What If Cloud Providers Are More Secure than Banks?
Bankers' longstanding aversion to public cloud storage may be getting harder to justify in light of data security lapses at the financial institutions themselves.
The major data breaches of 2014 claimed two large-bank victims, JPMorgan Chase and Morgan Stanley, and 43 financial services firms all told, according to the Identity Theft Resource Center. No major cloud providers were hit.
Is it possible that a cloud provider with the right security staff and technology in place could provide stronger security than a bank?
"For a lot of these risks, particularly as you get below the top 50, dedicated service providers may have a better chance, due to their singlemindedness of purpose and their budgets, of providing more robust security than can a bank on its own," said Dan Latimore, senior vice president of Celent's banking practice.
Many cloud providers, for survival reasons, strive to meet every security certification and standard out there. Outside certification, the right encryption protocols and due diligence around where data centers or data boxes are hosted (in the bank's own data center or a public or hybrid cloud) could all help bankers become more comfortable with doing work in the cloud.
"Amazon is world class in security, and Rackspace up there," said Craig Gorsline, president and COO of ThoughtWorks, a software services company. "They both have round-the-clock best-of-breed system processes for good reason: their entire existence relies on not being hacked. We haven't seen any major meltdowns on Amazon."
And banks have just as much reason to worry about their own infrastructure as they do cloud providers', he said.
"At the end of the day, whether the servers are in your basement or in the cloud, every point of entry has risk," Gorsline said. "You're as much at risk with the servers in your basement as you are with Amazon."
Despite public cloud services' mainly positive track record, bankers remain leery of using them, as Cloud Lending, a startup, learned when it tried to pitch cloud-based lending software to banks.
"We started Cloud Lending to displace the on-premise, inflexible legacy systems financial institutions use with more flexible and progressive cloud-based back office," said CEO Snehel Fulzele. "More traditional banks are wary of moving their back-office applications such as core banking onto the cloud." Cloud Lending pivoted its business to sell its technology to online marketplace lenders.
Some bankers see cloud storage as a crisis waiting to happen. "You just need a data breach of all the loan stuff," said Stessa Cohen, research director at Gartner.
To be fair, banks are in good company feeling queasy about the cloud: In a recent Ponemon Institute survey of 613 IT and security professionals, respondents estimated that every 1% increase in the use of cloud services will result in a 3% higher probability of a data breach. Almost three-quarters (72%) of respondents believe their cloud service provider would not notify them immediately if they had a data breach involving the loss or theft of their intellectual property or confidential business information, and 71% believe they would not receive immediate notification following a breach involving the loss or theft of customer data.
And sharing sensitive data with any vendor brings risk, all the more so since bank regulators have been focusing intensely on third-party vendor risk.
Banks have been slowly moving along a progression when it comes to using cloud computing. For years, many have run so-called "private clouds," in which computers that sit inside the bank or its data centers, under the control of the IT department, use elements of cloud computing such as virtualization, on-demand provisioning and pay per use (in which business units are charged only for the computing capacity they consume). Some would call this a type of cloud computing.
When banks venture into public cloud offerings, they tend to start with lower-risk applications, such as non-customer-facing applications (think customer relationship management and basic office tools), application testing, and analytics that are run infrequently (say, to model the risk of a new product). Many banks, including Wells Fargo, Citi and Huntington National Bank, use Salesforce.com's cloud-based customer relationship management software. In 2012, BBVA committed to providing more than 35,000 of its workers in Spain with Google Apps for email, document management and collaboration.
Lending software is considered higher up the risk scale.
"There's a lot less willingness so far on the part of banks to entrust their core functions such as deposit taking and lending to the cloud because the risks are ones they haven't grappled with before," said Latimore. "But there's also a control issue." If something goes wrong, and regulators or the media find out the bank was using a cloud provider, the bank could be held up as an outlier and have that business decision questioned.
DealStruck, an online lender to small businesses that uses Cloud Lending and Salesforce's Force.com cloud-based infrastructure, hasn't experienced any problems with handling loan data in the cloud, so far.
"There are massive amounts of transaction processing, whether it's payments, lending, credit bureaus, happening through the cloud," said DealStruck CEO Ethan Senturia. Companies can insist their vendors be compliant with the Payment Card Industry standard and add other security and privacy controls, he pointed out.
"We've gotten comfortable with it. The majority of the world has gotten comfortable with it," Senturia said. "Banks are generally the last to adopt technology and they also have regulation that often prohibits them from doing things."
More progressive banks are interested in adopting the cloud due to its ability to bring new products to market faster, said Cloud Lending's Fulzele. "While the number of such forward-looking banks in the U.S. is limited, it is growing every day and we expect that cloud adoption among all banks will slowly but surely increase."