By Paige Leidig, CipherCloud
The financial services industry is increasingly adopting cloud computing. There’s no denying the compelling advantages of moving to the cloud – reduced cost, greater flexibility and scalability, increased mobility, and faster deployment, to name a few.
The requirement to protect customer information is still a barrier for many firms though. The fact that customer records and information must be secure and confidential is causing a major headache across the industry. Did you know, for example, that you need to protect your customers’ records against any anticipated threats or hazards as well as unauthorised access that could cause substantial harm or inconvenience to the affected customer?
Worryingly, too many firms are adopting the cloud while either unaware of the risks that cloud computing brings or feeling they needn’t worry about them. Recent research from Ernst & Young, entitled 2012 Global Information Security Survey, revealed that 59 per cent of respondents said they used or planned to use cloud services. Yet over 33 per cent had not taken any measures to mitigate security risks.
Your IP is like gold dust
Companies that have implemented cloud computing are now seeing people gain unauthorised access to their intellectual property (IP). And the pursuit of access to such valuable assets will only continue. We are likely to see additional stealthy, sustained attacks, known as advanced persistent threats (APTs), against companies in the future. Given the large quantity of customer data it holds, the financial services industry is a viable and attractive target. Your IP is like gold dust to a hacker.
Worryingly, a successful APT launched against a cloud computing service could seriously damage your IP – and your reputation. In August last year, hackers gained access to the Dropbox online storage service using a list of customer email addresses taken from an employee’s account. Soon after, a journalist from the technology publication Wired saw his Apple iCloud account compromised by a hacker who gained access by socially engineering the company’s tech support service.
The employees who allowed these high profile breaches to happen were well-meaning but unwitting. Yet, there is always the danger of an intentional inside job. If a member of staff working at a cloud service provider decides to siphon off a client’s data to the highest bidder, it could result in a costly and embarrassing data compromise involving that client’s own customers.
Ignorance is not bliss
As a cloud adopter, you need to understand your responsibilities and remember that reliance on the cloud service provider is not enough. Many organisations unknowingly rely on service level agreements from their cloud service provider and assume the provider is responsible for their data’s security. It is not acceptable for financial services firms to claim ignorance and blame a breach on a third party provider.
In fact, the Information Commissioner’s Office (ICO) will come down hard on any careless cloud adopter after it recently clarified that a company collecting data from its customers is responsible for that data – regardless of which third party is enlisted to help store it.
As a financial firm, you hold large amounts of confidential customer information so, if yours is stored in the cloud, the ICO could end up putting your business into the spotlight and burdening you with fines of up to £500,000.
Now that customer records and information can reside anywhere in a digital cloud, it is no longer enough to think of security in terms of physical infrastructure alone. Cloud security must be addressed as well.
Compliance through encryption
Financial services companies should employ encryption to reduce the risk of disclosure or alteration of sensitive information in storage and in transit. This is one of the best methods to keep your information safe from hackers. With this approach, a secret pair of digital codes called ‘keys’ is used to encrypt the data. Without these keys, the data cannot be decrypted.
Encryption therefore protects your vital data against prying eyes, regardless of where it is stored. Anyone who attempts to circumvent the company’s protocols for data access will retrieve only scrambled information.
Encryption needs to work seamlessly for business users and their customers, so that they can retrieve their information without friction. However, this in itself presents a problem. Who should actually own the keys?
Keep the keys, rotate the keys, destroy the keys
Often, third-party cloud service suppliers that encrypt a client’s information retain the keys. However, this brings us back to our original predicament. If a hacker or a disgruntled employee steals the keys, they have access to unencrypted client information.
To help extract organisations from this predicament, Gartner recommends that the client retains and manages the encryption keys locally, and ensures the keys are properly rotated and destroyed to keep them secure over time.
There are other considerations for the financial services industry when embracing a cloud computing strategy. First, make information a first-class citizen in the cloud. Above all, ensure that it is protected. Consider regulatory requirements when building strategies to protect your information, and ensure that you cover your bases with regard to data export and residency restrictions.
Managing such requirements can be discouraging for many companies whose expertise is not in cloud computing or information security. Working with a trusted third party can help to cover your security needs while maximising the innovation and competitiveness that the cloud brings.
These recommendations will help you eliminate any data confidentiality and integrity concerns as you fully embrace the cloud and migrate your data and applications. The less time you have to spend worrying about security, the more you can spend on your core business strategies.