Moving to the cloud remains a path filled with mystery and fear, especially in heavily-regulated industries like financial services. Frequently, I have the opportunity to interact with bankers from institutions both large and small, domestically and abroad. Many have shared their organizations’ reluctance to move to the cloud, viewing even simple Software-as-a-Service (SaaS) offerings as too risky.
When people hear we’re embracing public cloud at the Federal Reserve Bank of Boston, it raises eyebrows and elicits questions about how we’ve addressed concerns surrounding security, resiliency, and even reputational impact. Yet, a quick Internet search shows that many banks, and even the federal government, have major efforts underway to accelerate their move to the cloud.
The cloud presents endless opportunities, allowing organizations to focus on key strategic priorities, while setting them on a path to be more agile and innovative. An organization that completely avoids the cloud is doing a disservice to their customers, stakeholders, and employees.
[ Read more from Don Anderson: Automation: A strategic approach to earning employee trust and buy-in. ]
As you’d expect, the Federal Reserve Bank of Boston focuses heavily on the security and resiliency of our services. Yet, we have the opportunity to demonstrate technology leadership in the financial services industry as well. We’re finding a balance between security, resiliency, and our desire to enable our organization by taking advantage of the cloud.
Where to start
Like most mature organizations, we have a fairly robust security program to assess and identify risks for internally-developed and hosted applications. Why wouldn’t we use the same program when evaluating a cloud or third-party offering? It’s a balanced approach that we’ve found to be effective, and frankly, quite straightforward.
The Federal Reserve has a diverse user base and handles important transactions. We work with economists who seek to collaborate globally, we run payment services that are mission critical to the economy, and we host banking and monetary policy information deemed critical. These are not areas that we’re prioritizing for the cloud. Similar to other organizations, we have started by prioritizing our low-risk and back office applications. This opens up new opportunities and capabilities that on-premises doesn’t offer and better positions us for the future.
In my conversations with folks in the financial industry, especially those who operate in international markets, I often field questions about security and data privacy such as, “How do I know it’s as secure as what I do today on premises?” and, “If my data ends up at a data center in a foreign country, what can those countries do to that data? And what are the applicable laws that apply to it?”
These are all fair questions. Security remains fundamental, but ignoring the cloud eliminates so many options and opportunities, and may even introduce new security vulnerabilities as on-premises vendors discontinue support for their products.
Here’s how we’re embracing public cloud by putting security at the forefront, but without sacrificing speed or creating roadblocks.
Mitigating cloud risks and rewards
Our security requirements and controls are based on the NIST Cybersecurity Framework. When we consider opportunities in the cloud – whether it’s a SaaS product or something we’re deploying ourselves – we’re analyzing them against that same framework. In doing so, we’re changing the mindset that cloud is less secure. Cloud opportunities are being held to the same standard as our on-premises solutions. This is creating an important mindset shift internally: The path will be the same whether it’s in the cloud or we build it on premises ourselves. Either way, we will still assess the gaps, identify the risks, and either mitigate or accept them. During our assessments, we’ve found many vendors who have excellent security programs. They, too, have a lot to lose if an incident were to occur.
When you’re starting a new conversation with the business about a project, the focus should always be on the business’s needs and desired capabilities, not on the technology or security limitations. We rarely, if ever, talk about cloud or on-premises; at the end of the day, there’s functionality the business needs, and we need to find a way to obtain it securely. And just like with on premises, a solution will likely have some flaws that will require mitigation or risk acceptance.
For example, we recently made the decision to move toward a SaaS-based ERP that provides significant functional advantages over our existing on-premises solution. If we didn’t have the proper mindset, our options would have been limited to a previous generation or custom-developed solution. As we developed and collected requirements from the business functions, we also included the requirements of information security. When it came time to assess the possibilities, we knew where the various solutions met or didn’t meet our requirements and what requirements were showstoppers from both a business and information security standpoint.
When people I talk to say they could never take a similar approach because their business or security folks would not allow it, I encourage them to look at the incentives of the cloud providers and the cyber criminals who want to do damage to them. The large providers are a large target for criminals because of the potential gain from one small mistake. These providers recognize this and must invest and maintain the highest level of security to protect their revenue. While the media headlines may show that cloud vendors are suffering breaches regularly, for the most part the vector of attack continues to be the same as in the on-premises world of a stolen user IDs and passwords. Even then, access is limited to the specific customer breached, not the entire service.
Maneuvering culture and leadership
Key to our approach has been a strong security function that partners with the business. While their primary job is to protect the organization, they must also have a balanced approach that enables the organization as well. It doesn’t matter where the application or data is or how it is being performed, it’s an extension of the organization and must be treated holistically. They recognize that the cloud offers immense opportunity for the organization, and they need to consider how the activities of today could be done in the cloud in the future.
The business will always chase the shiny object, going after new features or functionalities that may offer a competitive advantage or improve efficiency. It’s security’s job to recognize that to be relevant, they need to support that transition and aspiration. Security can’t be a roadblock to it. They should be viewed as enablers, helping the organization meet its goals.
[ Want more advice on how to address skeptics concerns about cloud security? Download, Hybrid cloud security: 5 questions skeptics will ask ]