|By Kevin Nikkhoo||
|September 4, 2012 01:45 AM EDT||
Last month the Federal Financial Institutions Examination Council (FFIEC) shared an opinion on the viability and security of cloud computing. In the four-page statement, the interagency body empowered to prescribe uniform principles, standards, stated that cloud computing is “another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.”
What they are offering is a back-handed endorsement of cloud computing with the caveat that if you perform your due diligence and the solution passes the security smell test, there is no reason why a financial institution cannot enjoy the full scope of cloud based benefits.
Like most other industries on the planet, banks, credit unions, investment brokerages, hedge funds, title and mortgage companies, credit card enterprises outsource certain parts of their business for a variety of reasons. In some cases, it is a skill that is outside their core competencies like the physical transference of currency (armored cars). For others it incorporates economic and efficiency factors like reducing and controlling costs, expanding operational capacity, and employing best-of-breed philosophies. Regardless of the reasoning, outsourcing is an integral part of international business standards.
“Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.” FFIEC Information Technology Subcommittee July 10, 2012
This is especially good news for credit unions and other smaller finance-centric enterprise organizations on the hook for compliance, heightened data and asset protection and access control just like their multi-national brethren. In that the FFIEC has labeled cloud computing as an acceptable practice, I want to focus on three specific callouts that directly affect how and why security managed from the cloud (aka cloud-based security) fits with the strategic technology goals of any financial institution.
- Legal and Regulatory Considerations All financial institutions operate under the heavy scrutiny of federal, state, local and industrial standards. It demands a certain degree of transparency (as well as privacy), a certain reliance on reporting and auditing, and heavy emphasis on compliance with various requirements. Although a serious and very complex issue, the ability to depend on several factors managed from the cloud, eases some of the burden. Regardless of where sensitive financial, personal and transactional data and is stored security-as-a-service typically provides the best-of-breed oversight institutions demand. Strictly from a security management perspective, understanding who and how and when any endpoint is attempting to access or ping a network asset at any time day or night is not only good practice, but a strict edict of laws like PCI and Sarbanes Oxley. But taken one step further, the ability to look beyond the obvious brute force attacks, the ability to instantly analyze traffic from a variety of silos and the ability inform, escalate and report any anomalies bases on strict interpretation of the law, creates. The cloud fits this stratagem simply by providing the additional expertise, faster and more accurate auditing and more “bang for the buck.
”I recall what a Network Apps Manager from Texas Capital Bank stated in a recent conference: "We get audited. We get audited a lot! In the span of a typical year we are audited by 6 different external and regulatory compliance groups." I get dizzy just thinking of the constant drain on resources it takes to keep up with it all. Not to put a fine point on it, but just consider the manpower, reporting and computing relief an organization can experience simply by outsourcing Identity Management to provision and de-provision users , customers and vendors...not to mention the additional control from SaaS Single Sign On.
- Holistic InfoSec All Financial institutions are typically at the center of many hacking attacks. The rule of thumb with cloud-based (or really any security strategy), is don’t worry about the attacks you can see coming. Most of the truly devastating breaches come from more insidious sources that are quiet and subtle. It is these types of assaults that look for cracks in a multitude of small, seemingly insignificant corners. This is why any strategy must contain a holistic approach. One that looks at and ties together the various and varied silos of information. This situational context approach identifies issues that might not raise red flags in one silo, but when correlated with other data points might require reporting, escalation and instant remediation.
And it’s no secret that global hackers have set their sites on American financial institutions but if you are running a credit union in Watertown, MN, do you need to fear nation-state cyber-terrorism? Probably not as much as Citibank, but shoring up your network perimeter is a must. Solutions like SIEM and Log Management have an excellent track record managed from the cloud. Other considerations such as careless third party users and employees, password mismanagement, poor vetting of third-party security protocols, access controls, must be addressed to achieve a true holistic approach strategy. But for that credit union in Watertown or the title company in Carpenteria, CA there is limited budget to apply such an enterprise strategy. And that’s where cloud security comes in as a huge benefit. Security-as-a-service is typically a cash flow positive endeavor. This means there is no capital expenditures (it’s all OpEx) and there is no ROI lag time in terms of buying an expensive server or waiting 6 months to develop and deploy and appropriate program. Zero day deployment and pay-as-you-go scalability provide immediate return and immediate coverage.
- Data segregation and recoverability: The nature of this issue is the overall security of data regardless of where and how it is stored. There are many whose lack of trust in the cloud prevents them from seeing that just because data is sitting on a server outside their four walls, means it is any less secure. By using the advice of the FFIEC, applying risk assessments against any outsourced solution, . It’s the same for any investment. If you do poor research on a electronic lock company, there are catastrophic risks involved. Many cloud providers invest a great deal in their security features. And of course, a company the sells security-as-a-service, must be as or more bulletproof than any on premises alternative in its ability to maintain data security, IT integrity and guaranteed continued service.
