Examination Council requires that if the financial institution allows its data to be hosted in the cloud, the board of directors and management remain responsible to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations. At the same time, FFIEC has statutory authority to supervise third-party services.

If any sort of credit card processing is included in the cloud services, the PCI data security standards come into play. As noted in the PCI DSS cloud guidelines, “Cloud security is a shared responsibility between the cloud service provider and its clients…PCI DSS will apply to that environment and will typically involve validation of both the CSP’s infrastructure and the client’s usage of that environment.”

Added to this are audit requirements, known as service organization control (SOC) reports under guidelines set by the American Institute of Certified Public Accountants.

“At a minimum there should be an annual touch point between the [financial] organization and the cloud provider to review the SOC reports that the cloud provider have gone through and written up,” says CSI’s David Malcom. “They are a way to see what types of controls and procedures the cloud provider had tested and what their performance against those tests were.”

“While these certifications provide a good starting point for banks and other financial institutions seeking to deploy their applications in a hybrid or public cloud,” says Jim O’Neill, senior analyst with Celent, “the financial institution still needs to be vigilant in regard to the security of its own application environment. Best practices include rigorous access control policies, strong user authentication practices, and the use of encryption wherever customer data is concerned.”