Are we safe in the cloud?


22 November 2010


Ever since the financial services industry took its first steps into cyberspace, security has been top of the agenda. Banks have had to stay one step ahead of the risks as the computing paradigm has shifted, and now that we are in the era of the cloud those risks are evolving once again.



"Cybersecurity is one of the industry's primary concerns," says Brett Smith, vice-president of Information Security Governance at Deutsche Bank Americas. "A lot of time and resources are committed to it, and that commitment is growing. The people we service use technology more every day and the risks are changing rapidly. In the past two years there have been some interesting and powerful developments in mobile devices and social networking."

Banks must keep up with customers' needs and deliver services without compromising the security of transactions and customer data. That makes securing the cloud a high priority, and the process begins with understanding. The cloud is broadly considered to be web-based processing, which brings together myriad resources, devices and software over the internet. It represents a major shift in the traditional model of computing and, whether we know it or not, we are all part of it.

"There is some debate about whether the cloud is something new or whether it is just a rebranding of old outsourced services," says Smith. "Whichever definition you choose, the capacity of the cloud is increasing dramatically, so it is very much a moving target. We are constantly working to keep track of it.

"The technology that makes up the cloud has been familiar for some time, but when you get enough of it together its behaviour changes significantly. It reaches critical mass. When you get 500 million users on a single service it creates a new dynamic. The technology is not new, but it needs to be considered in a new light."

When it comes to security, this new dynamic demands a significant change in mindset. "The result is that there is a much greater awareness now of the need for system-level security rather than point security," Smith explains. "You have to look at the cloud as a broader ecosystem and provide security at that level. That is a very different way of thinking and it is not necessarily intuitive. Most technology is about specific risks and controls. That is the legacy, and it is not irrelevant, but we must now look at how we leverage these controls together to get a synergistic effect. We have a lot of people working on adding processes and controls, and generating a greater awareness of shared risk. We are all in this together."

Collaboration is the key

The nature of the cloud, in which there are many different stakeholders, means that no organisation can act on the security issue in isolation. Common goals must be pursued through collaborative efforts, and the financial services industry has shown itself willing to embrace this approach.

"Banks need to work with each other and with technology vendors," Smith notes. "This has started to happen and there have been lots of announcements regarding the work on standardised offerings from vendors. One challenge is that large vendors are predominantly focused on consumer services, but what they offer is also of interest to the enterprise. There needs to be more work done to bring those two things together."

Many large technology vendors are setting up research initiatives to enhance cloud computing services, while banks are working together on issues such as identity management. But whether the focus is on the broader consumer sector or specific industries like financial services, it is imperative that interactions can be verified, and that there is a fundamental certainty that the person initiating a transaction is who they claim to be. This certainty is more important to the banking sector than it is in other areas of the cloud, such as social networking sites.

"You need trust and you need mechanisms that confirm trust," says Smith. "It is easier when you are dealing with small groups, but when you open up to a larger population then you need trust that can be verified. You need a more structured approach to systems for that, and we are making good progress on standards in the financial services industry.

"It is much harder to achieve when you are not dealing with a specific industry like ours, and services are more generic. That will need a more principled approach and more time to get it right. The financial services industry, however, is regulated, so we have explicit service requirements. We need a more prescriptive model, whereas in the broader ecosystem, in social networking for example, we don't have the same level of regulation dictating how people and services must interact."

Although the cloud creates new challenges and risks for the financial services industry, the good news is that banks are fully aware of this situation and are taking steps to ensure that the security measures they adopt are appropriate, robust and deliver the necessary trust without compromising customer service levels. Security is firmly accepted as a fundamental part of customer service, as all clients have an expectation that they will be able to interact with a bank in a manner that is safe and reliable - a fact that Smith confirms.

"The financial services industry is making good progress in terms of identifying risks and mitigating them," he adds. "There are a lot of bright people looking at tactical and strategic solutions for the challenges that we face going forward. Excellent progress is being made on both levels."

Despite well-publicised concerns regarding security, compliance and data integration issues, banking institutions have begun to embrace cloud computing across the services spectrum. While banks seeking agility, faster time-to-solution and lower, more-flexible cost structures in IT delivery are consuming cloud services -- 51% of North American banks have some form of adoption of software-as-a-service (SaaS) -- they remain sceptical about security and are reluctant to put core areas of functionality and information in the cloud, significantly limiting the market potential of cloud computing. In the medium term (2012-14), data integration and compliance issues are likely addressable by cloud providers. However, security concerns will likely not be overcome in the near or medium term in solution areas that banks view as proprietary or process information classified as restricted.

Gartner research: the effect of cloud computing on banking suppliers

Banks are adopting cloud services, with SaaS being the most-widely deployed form. This is mainly in peripheral, non-core solution areas, but exceptions do exist. Adoption varies by banking segment, with more small-tier and large-tier banks adopting SaaS than those in the mid-tier segment.

Driven by the need for agility, speed-to-solution and lower, more-flexible cost structures, banks plan to increase their spending on cloud services. There is a growing interest and adoption of the cloud as an infrastructure utility. Most examples to date are in private cloud services in large-tier banks.

Data integration challenges, security issues and compliance concerns are still preventing banks from adopting cloud services across a broader span of business areas. The cloud cannot be a 'black box' from an audit perspective.

This report is based on independent technology advisory research from Gartner, Inc.