Cloud Hosting

The attractions are obvious: in todays data-saturated world, cloud computing allows large institutions to rapidly expand their IT capacity, boost efficiency and slash infrastructure costs. The downside? New security threats, amplified by stricter rules on protecting customer data, and a dependence on third-party providers for potentially vitalservices.

It is with an eye on the downside that banks have been slow in adopting cloud computing, which involves on-demand access to a shared pool of computing resources, such as servers andapplications.

Earlier this year, the European Banking Authority (EBA) set out to change this in Europe, publishing draft recommendations for firms to enable them to reap the benefits of cloud computing, while ensuring that risks are appropriately identified and managed. The second objective is to harmonise, across the European Union, supervisors expectations of banks using the cloud. The EBA tells Risk.net it plans to publish final guidance in the fourth quarter of thisyear.

Cloud enthusiasts say such measures as well as ongoing work by cloud providers to meet banks unique needs are all steps in the rightdirection.

Luke Scanlon, Pinsent Masons

There is light at the end of the tunnel, and this [EBA] consultation will help a lot, says Luke Scanlon, who advises clients at law firm Pinsent Masons on newtechnologies.

The proverbial tunnel islong.

Take cyber security. On the one hand, cloud providers such as the leader of the pack, Amazon Web Services are likely to have security processes and technology that are at least as advanced as those of their banking clients, thanks to their technical expertise and economies of scale. On the other hand, providers can pass on a banks data or system management to yet another contractor, increasing security risks present in traditionaloutsourcing.

The EUs General Data Protection Regulation, coming into force next year, will up the ante on data security. The new rules require, among other things, that bank customers are able to request that their personal data held is deleted. One practical outcome, say lawyers, is that banks will have to clarify to cloud providers exactly how they should handle and categorise data to ensure it can be easily isolated and deleted ifrequired.

Of more concern are potentially punitive fines up to 4% of annual global turnover for firms found guilty of data breaches caused by neglect. The size of the potential fines is attracting a lot of attention from both clients and cloud service providers, says Peter George, partner at law firm Baker McKenzie, and responsible for the firms annual cloud computing survey. There will be contractual disagreements over where liabilitylies.

One way to spot and mitigate such outsourcing risks is to undertake regular audits of third-party providers, as banks in most EU countries are already required to do. The EBAs consultation now closed sets out similar guidance with a specific focus on cloud suppliers, and Scanlon at Pinsent Masons welcomes what he sees as a flexible approach to a difficulttask.

Cloud computing involves distributing data across any number of physical locations. Scanlon says that, given the largest cloud providers host services for thousands of banks, regular physical audits would be inefficient, costly and would create risks for other banking clients, related to the security of theirdata.

Rahul Prabhakar, in charge of regulatory compliance for financial services in Europe, Middle East and Africa at Amazon Web Services, puts it another way: A constant stream of people walking through our premises presents securityrisks.

Peter George, Baker McKenzie

The EBA recognises these challenges in its document and endorses alternative options where an outsourcing institution does not employ its own audit resources. These options are pooled audits, performed jointly with other banking clients, and third-party certifications or audits, provided they conform to widely recognised standards and meet the needs of the outsourcingbank.

This is a really positive step, Scanlonsays.

Prabhakar also welcomes the EBAs stance on audits but says the order of preference should be reversed. The EBA and other regulators should consider clearly stating that, one, logical [de-facto] access is more appropriate than physical access and, two, that third-party reports and certifications or pooled audits are more preferable than individualaudits.

Some regulators have been more prescriptive. Canadas Office of the Superintendent of Financial Institutions insists on being able to audit banks across their functions, says Robert Paolino, the former chief risk officer for Canada at Japanese bank MUFG. This effectively requires that data is stored within the country especially data considered as sensitive under Canadas PrivacyAct.

Oversight of cloud providers is even harder if they employ subcontractors. This may keep costs low but banking clients may not have a direct relationship with the provider of significant parts of the cloud service as a result. Its been a struggle to square that circle, says Jonathan Kirsop, partner at law firm Stephenson Harwood in London.

One solution has been for cloud providers to give notice that they are appointing a subcontractor and give clients the right to terminate that particular service. This does provide theoretical control over the supply chain, saysKirsop.

The EBAs draft advice on what it calls chain outsourcing says banks dont need to pre-approve every subcontractor, and providers can simply give clients notice of any subcontractor changes rather than require each change to be approved by all clients.

The EBA also proposes that the outsourcing institution should carefully delineate which activities can be subcontracted, and that any subcontractors fully comply with the obligations placed on the original cloud provider. The outsourcing agreement should also require the cloud provider to notify any changes to subcontracting arrangements in time for its clients to carry out a riskassessment.

A strategy for severing the relationship with a provider is another hurdle banks have to clear before cloud computing can properly take off in theindustry.

How do you extricate yourself from a cloud computing contract when youre dependent on the provider? asks George at BakerMcKenzie.

