Welcome!

Government Cloud Authors: Elizabeth White, Pat Romanski, Liz McMillan, Kevin Jackson, Bob Gourley

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Containers Expo Blog, IoT User Interface, Agile Computing, Cloud Security, Government Cloud

@CloudExpo: Blog Post

FFIEC's Recognition of Cloud Security Advantages

How credit unions, smaller banks can now use outsourcing for compliance using security-as-a-service

Last month the Federal Financial Institutions Examination Council (FFIEC) shared an opinion on the viability and security of cloud computing. In the four-page statement, the interagency body empowered to prescribe uniform principles, standards, stated that cloud computing is “another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.”

What they are offering is a back-handed endorsement of cloud computing with the caveat that if you perform your due diligence and the solution passes the security smell test, there is no reason why a financial institution cannot enjoy the full scope of cloud based benefits.

Like most other industries on the planet, banks, credit unions, investment brokerages, hedge funds, title and mortgage companies, credit card enterprises outsource certain parts of their business for a variety of reasons. In some cases, it is a skill that is outside their core competencies like the physical transference of currency (armored cars). For others it incorporates economic and efficiency factors like reducing and controlling costs, expanding operational capacity, and employing best-of-breed philosophies. Regardless of the reasoning, outsourcing is an integral part of international business standards.

“Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.” FFIEC Information Technology Subcommittee July 10, 2012

This is especially good news for credit unions and other smaller finance-centric enterprise organizations on the hook for compliance, heightened data and asset protection and access control   just like their multi-national brethren. In that the FFIEC has labeled cloud computing as an acceptable practice, I want to focus on three specific callouts that directly affect how and why security managed from the cloud (aka cloud-based security) fits with the strategic technology goals of any financial institution.

  • Legal and Regulatory Considerations All financial institutions operate under the heavy scrutiny of federal, state, local and industrial standards. It demands a certain degree of transparency (as well as privacy), a certain reliance on reporting and auditing, and heavy emphasis on compliance with various requirements. Although a serious and very complex issue, the ability to depend on several factors managed from the cloud, eases some of the burden. Regardless of where sensitive financial, personal and transactional data and is stored security-as-a-service typically provides the best-of-breed oversight institutions demand. Strictly from a security management perspective, understanding who and how and when any endpoint is attempting to access or ping a network asset at any time day or night is not only good practice, but a strict edict of laws like PCI and Sarbanes Oxley. But taken one step further, the ability to look beyond the obvious brute force attacks, the ability to instantly analyze traffic from a variety of silos and the ability inform, escalate and report any anomalies bases on strict interpretation of the law, creates. The cloud fits this stratagem simply by providing the additional expertise, faster and more accurate auditing and more “bang for the buck.

”I recall what a Network Apps Manager from Texas Capital Bank stated in a recent conference: "We get audited. We get audited a lot! In the span of a typical year we are audited by 6 different external and regulatory compliance groups." I get dizzy just thinking of the constant drain on resources it takes to keep up with it all. Not to put a fine point on it, but just consider the manpower, reporting and computing  relief an organization can experience simply by outsourcing Identity Management to provision and de-provision users , customers and vendors...not to mention the additional control from SaaS Single Sign On.

  • Holistic InfoSec All Financial institutions are typically at the center of many hacking attacks. The rule of thumb with cloud-based (or really any security strategy), is don’t worry about the attacks you can see coming. Most of the truly devastating breaches come from more insidious sources that are quiet and subtle. It is these types of assaults that look for cracks in a multitude of small, seemingly insignificant corners. This is why any strategy must contain a holistic approach. One that looks at and ties together the various and varied silos of information. This situational context approach identifies issues that might not raise red flags in one silo, but when correlated with other data points might require reporting, escalation and instant remediation.

And it’s no secret that global hackers have set their sites on American financial institutions but if you are running a credit union in Watertown, MN, do you need to fear nation-state cyber-terrorism? Probably not as much as Citibank, but shoring up your network perimeter is a must. Solutions like SIEM and Log Management have an excellent track record managed from the cloud. Other considerations such as careless third party users and employees, password mismanagement, poor vetting of third-party security protocols, access controls, must be addressed to achieve a true holistic approach strategy.  But for that credit union in Watertown or the title company in Carpenteria, CA there is limited budget to apply such an enterprise strategy. And that’s where cloud security comes in as a huge benefit. Security-as-a-service is typically a cash flow positive endeavor. This means there is no capital expenditures (it’s all OpEx) and there is no ROI lag time in terms of buying an expensive server or waiting 6 months to develop and deploy and appropriate program. Zero day deployment and pay-as-you-go scalability provide immediate return and immediate coverage.

