Banking

Can the cloud be safe for banks?

Aditi Roy Ghatak considers the issues at stake for the banking industry to implement cloud technology. Here are some of the possibilities for this security-sensitive industry.

"We will never buy another data center. We will never buy another rack or server or storage device or network device again. I will never let any organization that I work for get locked into proprietary hardware or software again. I'll never tell my teams in the business that it will be weeks to get them hardware provision. I'll never pay up front for any infrastructure and certainly would never pay for any, or rent any, infrastructure that I would never use." - Michael Harte, CIO of Commonwealth Bank of Australia, in his speech to the Committee for Economic Development in Australia.

Cloud characteristics such as zero up-front capital requirements, shared service delivery over the internet, agility, and a pay-for-use environment have led some large banks, like ING, to proactively test the technology. While some banks are closely watching and looking for answers regarding cloud security and regulatory issues, others are not quite sure what cloud computing truly is.

High technology costs and under-utilized hardware are some of the major issues that big banks currently face. With the help of the cloud, banks may efficiently scale up operations without adding any costs, either on manpower or on hardware and software. Since the hardware and software are available on demand, the user pays only for what is utilized and need not make a huge initial investment.

One of the many problems faced by the IT departments of large banks is below-optimum usage of their computers. Generally, large banks deploy huge in-house capacity and more than adequate hardware, which later on is not used to the optimum. In such cases, the bank may switch a function such as treasury applications, if not the entire core banking services, to the cloud.

For small-scale banks it is not always possible to make an upfront investment in a core banking solution, which hurts their competitiveness. By moving to a subscription model, such banks can pay per use, per branch. Another issue commonly faced by small-scale banks is finding the right talent to manage the servers and hardware. Choosing the cloud solves that issue.

While there is no doubt that there are some clear benefits to implementing the cloud in the banking industry, the security and compliance concerns of such a sensitive industry have to be addressed in the best possible manner. The hybrid, or shared, IT infrastructure is one model that promises the variable costs, scalability, flexibility and on-demand availability sold by public cloud computing, while at the same time addressing the concerns of banks and financial services companies about security, compliance and performance procedures.

Financial services firm ING has partnered with technology giants such as IBM, Hewlett-Packard, Cisco, VMware and EMC to construct a large hybrid cloud, combining the features of public clouds and private data centers. ING's private cloud consists of a web of computing, storage, and network resources used as a service with automated, self-service provisioning. The kinds of applications currently planned for cloud computing at ING are general office apps, utility apps, and business apps.

Similarly, capital markets are a key growth market, where Microsoft has seen some of the major adoption of cloud services, driven by regulatory changes and, at the same time, the need to compete and curb costs. For instance, Misys and Temenos offer core banking applications via the cloud. Also, in investment markets, firms such as Wall Street Systems manage all their trade settlement on the cloud.

All banking applications and data are critical and confidential for the bank. Hence, it may take time to develop a cloud strategy before adopting the technology.

  • Determine the business functions that might be suitable for different cloud environments and classify your information assets by sensitivity.
  • Develop a comprehensive set of requirements specific to the lines of business and the specific business functions the bank will operate in the cloud.
  • Banks can consider a secure private cloud, with a contractual agreement under which the provider delivers a cloud-based, low-cost solution, takes complete responsibility, and fulfils all norms required by the customer.
  • Databases can be kept inside the bank, with only the application (SOA-based, multi-tenant architecture) placed in the private cloud, and the two integrated with each other (a typical secure hybrid cloud model).
18 comments
footprintless

A good topic but written with strong bias towards "The Cloud". The nanosecond you put anything in any "cloud" you are putting it in someone else's hands. That "someone" are the staff of the "Cloud" provider. And those people can make mistakes or be corrupted or quit or get sick just like the staff of any other company. They need to be hired and kept so how does that solve staffing problems? And hybrid means investment in equipment, infrastructure and staff -- the "private" cloud. Would the US Defense Department of the Pentagon put their data in "the Cloud"? The "Cloud" is just one more step toward totally eliminating all privacy. I will only put our data in someone else's hands if we cannot avoid it or cannot afford to do otherwise and then only the minimum necessary.

syosifov

Putting your data on the cloud is too risky of course. On the other side the appeal of the technologies is very strong. Also they continue to evolve. So to my mind it's a subject of a time. Perhaps one won't transfer an existing application directly to the cloud. Giving account to the specific challenges, respective research needs to be done to address them. And inevitably there will be failures sometimes. But bank robberies have happened and before the invention of the Computer.

