While cloud computing represents one of the most promising new playing fields in information technology, many of the security concerns that accompany the emerging technology are extensions of those encountered in the traditional data center environment: trust in the technology provider's security mechanisms, the ability to identify and authenticate users, and the need to audit all access and changes. How banks handle those issues might determine whether the industry widely adopts various cloud services in the future.
Indeed, a key issue for any bank looking to leverage an external cloud is trust, says Timothy Brown, SVP and chief architect for security management at Islandia, N.Y.-based CA. "When you think about what the cloud normally does, you are transferring some of your data into the hands of an unknown third party," he says. "In doing that, you're losing some control. But often that control can be made up in the SLA [service-level agreement] -- it can be made up in contracts and it can be made up in transparency."
Brown stresses that banks looking for a cloud provider must do their homework, determining whether providers have sustainable business models and what is covered under any SLA. Additionally, banks should look at the cloud provider's overall security policies -- how it protects data and how it manages user privileges and access for IT staff. And once an agreement has been reached with a cloud provider, Brown advises, the bank should extend its IT auditing processes to regularly test how well the provider is maintaining security.
Julien Courbe, partner and financial services technology advisory lead at PricewaterhouseCoopers, says, "We recommend our clients undergo third-party audits. We also recommend having clear language in the contract regarding the exit or termination strategy. Don't become dependent on the cloud provider to the point where you can't switch providers or bring the information back in-house."
Cloud data centers are not regulated, and there is no certification specific to providing cloud data services, points out Nico Popp, VP of product development at VeriSign (Mountain View, Calif.), who says identity management and data access are significant factors in cloud security. "You need a trust framework, and the question is then, where do you start?" he relates. "We believe the right place to start is access and identity management."
Banks have a unique role in evolving identity management with cloud services, Popp adds. Banks already have extensive experience with access and identity management issues, he explains, so they are uniquely positioned to work with cloud providers.
"Identity [management] is the most acute problem" with external cloud services, Popp continues. "Who has access to my data? We think we'll see identity as the No. 1 issue, and that will lead to two things: certification and identity policies."
In the meantime, cloud adoption among banks is on the rise, and, according to CA's Brown, banks have an opportunity to make the most of the evolution in data management and computing that the cloud offers. "We need to take advantage of this transition and use it to increase security," Brown says. "The consumers of these services really have the ability to ask us as providers to build more security."