Now this isn’t aimed so much at Bank of America or Goldman Sachs, but rather “Main Street” institutions who don’t have a spare $100K waiting to spend on on-premise servers, $1 million to develop and deploy a holistic security strategy and another $150K for dedicated analysts to monitor activity around the clock. Cloud-based security provides more functionality, greater scope, and greater manageability than a typical local institution can afford to do in house. Through multi-tenancy, economies of scope and leveraged enterprise best-of-breed expertise and capabilities, every financial institution can benefit from top-class security…as long as they do their homework!
As with any business decision, whether to migrate certain aspects of enterprise operation to the cloud, depends on several factors. Does it promote your strategic and tactical plans/goals? Have you done your homework and made sure both the vendor and the solution are a good (and trustworthy) fit? Does it provide ROI in a reasonable/expected time frame? Does the reward outpace the risk? Is the risk manageable? I could go on. But the argument is no longer be should I utilize the cloud. The better question is in what situations and how do cloud based solutions create benefit and advantages for my company?
If you wish to learn more about the application of holistic security, read the white paper: Applying Security Holistically from the Cloud: A Paradigm Shift Applying Situational Awareness in SIEM Deployments.
The true value of the Internet of Things (IoT) lies not just in the data, but through the services that protect the data, perform the analysis and present findings in a usable way. With many IoT elements rooted in traditional IT components, Big Data and IoT isn’t just a play for enterprise. In fact, the IoT presents SMBs with the prospect of launching entirely new activities and exploring innovative areas. CompTIA research identifies several areas where IoT is expected to have the greatest impact.
May. 26, 2015 09:00 PM EDT Reads: 5,213
The 4th International Internet of @ThingsExpo, co-located with the 17th International Cloud Expo - to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA - announces that its Call for Papers is open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
May. 26, 2015 06:00 PM EDT Reads: 2,260
The Industrial Internet revolution is now underway, enabled by connected machines and billions of devices that communicate and collaborate. The massive amounts of Big Data requiring real-time analysis is flooding legacy IT systems and giving way to cloud environments that can handle the unpredictable workloads. Yet many barriers remain until we can fully realize the opportunities and benefits from the convergence of machines and devices with Big Data and the cloud, including interoperability, data security and privacy.
May. 26, 2015 05:00 PM EDT Reads: 4,939
The Internet of Things is tied together with a thin strand that is known as time. Coincidentally, at the core of nearly all data analytics is a timestamp. When working with time series data there are a few core principles that everyone should consider, especially across datasets where time is the common boundary. In his session at Internet of @ThingsExpo, Jim Scott, Director of Enterprise Strategy & Architecture at MapR Technologies, discussed single-value, geo-spatial, and log time series data. By focusing on enterprise applications and the data center, he will use OpenTSDB as an example t...
May. 26, 2015 02:00 PM EDT Reads: 6,677
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will addresses this very serious issue of profound change in the industry.
May. 26, 2015 01:15 PM EDT Reads: 1,115
Scott Jenson leads a project called The Physical Web within the Chrome team at Google. Project members are working to take the scalability and openness of the web and use it to talk to the exponentially exploding range of smart devices. Nearly every company today working on the IoT comes up with the same basic solution: use my server and you'll be fine. But if we really believe there will be trillions of these devices, that just can't scale. We need a system that is open a scalable and by using the URL as a basic building block, we open this up and get the same resilience that the web enjoys.
May. 26, 2015 01:00 PM EDT Reads: 7,292
We are reaching the end of the beginning with WebRTC, and real systems using this technology have begun to appear. One challenge that faces every WebRTC deployment (in some form or another) is identity management. For example, if you have an existing service – possibly built on a variety of different PaaS/SaaS offerings – and you want to add real-time communications you are faced with a challenge relating to user management, authentication, authorization, and validation. Service providers will want to use their existing identities, but these will have credentials already that are (hopefully) i...
May. 26, 2015 01:00 PM EDT Reads: 4,599
All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades. With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo, June 9-11, 2015, at the Javits Center in New York City. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be
May. 26, 2015 12:15 PM EDT Reads: 2,692
Container frameworks, such as Docker, provide a variety of benefits, including density of deployment across infrastructure, convenience for application developers to push updates with low operational hand-holding, and a fairly well-defined deployment workflow that can be orchestrated. Container frameworks also enable a DevOps approach to application development by cleanly separating concerns between operations and development teams. But running multi-container, multi-server apps with containers is very hard. You have to learn five new and different technologies and best practices (libswarm, sy...
