Risk Management

12:58 PM
Gilad Parann-Nissany, SAP
Gilad Parann-Nissany, SAP
Commentary
50%
50%

The Holy Grail of Cloud Computing – Maintaining Data Confidentiality

Whether a financial institution enters a public or private cloud, data privacy and confidentiality are top concerns. A financial application (or a service) must be protected, and true privacy must be maintained, says SAP's Gilad Parann-Nissany.

Cloud computing is gaining traction among financial institutions. While private cloud is considered the "natural choice" for many financial organizations today, more firms are beginning to squint to the public cloud. Some advantages are shared by private and public clouds, such as great flexibility and elasticity. Some advantages are special to private clouds, such as greater control; while some advantages are special to public clouds, including removing the cost and overhead of creating and maintaining your own infrastructure.

Gilad Parann-Nissany
Gilad Parann-Nissany, CEO, SAP

The economy plays a significant role in the process as well. It pushes decision makers to find creative ways to cut capital expenditures, and pay for what they actually consume (i.e. OPEX). In public clouds, organizations are starting out with public-facing parts of their applications, as well as development efforts and disaster recovery; while with mission critical applications (such as trading, wealth, or risk management applications) – private clouds.

In both cases, the issue of data privacy and confidentiality is a top concern. A financial application (or a service for that matter) must be protected, and a financial institution must maintain true privacy in the cloud.

Cloud Security Is a Top Concern

Everybody agrees that maintaining financial application confidentiality in a public cloud is critical. It is worth mentioning – since it goes against the conventional wisdom – that this is essential also in a private cloud.

Private clouds are not an abstract concept; they are used for some very practical needs. Often an organization will use a private cloud to serve its customers, employees or supply chain. These stakeholders have their own cloud data security concerns. From their point of view, they are using a public or community service, even if the technical implementation is called a "private cloud". This imposes many security requirements on the private cloud as well.

For example, consider a financial institution which is selling financial packages to the employees of its customers. The customers are large organizations, but the end-users are individuals: employees who need to manage their financial benefits.

This institution has set up a software solution providing self-service tools to the end-users, to view and assess their financial packages. A fundamental part of the system is security, and the choice was made to base the system on a private cloud.

But the end-users and – even more important – their employers, who are paying for the system, see this as a public cloud. Essentially they have outsourced their employee's data to an external financial provider. They are therefore very strict about security, and ask many of the same questions they would ask in a pure "public cloud" implementation.

This example underlines the difference between the technical definitions of public and private, and the point of view of true business stakeholders. The latter wins, every time.

Achieving Data Confidentiality in the Cloud

When moving to the cloud, all the traditional threats still exist. In addition, there are new, cloud specific threats. Cloud providers preach a "shared responsibility" model, claiming (for good reason), that you - the customer - should take all means to ensure application privacy and security. Trust cannot be outsourced, which is why each organization must own the responsibility to keep its data private.

Some examples for new and specific cloud threats include shared infrastructure, employees of cloud providers who may be "malicious insiders," and unapproved usage of cloud infrastructure (for example a developer provisioning a new virtual server to test drive a recently developed app). Regardless of the threat, a fundamental building block technology for achieving privacy in a public cloud is data encryption. Cloud encryption allows organizations to build "virtual walls" around their sensitive data, and therefore achieve privacy in a shared environment.

But cloud encryption is only one part of the equation. Managing the encryption keys in a shared, public compute environment is the bigger obstacle. Another equally large issue is securing the most sensitive resources, such as the encryption keys themselves, when they are in memory of servers in the cloud.

Think about the following question: Who would you trust with your encryption keys? The cloud provider? A third party security vendor? Probably none of the above. (Remember: trust cannot be outsourced...)

Financial institutions should trust only themselves with their encryption keys, but utilizing an on-premise key management server for their cloud is sometimes impossible, and in most cases limits the most attractive benefits of the cloud (i.e. flexibility and elasticity).

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
More Commentary
SEC Examinations: What to Expect When the SEC Is on Its Way
Theodore Eichenlaub highlights trends in SEC expectations and how to approach a risk assessment of your compliance program.
The Value of Predictive Analytics in Financial Services
Risk management and customer data are two key areas where data analytics is being applied in financial services.
Moving the Trader Closer to the Investment Process
The sell side can demonstrate more value by applying analytics to pre- and post-trading, and by educating buy-side clients about broker segmentation, trading behavior and algorithm shortcomings, and more.
Wirehouses May See More Independent BDs as Retention Packages Expire
Retention bonuses are expiring, leaving brokerages vulnerable to attrition. Is access to technology making it easier for brokers to go independent?
SCI: A Whale of a Regulation
The SEC's Reg SCI weights in at a whopping 742 pages. Here is what you need to know about the oversized regulation.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8, October 2014
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.
Video
Inside Abel Noser's Trading Floor
Inside Abel Noser's Trading Floor
Advanced Trading takes you on an exclusive tour of Abel Noser's New York trading floor, where the agency broker known for transaction cost analysis, is customizing algorithms for the buy side, while growing its fixed income trading and transitions business.