Keeping secure in the cloud: Here’s how


More community banks are embracing the use of cloud services throughout their organization. With network and data security as a major concern, there are best practices to be gleaned from the community banks and vendors that have had their heads in the clouds for years.

By Karen Epper Hoffman

Cloud technology isn’t just for storing photos or documents anymore. Now many banks are considering jumping on the bandwagon.

Like many businesses, community banks are increasingly moving to cloud computing, which utilizes a network of remote servers operated by a third party to save costs and facilitate new technology options. And those new to the game can learn from enterprises, including community banks, that have already begun testing the waters.

Case in point: At the Black Hat USA information security conference last August, Netflix senior security engineer William Bengtson presented on how the streaming-entertainment giant used Amazon Web Services (AWS) data to find signs of potentially compromised credentials. Bengtson said Netflix’s methodology for monitoring AWS credentials was fairly simple and relied heavily on AWS’ own CloudTrail log-monitoring tool.

“At Netflix, we have hundreds of thousands of servers,” he said. “They change constantly, and there are 4,000 or so deployments every day.”

Big banks are projected to move as much as 30 percent of their operations to public cloud services by the end of this year, according to a 2016 Deutsche Bank report.

However, as with any move to a new computing infrastructure, security and compliance issues are a concern. Almost half, or 49 percent, of databases in the public cloud are not encrypted, cloud security company RedLock estimates.

But the pull to the cloud is strong. CBW Bank in Weir, Kan., has seen its assets climb more than 30 percent this past decade. “We got it done in 2010 for obvious reasons, not just security. We found efficiency,” says Suresh Ramamurthi, CTO and chairman of the $42.5 million-asset community bank. “Security is subject to your own policies.”

Peter Cherpack, executive vice president and director for Ardmore Banking Advisors, sees quick adoption of cloud computing by community banks due to the cost savings associated with delivery and support of cloud-based applications.

“We see aggressive vendor management programs from some, but all are looking for SOC1s and SOC2s to put in their vendor files for regulatory scrutiny,” Cherpack says, referring to System and Organization Controls reports on compliance and system security. “Some have a much more involved vendor management process that is often not really that relevant to the actual risk to the bank. On the other hand, larger financial institutions appear to be much more reluctant to use cloud-based apps, probably due to their larger IT staffs and a we-do-it-better-here attitude.”

Jerry Silva, research director of global retail banking for IDC Financial Insights, says most banks he speaks with get their services from integrated core banking providers, and are talking about using cloud infrastructures and services, if they are not already. “One of the major takeaways is that even the biggest organizations struggle with the compromise of their employee credentials whether they’re on the cloud or not,” he says.

Thinking small

And while larger organizations are more likely to be targeted, cybercriminals are increasingly going after smaller enterprises, including community banks. “Community banks are doing a decent job of keeping up,” says Silva, adding that these smaller institutions are particularly doing well in terms of their rules around user identification and authentication. Where community banks are running further behind their larger counterparts is in using voice or out-of-band authentication or other more “cutting-edge” forms of user validation, Silva says. “They’re just not yet as sophisticated as larger banks in terms of additional security,” he adds. However, considering bank customers—and employees—are using their mobile devices more frequently for work and to access their accounts, he believes community banks must look increasingly to these additional and often more reliable forms of authentication.

As the acceptance and usage of cloud infrastructure grows internally, and for customer-facing networks and applications, community bank IT departments, security professionals and even top managers are familiarizing themselves with the risk implications of these moves. And regulators are stepping up to offer their insights as well. Last May, the Federal Reserve Bank of Atlanta issued an advisory on cloud computing. Prior to that, the Federal Financial Institutions Examination Council’s (FFIEC) handbook discussed cloud’s use of shared resources.

The Fed advisory, for example, points out that while cloud usage offers opportunities, it also introduces risks not posed by in-house processing, and is an area of focus for regulatory supervisors and industry groups. “Moving data outside the institution’s physical environment creates additional risk-management considerations,” it explains.

Banks may have been slower than some sectors to fully embrace cloud services due to more rigorous regulations around how they must manage and store customer data, but wider options, more mainstream usage and greater cost pressure are changing things.

Ryan James, CEO of $125 million-asset Surety Bank in Deland, Fla., says there’s growing interest in cloud services—from hackers as well as bankers—because many business services have already progressed to cloud computing. The bank transitioned to cloud services with Nymbus in 2018. “As community banks look to add software and products, they recognize that moving services to the cloud elevates them to be more competitive with the largest banks,” he adds.

Rather than simply telling financial institutions to move to the cloud, vendors like Nymbus have spent the past several years helping community bankers understand the benefits of cloud, according to David Mitchell, president of Nymbus. “Many community banks and credit unions had not yet realized the urgency in going through a digital transformation,” he says. “Even today, we continue to have conversations to help them understand that such a transformation is critical to their ultimate survival.”

Cloud credential considerations

Netflix built its own open-source tool to make its use of cloud services more secure.

As with any major business decision, community banks looking to utilize cloud networks and develop cloud security must first look at what they want to achieve, James advises.

“You can dip your toes in and move over areas one at a time, such as review and enhance user roles and privileges, limit users with the most sensitive security needs and review what level of authentication best suits each user,” he says. Banks also need to take a look at their current internet provider since they might need to increase speed and ensure backups are secured.

James also recommends reviewing your bank’s service level agreements (SLAs). “Fixed repair SLAs are more expensive but offer limited downtime,” he says. “You will only be as good as your connection to your cloud.”

Cherpack says that many smaller banks still don’t fully understand the implicit security risks—and potential advantages—of cloud services, so they rely on vendors to explain it to them. “Since they don’t have internal expertise, they have to rely on the vendor and take their word for it. Instead of understanding it better, they sometimes rely on the audit certifications as the solution to the risk,” he adds.

To make the use of cloud services more efficient and more secure, many enterprises are developing and embracing the use of automated solutions. At the Black Hat conference, Bengtson discussed how Netflix built an open-source tool called Trailblazer to help it comb through the vast number of AWS application programming interface calls that CloudTrail logged as potential credential compromises.

“Since we are not first adopters,” James says, “we have the benefit of hiring experienced professionals that have migrated many systems that know best practices. Additionally, we can look to professionals who maintain and monitor cloud services.”

For his part, Ramamurthi says CBW Bank, a relative cloud veteran among community banks, is focused on its own approach to computing, rather than being driven by vendors. He underscores the importance of developing business and security objectives and goals that serve the bank’s individual purposes. To that end, Ramamurthi says CBW stores no customer data on hard drives at the bank.

“Because we went straight into cloud, [our experience] is not necessarily comparable to other [banks’],” he adds, “but it does save us a lot of money via improved efficiency.”

Karen Epper Hoffman is a writer in Washington state.