Answer

The Challenge of Security in Adoption of Cloud Computing By Banks

Cloud computing is one of the emerging technologies that majority of banks have decided to adopt. Dynamic changes in the banking industry over the past decades have placed control in the hands of customers. With the proliferation of technological innovations, the traditional business models used by the banks have been transformed (Harris & Alter 2010).  Cloud technology provides an ideal platform for banks to offer innovative services to customer and optimize operations, while at the same time giving a business a competitive edge over other players in the market.

Cloud computing is associated with various benefits to the banking industry including providing a vast array of almost unlimited software and hardware resources that allows the firm to use the pay-as you-go approach through the internet. By so doing, this innovative technology drives down the cost of operating systems and also makes the firm more flexible to adapt to changes in the market.  Despite the numerous benefits associated with cloud computing, banks have been a bit reluctant to embrace it due to the security risks associated with it. Banks handle highly sensitive personal data that can be used by fraudsters to steal from their customers. Instances of security breach and leakage of confidential information have been on the rise. For example, in February 2009, Gmail service in Europe collapsed and the firm was forced to publicly apologize for this mishap (Stefanet et al. 2015). The famous wiki leaks that revealed confidential conversation between the US and other leaders in the globe are a clear indication that no system is secure from hackers. In fact, IT security experts have warned that cloud computing is becoming very attractive to cyber crooks.     

What is cloud computing?

To understand the risks associated with cloud technology, it is important to look into the basics. Cloud computing can be defined as a network system that allows for the sharing of resources among users. The beauty is that users use computing abilities transmitted through the internet from a network of a remote servers (Harris & Alter 2010).  When companies source for this service from independent entities, they can eliminate the costs associated with installing, maintaining, operating and upgrading computers and networks commonly found in data centers. In addition, they do not need to purchase and renew software for these hardware devices as they can tap into the services when required, and pay for what they have used. To use cloud, organizations only need internet connection using the broadband and personal computer or a phone that supports wireless connections. Cloud technology has the capability of changing the financial services setting (Harris & Alter 2010).  Banks can access the latest banking systems without incurring the prohibitive costs by using cloud technology. In addition, the pay-per-use- basis is a cost effective strategy and flexible for banks.

Banks can use three different flavors of cloud to support the implementation of this technology in their firms. The first variant is the public cloud whereby a third party provides IT services through a network. In such a case, the service provider has a data center with the necessary infrastructure that is shared among the customers. Such a facility can be located in any place in the globe (Stefanet et al. 2015).  Private clouds use the bank’s data centers and apply the virtualization strategy.  Most bank tend to think that these are the most secure because they are not exposed to external parties and use them for storing and accessing customer data. Hybrid clouds are a blend of both private and public clouds. The choice to use either is determined by the sensitivity of the application or the data concerning a specific process. Majority of banks have adopted this strategy whereby they have a data centre within their premises, but all its operations are carried out by a third party (Nicoletti 2013). Another emerging variant is the public sovereign cloud whereby a provider processes and keeps the cloud data within a stipulated jurisdiction. This variant ensures that personal data does not go beyond the national borders thereby ensuring the bank complies with the data protection regulations laid down in most countries.      

Security challenges associated with cloud

Security issues resulting from cloud computing can be classified into two broad categories. The first one is those faced by the providers and secondly by organizations or customers who store data and host the applications on cloud. Security responsibility extends to the two parties. The provider must secure their infrastructure to ensure that applications and data pertaining to the client is well protected (Nicoletti 2013).  At the same time, users must secure applications by taking serious measures, such as using strong authentication measures and passwords. Though the responsibility of securing the cloud system falls on the provider and customer, their level differs considerably.

Cloud providers have the biggest responsibility of providing security as they offer the infrastructure that supports the other delivery models. In particular, the public cloud providers have a bigger responsibility of ensuring successful migration of data and security of applications and data (Nicoletti 2013).  A firm that stores its data and applications on public cloud does not have the capability of physically accessing servers that host the information. Due to this, there is a high possibility that confidential and sensitive data is at a higher risk of insider attacks. A recent report released by the Security Alliance Report has showed that the third biggest threats to cloud technology are insider attacks. Cloud service providers can prevent these attacks by carrying out comprehensive background checks of all their employees who can physically access the data centers (Nicoletti 2013). Another important measure that service providers must undertake is monitoring suspicious activity frequently.  Majority of cloud service providers strive to cut down costs and enhance efficiency. Due to this, a server can store more than one customer’s data, which increases the chances of private data being viewed by the other users. For banks, this is a sensitive situation that can lead serious legal implications. Service providers can handle such situations by ensuring logical data isolation and storage segregation.

Other risks that banks face in using cloud computing include the security of the database and the server. At times, security for the two aforementioned components is usually enhanced when the bank is using the various services available in cloud computing. However, there is laxity when the bank is not operation, which presents an ideal chance for hackers and fraudsters to compromise the system (Nicoletti 2013).  It is not coincidental that most fraudulent activities in banks take place during the weekends and at night when the usage of the essential services are at their lowest. It means that banks must work closely with the service providers to ensure security of servers and database is maintained all the times.