Guidance on outsourcing to the cloud released by the UKs Financial Conduct Authority (FCA) last year suggests that banks should ensure exit plans are documented, understood by appropriate staff and fully tested. It says banks should monitor concentration risk and consider how they would respond if a service provider were tofail.

Peter George, BakerMcKenzie

However, the details remain largely untested. No bank has ever exited from a significant public cloud technology arrangement, the BBA, a UK banking trade body, and Pinsent Masons wrote in a January discussion paper. The report focuses on the cloud model that is available to the general public, with Amazon Web Services the best-knownexample.

As a result, frictions arise as to the contractual terms between banks and cloud service providers and other third parties leveraging public cloud. There is added pressure as parties do not have the benefit of experience to call upon, the paper continues. The BBA is therefore calling on the FCA to work with the banking industry to produce a due diligence checklist for banks migrating from cloudcontracts.

The draft EBA guidance also acknowledges concentration risk inherent in cloud computing, not only from the point of view of individual institution but also at industry level where large suppliers of cloud services can become a single point of failure when many institutions rely onthem.

Among other recommendations, the EBA advises banks to develop key risk indicators to spot deterioration in the cloud service to unacceptable levels, and to prepare alternative solutions and plans for transitioning to them from the out-of-favour cloudprovider.

Not only will a smooth transition to another provider ensure the banks services are unaffected, but it will also spare the bank reputational damage from a failure by a thirdparty.

Neither the EBA nor the FCA guidance contains tips on negotiating contracts with cloud providers, which comes with its own unique challenges.

In traditional bespoke outsourcing, financial services clients tend to have a lot of bargaining power and are able to use their own master services agreements, says Kirsop at Stephenson Harwood. With a cloud service, its a one-to-many solution. Suppliers cant have lots of different terms or policies for different clients. Clients have to get comfortable with standard terms, with limited ability to negotiate around them. Thats the fundamentaldifference.

Finally, as with most banking activities in the post-financial crisis era, regulation can be a key determinant of the spread of innovativepractices.

The EBA wrote in its draft guidance that uncertainty among banks about how supervisors expect them to handle cloud computing poses a barrier to its adoption.

In Indonesia, banks are blocked outright from migrating to the cloud due to their regulators requirement that all critical services be hosted within the countrys borders. For banks, who could they find in Indonesia that could host those services? The big [cloud] providers dont want to set up data centres in Indonesia; its not viable for them right now, says Manish Chawda, partner at Singapore consulting firm Pragma, which specialises in cyber and technologyrisks.

Differences in rules between jurisdictions present another headache for banks.

Jonathan Scott-Lee, Standard Chartered

Standard Chartered, for example, has operations in 68 emerging markets. As the bank is ramping up its use of cloud computing, the answer is not as might be assumed to take a highest common denominator approach, says Jonathan Scott-Lee, the Singapore-based global head of compliance, data, technology, operations and outsourcing at StandardChartered.

For a start, a gold-plated cloud strategy would eliminate most if not all of the cost efficiencies of the cloud. Second, even the highest specifications can fall foul of some regulatory environments: China, for example, mandates specific regulatory standards on the commercial use ofencryption.

I advise our digital teams to develop technology as globally as possible but that is flexible enough to allow software to be deployed in local environments, Scott-Lee says. For example, a cloud-based system could be linked to a locally housed database for client information for jurisdictions where the regulator requires data on clients to be heldlocally.

However, the trend is now towards ironing out regulatory differences around cloud computing, as illustrated by the EBAinitiative.

Jeroen Prins, a London-based financial services technology risk expert at PwC, sums up: For key jurisdictions we believe that similar principles apply and it is now feasible for the larger banks to adopt cloud servicesglobally.

Continue reading here:
Heads in the cloud: banks inch closer to cloud take-up - Risk.net (subscription)

OTTAWACyber threats and ransomware attacks are no match for cloud computing design-built from the ground up for information technology security.

In physical security, particularly access control, the history of hacking formerly focused solely on stopping unauthorized users from duplicating or cloning information housed on cards and other devices. Now, its all about stopping criminals from gaining access to or attacking a customers network and its data through vulnerabilities in their physical security systems.

The mounting case for cybersecurity is real and escalating. Cyber threats and ransomware present a formidable threat across all businesses and vertical markets. In the example of ransomware an attacker manages to successfully place malware on the network with the intent of encrypting critical data or entirely locking systemsto hold the business ransom for payments, with the promise of releasing the information or unlocking the system. Much of the ransomware is coming from out-of-country hackers who are quite sophisticated in their attacks, often demanding bit coin as payment.

Online extortion had a banner year in 2016, according to Trend Micros annual security assessment report: 2016 Security Roundup: A Record Year for Enterprise Threats. In 2016 there was a 752 percent increase in new ransomware families, with $1 billion losses to enterprises worldwide.

Ransomware attacks are growing in frequency, causing devastating consequences to enterprises and organizations across the globe. Numerous, widespread breaches around the world occurred prior to and through Mothers Day weekend 2017 as the WannaCry ransomware spread. Britains National Health Service was hit by the cyber-attack and the same perpetrator froze computers at Russias Interior Ministry while further affecting tens of thousands of computers elsewhere.

