Dealing with Data Security Concerns in the Cloud Age
Assistant General Manager, BFSI Practice, HCL Infosystems Ltd.
Digital technologies have ushered in the next industrial revolution, transforming businesses across sectors and geographies. One of the most promising of these technologies is Cloud Computing, which is universally gaining prominence and acceptance by business leaders as the next game changer.
According to credible industry surveys, leading enterprise Cloud adopters have migrated almost two-thirds of their workloads to the Cloud, and enterprises focused on deriving strategic value from their cloud investments aim to migrate at least 50% of their workloads to the Cloud. Infrastructure flexibility, reduced total cost of ownership, and shortened time to market are just some of the top reasons to move to the Cloud.
However, despite all the praise heaped on Cloud adoption, the BFSI sector in India remains largely cautious about this technology. Faced with strict regulations and the constant need to deliver innovative products and provide a seamless digital experience to customers, banks and FIs are exploring cloud computing as a way to deliver services to the business faster while reducing the cost of delivering them.
At the same time, one of the key opportunity costs of successfully implementing Cloud computing is managing the security of Cloud applications. Security concerns, especially regarding confidentiality and control of data, are the primary barriers holding back mass cloud adoption in the Indian BFSI landscape. Security worries arise as soon as one begins to run applications beyond the designated firewall and move closer towards the public domain.
The large-scale security breaches of 2014, affecting some of the largest financial institutions in the world, and continued cyber attacks such as the recent ransomware attacks, which affected millions of households and businesses, have heightened security concerns about data in the Cloud.
It is not difficult for Banks and FIs to leverage the full potential of Cloud without compromising on data security. Robust security policies, engagement with a reliable Cloud Service Provider and a better understanding of the division of security responsibilities between Cloud providers and enterprises will lead to wider adoption of Cloud services in the financial sector. A systematic approach to Cloud adoption will go a long way in ensuring a smooth transition to Cloud.
- Understanding of the importance of data security by all stakeholders – The CIO, CMO, respective BU Heads and other stakeholders should be part of the Cloud migration process and agree on an effective monitoring mechanism that protects the company's interests while offering it the best value.
- Data-centric security approach – Data-centric security leverages the business value of data to determine and implement the appropriate level of information security. In this approach, security services are linked directly to business processes and the data that needs to be protected. For example, the data can be assessed in the context of some pre-identified important parameters such as:
  (1) Type of data;
  (2) Risks involved;
  (3) Criticality/sensitivity of data.
  Business analysis of the kind of data being handled gives insight into the right security level that needs to be deployed.
- Identifying & Labelling the most important assets – Banks need to know what their assets are and where they are stored in the Cloud in order to protect them from attackers. Once the assets are identified, the correct security measures can be determined.
- Clear and detailed agreement with the Cloud Service Provider (CSP) – The Institute for Development and Research in Banking Technology (IDRBT), India, in its report has stressed the importance of a robust agreement between the organization and its Cloud Service Provider (CSP) that clearly lays down adequate procedures and Service Level Agreements (SLAs).
- Employee awareness – With the constantly online workforce of today, employees are most prone to being targeted by cybercriminals. Adequate training must be provided to employees on handling confidential data with care and avoiding falling prey to cyberattacks.
- Robust incident response plan – Many reputed Cloud service providers also offer incident response plans. With cyberattacks such as the recent ransomware attack becoming a real menace, it is best to have an incident response plan ready in case of a security breach.
Banks should adopt an evolutionary approach towards Cloud computing based on the type of applications and nature of data, for a smooth and delightful Cloud experience.