dogknees

It just occurred to me that there doesn't seem to be much discussion about "remedies". That is, if the cloud provider does breach the terms of service, they get to pay you a bunch of money. This is pretty standard in most contracts, but seems notably absent in the IT world in general and the cloud service world in particular. Anyone like to venture any reasons this is the case, and why businesses put up with it?

ttx19

HELL NO IT IS NOT SAFE AT ALL THEY NEED TO SHUT IT DOWN NOW THE CLOUD IS A BAD THING AND NO ONE CARE WHAT A RIPE AND IF ANY ONE PUTS MY INFO IN THE CLOUD I WILL SUE THEM FOR ALL THEY HAVE

BALTHOR

However the cloud is as good as starting a brand new religion. I think there was a big redirect to attack computers. It could be that computers actually have stopped stuff like the measles and the mumps.

Spainkee

I believe Physical Security is a huge part of securing data. I find it ridiculous that anyone would rely on a third party for live data storage. Unless maybe music or Pictures. But Financial, Medical, Business critical data? First line of defense is a Physically Secured in-house Data Center. "The Cloud" seems to me to be a brain child of Storage Rich companies raking in the bucks off of companies with brainless lazy CIOs. It never took me 2 weeks to Provision new Hardware as the initial quote from the Aussie CIO stated. In-House Virtualization with a SAN solution. Easy Peezy....

mikef12

Somebody hacks in, steals your $$. You contact the bank for redress. They point to the cloud provider. You contact the cloud provider. They point to the bank. You contact..... Would this happen? Yes, with a probability of 5 nines. Any customer whose accounts are transferred to outside IT providers needs absolute guarantees of redress from his bank - failing that, should leave for another bank.

xbankr

The Cloud is a great way to go for a variety of applications within a bank including software distribution, contact lists, compliance info, appraisal and environmental reports, etc. However, when it comes to operating systems that involve sensitive client data associated with moving funds or balances, it will be necessary to demonstrate security. I sincerely question the ability to provide that as I am not so sure that sort of security exists. Banks are trusted because of their reputation and that reputation is not based on providing the key to the vault to an unknown third party. That said, I am amazed that people are willing to use their cell phones to effect transactions in their own personal accounts.

ttx19

You put my bank in the cloud and I will sue all of you, because I have found out the cloud is not safe at all. Only dumb people put info in the cloud.

Pete6677

Vendors love naive PHBs like Michael Harte. If his bank really allows him to implement this idea of never again buying any hardware and relying on proprietary outside vendors for everything, they will be taken to the cleaners. Has he ever heard of vendor lock-in? Cloud computing is a great addition to an IT infrastructure, particularly for things primarily used outside the company, but it cannot completely replace the corporate IT department.

Michael Kassner

You stated: "One of the many problems faced by the IT departments of the large banks is that of below-optimum usage of their computers." What are your sources for that statement?

chaz15

You mean there might be an actual pot of gold at the end of the rainbow? Can't see the banks risking 'Cloudy days' though. It would only take one good hack to empty their coffers!

tom.marsh

If your bank has a lot of "unused server capacity" laying around you need to investigate why your Admins and engineers didn't size your virtual-machine infrastructure correctly. Don't use "doing a bad job" by an individual as an excuse for switching to cloud services when you could solve the problem just as readily by replacing the admin with somebody competent.

tom.marsh

The Russian mob thanks you for making it that much easier to steal your data and then your customers' money. Or, rather your "soon-to-be-ex-customers" money.

tom.marsh

"Errors & Omissions" liability insurance policies generally have a dollar limit on liability covered, so a company offering an unlimited guarantee would basically be covering the difference between that limit and actual damages to a customer out of pocket. I have no idea how to change this reality, though... If you're an insurance provider, it would be extremely complex (more so than normal insurance calculations) to figure out what that liability really costs the insurer to cover in order to properly price a policy. Because of that, there is a lot of risk that even if a policy is written the insurer could have significant un-hedged risk if they calculate incorrectly, or if they're not conducting regular (expensive) audits of the insured company to make sure the risk of liability hasn't increased since the policy was written.

Dr_Zinj

I haven't seen a single U.S. bank with an on-line system that isn't so full of holes it looks like Swiss cheese. I trust the U.S. mail for bank statements and sending bills. I trust working with a teller, or occasionally an ATM (although even ATMs are vulnerable to hacking.)

tom.marsh

I'm not sure how what you've said justifies taking on even more risk with a third-party. My bank's solution is very secure, and I feel a lot of confidence in it. If your bank doesn't give you the same warm-fuzzy you may want to investigate alternatives.