Storms ahead for cloud-based infrastructure?

The move to cloud-based infrastructure and outside services promises to reduce expenses and remove headaches from overtaxed community bank IT departments. We look at how this ongoing shift could affect the security of banks’ data and systems.

By Karen Epper Hoffman

If banking technology were a weather report, this year’s forecast would assuredly call for continued clouds.

Indeed, like many sectors, the financial industry has been rapidly embracing the use of cloud service providers and cloud architectures in hopes that this more efficient and cost-effective computing approach will better streamline data operations. In 2017, researchers at Deutsche Bank predicted that cloud technologies would carry as much as 30 percent of all global banks’ operations by 2019.

But, as with any move to a new computing infrastructure, there have been a few bumps in the road as banks and their vendors learn how to best use cloud computing, while also making sure it is secure and meets a growing list of regulations. According to a recently released report, almost two-thirds (64 percent) of databases in the public cloud are not encrypted. The same study also found that cyberthieves were “piggybacking” off the computing power of large corporations to mine bitcoin, since cryptocurrency mining involves complex and time-consuming mathematical calculations.

Johannes Ullrich, dean of research with SANS Technology Institute, says that he expects “a lot of [community banks] will be using services offered by service providers like FIS to implement cloud services, not [just] the more generic Amazon Web Services [AWS, a public cloud service].”

“Cloud services and cloud servers often escape corporate perimeter controls,” Ullrich says. “If not implemented in a controlled fashion, this can lead to insecure services exposed directly to the hostile internet without sufficient authentication.” For example, cloud service users often have issues with insecure implementations of storage services, such as Amazon S3, or databases deployed with cloud service providers. In addition, Ullrich says the ease and low cost of cloud services can lead to the emergence of so-called shadow IT, the uncontrolled and insecure use of cloud services by individuals outside of traditional IT roles (as would be the case if bank employees used free GitHub accounts to develop proprietary code, or stored bank or work data on public cloud services like Dropbox without sufficient monitoring).

Despite the potential security issues, cloud computing is “ready for prime time,” according to Peter Cherpack, executive vice president and director for Ardmore Banking Advisors, a credit risk consulting firm that works with community banks. “Like all banks, [community banks] are looking for anything to reduce spending, and cloud computing is simply a cheaper way to do data management,” he says. Increasingly, community banks are looking to cloud services and cloud architectures to run core accounting systems and other crucial operations, such as loan origination and regulatory reporting.

The use of cloud services and systems can provide a 30 percent (or greater) cost savings, according to Cherpack. But cloud service providers vary greatly in their ability to handle bank customers’ security and compliance needs. For example, Cherpack cites one community bank client who had to “drag their cloud vendor through the compliance process. Some vendors just are not properly prepared.”

Unforeseen ramifications
Cloud computing is, for better or worse, a case of out of sight, out of mind. As more and more cloud servers replace in-house servers, they are often “not added to proper inventories and are easily forgotten,” Ullrich says. “As a result, they are not properly secured, monitored, or maintained or patched. These servers will often be compromised and used to attack other assets, either within the organization that deployed them, or resources at other companies.”

These compromised cloud servers make up a large number of malicious systems used to host malware; they are difficult to identify and block, because they occupy the same network address space as many legitimate services.

As a result, an insecure cloud server has “a high risk of unforeseen ramifications,” according to Jason Macy, chief technology officer for Forum Systems, an API security company. “This problem is imposed by major cloud providers such as AWS.” Amazon’s AWS Marketplace allows vendors to provide Amazon Machine Images (AMIs), the format required to launch a virtual server on Amazon’s cloud service. For an AMI to be available on the AWS Marketplace and run in the Amazon cloud, Amazon forces the vendor to build it so that the AWS infrastructure has root administrator access.

“This requirement alone creates a vector of compromise where someone else can gain root access to your machine,” Macy explains. “Once this access is granted, [bad actors] can impersonate users and take complete control of applications running on the server.”

In their earliest days, public cloud services have often “been deployed and configured by end users who are not part of the IT organization and who are not familiar with current best practices,” Ullrich says. “It is also difficult to inventory these systems, which leads to them being forgotten when it comes to patching.” Ullrich underscores that “perimeter controls like firewalls and intrusion detection systems, [as well as] proper host configuration, are even more important but often not implemented right. Cloud service providers are already improving default configurations and offer checklists, as well as warnings to identify configuration mistakes. But in the end, it is up to the client to implement these recommendations.”

Karen Epper Hoffman is a writer in Washington state.