Risk Management

12:58 PM
Gilad Parann-Nissany, SAP
Gilad Parann-Nissany, SAP

The Holy Grail of Cloud Computing – Maintaining Data Confidentiality

Whether a financial institution enters a public or private cloud, data privacy and confidentiality are top concerns. A financial application (or a service) must be protected, and true privacy must be maintained, says SAP's Gilad Parann-Nissany.

Cloud computing is gaining traction among financial institutions. While private cloud is considered the "natural choice" for many financial organizations today, more firms are beginning to squint to the public cloud. Some advantages are shared by private and public clouds, such as great flexibility and elasticity. Some advantages are special to private clouds, such as greater control; while some advantages are special to public clouds, including removing the cost and overhead of creating and maintaining your own infrastructure.

Gilad Parann-Nissany
Gilad Parann-Nissany, CEO, SAP

The economy plays a significant role in the process as well. It pushes decision makers to find creative ways to cut capital expenditures, and pay for what they actually consume (i.e. OPEX). In public clouds, organizations are starting out with public-facing parts of their applications, as well as development efforts and disaster recovery; while with mission critical applications (such as trading, wealth, or risk management applications) – private clouds.

In both cases, the issue of data privacy and confidentiality is a top concern. A financial application (or a service for that matter) must be protected, and a financial institution must maintain true privacy in the cloud.

Cloud Security Is a Top Concern

Everybody agrees that maintaining financial application confidentiality in a public cloud is critical. It is worth mentioning – since it goes against the conventional wisdom – that this is essential also in a private cloud.

Private clouds are not an abstract concept; they are used for some very practical needs. Often an organization will use a private cloud to serve its customers, employees or supply chain. These stakeholders have their own cloud data security concerns. From their point of view, they are using a public or community service, even if the technical implementation is called a "private cloud". This imposes many security requirements on the private cloud as well.

For example, consider a financial institution which is selling financial packages to the employees of its customers. The customers are large organizations, but the end-users are individuals: employees who need to manage their financial benefits.

This institution has set up a software solution providing self-service tools to the end-users, to view and assess their financial packages. A fundamental part of the system is security, and the choice was made to base the system on a private cloud.

But the end-users and – even more important – their employers, who are paying for the system, see this as a public cloud. Essentially they have outsourced their employee's data to an external financial provider. They are therefore very strict about security, and ask many of the same questions they would ask in a pure "public cloud" implementation.

This example underlines the difference between the technical definitions of public and private, and the point of view of true business stakeholders. The latter wins, every time.

Achieving Data Confidentiality in the Cloud

When moving to the cloud, all the traditional threats still exist. In addition, there are new, cloud specific threats. Cloud providers preach a "shared responsibility" model, claiming (for good reason), that you - the customer - should take all means to ensure application privacy and security. Trust cannot be outsourced, which is why each organization must own the responsibility to keep its data private.

Some examples for new and specific cloud threats include shared infrastructure, employees of cloud providers who may be "malicious insiders," and unapproved usage of cloud infrastructure (for example a developer provisioning a new virtual server to test drive a recently developed app). Regardless of the threat, a fundamental building block technology for achieving privacy in a public cloud is data encryption. Cloud encryption allows organizations to build "virtual walls" around their sensitive data, and therefore achieve privacy in a shared environment.

But cloud encryption is only one part of the equation. Managing the encryption keys in a shared, public compute environment is the bigger obstacle. Another equally large issue is securing the most sensitive resources, such as the encryption keys themselves, when they are in memory of servers in the cloud.

Think about the following question: Who would you trust with your encryption keys? The cloud provider? A third party security vendor? Probably none of the above. (Remember: trust cannot be outsourced...)

Financial institutions should trust only themselves with their encryption keys, but utilizing an on-premise key management server for their cloud is sometimes impossible, and in most cases limits the most attractive benefits of the cloud (i.e. flexibility and elasticity).

1 of 2
Comment  | 
Print  | 
More Insights
More Commentary
Chief Data Officers: Organization Strategy & Cultural Change
Chief data officers are new to the financial services C-suite, but they are facing a number of challenges, including the need for new data governance and execution strategies, staffing, and new organizational structures to enable cultural change.
New York FinTech Innovation Lab Calls for New Entrepreneurial Applicants
Wells Fargo joins 14 other major financial institutions providing mentoring and guidance to the six chosen startups.
Micro Data Challenges in an Era of Macroprudential Regulation
Research and statistical analysis experts at central banks are tasked with developing sophisticated forecasts and models to identify systemic risk. Yet they are spending most of their time acting as data entry clerks, rather than developing these models.
The Perks of 'SmartSourcing' Shared Services in Financial Industry
A breadth of vital but undifferentiated business processes are still being replicated across the industry. They are all candidates for centralization.
Managing Social Media Risk Strategy: Technology Can Only Go So Far
Advanced analytical technologies are an important part of a social media risk management strategy, an Accenture report says, but the technology must be balanced with training and procedures.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8, October 2014
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.
Inside Abel Noser's Trading Floor
Inside Abel Noser's Trading Floor
Advanced Trading takes you on an exclusive tour of Abel Noser's New York trading floor, where the agency broker known for transaction cost analysis, is customizing algorithms for the buy side, while growing its fixed income trading and transitions business.