Cloud Banking: How Best to Avoid an IT Crash

Vishal Salvi, SVP & CISO at Infosys, explains how cloud adoption in banking needs to be adopted with rigor. In a third interview with Bill Mew, Digital Ethics Campaigner and CEO of CrisisTeam.co.uk, he highlights how banks need to address complexity and dependencies in IT, while ensuring that their approach to compliance addresses the real threats that they face.

Building on the themes in the last two articles Countering the Ransomware Menace: busting 5 big cyber myths and Cybersecurity Maturity – moving beyond ABC, Salvi asks what can be learned from recent cloud outages and vulnerabilities and how this can be applied to one of the most regulated sectors - financial services.

Confidence in the cloud has been shaken, following a number of recent outages at major cloud players like AWS and IBM and new vulnerabilities relating to the recently discovered Log4j security flaws. Enterprises definitely need to learn lessons about dealing with complexity and dependencies in modern IT environments (we identified complexity as the main problem for CIOs and CISOs in our last article). However, it is essential not to overreact or draw the wrong conclusions.

These cloud outages followed upgrades and maintenance by cloud providers, and the Log4j vulnerability resulted from their use of Open Source code. Just because there has been considerable recent alarm, does not mean that organizations should avoid cloud or that cloud is any less safe than the alternatives.

This could be likened to air transport. This is tightly regulated with rigorous standards not only for maintenance, but also to prevent the use of faulty parts. Just because an aircraft could crash, does not make air transport unsafe. Indeed, it is safer per passenger mile to fly than it is to drive.

On premise systems are also open to the same problems with regard to maintenance and components. They often include legacy applications that may no longer be supported. And when maintenance problems do occur, on premise teams tend not to have the skills and resources to fix them as fast as the major cloud vendors do. Also, with almost all cybersecurity innovation occurring in the cloud these days, on-prem will become gradually riskier and riskier with time.

The conundrum is most acute in the financial services sector, where many banks have legacy core banking systems that date back to the 1960s. They have also bolted on numerous other systems following either mergers and acquisitions or the addition of new ventures such as online banking. This has resulted in a complex maze of spaghetti that is not only hard to maintain and secure, but almost impossible to upgrade. Indeed, core banking system transformation has been likened to trying to change the engines on a jet airplane ‘in flight’. Many banks continue to put off this challenge and some of those that have attempted the transition have seen it go horribly wrong - such as the UK’s TSB.

At the same time the cyber threat is increasing exponentially. Banks used to be the primary target for cyber attackers. The attackers are opportunists in the same way that bank robber Willie Sutton was, and when asked why he robbed banks, he simply replied, “Because that's where the money is.” There never used to be any point in attacking schools and hospitals because you could not steal money from them. This all changed with ransomware, as cyber criminals found a way to earn money from attacks on any kind of organization. Nevertheless, the finance sector remains a key target for them.

The security issues don’t just apply to legacy IT systems either. They also apply to legacy processes. For example, the US market remains stubbornly wedded to the use of cheques, which opens them up to many kinds of cheque fraud. Europe by comparison was quick to adopt the ‘chip and pin’ card system, which is far more secure, but still open to fraud if endpoint devices can be tampered with. Some countries in Africa and India have leapfrogged both of these and gone directly with mobile money which has the advantage of being tied to a device that is uniquely associated with you (and your phone number), that often has biometric identification built in (with fingerprint or facial recognition) and where multi-factor authorisation (MFA) is easy to enforce.

Fully aware of these challenges, the finance sector is as heavily regulated as the airline sector. Unfortunately, though regulation and compliance tend to be lagging indicators. Regulations take time to agree and deploy and tend only to be introduced to address a problem that has already occurred a number of times and even then only when the problem either becomes unmanageable or is seen to be getting out of control.

Regulation and compliance can also lead to a tick box response that is focused on appearance over optimization. Ideally firms would implement controls in a way that reduces risk and maximizes business alignment. Audits that are focused on appearance over substance, tend not to actually provide an accurate picture of what is happening, leading to a false sense of security or to decision-making based on flawed assumptions.

Unfortunately, being non-compliant is often far more visible than being vulnerable to cyberattacks. Much of the focus therefore tends to be on ensuring or appearing to be compliant, while not enough focus is on addressing the complexity and the many vulnerabilities that this typically masks.

So YES - cloud outages are a potential problem, as are vulnerabilities in the cloud (like Log4j), but the alternatives aren’t any better. And YES - there is plenty of regulation in the finance sector to address major issues, but these aren’t necessarily the issues ahead of us which aren’t always as easy to see or predict as you might think.

Financial services firms have to avoid putting off digital transformation and the move from complex and increasingly risky legacy systems to the cloud, but any migration needs to be meticulously and rigorously planned. And they need to ensure regulatory compliance, but in a way that does not distract them from the real threats ahead.