Cloud computing is gaining traction among financial institutions. While private cloud is considered the "natural choice" for many financial organizations today, more firms are beginning to squint to the public cloud. Some advantages are shared by private and public clouds, such as great flexibility and elasticity. Some advantages are special to private clouds, such as greater control; while some advantages are special to public clouds, including removing the cost and overhead of creating and maintaining your own infrastructure.
The economy plays a significant role in the process as well. It pushes decision makers to find creative ways to cut capital expenditures, and pay for what they actually consume (i.e. OPEX). In public clouds, organizations are starting out with public-facing parts of their applications, as well as development efforts and disaster recovery; while with mission critical applications (such as trading, wealth, or risk management applications) – private clouds.
In both cases, the issue of data privacy and confidentiality is a top concern. A financial application (or a service for that matter) must be protected, and a financial institution must maintain true privacy in the cloud.
Cloud Security Is a Top Concern
Everybody agrees that maintaining financial application confidentiality in a public cloud is critical. It is worth mentioning – since it goes against the conventional wisdom – that this is essential also in a private cloud.
Private clouds are not an abstract concept; they are used for some very practical needs. Often an organization will use a private cloud to serve its customers, employees or supply chain. These stakeholders have their own cloud data security concerns. From their point of view, they are using a public or community service, even if the technical implementation is called a "private cloud". This imposes many security requirements on the private cloud as well.
For example, consider a financial institution which is selling financial packages to the employees of its customers. The customers are large organizations, but the end-users are individuals: employees who need to manage their financial benefits.
This institution has set up a software solution providing self-service tools to the end-users, to view and assess their financial packages. A fundamental part of the system is security, and the choice was made to base the system on a private cloud.
But the end-users and – even more important – their employers, who are paying for the system, see this as a public cloud. Essentially they have outsourced their employee's data to an external financial provider. They are therefore very strict about security, and ask many of the same questions they would ask in a pure "public cloud" implementation.
This example underlines the difference between the technical definitions of public and private, and the point of view of true business stakeholders. The latter wins, every time.
Achieving Data Confidentiality in the Cloud
When moving to the cloud, all the traditional threats still exist. In addition, there are new, cloud specific threats. Cloud providers preach a "shared responsibility" model, claiming (for good reason), that you - the customer - should take all means to ensure application privacy and security. Trust cannot be outsourced, which is why each organization must own the responsibility to keep its data private.
Some examples for new and specific cloud threats include shared infrastructure, employees of cloud providers who may be "malicious insiders," and unapproved usage of cloud infrastructure (for example a developer provisioning a new virtual server to test drive a recently developed app). Regardless of the threat, a fundamental building block technology for achieving privacy in a public cloud is data encryption. Cloud encryption allows organizations to build "virtual walls" around their sensitive data, and therefore achieve privacy in a shared environment.
But cloud encryption is only one part of the equation. Managing the encryption keys in a shared, public compute environment is the bigger obstacle. Another equally large issue is securing the most sensitive resources, such as the encryption keys themselves, when they are in memory of servers in the cloud.
Think about the following question: Who would you trust with your encryption keys? The cloud provider? A third party security vendor? Probably none of the above. (Remember: trust cannot be outsourced...)
Financial institutions should trust only themselves with their encryption keys, but utilizing an on-premise key management server for their cloud is sometimes impossible, and in most cases limits the most attractive benefits of the cloud (i.e. flexibility and elasticity).