May. 26, 2015 12:00 PM EDT Reads: 2,462
SYS-CON Events announced today that DragonGlass, an enterprise search platform, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. After eleven years of designing and building custom applications, OpenCrowd has launched DragonGlass, a cloud-based platform that enables the development of search-based applications. These are a new breed of applications that utilize a search index as their backbone for data retrieval. They can easily adapt to new data sets and provide access to both structured and unstruc...
May. 26, 2015 12:00 PM EDT Reads: 2,244
An entirely new security model is needed for the Internet of Things, or is it? Can we save some old and tested controls for this new and different environment? In his session at @ThingsExpo, New York's at the Javits Center, Davi Ottenheimer, EMC Senior Director of Trust, reviewed hands-on lessons with IoT devices and reveal a new risk balance you might not expect. Davi Ottenheimer, EMC Senior Director of Trust, has more than nineteen years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is co-author of t...
May. 26, 2015 11:00 AM EDT Reads: 5,959
The Internet of Things is a misnomer. That implies that everything is on the Internet, and that simply should not be - especially for things that are blurring the line between medical devices that stimulate like a pacemaker and quantified self-sensors like a pedometer or pulse tracker. The mesh of things that we manage must be segmented into zones of trust for sensing data, transmitting data, receiving command and control administrative changes, and peer-to-peer mesh messaging. In his session at @ThingsExpo, Ryan Bagnulo, Solution Architect / Software Engineer at SOA Software, focused on desi...
May. 26, 2015 11:00 AM EDT Reads: 4,253
SYS-CON Events announced today that MetraTech, now part of Ericsson, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Ericsson is the driving force behind the Networked Society- a world leader in communications infrastructure, software and services. Some 40% of the world’s mobile traffic runs through networks Ericsson has supplied, serving more than 2.5 billion subscribers.
May. 26, 2015 10:15 AM EDT Reads: 1,918
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud environment, and we must architect and code accordingly. At the very least, you'll have no problem fil...
May. 26, 2015 10:00 AM EDT Reads: 2,173
While great strides have been made relative to the video aspects of remote collaboration, audio technology has basically stagnated. Typically all audio is mixed to a single monaural stream and emanates from a single point, such as a speakerphone or a speaker associated with a video monitor. This leads to confusion and lack of understanding among participants especially regarding who is actually speaking. Spatial teleconferencing introduces the concept of acoustic spatial separation between conference participants in three dimensional space. This has been shown to significantly improve comprehe...
May. 26, 2015 10:00 AM EDT Reads: 3,370
The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup loading complex sites necessitates hundreds of DNS queries. In addition, as more internet-enabled ‘Things' get connected, people will rely on DNS to name and find their fridges, toasters and toilets. According to a recent IDG Research Services Survey this rate of traffic will only grow. What's driving t...
May. 26, 2015 09:00 AM EDT Reads: 5,421
Today’s enterprise is being driven by disruptive competitive and human capital requirements to provide enterprise application access through not only desktops, but also mobile devices. To retrofit existing programs across all these devices using traditional programming methods is very costly and time consuming – often prohibitively so. In his session at @ThingsExpo, Jesse Shiah, CEO, President, and Co-Founder of AgilePoint Inc., discussed how you can create applications that run on all mobile devices as well as laptops and desktops using a visual drag-and-drop application – and eForms-buildi...
May. 26, 2015 08:00 AM EDT Reads: 5,675
The Internet of Things promises to transform businesses (and lives), but navigating the business and technical path to success can be difficult to understand. In his session at @ThingsExpo, Sean Lorenz, Technical Product Manager for Xively at LogMeIn, demonstrated how to approach creating broadly successful connected customer solutions using real world business transformation studies including New England BioLabs and more.
May. 26, 2015 08:00 AM EDT Reads: 6,181
The recent trends like cloud computing, social, mobile and Internet of Things are forcing enterprises to modernize in order to compete in the competitive globalized markets. However, enterprises are approaching newer technologies with a more silo-ed way, gaining only sub optimal benefits. The Modern Enterprise model is presented as a newer way to think of enterprise IT, which takes a more holistic approach to embracing modern technologies.
May. 25, 2015 11:00 PM EDT Reads: 6,300
Every day we read jaw-dropping stats on the explosion of data. We allocate significant resources to harness and better understand it. We build businesses around it. But we’ve only just begun. For big payoffs in Big Data, CIOs are turning to cognitive computing. Cognitive computing’s ability to securely extract insights, understand natural language, and get smarter each time it’s used is the next, logical step for Big Data.
May. 25, 2015 08:00 PM EDT Reads: 2,394