Financial institutions look to cloud with skepticism

Some banks that do business in Rhode Island are easing into the global trend to use cloud computing service, or processing and storing data on servers not owned by the company either on rented server space they control, generally called the “private cloud,” or shared servers, called the “public cloud.”
Still, financial institutions’ acceptance of cloud computing, even for selected, less-sensitive applications, duels with skepticism about the ability to guarantee security in precarious cyber-territory.
Webster Bank has an internal “private cloud” for processing data and is also going along with an increasing trend by companies to use the “public cloud.”
“We will continue to implement ‘in-house’ application in our private, virtualized environment, while partnering with vendors who provide software solutions from a public cloud,” said Webster Bank Chief Information Officer Colin Eccles.
Savings Institute Bank & Trust, which acquired NewportFed on Sept. 6, uses private-cloud computing, but carefully chooses how those services are used, said President and CEO Rheo Brouillard.
“We do not use any public-cloud services for any applications, but rely, primarily for proprietary and confidentiality of information reasons, on dedicated private servers,” said Brouillard.
BankNewport uses cloud computing for human resources applications, said Chief Information Officer Colleen Medeiros.
That’s an example of an application some in the financial industry said makes good use of cloud computing to process data, while keeping customers’ sensitive financial information on privately controlled computers.
“We are not using cloud computing for our internal bank network and do not have plans to do so, due to regulatory scrutiny and the GLBA,” said Medeiros.
The GLBA is the Gramm-Leach-Bliley Act, passed in 1999, to ensure that financial institutions protect consumers’ confidential information.
Threats to the security of confidential information override the advantages of cloud computing for financial institutions, in the opinion of Francesca Spidalieri, cyber-leadership fellow at Salve Regina University’s Pell Center for International Relations and Public Policy. “I have strong reservations. I am not for cloud-computing services for banking, especially because of the sensitivity of the information they hold,” said Spidalieri, one of the organizers of the Pell Center’s series of programs titled Rhode Island Cybersecurity Initiative, which began on Sept. 11.
Spidalieri said the threats to cyber-security are constant.
“There is always someone else out there who’s found a more sophisticated way to get into a network. There are so many cybercriminals,” said Spidalieri. “Someone is trying to get into these networks tons of times every day.
“They’re probably from another country and all they need are good tech skills and a good Internet connection,” Spidalieri said. “There’s a low-cost entry into this type of crime.”
While business in general is tending to migrate to cloud computing, Spidalieri said financial institutions have had good reason to be skeptical and hesitant to make the change.
Cybercrimes are more than just sporadic occurrences, she said.
“There are only two types of businesses – those that have been hacked and those that don’t know they’ve been hacked,” said Spidalieri. “And there are those that have been hacked but don’t want to tell you because they don’t want everyone to know their systems have been penetrated and personal information may have been stolen.”
Spidalieri is on a mission to engage employees across the spectrum of business to be aware of and learn how to defend against cyberthreats.
“Cybersecurity is not just a technology problem. Achieving cybersecurity is a social, institutional, legal and governance problem,” she said. “If you don’t train your employees and they’re not aware of the risk, IT will be working to fix the breach of security.”
The attraction of the “cloud” is still hard for businesses to resist, she said.
“Cheaper always tends to dominate the conversation,” said Spidalieri.
“I see banks continuing to migrate to cloud computing, especially small banks. The first reason they give is they want to reduce technology costs. They don’t have to invest in all this equipment,” said Spidalieri. “It’s convenient, and it can improve relationships with customers because they can have more services to offer on the cloud.” Banks can minimize some of the risk by making a distinction about what kind of applications they put in the cloud, but still, “you don’t know where your assets are, how the information is stored or what the threats are,” said Spidalieri.
The trend for banks to migrate to the cloud seems to be progressing steadily.
Seventy-one percent of bank executives surveyed in a recently released report told PricewaterhouseCoopers they plan to invest more in cloud computing, nearly four times the figure of a year earlier, according to an Aug. 12 article in American Banker.
One reason for the shift, according to PricewaterhouseCoopers financial services technology leader Julien Courbe, is that vendors of public cloud services have made their offerings to banks more secure and reliable, according to the article.
“Most investments banks have made to date have been made in the private cloud,” said Courbe. “Now we’re seeing banks invest in public-cloud solutions.”
The major public-cloud providers – Amazon.com, Google, Microsoft and Rackspace – have reported strong growth in cloud use so far this year, according to the article.
“There’s been a lot of development to make cloud computing more secure. Providers [including] Amazon and Rackspace can invest in robust defense across their entire infrastructure because there are economies of scale,” said Rajesh Jayaraman, chief technology officer for Andera, a Providence-based software-as-a-service company that owns and operates its own servers and develops software that banks use for opening accounts. Andera customers include more than 500 banks and credit unions.
Despite increased security, Jayaraman said because the public cloud is “rented and shared computer space, your data could be sitting on the same computer with someone else’s, and there’s a risk of comingling of data.”
The one definitive point about a business’ use of a private cloud is that “the computing is dedicated to one company.”
“However, ‘private cloud’ is a nebulous term,” he said. “In general, private cloud means you are in some external environment where you rent space.” •

No posts to display