Another major risk that banks face when using cloud technology is user authentication. Only an authorized user who is the right owner of the account should be granted access privilege (Rani 2012). Considering that banks store sensitive and highly confidential personal and financial information, any unauthorized access to a user account can have dire consequences. Just like other technologies, cloud computing is not fool proof to the attacks by fraudsters and identity thieves. Banks must ensure they clearly define the access privilege for any user of the account (Rani 2012).  In most cases, the banks have adopted the use of a single sign on and multiple authentications to protect customers’ data. One of the challenges that the bank faces is to ensure that the administrator handles the user identification accounts together with the matching passwords to prevent any illegal access to the database.

Although cloud computing was taunted as the foolproof plan against fraudsters, this may not be the case. Fraudsters are working relentlessly to create new threats to the technology in what is form of what is being taunted as “the Dark Cloud” by IT security experts. Fraudsters are exploiting all the known and less familiar vulnerabilities pertaining to cloud computing with an aim of wreaking havoc (Rani 2012). With the proliferation of technological advancements that the world experiences on a daily basis, the fraudsters are working hard to create Trojans, such as Qakbot that target cloud computing.  Such Trojans may focus on attacking particular banking sectors or geographical regions.

Another challenge that banks face when using cloud computing is that they must comply with certain regulations laid down by the governments where they operate. According to the law, the banks are responsible for maintaining integrity and security of their data despite it being stored by the cloud service providers (Rani 2012).The latter must get certain security certifications and undergo external audits before they are allowed to start and continue operating. According to numerous banking regulations that are stipulated by the government, financial data pertaining to their customers must stay within the country. Also, to avoid leakage, some countries have regulations that make it mandatory for banking data not to be intermixed with that of other users on shared databases and servers (Rani 2012). In essence, the bank will have a specific cloud where their data is stored. At the end of it, when a bank chooses to integrate cloud computing in its operations, it must understand that the responsibility of maintaining data security solely lies in its hands. Banking regulations in most countries do not bestow this mandate on third service providers.

Potential solutions

Although cloud computing has numerous benefits to the banking industry, the issue of data security prevents most firms in this industry from implementing it. Ensuring confidentiality of data and preventing leakage are some of the topmost priorities for the banking industry. Most traditional models of data protection primarily focus on perimeter and network based strategies that have included devices, including intrusion detecting systems and firewalls (Stefanet et al. 2015).  However, all these approaches may fail to protect systems adequately against insidious attacks, such as privileged users. Most banking institutions will use monitoring systems and undertake database audits that keeps them updated on what is happening. However, this close monitoring does not automatically translate to data security and is more of a reactive approach. Banks should adequately separate IT security and operations and also put into place stringent access policies. Sensitive data must be properly secured to prevent any leakages or unauthorized access.

Banks should initiate certain controls to safeguard their cloud computing systems. Most of these systems can be classified as:

1. Deterrent: These are strategies that aim at reducing attacks on the system. Frequent monitoring and gathering information are some examples of deterrent measures. The main aim of these controls is reduce threat levels to warn potential attackers of dire consequences if they try to attack the system (Ghule 2014).
2. Preventative controls: These strengthen the system by minimizing the vulnerabilities by attackers. A good example is strong authentication that locks out unauthorized access to the account (Ghule 2014). Moreover, it also effectively identifies the cloud users. Most banks have put into place multiple authentications that minimize the chances of illegal intrusion.
3. Detective controls: These measures are put into place so that they can detect and appropriately react to the incidences that may occur within the system. if an attack occurs, the strategy will send a signal to the corrective and preventative controls so that they can address the issue (Ghule 2014). An example of a detective control is constantly monitoring the network and system security. If any threat is identified during the process, then the bank can be able to adequately deal with it before it happens. in essence, this is a proactive approach that prevents attacks on the cloud computing before they take place.
4. Corrective control: Some times, the attacks will occur even when the bank has put into place all the other measures discussed above. Corrective measures aim at reducing the consequences of this incidence by minimizing the damage. Some of the strategies that fit in this category include restoring system backups that will facilitate the rebuilding of a system that has been compromised after an attack (Ghule 2014). In essence, these measures will help the bank to restore its system before the attackers have an opportunity to access and leak any sensitive information pertaining to the customers.

Even when using cloud computing, banks still have the obligation to protect data loss and detection. It is advisable for banks to use private cloud to store the most sensitive data pertaining to customers, such financials (Ghule 2014). Within the database, data for every customer must be appropriately segregated and stored securely when at rest. It must also be securely moved from this state to another location when it is required. It is the primary responsibility of IT managers to make sure that the cloud providers that they chose have formidable systems that do not leak data and cannot be easily accessed by third unauthorized parties.

Summarily, banks, just like other users stand to benefit from cloud computing in terms of lower costs, flexibility, offering of innovative services and enhancing their operations. Despite all these benefits, cloud computing is also associated with one major challenge of data security. Just like other emerging technologies, cloud computing is prone to fraudsters and hackers. Considering that banks store and use sensitive information pertaining to their customers, they must put into place effective measures that can be able to monitor, counteract and protect the cloud computing system from any potential attacks.  After all, they are obligated by the law to protect dat integrity and confidentiality even when they outsource cloud services to a third party.