|By Kevin Nikkhoo||
|September 4, 2012 01:45 AM EDT||
Last month the Federal Financial Institutions Examination Council (FFIEC) shared an opinion on the viability and security of cloud computing. In the four-page statement, the interagency body empowered to prescribe uniform principles, standards, stated that cloud computing is “another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.”
What they are offering is a back-handed endorsement of cloud computing with the caveat that if you perform your due diligence and the solution passes the security smell test, there is no reason why a financial institution cannot enjoy the full scope of cloud based benefits.
Like most other industries on the planet, banks, credit unions, investment brokerages, hedge funds, title and mortgage companies, credit card enterprises outsource certain parts of their business for a variety of reasons. In some cases, it is a skill that is outside their core competencies like the physical transference of currency (armored cars). For others it incorporates economic and efficiency factors like reducing and controlling costs, expanding operational capacity, and employing best-of-breed philosophies. Regardless of the reasoning, outsourcing is an integral part of international business standards.
“Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.” FFIEC Information Technology Subcommittee July 10, 2012
This is especially good news for credit unions and other smaller finance-centric enterprise organizations on the hook for compliance, heightened data and asset protection and access control just like their multi-national brethren. In that the FFIEC has labeled cloud computing as an acceptable practice, I want to focus on three specific callouts that directly affect how and why security managed from the cloud (aka cloud-based security) fits with the strategic technology goals of any financial institution.
- Legal and Regulatory Considerations All financial institutions operate under the heavy scrutiny of federal, state, local and industrial standards. It demands a certain degree of transparency (as well as privacy), a certain reliance on reporting and auditing, and heavy emphasis on compliance with various requirements. Although a serious and very complex issue, the ability to depend on several factors managed from the cloud, eases some of the burden. Regardless of where sensitive financial, personal and transactional data and is stored security-as-a-service typically provides the best-of-breed oversight institutions demand. Strictly from a security management perspective, understanding who and how and when any endpoint is attempting to access or ping a network asset at any time day or night is not only good practice, but a strict edict of laws like PCI and Sarbanes Oxley. But taken one step further, the ability to look beyond the obvious brute force attacks, the ability to instantly analyze traffic from a variety of silos and the ability inform, escalate and report any anomalies bases on strict interpretation of the law, creates. The cloud fits this stratagem simply by providing the additional expertise, faster and more accurate auditing and more “bang for the buck.
”I recall what a Network Apps Manager from Texas Capital Bank stated in a recent conference: "We get audited. We get audited a lot! In the span of a typical year we are audited by 6 different external and regulatory compliance groups." I get dizzy just thinking of the constant drain on resources it takes to keep up with it all. Not to put a fine point on it, but just consider the manpower, reporting and computing relief an organization can experience simply by outsourcing Identity Management to provision and de-provision users , customers and vendors...not to mention the additional control from SaaS Single Sign On.
- Holistic InfoSec All Financial institutions are typically at the center of many hacking attacks. The rule of thumb with cloud-based (or really any security strategy), is don’t worry about the attacks you can see coming. Most of the truly devastating breaches come from more insidious sources that are quiet and subtle. It is these types of assaults that look for cracks in a multitude of small, seemingly insignificant corners. This is why any strategy must contain a holistic approach. One that looks at and ties together the various and varied silos of information. This situational context approach identifies issues that might not raise red flags in one silo, but when correlated with other data points might require reporting, escalation and instant remediation.
And it’s no secret that global hackers have set their sites on American financial institutions but if you are running a credit union in Watertown, MN, do you need to fear nation-state cyber-terrorism? Probably not as much as Citibank, but shoring up your network perimeter is a must. Solutions like SIEM and Log Management have an excellent track record managed from the cloud. Other considerations such as careless third party users and employees, password mismanagement, poor vetting of third-party security protocols, access controls, must be addressed to achieve a true holistic approach strategy. But for that credit union in Watertown or the title company in Carpenteria, CA there is limited budget to apply such an enterprise strategy. And that’s where cloud security comes in as a huge benefit. Security-as-a-service is typically a cash flow positive endeavor. This means there is no capital expenditures (it’s all OpEx) and there is no ROI lag time in terms of buying an expensive server or waiting 6 months to develop and deploy and appropriate program. Zero day deployment and pay-as-you-go scalability provide immediate return and immediate coverage.
- Data segregation and recoverability: The nature of this issue is the overall security of data regardless of where and how it is stored. There are many whose lack of trust in the cloud prevents them from seeing that just because data is sitting on a server outside their four walls, means it is any less secure. By using the advice of the FFIEC, applying risk assessments against any outsourced solution, . It’s the same for any investment. If you do poor research on a electronic lock company, there are catastrophic risks involved. Many cloud providers invest a great deal in their security features. And of course, a company the sells security-as-a-service, must be as or more bulletproof than any on premises alternative in its ability to maintain data security, IT integrity and guaranteed continued service.
Now this isn’t aimed so much at Bank of America or Goldman Sachs, but rather “Main Street” institutions who don’t have a spare $100K waiting to spend on on-premise servers, $1 million to develop and deploy a holistic security strategy and another $150K for dedicated analysts to monitor activity around the clock. Cloud-based security provides more functionality, greater scope, and greater manageability than a typical local institution can afford to do in house. Through multi-tenancy, economies of scope and leveraged enterprise best-of-breed expertise and capabilities, every financial institution can benefit from top-class security…as long as they do their homework!
As with any business decision, whether to migrate certain aspects of enterprise operation to the cloud, depends on several factors. Does it promote your strategic and tactical plans/goals? Have you done your homework and made sure both the vendor and the solution are a good (and trustworthy) fit? Does it provide ROI in a reasonable/expected time frame? Does the reward outpace the risk? Is the risk manageable? I could go on. But the argument is no longer be should I utilize the cloud. The better question is in what situations and how do cloud based solutions create benefit and advantages for my company?
