Cloud convergence


5 December 2011


A year can be an eternity in the world of technology, particularly when it comes to advances in cloud computing. Future Banking catches up with Deutsche Bank Americas’ Brett Smith to discuss cloud innovation and what challenges remain – or have been overcome – in light of security, risk and cross-organisational cohesion.


How has cloud security evolved in the past 12 months since you last spoke with Future Banking?

I think it's much less of a hype issue now, which allows us to get to work on it, and we're seeing a lot of consortium-type work; a lot of people are grappling with the issues of cloud, independent of whether it is or isn't a new technology and what the regulators think about it. We're addressing these and other issues and have to come to grips with a new vernacular; it's more about business use and business awareness. Maybe what's changed is the business's growing awareness of IT capabilities - they're saying, "Well, I can do this at home on Amazon, why can't I do it at work?"

We haven't resolved all the issues, but it's matured and we've got past the issue of whether it's all hype. We're grappling with how to make these capabilities securely available and I think that's the biggest development.

How safe are we in the cloud at the moment?

Well, one of the problems we have right now in the information security industry is metrics; we currently don't have a standard safety metric we can use to measure how secure something is. What I will say is that it's safer than it was. There are a lot of products and features coming out to address concerns, and I think the cloud model has many benefits that tackle the risks that were causing problems in the standard model. For example, we have fewer physical outages in the cloud because the big providers are getting really good at standardised processes. You don't have people tripping over power cords as much because there aren't as many, and those we do have are in clean data centres that are nicely set up.

So, rather than saying it's more or less safe, I'd say the risk has shifted and we need to focus on where it is now and worry less about the issues we used to have.

Can you anticipate new risks coming up or are you always in a defensive or reactionary position?

We used to have a lot of problems with physical and network perimeter security, and that's still a concern but, by and large, if you go to a reputable vendor, they know how to handle firewalls and physical security. Now we're seeing spear phishing, advanced persistent threat (APT) or logic attacks on the application level, or threats that traverse the firewall because they're on HTTP.

Would you classify it as a gold rush to help enable cloud services?

There is some of that going on with people looking at new ways to do business and jumping in. I think a lot of the major players are pretty well established, and very serious and committed to doing business well.

There's still a lot going on and this idea of linking the cloud to social networking, apps and mobile computing renders them all interdependent on one another, so I don't think we can talk about the cloud in isolation.

To deal with the cloud we need people who can look at all these different components and understand how they're inter-relating. That's the big challenge because we come from a very silo-based approach and now we need people who can talk across all those spectrums. Mobile computing is now the big thing, but it's feeding on cloud capabilities since many of these apps and their infrastructure are hosted on clouds.

Is the cloud an accelerator to the demise of the bank branch?

I think it's going to drive the evolution of all business aspects, not just bank branches.

Is it still an unwieldy mechanism or is it now a more 'graspable' concept and function?

People are coming to terms with the fact that you eat an elephant one bite at a time - that is, you go and grab the piece that you need to work on today. I don't think there's a generic solution, so asking the following may be the appropriate approach: What are we going to do about infrastructure as a service? What are we going to do about cloud services in the context of a particular project? Are we going to treat this more as an outsourcing agreement or a hosting agreement? What's the model that fits best? People are approaching it from multiple angles as the situation warrants.

That being said, and because of the benefits of the consortium approach, I'm involved with the Shared Assessments Program and the Open Data Center Alliance, both of which are very much engaged with cloud at a more macro level. So I think there are some very promising systemic approaches to it.

How do you see things progressing?

There's been a lot of work with APIs. At first with the cloud, you needed to log into a web portal and start up a virtual machine. So we're pushing hard with APIs, the ability to monitor configurations and traffic, and are introducing a lot more automation, which goes back to standards such as various OASIS-type authentication mechanisms. All of these capabilities will leverage what the cloud can really offer and get away from the manual processes and command lines.

What are the main priorities at Deutsche Bank Americas at the moment?

Essentially the security of data - who has access to it, how do you know what data is in the cloud and what's happening to it. Data sensitivity, handling and labelling are key. The other thing is ID management and access: Is data accessed from the enterprise or is it accessed from the internet? Who has access? Is it accessed by the vendor or accessed from only within the enterprise?

And, in conjunction with that, the realisation that it's not a single endpoint issue, but mash-ups where you have multiple clouds and services being knitted together to form a business solution. We're finding out we need standards to make these multiple solutions manageable.

What about security?

We're really trying to break the 'if it's secure, it doesn't work' assumption, or that the most secure thing has to be locked in a closet. When we're talking about information and services, they're useless locked in a closet. So we're trying to break this false dichotomy of functionality or usability vs security and make it easy for the business to use the new technologies in a secure manner.

We're working with a lot of clouds, cloud consortiums and shared-assessment programmes, and other vendors and providers of services, such as the Open Data Center Alliance, to look at establishing standards across the industry so people can work together. We're also looking at how to get secure, workable mobile devices into the hands of our users and customers, which I think will involve pushing the security into the architecture and design of services and products. We're trying hard to partner with IT and the business to make them aware of the challenges and attack them from different sides.

Is it helping to make the organisation more transparent and efficient in terms of communication?

It's an interesting balance. When you say you can do your banking on your smartphone, or you can relate to your clients using this app, you have decentralisation or high distribution across broad populations of users and clients.

At the same time, the management and a lot of the controls we'd like to establish need to be vetted by regulators and auditors, so we must centralise the controls and agreements we have.

In a nutshell, it is a new model that will centralise our standards, contracts and agreements, but distribute the actual capabilities across broad ranges of people and technology. Transparency and standardising ways of interacting to best leverage the automation will be critical.

What does cloud computing tell us about how people collaborate? How are financial services accommodating or changing the way they interact with customers, stakeholders and one another?

That takes us into the realm of social media. One of the interesting things about the cloud is that it's enabled for and complements the development of social networks.

I think the business is here to serve the needs of the market, which is saying "I want to collaborate; I want to talk with my neighbours, competitors and clients, and I want to talk to my banker". I think that's enabling communication and collaboration across boundaries and we're talking to customers in whole new ways.

In that sense, we're getting a lot closer to them through apps on devices, and moving from cloud as a technology to cloud as a way of doing business and inter-relating.

Collaboration is the key to the successful implementation of cloud computing, claims Brett Smith.
Brett Smith is vice-president of security governance at Deutsche Bank Americas.