  • Data segregation and recoverability: The nature of this issue is the overall security of data regardless of where and how it is stored. There are many whose lack of trust in the cloud prevents them from seeing that just because data is sitting on a server outside their four walls, means it is any less secure. By using the advice of the FFIEC, applying risk assessments against any outsourced solution, . It’s the same for any investment. If you do poor research on a electronic lock company, there are catastrophic risks involved. Many cloud providers invest a great deal in their security features. And of course, a company the sells security-as-a-service, must be as or more bulletproof than any on premises alternative in its ability to maintain data security, IT integrity and guaranteed continued service.

Now this isn’t aimed so much at Bank of America or Goldman Sachs, but rather “Main Street” institutions who don’t have a spare $100K waiting to spend on on-premise servers, $1 million to develop and deploy a holistic security strategy and another $150K for dedicated analysts to monitor activity around the clock. Cloud-based security provides more functionality, greater scope, and greater manageability than a typical local institution can afford to do in house. Through multi-tenancy, economies of scope and leveraged enterprise best-of-breed expertise and capabilities, every financial institution can benefit from top-class security…as long as they do their homework!

As with any business decision, whether to migrate certain aspects of enterprise operation to the cloud, depends on several factors. Does it promote your strategic and tactical plans/goals? Have you done your homework and made sure both the vendor and the solution are a good (and trustworthy) fit? Does it provide ROI in a reasonable/expected time frame? Does the reward outpace the risk? Is the risk manageable? I could go on. But the argument is no longer be should I utilize the cloud. The better question is in what situations and how do cloud based solutions create benefit and advantages for my company?

If you wish to learn more about the application of holistic security, read the white paper: Applying Security Holistically from the Cloud: A Paradigm Shift Applying Situational Awareness in SIEM Deployments.