If you wish to learn more about the application of holistic security, read the white paper: Applying Security Holistically from the Cloud: A Paradigm Shift Applying Situational Awareness in SIEM Deployments.
SYS-CON Events announced today that Micron Technology, Inc., a global leader in advanced semiconductor systems, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Micron’s broad portfolio of high-performance memory technologies – including DRAM, NAND and NOR Flash – is the basis for solid state drives, modules, multichip packages and other system solutions. Backed by more than 35 years of technology leadership, Micron's memory solutions enable the world's most innovative computing, consumer,...
Sep. 2, 2015 05:30 PM EDT Reads: 257
SYS-CON Events announced today the Containers & Microservices Bootcamp, being held November 3-4, 2015, in conjunction with 17th Cloud Expo, @ThingsExpo, and @DevOpsSummit at the Santa Clara Convention Center in Santa Clara, CA. This is your chance to get started with the latest technology in the industry. Combined with real-world scenarios and use cases, the Containers and Microservices Bootcamp, led by Janakiram MSV, a Microsoft Regional Director, will include presentations as well as hands-on demos and comprehensive walkthroughs.
Sep. 2, 2015 04:45 PM EDT Reads: 387
In his session at @ThingsExpo, Lee Williams, a producer of the first smartphones and tablets, will talk about how he is now applying his experience in mobile technology to the design and development of the next generation of Environmental and Sustainability Services at ETwater. He will explain how M2M controllers work through wirelessly connected remote controls; and specifically delve into a retrofit option that reverse-engineers control codes of existing conventional controller systems so they don't have to be replaced and are instantly converted to become smart, connected devices.
Sep. 2, 2015 04:15 PM EDT Reads: 207
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advanced analytics, and DevOps to advance innovation and increase agility. Specializing in designing, imple...
Sep. 2, 2015 04:15 PM EDT Reads: 347
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device access to health records while reducing operating costs and complying with government regulations.
Sep. 2, 2015 04:00 PM EDT Reads: 276
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some form of XaaS – software, platform, and infrastructure as a service.
Sep. 2, 2015 04:00 PM EDT Reads: 1,577
With the Apple Watch making its way onto wrists all over the world, it’s only a matter of time before it becomes a staple in the workplace. In fact, Forrester reported that 68 percent of technology and business decision-makers characterize wearables as a top priority for 2015. Recognizing their business value early on, FinancialForce.com was the first to bring ERP to wearables, helping streamline communication across front and back office functions. In his session at @ThingsExpo, Kevin Roberts, GM of Platform at FinancialForce.com, will discuss the value of business applications on wearable ...
Sep. 2, 2015 04:00 PM EDT
The 3rd International WebRTC Summit, to be held Nov. 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA, announces that its Call for Papers is now open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 15th International Cloud Expo, 6th International Big Data Expo, 3rd International DevOps Summit and 2nd Internet of @ThingsExpo. WebRTC (Web-based Real-Time Communication) is an open source project supported by Google, Mozilla and Opera that aims to enable bro...
Sep. 2, 2015 03:45 PM EDT Reads: 1,559
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
Sep. 2, 2015 03:30 PM EDT Reads: 1,640
SYS-CON Events announced today that the "Second Containers & Microservices Expo" will take place November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities.
Sep. 2, 2015 03:15 PM EDT Reads: 623
WebRTC services have already permeated corporate communications in the form of videoconferencing solutions. However, WebRTC has the potential of going beyond and catalyzing a new class of services providing more than calls with capabilities such as mass-scale real-time media broadcasting, enriched and augmented video, person-to-machine and machine-to-machine communications. In his session at @ThingsExpo, Luis Lopez, CEO of Kurento, will introduce the technologies required for implementing these ideas and some early experiments performed in the Kurento open source software community in areas ...
Sep. 2, 2015 02:15 PM EDT
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Treloar, President and COO of Bebaio, will explore examples of brands transforming their businesses by t...
Sep. 2, 2015 02:00 PM EDT Reads: 264
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Sep. 2, 2015 01:30 PM EDT Reads: 938
While many app developers are comfortable building apps for the smartphone, there is a whole new world out there. In his session at @ThingsExpo, Narayan Sainaney, Co-founder and CTO of Mojio, will discuss how the business case for connected car apps is growing and, with open platform companies having already done the heavy lifting, there really is no barrier to entry.
Sep. 2, 2015 12:45 PM EDT Reads: 194
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Sep. 2, 2015 12:15 PM EDT Reads: 414
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal an...
Sep. 2, 2015 11:30 AM EDT Reads: 1,997
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
Sep. 2, 2015 11:15 AM EDT Reads: 185
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and analyzed? As an area of investment, how might a retail company move towards an innovation methodolo...
Sep. 2, 2015 11:15 AM EDT Reads: 494
The Internet of Things is in the early stages of mainstream deployment but it promises to unlock value and rapidly transform how organizations manage, operationalize, and monetize their assets. IoT is a complex structure of hardware, sensors, applications, analytics and devices that need to be able to communicate geographically and across all functions. Once the data is collected from numerous endpoints, the challenge then becomes converting it into actionable insight.
Sep. 2, 2015 09:00 AM EDT
Contrary to mainstream media attention, the multiple possibilities of how consumer IoT will transform our everyday lives aren’t the only angle of this headline-gaining trend. There’s a huge opportunity for “industrial IoT” and “Smart Cities” to impact the world in the same capacity – especially during critical situations. For example, a community water dam that needs to release water can leverage embedded critical communications logic to alert the appropriate individuals, on the right device, as soon as they are needed to take action.
Sep. 2, 2015 08:45 AM EDT