Banking on Hybrid Cloud: Some Top Security Tips

by Bharat Mistry

A new Wall Street Journal news story this week claims that Amazon Web Services is beginning to make headway in the banking sector. If it’s true it’ll be a major breakthrough for the public cloud provider in an industry which has long been too risk averse and highly regulated for its brand of multi-tenant cloud computing. What the piece doesn’t mention explicitly is that if the notoriously conservative financial services industry is signing up to the public cloud, it’s most likely to be as part of hybrid deployments.

Yet even with a mix of private and public cloud installed to limit risk, organisations must remember that cloud computing brings with it a whole new set of security and management challenges. Forward planning, as always, is everything.

Why hybrid?
The hybrid cloud is fast becoming the de facto standard for organisations around the world. On the one hand they want the control, reliability and even customisability of the private cloud. Some data might actually have to reside on-premises by law or according to industry regulations. But on the other hand they want to take advantage of the flexibility, ease of use, cost effectiveness and scalability of the public cloud.

In this way, several banks are keeping “core banking activities and data on their own platforms” but are looking at the public cloud to run things like their mobile banking apps, according to the WSJ.

It’s not just the banking industry that is most likely looking to combine the best of both cloud worlds. A poll of Amazon Web Services summit attendees last year found 79% are pursuing a hybrid cloud strategy. And while AWS has by far the largest market share, it’s by no means the only player in town: Microsoft, IBM, VMware and many more smaller players have made it a highly competitive space.

The issue is security. Roughly speaking, the cloud provider secures the global infrastructure used to run the cloud, while customers remain responsible for their data, network configuration, operating systems and applications. Amazon refers to this as the “Shared Responsibility” model.

No place for legacy security
Problems arise when customers choose the wrong kind of security tools to protect these new environments. Installing security tools designed for traditional physical servers simply won’t work. It can cause huge performance degradation, known as “security storms”, and fail to protect systems from zero-day vulnerabilities like Heartbleed, which have the power to disrupt organisations around the world within hours of being made public.

What’s more, tools that are not hybrid-cloud aware can leave “instant-on” gaps, which occur when new or dormant virtual machines are brought online without up-to-date security. And let’s also remember that IT staff have a tough enough job managing physical and virtual security. Add hybrid cloud into the mix and you run the risk of multiplying the number of interfaces and consoles that need to be managed.

Outsourcing any part of your IT infrastructure takes a lot of time, effort and forward planning. Hybrid cloud deployments are no different. Consider the following tips to get started:

  • Sit down with procurement and legal stakeholders to draw up a list of potential providers
  • For existing contracts, review no less frequently than once a year
  • Look for cloud security platforms which offer:
    – Virtual patching to protect against zero-day flaws
    – A wide range of capabilities, including web reputation, intrusion prevention, firewall, integrity monitoring, log inspection and anti-malware
    – A single dashboard/console to manage physical, virtual, cloud and hybrid environments
    – Hybrid cloud-ready architecture to minimise the performance hit and plug any instant-on gaps with leading public cloud providers including AWS, Azure, IBM and VMware
  • Take note of regulatory frameworks including Safe Harbour, and the forthcoming EU General Data Protection Regulation and NIS Directive. They may affect where data can be stored and what safeguards need to be placed on it
