
What the financial services sector needs to know when adopting the cloud securely

By Paige Leidig, CipherCloud

The financial services industry is increasingly adopting cloud computing. There’s no denying the compelling advantages to moving to the cloud – reduced cost, greater flexibility and scalability, increased mobility, and faster deployment to name a few.

The requirement to protect customer information is still a barrier for many firms though. The fact that customer records and information must be secure and confidential is causing a major headache across the industry. Did you know, for example, that you need to protect your customers’ records against any anticipated threats or hazards as well as unauthorised access that could cause substantial harm or inconvenience to the affected customer?

Worryingly, too many are adopting the cloud but are ignorant of, or feel they needn’t worry about, the risks that cloud computing brings. Recent research from Ernst & Young entitled 2012 Global Information Security Survey revealed that 59 per cent of respondents said they used or planned to use cloud services. Yet over 33 per cent had not taken any measures to mitigate security risks.

Your IP is like gold dust

Companies that have implemented cloud computing are now seeing people gain unauthorised access to their intellectual property (IP). And the pursuit of access to such valuable assets will only continue. We are likely to see additional stealthy, sustained attacks, known as advanced persistent threats (APTs), against companies in the future. Given the large quantity of customer data it holds, the financial services industry is a viable and attractive target. Your IP is like gold dust to a hacker.

Worryingly, a successful APT launched against a cloud computing service could seriously damage your IP – and your reputation. In August last year, hackers gained access to the Dropbox online storage service using a list of customer email addresses from an employee’s account. Soon after, a journalist from technology publication Wired saw his Apple iCloud account compromised by a hacker who gained access by socially engineering the company’s tech support service.

The employees who allowed these high profile breaches to happen were well-meaning but unwitting. Yet, there is always the danger of an intentional inside job. If a member of staff working at a cloud service provider decides to siphon off a client’s data to the highest bidder, it could result in a costly and embarrassing data compromise involving that client’s own customers.

Ignorance is not bliss

As a cloud adopter, you need to understand your responsibilities and remember that reliance on the cloud service provider is not enough. Many organisations unknowingly rely on service level agreements from their cloud service provider and assume the provider is responsible for their data’s security. It is not acceptable for financial services firms to claim ignorance and blame a breach on a third party provider.

In fact, the Information Commissioner’s Office (ICO) will come down hard on any careless cloud adopter after it recently clarified that a company collecting data from its customers is responsible for that data – regardless of which third party is enlisted to help store it.

As a financial firm, you hold large amounts of confidential customer information so, if yours is stored in the cloud, the ICO could end up putting your business into the spotlight and burdening you with fines of up to £500,000.

Now that customer records and information can reside anywhere in a digital cloud, it is no longer enough to think of security in terms of physical infrastructure alone. Cloud security must be addressed as well.

Compliance through encryption

Financial services companies should employ encryption to reduce the risk of disclosure or alteration of sensitive information in storage and transit. This is one of the best methods to keep your information safe from hackers. With this approach, a secret pair of digital codes called ‘keys’ is used to encrypt the information. Without these, the information cannot be decrypted.

Encryption therefore protects your vital data against prying eyes, regardless of where it is stored. Entities who attempt to circumvent the company’s protocols for data access will retrieve only scrambled information.

Encryption needs to work seamlessly for business users and their customers, so that they can still retrieve their information without extra effort. However, this in itself presents a problem. Who should actually own the keys?

Keep the keys, rotate the keys, destroy the keys

Often, third-party cloud service suppliers that encrypt a client’s information retain the keys. However, this brings us back to our original predicament. If a hacker or a disgruntled employee steals the keys, they have access to unencrypted client information.

To help extract organizations from this predicament, Gartner recommends that the client retains and manages the encryption keys locally, and ensures the keys are properly rotated and destroyed to keep them secure over time.
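
The keep, rotate and destroy model described above can be sketched as a client-side key ring. This is an added example, not code from the article or from any vendor: the KeyRing class, its method names and the record layout are assumptions, and AES-256-GCM from Ruby's standard OpenSSL binding is one reasonable choice of cipher that the article does not name.

```ruby
require 'openssl'

# Client-held key ring. The cloud provider stores only what seal() returns.
class KeyRing
  attr_reader :current

  def initialize
    @keys = {} # key version (1..255) -> 32-byte AES-256 key, kept locally
    @current = 0
    rotate
  end

  # Rotate: generate a fresh key locally; new records are sealed under it.
  def rotate
    @current += 1
    @keys[@current] = OpenSSL::Random.random_bytes(32)
    @current
  end

  # Destroy: forget a key version. Records sealed under it become unreadable,
  # including any copies the provider or its backups still hold.
  def destroy(version)
    @keys.delete(version)
  end

  # Record layout: version (1 byte) || nonce (12) || tag (16) || ciphertext.
  def seal(plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @keys.fetch(@current)
    nonce = cipher.random_iv
    cipher.auth_data = @current.chr # binds the record to its key version
    body = cipher.update(plaintext) + cipher.final
    @current.chr + nonce + cipher.auth_tag + body
  end

  # Raises KeyError if the key version was destroyed, CipherError if tampered.
  def unseal(record)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @keys.fetch(record.getbyte(0))
    cipher.iv = record.byteslice(1, 12)
    cipher.auth_tag = record.byteslice(13, 16)
    cipher.auth_data = record.byteslice(0, 1)
    cipher.update(record.byteslice(29, record.bytesize)) + cipher.final
  end

  # After a rotation, move an existing record onto the current key.
  def reencrypt(record)
    seal(unseal(record))
  end
end
```

Every record still sealed under an old key version has to pass through reencrypt before that version is destroyed; once destroy has run, nothing can recover those records.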

There are other considerations for the financial services industry when embracing a cloud computing strategy. First, make information a first-class citizen in the cloud. Above all, ensure that it is protected. Consider regulatory requirements when building strategies to protect your information and ensure that you cover your bases with regard to data export and residency restrictions.

Managing such requirements can be discouraging for many companies whose expertise is not in cloud computing or information security. Working with a trusted third party can help to cover your security needs while maximising the innovation and competitiveness that the cloud brings.

These recommendations will help you eliminate any data confidentiality and integrity concerns as you fully embrace the cloud and migrate your data and applications. The less time you have to spend worrying about security, the more you can spend on your core business strategies.