Key Considerations for Banking on the Cloud
With strict regulations governing banks in India, and IT teams under constant pressure to deliver what the business needs, Indian banks are exploring cloud computing as a way to deliver services to the business faster while reducing the cost of delivering them.
Banks are entering the cloud-computing arena cautiously, although the model can offer financial institutions a number of advantages, including:
- Cost savings
- Resource optimization
- Usage-based billing
- Business agility
- Business continuity
Having said that, concerns around security, privacy, interoperability of standards, data confidentiality and quality of service have been the main reasons banks have been slow to adopt the cloud.
According to IDRBT's (Institute for Development and Research in Banking Technology, an autonomous centre set up by the Reserve Bank of India) Cloud Security Framework for Indian Banking Sector 2013: "Most of the time and resources are spent to keep the lights on and fire fighting low-level activities with little time for strategies, leave alone innovation. Not that there are no larger issues. There is an urgent need to consolidate the infrastructure and secondly empower business. One needs to ask a fundamental strategic question. Do banks want to own IT assets or operate business and focus on what they are good at, i.e. banking? IT-business alignment is a neglected area in this milieu quite often. IT governance is yet to mature."
Cloud computing is a way of delivering IT enabled capabilities to users in the form of ‘services’ with elasticity and scalability, where users can make use of resources, platform, or software without having to possess and manage the underlying complexity of the technology.
Focusing on the security concerns of the cloud, banks should understand the following areas in detail; together they form the technical case a bank must satisfy before adopting the cloud:
- Privileged User Access: Because the cloud allows the bank's data to be accessed and processed by personnel outside the bank, banks should ask providers for specific information on the hiring and oversight of privileged administrators, and on the controls over their access.
- Regulatory Compliance: Adherence to security certifications and audit of the cloud setup should be enforced on service providers.
- Data Location: Commitment from the service providers on where and how the data is stored, and adherence to privacy requirements as they evolve. Data location should allow the bank to keep the data under a specific jurisdiction.
- Data Recovery: Banks should insist that service providers maintain multiple copies of the data, without compromising security requirements, so that data survives a disaster.
- Investigative Support: Banks should insist that service providers commit to investigative support and to a defined process for handling a security breach.
- Long-term Viability: Financial viability of the service providers over the long term.
- Identity and Access Control Management: Banks should be able to integrate their existing identity and access management systems with the deployed cloud environment.
- Isolation of Roles: Security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the bank's information security policies.
- Encryption and Key Management: Banks' confidential and sensitive data must be protected using encryption, both in transit and at rest. The keys used for that encryption should be managed securely throughout their lifecycle, from generation and storage through rotation and retirement.
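As an added illustration of the encryption and key-management point above (this is example code written for this page, not material from the original article, IDRBT or Netmagic), the following Go program shows envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is stored only in wrapped form under a key-encryption key (KEK). The key identifiers, the sample customer record and the in-memory KEK map are constructed for the example; in a bank deployment the KEK would live in an HSM or KMS and never leave it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is one stored record. The record is encrypted under a random DEK; the DEK is
// kept only wrapped under a KEK. KEKID names the wrapping KEK so a rotation job can find
// the records it must re-wrap. (Illustrative structure, not a production format.)
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // AES-256-GCM nonce || ciphertext of the DEK
	Ciphertext []byte // AES-256-GCM nonce || ciphertext of the record
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the blob or the aad makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt draws a fresh DEK, encrypts the record with it and wraps the DEK under the KEK.
// The KEK identifier is bound into the wrap as AAD, so a wrapped DEK cannot be re-labelled
// as belonging to a different KEK.
func Encrypt(kekID string, kek, record, recordAAD []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record, recordAAD)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt looks up the KEK named in the envelope, unwraps the DEK and opens the record.
// Once a KEK is retired from the store, envelopes that were never re-wrapped are unreadable.
func Decrypt(keks map[string][]byte, env Envelope, recordAAD []byte) ([]byte, error) {
	kek, ok := keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", env.KEKID)
	}
	dek, err := open(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, recordAAD)
}

// RotateKEK re-wraps the DEK under newKEKID. The record ciphertext is untouched, which is
// what keeps periodic KEK rotation cheap on large data sets.
func RotateKEK(keks map[string][]byte, env Envelope, newKEKID string) (Envelope, error) {
	oldKEK, okOld := keks[env.KEKID]
	newKEK, okNew := keks[newKEKID]
	if !okOld || !okNew {
		return Envelope{}, fmt.Errorf("KEK %q or %q not available", env.KEKID, newKEKID)
	}
	dek, err := open(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: newKEKID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	// Constructed sample: an in-memory KEK store standing in for the bank's HSM/KMS.
	newKey := func() []byte { k := make([]byte, 32); rand.Read(k); return k }
	keks := map[string][]byte{"kek-v1": newKey()}
	record, aad := []byte("acct=001234 balance=10500.00"), []byte("customer-record")
	env, _ := Encrypt("kek-v1", keks["kek-v1"], record, aad)
	keks["kek-v2"] = newKey()
	rotated, _ := RotateKEK(keks, env, "kek-v2")
	delete(keks, "kek-v1") // retire the old KEK once every record has been re-wrapped
	pt, err := Decrypt(keks, rotated, aad)
	fmt.Printf("%s err=%v ciphertextUnchanged=%v\n", pt, err, bytes.Equal(env.Ciphertext, rotated.Ciphertext))
}
```

The point the example makes against the list above: with this split, the provider can hold the ciphertext and the wrapped DEKs while the bank alone holds the KEKs, rotation of the KEK touches only the small wrapped keys rather than the data, and retiring a KEK renders anything that was not re-wrapped unreadable, so lifecycle events are enforced by the cryptography rather than by policy alone.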
While the day-to-day security of the cloud platform would predominantly be the responsibility of the cloud service providers, banks would need to ensure that the relevant contracts with them are tightened to the bank's specific security requirements. The bank's main involvement in this area would be in cloud security governance, risk and control. Banks have to develop criteria for their applications and classify them into:
- Low risk
- High Information Risk (Sensitive customer information, Intellectual Property, Data leakage resulting in financial loss)
- High Regulatory Compliance Risk
- High Business Continuity Risk (Application unavailability, Disaster Recovery failure)
The following main factors are to be considered by banks when choosing a cloud service provider:
- Technical adequacy for porting applications to the cloud
- Cost efficiency
- Risk profiling: availability, regulatory, compliance and statutory requirements
- Control over intrusion detection, vulnerability monitoring and denial-of-service protection
Banks should choose service and delivery models on cloud that best match their requirements for cost savings, scalability, data integrity and security, business agility and resource optimization. They should adopt an evolutionary approach towards cloud computing based on the type of applications and nature of data.
Govind Desikan is the Business Development Head for Cloud Services, Netmagic, responsible for evangelising cloud initiatives and for engaging closely with customers in preparing a cloud blueprint for successful cloud roll-outs. He has been associated with the IT industry for close to 20 years, with wide-ranging experience in large enterprises, working with software vendors, building datacentre services from the ground up and architecting large system roll-outs, including elastic and adaptable architectures. Conversant with most software technologies, he is a passionate believer in simplifying technology to make it relevant to the business decision maker. In the past he has worked with popular software OEM brands such as VMware, Microsoft, Sun and Oracle. Apart from being a Computer Science Engineer, he is also a Cost Accountant and an ISO Lead Auditor. He is well known to his customers, who fondly recognise him as "one of the best consultative solution sellers".