Across Asia, several universities and organizations reportedly fell prey, including Renault, the European automaker. The attacks spread swiftly to more than 74 countries, with Russia worst hit and included Ukraine, India, Taiwan, Latin America and Africa.

The fact of the matter is that anything riding on the network is at risk. Physical security systems are vitally important to daily operations of every organization today. At many facilities any downtime of these systems may significantly affect the safety of people, property and assets.

Tackling data security risks

Cloud computing creates a solid path for customers to lower their total cost of ownership (TCO) with open architecture and other installation efficiencies that provide ready scalability. But it also provides healthy TCO in providing inherent safeguards that protect data regularly and automatically.

Cloud computing Access Control as a Service (ACaaS) Security Management Systems (SMS) offers respite to the practice of housing access control systems on premises, with inherently higher security. Many of the cloud-based solutions today redundantly store system data and video automatically or on schedule. In addition, most cloud providers are held to an extremely high level of cybersecurity with various levels of encryption and automatic disaster recovery. Acceptance of cloud solutions by organizations is at an all-time high and manufacturers are releasing cloud solutions for numerous technologies. Integrators need to take advantage of the opportunity to offer cloud solutions to customers for enhanced security and reliable network authentication.

What end users and security integrators are beginning to understand is that the cloud is much safer than a non-hosted environment. In the example of ACaaS SMS, there are multiple layers of safeguards and security in the technology available as opposed to on-premise software-based platforms using local servers. Cloud-hosted security management systems are purpose-built and designed with software security as a leading backbone. Hosted systems can follow what Microsoft refers to as SD3+C: Secure by Design, Secure by Default and Secure in Deployment in Communications.

Two-Factor Authentication and Password Policies

For those who have had their Facebook account hacked, the reality of the insecurity of passwords hits home. Secure cloud-hosted systems dont use default user names and passwords. Each hosted system is issued a unique password, providing the first step to an ultra-secure solution. In addition, the ability to create password policies for users that can be set for low, medium and high adds another layer of protection. Lastly, two-factor authentication, which is being used much more frequently with consumers, can be attached to the log-in credentials of any user.

With two-factor authentication, user accounts are linked with a second source of verification, such as a code generated for further authentication. Users must provide this code when entering their user name and password, while a potential hacker would need three things in order to access the system: user name, password and access to open the device which generates the two-factor authentication code. Two-factor authentication at the login for cloud-hosted access control reduces the risks of weak passwords while also simplifying password policy management for the IT staff.

Standards-based TLS 1.2 encryption

In addition to the SD3+C design concept, encryption further protects the transmission of data between the client and the cloud-based server using Secure Sockets Layer (SSL), a standards-based security technology for establishing an encrypted link between a server and a client. The SSL Transport Layer Security (TLS) 1.2 encryption secures the data connection to connected field hardware as opposed to using easily hacked Open SSL protocols. Further, TLS 1.2 encryption allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. Cloud computing takes this a step further: manufacturers auto-negotiate the TLS encryption with the access control controller boards as they initiate contact with the server.

Once logged in, SSL certifications further safeguard the communications between applications while TLS certificates protect the communications between field devices and the ACaaS SMS platform. Proactive and consistent vulnerability scanning also provides additional protection against emerging threats.

IP Client, versus IP Server, are also characteristic of cloud-computing which greatly reduces risk from outside threats. IP Client uses outbound ports at the users site instead of inbound ports, circumventing the possibility of security breaches and data compromise. With IP Client, IT staff does not have to open inbound network ports or set up port forwarding, keeping the network secure and lowering management workload on manual configurations and set up.

Advanced security safeguards

All software manufacturers have Quality Assurance (QA) departments inspecting their own software for bugs and issues. However, what are the risks if QA misses a critical issue with the code? Third party vulnerability assessments are not only becoming prevalent in the cloud-based solutions market, but expected by savvy end users who want support documentation to assure that the manufacturer has taken additional steps to further minimize risks. Veracode is one of those that provides these services in cloud-hosted ACaaS and tests for key application security risks to enterprise solutions. Software providers of all sizes use the VerAfied security rating to demonstrate their software has undergone stringent independent testing and certification against the latest industry standards.

Gartner predicts worldwide public cloud services to grow 18 percent in 2017 to $246 billion, up from $209 billion in 2016. ACaaS thats built for and hosted by the cloud provides the industrys most robust solutions for secure, connected environments in security and the emerging internet of Things. A major factor to consider for cloud-computing SMS today is the level of security a manufacturer provides for their application. The most robust solution should incorporate multiple layers of data and privacy protection to safeguard client information while delivering the highest end-to-end security, from system login to trusted field devices.

Paul DiPeso is executive vice president of Feenics, a company that specializes in cloud-based access control solutions including its Access Control as a Service (ACaaS) platform built specifically for and hosted in the public cloud.

Follow this link:
Guest Commentary: Cloud computing tackles emerging cyber threats - Security Systems News