Kevin Nikkhoo

CloudAccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
The IoT has the potential to create a renaissance of manufacturing in the US and elsewhere. In his session at 18th Cloud Expo, Florent Solt, CTO and chief architect of Netvibes, will discuss how the expected exponential increase in the amount of data that will be processed, transported, stored, and accessed means there will be a huge demand for smart technologies to deliver it. Florent Solt is the CTO and chief architect of Netvibes. Prior to joining Netvibes in 2007, he co-founded Rift Technol...
The increasing popularity of the Internet of Things necessitates that our physical and cognitive relationship with wearable technology will change rapidly in the near future. This advent means logging has become a thing of the past. Before, it was on us to track our own data, but now that data is automatically available. What does this mean for mHealth and the "connected" body? In her session at @ThingsExpo, Lisa Calkins, CEO and co-founder of Amadeus Consulting, will discuss the impact of wea...
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus inter...
We’ve worked with dozens of early adopters across numerous industries and will debunk common misperceptions, which starts with understanding that many of the connected products we’ll use over the next 5 years are already products, they’re just not yet connected. With an IoT product, time-in-market provides much more essential feedback than ever before. Innovation comes from what you do with the data that the connected product provides in order to enhance the customer experience and optimize busi...
In his session at @ThingsExpo, Chris Klein, CEO and Co-founder of Rachio, will discuss next generation communities that are using IoT to create more sustainable, intelligent communities. One example is Sterling Ranch, a 10,000 home development that – with the help of Siemens – will integrate IoT technology into the community to provide residents with energy and water savings as well as intelligent security. Everything from stop lights to sprinkler systems to building infrastructures will run ef...
So, you bought into the current machine learning craze and went on to collect millions/billions of records from this promising new data source. Now, what do you do with them? Too often, the abundance of data quickly turns into an abundance of problems. How do you extract that "magic essence" from your data without falling into the common pitfalls? In her session at @ThingsExpo, Natalia Ponomareva, Software Engineer at Google, will provide tips on how to be successful in large scale machine lear...
Digital payments using wearable devices such as smart watches, fitness trackers, and payment wristbands are an increasing area of focus for industry participants, and consumer acceptance from early trials and deployments has encouraged some of the biggest names in technology and banking to continue their push to drive growth in this nascent market. Wearable payment systems may utilize near field communication (NFC), radio frequency identification (RFID), or quick response (QR) codes and barcodes...
SYS-CON Events announced today that Stratoscale, the software company developing the next generation data center operating system, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Stratoscale is revolutionizing the data center with a zero-to-cloud-in-minutes solution. With Stratoscale’s hardware-agnostic, Software Defined Data Center (SDDC) solution to store everything, run anything and scale everywhere...
Angular 2 is a complete re-write of the popular framework AngularJS. Programming in Angular 2 is greatly simplified – now it's a component-based well-performing framework. This immersive one-day workshop at 18th Cloud Expo, led by Yakov Fain, a Java Champion and a co-founder of the IT consultancy Farata Systems and the product company SuranceBay, will provide you with everything you wanted to know about Angular 2.
You think you know what’s in your data. But do you? Most organizations are now aware of the business intelligence represented by their data. Data science stands to take this to a level you never thought of – literally. The techniques of data science, when used with the capabilities of Big Data technologies, can make connections you had not yet imagined, helping you discover new insights and ask new questions of your data. In his session at @ThingsExpo, Sarbjit Sarkaria, data science team lead ...
SYS-CON Events announced today that Men & Mice, the leading global provider of DNS, DHCP and IP address management overlay solutions, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. The Men & Mice Suite overlay solution is already known for its powerful application in heterogeneous operating environments, enabling enterprises to scale without fuss. Building on a solid range of diverse platform support,...
You deployed your app with the Bluemix PaaS and it's gaining some serious traction, so it's time to make some tweaks. Did you design your application in a way that it can scale in the cloud? Were you even thinking about the cloud when you built the app? If not, chances are your app is going to break. Check out this webcast to learn various techniques for designing applications that will scale successfully in Bluemix, for the confidence you need to take your apps to the next level and beyond.
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
Increasing IoT connectivity is forcing enterprises to find elegant solutions to organize and visualize all incoming data from these connected devices with re-configurable dashboard widgets to effectively allow rapid decision-making for everything from immediate actions in tactical situations to strategic analysis and reporting. In his session at 18th Cloud Expo, Shikhir Singh, Senior Developer Relations Manager at Sencha, will discuss how to create HTML5 dashboards that interact with IoT devic...
Artificial Intelligence has the potential to massively disrupt IoT. In his session at 18th Cloud Expo, AJ Abdallat, CEO of Beyond AI, will discuss what the five main drivers are in Artificial Intelligence that could shape the future of the Internet of Things. AJ Abdallat is CEO of Beyond AI. He has over 20 years of management experience in the fields of artificial intelligence, sensors, instruments, devices and software for telecommunications, life sciences, environmental monitoring, process...
SYS-CON Events announced today that Ericsson has been named “Gold Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. Ericsson is a world leader in the rapidly changing environment of communications technology – providing equipment, software and services to enable transformation through mobility. Some 40 percent of global mobile traffic runs through networks we have supplied. More than 1 billion subscribers around the world re...
There is an ever-growing explosion of new devices that are connected to the Internet using “cloud” solutions. This rapid growth is creating a massive new demand for efficient access to data. And it’s not just about connecting to that data anymore. This new demand is bringing new issues and challenges and it is important for companies to scale for the coming growth. And with that scaling comes the need for greater security, gathering and data analysis, storage, connectivity and, of course, the...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
Machine Learning helps make complex systems more efficient. By applying advanced Machine Learning techniques such as Cognitive Fingerprinting, wind project operators can utilize these tools to learn from collected data, detect regular patterns, and optimize their own operations. In his session at 18th Cloud Expo, Stuart Gillen, Director of Business Development at SparkCognition, will discuss how research has demonstrated the value of Machine Learning in delivering next generation analytics to im...
This is not a small hotel event. It is also not a big vendor party where politicians and entertainers are more important than real content. This is Cloud Expo, the world's longest-running conference and exhibition focused on Cloud Computing and all that it entails. If you want serious presentations and valuable insight about Cloud Computing for three straight days, then register now for Cloud Expo.