Are security issues preventing financial services firms from adopting cloud computing? If so, what can be done to improve cloud security and encourage financial firms to migrate to the cloud? To find out, we sat down with our very own Philip Lieberman. In addition to serving as Identity Week’s Editor-in-Chief, Phil is also President and CEO of privileged identity management vendor Lieberman Software.
IW: What is the status of financial services firms moving to the cloud?
PL: Today the financial services area is a mixed bag of on-premises IT for older legacy and high-security applications, and private cloud to support modern portable internal applications. There is also some use of the public cloud for such offerings as Microsoft Office 365 and Salesforce.
IW: How large of a barrier is security for financial firms that are considering the cloud?
PL: By using private cloud as a migration path, many companies are essentially paying for the use of hardware, electricity, air conditioning, storage and bandwidth in bulk, while maintaining their own application security. However, physical security and privileged identity management become unknowns to a greater degree, given that the infrastructure of the private cloud is outside the control of the user.
IW: What exactly are the security issues that financial firms are concerned about?
PL: Several factors – unknown or unverified processes of cloud providers, untrusted cloud provider employees and contractors, and lack of access to audit records and physical access records. There’s also an absence of transparency and coordination with regard to IT infrastructure management.
IW: What can be done to improve cloud security to the point where financial services firms are more likely to become cloud adopters?
PL: Cloud providers could differentiate themselves by offering transparency as to their internal processes. There is actually little real security because the internal processes of the cloud providers are opaque. These providers operate under strict non-disclosure agreements, which mean that inadequate security processes never see the light of day. The best scenario would be indemnification of clients against losses caused by poor security practices, in line with generally accepted standards of gross negligence.
IW: When is cloud computing likely to go mainstream within the financial services industry?
PL: If there is indemnification, along with government-supplied safe harbours that protect adopters against litigation, cloud adoption would be easy. As for private clouds, there is a case to be made considering that cloud providers can offer economies of scale in the purchase and running of infrastructure, with minimal additional security risk versus an on-premises solution. Of course, there is little to nothing to be gained in security by such a private cloud solution, but in the never-ending quest for reduced operating costs, there is a business case for the private cloud. On the other hand, if the private cloud vendor fails as a business or changes its strategy, then the customer has to have a “plan B” to migrate back to an on-premises solution or to find another suitable private cloud provider.