Earlier this year my bike was stolen from my apartment block in London. Sadly I was not the only victim as a number of my neighbours also had their bikes stolen from the bike rack inside the gated basement of the building. You can imagine our anger and distress that such a crime had been committed, especially when we assumed that the security measures in place to protect our bikes were more than adequate. Despite appearances, the truth was that our bikes were not secure and there was a fundamental fault in the way they were supposedly being protected.
The security arrangements in place focussed on preventing people from entering the complex; however, there were no security measures to stop people already inside the security gates from removing bikes and taking them outside the apartment block. When I considered this, it reminded me of a similar situation that I have witnessed inside a number of banks.
Managing and maintaining data centres
Security will clearly always be a major concern for financial institutions. Maintaining appropriate levels of security whilst managing and maintaining vast infrastructures continues to be a difficult, onerous and expensive task. Banks need to manage security over an infrastructure that includes data centres, computers, hardware and storage facilities. The complexity of this challenge is increased due to the scale that banks need to work at.
In addition to this, the day-to-day running of data centres and infrastructure requires the installation of new hardware and operating systems, the configuration of routers and firewalls along with numerous updates. These actions need to be undertaken whilst still ensuring that applications, software and hardware are updated and remain available and responsive at all times. Unfortunately banks are struggling to keep their software and hardware assets updated and ‘patched’ whilst remaining available at the rate needed to keep them safe.
In their Data Breach Investigation Report published earlier in 2017, Verizon revealed that in the financial sector, a third of published vulnerabilities are patched within 12 weeks – whilst two thirds of vulnerabilities remain unpatched 3 months after being published. The most enlightened take a proactive ‘vulnerability management’ approach to managing network security that includes processes for: identifying, verifying, mitigating and patching vulnerabilities.
Google regularly publishes industry reports that identify vulnerabilities which may affect other companies and third parties. Normally these reports are published after attempts have been made to ‘patch’ the affected software or hardware. What is clear is that even after vulnerabilities are highlighted, financial institutions are struggling to keep up in maintaining the necessary security measures to ensure adequate protection.
Many banks are falling into the trap of believing that their security measures are appropriate and up to date. The reality is that they are not; and a number of vulnerabilities still persist inside many organisations. There continues to be a false sense of security amongst senior figures within many banks who believe that their organisation is safe because they have large firewalls in place.
Why cloud improves security measures
Migrating to the cloud provides a number of distinct advantages for banks that directly address many of the highlighted infrastructure problems and security issues. Cloud providers will ‘patch’ routers automatically, as well as keep software up to date for the good of all their clients. On their own, banks simply cannot provide this service as well as the likes of Google, Amazon, and Microsoft. Unlike the individual bank with its bespoke IT infrastructure, each of the cloud providers provides enormous economies of scale in the provision of their service.
Banks experience an implicit benefit when they migrate to the cloud. There are greater levels of transparency, as cloud providers explain to banks how the multiple layers of security are implemented and maintained. This is critical in appreciating the value of a cloud infrastructure, as banks are able to see and understand how security measures actually work, creating a greater level of confidence and trust.
The more enlightened banks who are more inclined to migrate to the cloud are those that understand that previous concerns over security have been sufficiently answered. Banks will not trust placing their core systems into the cloud unless it has been explicitly explained to them how their businesses are being secured.
We have identified three main reasons why a data centre run by the likes of Google or Amazon is more secure than a stand-alone centre operated by the bank itself.
- 1. The cloud is technically better
- 2. Cloud provides more transparency
- 3. Cloud forces banks to pay more attention to security matters
From a technical point of view, cloud is far more secure than anything banks currently have; in addition to the ongoing requirement to maintain software updates, cloud providers simply have more scale and backup resilience built into the system. Cloud vendors also provide more transparency by advising users how they should manage their security and utilise the cloud for maximum benefit. Security measures for cloud are publicly available yet remain highly secure, and there are no examples of security through obscurity.
Cloud providers are simply better at security than banks, and many people throughout the financial services industry are beginning to recognise and understand this. Before banks existed, the safest place to keep one’s money was under the mattress of a bed, guarded by one’s own lock and key. Nowadays, most of us realise that banks are much safer places to store our money; they are better suited to protecting our savings at a reasonable cost. Migrating to the cloud is similar; we need to overcome our fears and recognise that moving to the public cloud is a similar philosophical journey. A massive part of the security burden that banks already have to deal with is being moved to cloud-based platforms that are better equipped to manage this pressure.
However, banks are still reticent about migrating their business to the cloud. In the past they have adopted cumbersome solutions that were easy to circumvent because they simply adhered to existing company security policies; despite the fact that such solutions were not solving underlying security issues. This practice can no longer continue.
Banks who do not migrate to the cloud and who fail to take advantage of the most secure and transparent computing platform in the world today are actually undermining their security, and if they continue in this manner they will continue to be a target for innovative cyber criminals.
In my situation, I ‘only’ lost my bike after trusting in what I thought was a secure local on-premise solution. Banks with a lot more to lose should take steps to move to the most secure solution currently being offered; and with scale, focus and best practice this can only mean cloud.