As bank executives continue to debate, hesitate and worry over the security issues related to using applications that connect to the cloud, their employees are using cloud-based apps by the hundreds often without banks' knowledge.
The average bank had 844 cloud services in use throughout its network in the third quarter of this year, according to an analysis conducted by Skyhigh Networks, far higher than bank IT departments estimated.
"If you did a survey where you asked the financial services companies themselves [how many cloud services they use], the answer would be somewhere between 32 and 34, because you approved those," said Rajiv Gupta, CEO of Skyhigh, which provides cloud security software.
The gap is because many employees are quietly downloading cloud services like Dropbox and Gmail, in the interest of being more productive, while a bank's IT department is not even aware it's happening or the potential security problems that could result. Indeed, many IT departments distrust cloud services because they do not view them as secure.
"There's a big disconnect, and it's frightening," said David Albertazzi, who is senior analyst, retail banking and payments at the Aite Group. "It's not so much about cloud computing. It's about a failure in vendor risk management programs and overall risk assessment of the institution."
Vendor management can often be overwhelming. Many banks deal with 500 to 1,000 venders, but only a handful are considered mission critical. But Albertazzi said it's important that all vendors be included in the vendor risk program so that nothing falls between the cracks.
A recent Cloud Security Alliance survey found that 52% of IT professionals in financial services have been pressured to approve an app they did not think met the company's security or compliance requirements. And IT executives themselves break the rules at times.
"I was talking to the CISO of a bank, he was nodding and taking notes, and he stopped and realized he was taking notes in Evernote, which is not an approved service at the bank," Gupta said. "He was using a service that makes him efficient."
Financial services companies do approve the use of some cloud services. The Cloud Security Alliance survey found that 24% of financial services companies have a "full steam ahead" attitude toward the cloud and another 62% of these companies are moving with caution.
But 76% of IT professionals at financial services companies said they did not know the scope of shadow IT at their companies, but wanted to know.
PROTECTING WESTERN UNION
The high rate of under-the-radar use of cloud apps in financial services companies comes as no surprise to David Levin, director of information security at Western Union.
"I think  is a true number across a lot of organizations," he said.
Common cloud-based apps could include Facebook and Gmail, he said.
Western Union has long had a web filter that blocked certain categories of sites (including cloud services). But frustrated users requested more and more apps to a degree that was overwhelming.
Levin, who oversees security for 10,000 corporate employees, said his biggest security concern about cloud apps is around document sharing sites like Dropbox and Box.
"Your data is in the cloud, you don't know how it's being used," Levin said. "The users don't realize the risks, they just see it as a productivity improvement product."
Sites for collaboration and project management also raise concerns, Levin said, as well as sites used for code development and analysis.
"Going to a cloud application to run a project doesn't necessarily introduce risk to the network," he said. "The tough thing is that the security policies and standards Western Union adheres to might not be shared by the cloud computing company."
As more users sign up for cloud apps, however, they're accepting those companies' terms and conditions.
"Who's reading those? Is legal involved in that?" Levin said. "Most likely not."
Levin also worries about the authentication measures cloud providers use.
"Do they have the same password complexity? Do they offer two-factor authentication? These are all the kinds of things we typically check when we work with vendors through the proper process, and the cloud kind of bypasses all that," he said.
To address these issues, Western Union created an initiative called WISE Western Union Information Security Enablement.
"We were all about the security team providing next-gen technology to our employees to help them do their job better, rather than saying, you can't go to that website, tough luck," Levin said. "If you tell them no, they'll go anyway. If you give them solutions that are easy to use and feel like they're next gen or make their lives easier, they'll migrate to that, and you'll reduce your risk of them going to the other side."
The company first brought in a cloud single-sign-on authentication solution called Okta, then a file transfer solution from Accellion that's similar to Box, but with added security and housed in Western Union's private cloud. It implemented Skyhigh's software to monitor the use of cloud apps and understand how the apps are being used, who's using them, and the risks of those apps.
A benefit of the new tools monitoring cloud use is Western Union can now see which new cloud apps are working well and might make sense for teams in other countries. And IT can build a larger business case for, say, buying a project management platform.
Regulators are increasingly expecting financial institutions to know where their data is at all times; a particular challenge in the cloud.
"In today's world, from an internet and cloud perspective, it's difficult," Levin said. "It starts with a lot of awareness and training for the end user to know what not to do. Then there's technology to help defend that. There's no silver bullet. You'll always have a user problem. People will do whatever they need to do to get what they need done. When was the last time you read the Apple terms and conditions? People are oblivious of some things when they sign up for something. Convenience will always outweigh security."
BEST PRACTICES FOR CLOUD COMPUTING
General principles of vendor risk management, which federal regulators have been emphasizing of late, should be applied to cloud services, according to Albertazzi.
"Employees may not realize they're contracting on behalf of the organization with a vendor," he said. "If they're using Box to send files to employees, they may think they're doing the right thing. The whole point is there needs to be a top-down approach to vendor risk management."
Banks also need to conduct a risk assessment and categorize the risk of the apps in use in their organizations high, medium, and low. They need to look at the vendors' certifications, such as SSAE 16 and know in advance where data will reside and be notified of any data relocation. They also should know how the vendor handles data privacy, data protection, where the data is going to be collected, sent, processed and stored.
"Those are the golden rules around data privacy," Albertazzi said.