How to Keep A Cloud Secure


Security is often described as being like an onion - it's got to be provided in layers, such that even if a miscreant manages to get past one or two barriers, there are still several more that could repel him (or her). When a company consumes compute resources over a cloud, there are even more layers required, as the bank's IT and security departments are a few steps removed from the data and applications they're charged with protecting.

Security is the biggest concern bank customers express about cloud computing. "It's letting go of that data - they're very concerned that we have the appropriate processes in place," says David Malcom, director of datacenter operations at Computer Services, Inc.

The first layer of cloud security is vendor vetting, the contract and the service level agreement. "Customers want to see that background documentation to feel we've gone through the process of having our environment certified," Malcom says.

Vendors should be certified in SAS 70, PCI security guidelines and SSAE 16, which some people regard as the new SAS 70. A legal agreement should stipulate how quickly the vendor is to report suspected security incidents. It's also important to establish up front who owns the data. "Data destruction and backup happen to be two of the biggest issues inside the cloud," says Jon Ramsey, chief technology officer of Dell SecureWorks. "If the vendor owns the data, they could say, it's not your data, I don't have to destroy it. But if it's my data and I say you have to destroy it, whatever destroy means in this context, then they would probably be obligated to do it. Data lifecycle management is easier to enforce legally when you own the data."

The second basic cloud security layer is access control. "You want to make sure you're following good, basic blocking and tackling around identity management, such as using strong user names and passwords," Ramsey says. Intel and IBM both offer identity management programs for cloud implementations. Dell is about to close an acquisition of Quest Software, which has identity and access management capability.

Tsion Gonen, chief strategy officer at data protection company SafeNet, points out that a balance needs to be struck between usability and security with authentication. "You want to provide security but you also don't want to drive users crazy," he observes.

The third layer is network security. A firewall is of course essential; cloud providers can often offer more. "Our preferred approach is for customers to have dedicated network connections into our facilities, so that even though we're hosting their data in a cloud, it's not like it's public and you have to develop procedures around keeping everybody on the internet away from the data," says Malcom. CSI will provide virtual dedicated networks for each customer, so that there are true firewall rules in place to separate traffic going between different sets of customers, Malcom says.

The fourth layer is encryption. "If you can, I would highly recommend encrypting the data you put in the cloud and not letting the cloud service provider have access to the key with which you encrypted the data," Ramsey says. "That solves a whole host of problems. If the data is backed up, it's backed up and encrypted, no one can get it. If it's accidentally or purposely moved offshore and you're a U.S. regulated bank, you could say it's encrypted so you could follow things like Safe Harbor." PCI rules require encryption for data at rest.

"We're in an age where by definition you cannot assume you will be able to completely seal the perimeter," Gonen points out. "Someone will get through the door, and if he doesn't get through the door he'll get through the window. He will get to the asset you're trying to protect. That asset in most if not all cases is a piece of data." His company's approach is to encrypt all data so that cybercriminals won't be able to use it if they do manage to steal it.

Encryption can also help with the issue of snapshotting: cloud providers such as Amazon tend to replicate data to other locations using frequent snapshots for backup purposes. "How do you know that there aren't unauthorized snapshots in the cloud? That's not a question of losing data, it's a question of governance," Gonen notes. If the data is encrypted, no one else can touch it, regardless of how much it's duplicated.
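The point made in the two passages above, encrypting before the data leaves the bank and keeping the key away from the provider, can be shown end to end in code. The following Go program is an added example written for this article; it is not code from any of the vendors quoted. The tenant key, the `CloudStore` type and its snapshot behaviour are constructed stand-ins: the store holds whatever it is handed and copies it into snapshots the way a provider backup process would, but it is never given the key. AES-GCM from the Go standard library provides both confidentiality and an integrity check, and the object name is bound as associated data so a ciphertext copied under a different name does not decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TenantKey is held on the bank's side. In a real deployment it would live in
// an HSM or a bank-controlled key manager; here it is kept in memory for the demo.
type TenantKey struct{ aead cipher.AEAD }

// NewTenantKey generates a random 256-bit AES key locally. The bytes never
// leave this process and are never handed to CloudStore.
func NewTenantKey() (*TenantKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TenantKey{aead: aead}, nil
}

// Seal encrypts plaintext under a fresh random nonce and returns nonce||ciphertext||tag.
// objectName is bound as associated data, so the blob is tied to the name it was stored under.
func (k *TenantKey) Seal(objectName string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal; it fails on a wrong key, a modified blob or a mismatched object name.
func (k *TenantKey) Open(objectName string, blob []byte) ([]byte, error) {
	ns := k.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return k.aead.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
}

// CloudStore is a constructed stand-in for the provider. It stores opaque bytes
// and replicates them into snapshots it controls, exactly like an unencrypted store would.
type CloudStore struct {
	objects   map[string][]byte
	snapshots []map[string][]byte
}

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func (c *CloudStore) Put(name string, blob []byte) { c.objects[name] = append([]byte(nil), blob...) }
func (c *CloudStore) Get(name string) []byte      { return c.objects[name] }

// Snapshot copies every object into a new provider-side backup and returns the snapshot count.
// The tenant is not consulted, which is the governance concern raised in the article.
func (c *CloudStore) Snapshot() int {
	snap := map[string][]byte{}
	for n, b := range c.objects {
		snap[n] = append([]byte(nil), b...)
	}
	c.snapshots = append(c.snapshots, snap)
	return len(c.snapshots)
}

// ProviderCanRead reports whether a known plaintext marker is visible in the bytes
// the provider holds, i.e. whether the stored copy leaks the record on its own.
func ProviderCanRead(stored, marker []byte) bool { return bytes.Contains(stored, marker) }

func main() {
	key, _ := NewTenantKey()
	store := NewCloudStore()
	record := []byte("ACCT 1234 balance 500.00") // constructed sample record
	blob, _ := key.Seal("ledger.csv", record)
	store.Put("ledger.csv", blob)
	fmt.Println("snapshots held by provider:", store.Snapshot())
	fmt.Println("provider copy readable without key:", ProviderCanRead(store.Get("ledger.csv"), []byte("ACCT")))
	got, err := key.Open("ledger.csv", store.Get("ledger.csv"))
	fmt.Println("tenant decrypts its own copy:", err == nil && bytes.Equal(got, record))
	_, err = key.Open("offsite-copy.csv", store.Get("ledger.csv"))
	fmt.Println("blob moved under another name rejected:", err != nil)
}
```

Two caveats a practitioner would add: the security of this scheme rests entirely on where the key lives, so key generation, storage and rotation must stay under the bank's control; and GCM nonces must never repeat under one key, which a 96-bit random nonce satisfies for ordinary object counts but not for very high-volume use without a counter-based scheme.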

The fifth layer is incident response. "Customers want to understand procedurally how we take action when we find incidents and how we set up logical separation [between customers' data]," Malcom says. "Every customer is different, some customers inherently trust the relationship with CSI, but most have some degree of skepticism when it comes to outsourcing their data."

BOTTOM LINE

"Trust but verify" is the mantra here. Make sure the cloud vendor can provide all of the security layers that are promised.

Comments (1)
The cloud allows for banks to provide more open, flexible systems to customers and partners, but it also carries with it greater security risks. Your article highlights important cloud security considerations that need to be addressed by banks' IT and security departments, particularly around access control. However, it's not enough to just handle the basic blocking and tackling - i.e. passwords - when it comes to identity and access management (IAM). Banks need to be able to identify, quantify and manage the risk to sensitive, sometimes personal customer information hosted in the cloud. For example, they need the ability to quickly filter through billions of data points to focus on specific data sets, such as PCI (Payment Card Industry) compliance data. By adding a layer of access intelligence, banks can pinpoint where their most critical risk lies based on user access to information and systems. It gives them the ability to not only lock the doors of their house, but to manage the keys and the activities of the guests.
-Rachel Weeks, Courion Corporation
Posted by CourionCorp | Wednesday, November 07 2012 at 12:34PM ET