Banks have often looked upon the public cloud with suspicion, cautiously stepping around it while initially preferring the private cloud model as the most secure option in their view. The half-way house is the hybrid cloud model, which allows sensitive transactional data to be locked up in a private cloud, while public clouds have been the preserve of non-sensitive data for standardised workloads and for software applications such as shared email. However, they’ve now stepped out from behind their dams to test the waters of hyperscale computing.
This trend raises the question of whether banks have opened a new chapter, to be on the same page with the public cloud. It’s true they are increasingly looking to the public cloud, but not always, because too many projects or platform migrations end up being more expensive over the longer term than was first thought. David Reilly, the CTO of Bank of America, positions it as follows:
“Twice a year the team does a benchmarking exercise that analyses the company’s infrastructure inventory, the price paid for it and compares it to the current selling price. When we benchmark the price points in the public cloud against what we’re able to provide internally – and we have years of benchmarking under our belt now – the economic delta’s just not there yet,” he says. He adds that he finds no economic reason to move to the public cloud.
Tesco Bank breach
Prying questions about how secure their systems actually are have also often been met with a diversionary response worthy of any politician. Yet security has always been their main concern, and they have always wanted to present themselves as being secure when this isn’t always true.
There are a number of examples that show that the banks are still prone to data security breaches. Tesco Bank, for example, had to freeze its online operations in November 2016. The attack led to £2.5m being stolen from 9,000 customers’ accounts. This money was quickly refunded to the bank’s customers, but it was initially feared that 20,000 customer bank accounts had been compromised. Fortunately customers weren’t completely left stranded without cash. They were able to make cash withdrawals, make direct debits and use their chip and pin cards while online transactions were blocked until the bank could bring the situation under control.
The bank opted not to disclose any further details about the attack. Security – including cloud security – remains a touchy subject, but attacks like this can damage a brand’s reputation and its customer relationships. So has there been an advancement in security over the last five years? The evidence suggests probably not in some cases. In 2016 cloud security firm Bitglass found that one in five breaches over the last 10 years were caused by hacking. It also revealed that more than 60 financial services organisations have suffered from being the target of recurring breaches during the course of the last decade.
JP Morgan Chase breach
JP Morgan Chase – the largest bank in the US – has suffered from several recurring breaches since 2007. A cyber-attack in 2014 was the biggest one against it. As a result of the breach, 76 million US households were affected. However, the bank also suffered due to the loss or theft of devices, unintended disclosure and payment card fraud. Nat Kausik, CEO of Bitglass, therefore advises banks to stay one step ahead to protect data as it moves beyond the corporate firewall. He stresses that firms must encrypt cloud data while it’s at rest, control access by contextual risk and protect data on devices they don’t manage – such as personal devices used by employees to complete their work.
In other words, to instil more confidence in the public cloud, banks should be looking at ways to accelerate their data to minimise the window that can allow hackers time to attack. With so many data leaks and with increases in identity fraud, one could argue that banking customers’ perceptions in the face of a number of data breaches have been one of the key factors holding back the adoption of public cloud for banks. The other is regulatory scrutiny.
The financial services industry is highly regulated, and its organisations often fear rigorous regulatory scrutiny in case they are compromised by significantly damaging data breaches at one of their cloud vendors. Yet the banks have been testing the public cloud without publicising it. The focus of these tests has primarily been on moving their infrastructure. The fact is that banks can no longer avoid migrating some of their applications to the cloud, and to the public cloud at that.
Traditional legacy processes within banks and other financial institutions have grown over the years; they are heavily regulated and controlled, and any new application that’s bolted on must go through years of planning and risk assessment. But with so many start-ups in the fintech industry snapping at their heels, taking many aspects of their business-to-business and business-to-consumer operations away from them, they are now having to respond to these challenges.
However, it is not only the completion of these cloud projects that is driving change; their customers’ demands are too. The next generation expects to be able to transact everything online and instantly. Everyone has become impatient in today’s internet world. As a result, many cloud providers have taken on and resolved many of the security and access control concerns that previously dogged the financial markets, bringing with this security improvement a new opportunity to embrace the public cloud.
Now that the cloud providers have taken on and resolved many of the security and access control concerns of the financial markets, there’s a whole new opportunity for these organisations to use the public cloud and the benefits it brings, such as hyperscale computing. Such have been the advancements in the security of the cloud providers that last summer De Nederlandsche Bank, the Netherlands’ national banking regulator, cleared Amazon Web Services for a range of banking services.
In fact, some banks such as Capital One are intending to move most of their data into the public cloud by 2018. The ultimate endorsement for the public cloud is that the USA’s Financial Industry Regulatory Authority (FINRA) processes 90 per cent of its data – including all of its market surveillance capabilities – on Amazon Web Services (AWS)!
With access to the public cloud there are many cost savings to be had in terms of instant, on-demand computing power for special projects and big data analysis. A major American investment firm, for example, often uses AWS in this way to run credit risk simulations. These public cloud-based simulations test and analyse its long-term debt and equity-backed securities in its London branch. The public cloud is also being used by this organisation to enable it to attain extra capacity during an expected peak demand, such as credit card transactions on Black Friday, or as a rapid development environment.
So the public cloud does have a place in big banks and in other financial services organisations. Yet with data breaches being ever prevalent, they need to do more to secure their customers, their businesses and their brand reputations. Improved security can be achieved between clouds – public or otherwise. This begins, as Kausik suggests, by encrypting the data at rest before it starts its journey to the cloud. The faster the data flows, the harder it is for hackers to intercept the data.
WAN optimisation solutions can’t help here because they can’t accelerate encrypted data. Banks and financial services organisations therefore need to consider other options, such as PORTrockIT, which reduces data latency and securely accelerates data – enabling the public cloud to become a serious option. A solution like this makes it possible to be on the same page as the public cloud, or with the cloud generally, because financial services organisations should be backing up their data in real-time in some cases. They also need to have the ability to restore that data fast, or to ensure service continuity whenever a data breach has occurred. This aside, some banks are increasingly on the same page with the public cloud, but they still need to work on securing their data.
David Trossell, CEO and CTO, Bridgeworks