Risk Management

12:58 PM
Gilad Parann-Nissany, SAP
Gilad Parann-Nissany, SAP
Commentary
50%
50%

The Holy Grail of Cloud Computing – Maintaining Data Confidentiality

Whether a financial institution enters a public or private cloud, data privacy and confidentiality are top concerns. A financial application (or a service) must be protected, and true privacy must be maintained, says SAP's Gilad Parann-Nissany.

Cloud computing is gaining traction among financial institutions. While private cloud is considered the "natural choice" for many financial organizations today, more firms are beginning to squint to the public cloud. Some advantages are shared by private and public clouds, such as great flexibility and elasticity. Some advantages are special to private clouds, such as greater control; while some advantages are special to public clouds, including removing the cost and overhead of creating and maintaining your own infrastructure.

Gilad Parann-Nissany
Gilad Parann-Nissany, CEO, SAP

The economy plays a significant role in the process as well. It pushes decision makers to find creative ways to cut capital expenditures, and pay for what they actually consume (i.e. OPEX). In public clouds, organizations are starting out with public-facing parts of their applications, as well as development efforts and disaster recovery; while with mission critical applications (such as trading, wealth, or risk management applications) – private clouds.

In both cases, the issue of data privacy and confidentiality is a top concern. A financial application (or a service for that matter) must be protected, and a financial institution must maintain true privacy in the cloud.

Cloud Security Is a Top Concern

Everybody agrees that maintaining financial application confidentiality in a public cloud is critical. It is worth mentioning – since it goes against the conventional wisdom – that this is essential also in a private cloud.

Private clouds are not an abstract concept; they are used for some very practical needs. Often an organization will use a private cloud to serve its customers, employees or supply chain. These stakeholders have their own cloud data security concerns. From their point of view, they are using a public or community service, even if the technical implementation is called a "private cloud". This imposes many security requirements on the private cloud as well.

For example, consider a financial institution which is selling financial packages to the employees of its customers. The customers are large organizations, but the end-users are individuals: employees who need to manage their financial benefits.

This institution has set up a software solution providing self-service tools to the end-users, to view and assess their financial packages. A fundamental part of the system is security, and the choice was made to base the system on a private cloud.

But the end-users and – even more important – their employers, who are paying for the system, see this as a public cloud. Essentially they have outsourced their employee's data to an external financial provider. They are therefore very strict about security, and ask many of the same questions they would ask in a pure "public cloud" implementation.

This example underlines the difference between the technical definitions of public and private, and the point of view of true business stakeholders. The latter wins, every time.

Achieving Data Confidentiality in the Cloud

When moving to the cloud, all the traditional threats still exist. In addition, there are new, cloud specific threats. Cloud providers preach a "shared responsibility" model, claiming (for good reason), that you - the customer - should take all means to ensure application privacy and security. Trust cannot be outsourced, which is why each organization must own the responsibility to keep its data private.

Some examples for new and specific cloud threats include shared infrastructure, employees of cloud providers who may be "malicious insiders," and unapproved usage of cloud infrastructure (for example a developer provisioning a new virtual server to test drive a recently developed app). Regardless of the threat, a fundamental building block technology for achieving privacy in a public cloud is data encryption. Cloud encryption allows organizations to build "virtual walls" around their sensitive data, and therefore achieve privacy in a shared environment.

But cloud encryption is only one part of the equation. Managing the encryption keys in a shared, public compute environment is the bigger obstacle. Another equally large issue is securing the most sensitive resources, such as the encryption keys themselves, when they are in memory of servers in the cloud.

Think about the following question: Who would you trust with your encryption keys? The cloud provider? A third party security vendor? Probably none of the above. (Remember: trust cannot be outsourced...)

Financial institutions should trust only themselves with their encryption keys, but utilizing an on-premise key management server for their cloud is sometimes impossible, and in most cases limits the most attractive benefits of the cloud (i.e. flexibility and elasticity).

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
More Commentary
Voice Biometrics Improve Transaction Monitoring Fraud Detection
Why voice biometrics should be a part of your fraud prevention strategy in the call center.
Fintech Fast Forward 2015
What will shape the future of Fintech in 2015 and beyond?
Look Deeper at Business Connections
When a business person or practice crosses the line, what should a professional do?
Big-Data Analytics & Cloud: The Perfect Storm
Most signs are pointing to a big increase in investment in big-data analytics and cloud in the coming year.
Verifying Behavior, Not Input, to Detect Sophisticated Attacks
Understanding how users interact with the touch points with biometric information is an increasingly important part of digital security.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8, October 2014
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.
Video
Inside Abel Noser's Trading Floor
Inside Abel Noser's Trading Floor
Advanced Trading takes you on an exclusive tour of Abel Noser's New York trading floor, where the agency broker known for transaction cost analysis, is customizing algorithms for the buy side, while growing its fixed income trading and transitions business.