Risk Management

12:58 PM
Gilad Parann-Nissany, SAP
Gilad Parann-Nissany, SAP

The Holy Grail of Cloud Computing – Maintaining Data Confidentiality

Whether a financial institution enters a public or private cloud, data privacy and confidentiality are top concerns. A financial application (or a service) must be protected, and true privacy must be maintained, says SAP's Gilad Parann-Nissany.

Cloud computing is gaining traction among financial institutions. While private cloud is considered the "natural choice" for many financial organizations today, more firms are beginning to squint to the public cloud. Some advantages are shared by private and public clouds, such as great flexibility and elasticity. Some advantages are special to private clouds, such as greater control; while some advantages are special to public clouds, including removing the cost and overhead of creating and maintaining your own infrastructure.

Gilad Parann-Nissany
Gilad Parann-Nissany, CEO, SAP

The economy plays a significant role in the process as well. It pushes decision makers to find creative ways to cut capital expenditures, and pay for what they actually consume (i.e. OPEX). In public clouds, organizations are starting out with public-facing parts of their applications, as well as development efforts and disaster recovery; while with mission critical applications (such as trading, wealth, or risk management applications) – private clouds.

In both cases, the issue of data privacy and confidentiality is a top concern. A financial application (or a service for that matter) must be protected, and a financial institution must maintain true privacy in the cloud.

Cloud Security Is a Top Concern

Everybody agrees that maintaining financial application confidentiality in a public cloud is critical. It is worth mentioning – since it goes against the conventional wisdom – that this is essential also in a private cloud.

Private clouds are not an abstract concept; they are used for some very practical needs. Often an organization will use a private cloud to serve its customers, employees or supply chain. These stakeholders have their own cloud data security concerns. From their point of view, they are using a public or community service, even if the technical implementation is called a "private cloud". This imposes many security requirements on the private cloud as well.

For example, consider a financial institution which is selling financial packages to the employees of its customers. The customers are large organizations, but the end-users are individuals: employees who need to manage their financial benefits.

This institution has set up a software solution providing self-service tools to the end-users, to view and assess their financial packages. A fundamental part of the system is security, and the choice was made to base the system on a private cloud.

But the end-users and – even more important – their employers, who are paying for the system, see this as a public cloud. Essentially they have outsourced their employee's data to an external financial provider. They are therefore very strict about security, and ask many of the same questions they would ask in a pure "public cloud" implementation.

This example underlines the difference between the technical definitions of public and private, and the point of view of true business stakeholders. The latter wins, every time.

Achieving Data Confidentiality in the Cloud

When moving to the cloud, all the traditional threats still exist. In addition, there are new, cloud specific threats. Cloud providers preach a "shared responsibility" model, claiming (for good reason), that you - the customer - should take all means to ensure application privacy and security. Trust cannot be outsourced, which is why each organization must own the responsibility to keep its data private.

Some examples for new and specific cloud threats include shared infrastructure, employees of cloud providers who may be "malicious insiders," and unapproved usage of cloud infrastructure (for example a developer provisioning a new virtual server to test drive a recently developed app). Regardless of the threat, a fundamental building block technology for achieving privacy in a public cloud is data encryption. Cloud encryption allows organizations to build "virtual walls" around their sensitive data, and therefore achieve privacy in a shared environment.

But cloud encryption is only one part of the equation. Managing the encryption keys in a shared, public compute environment is the bigger obstacle. Another equally large issue is securing the most sensitive resources, such as the encryption keys themselves, when they are in memory of servers in the cloud.

Think about the following question: Who would you trust with your encryption keys? The cloud provider? A third party security vendor? Probably none of the above. (Remember: trust cannot be outsourced...)

Financial institutions should trust only themselves with their encryption keys, but utilizing an on-premise key management server for their cloud is sometimes impossible, and in most cases limits the most attractive benefits of the cloud (i.e. flexibility and elasticity).

1 of 2
Comment  | 
Print  | 
More Insights
More Commentary
Gartner: 75% of Mobile Apps Will Fail Security Tests Through 2015
The rise of BYOD means enterprises must implement security testing and containment solutions, according to new Gartner research.
Chip & Pain, EMV Will Not Solve Payment Card Fraud
Switching to EMV cards will lower retail fraud, but it's not enough. Here's the good, the bad, and the ugly.
With UCITS V, $9T Isnít as Easy as It Used to Be
With UCITS V's restrictive remuneration rules and hidden costs, going global may get a little less attractive.
Banks to Increase IT Spend on Big Data Challenges, Finds Aite Report
Big data has presented the greatest challenges and dissatisfaction for banks, yet it is the most likely to see upward spending in the next two years.
Scotland Independence Vote: Haggis & Fragmentation
Scottish independence has far-reaching consequences for the global financial markets.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - July 2014
In addition to regular audits, the SEC will start to scrutinize the cyber-security preparedness of market participants.
Inside Abel Noser's Trading Floor
Inside Abel Noser's Trading Floor
Advanced Trading takes you on an exclusive tour of Abel Noser's New York trading floor, where the agency broker known for transaction cost analysis, is customizing algorithms for the buy side, while growing its fixed income trading and transitions business.