David Shephard, Vice President of Sales for Asia Pacific and Japan (APJ), Bitglass, shares with our readers his views on the struggle between security and costs pertaining to a company’s cloud strategy.
The emergence of new technology is affecting financial services in a multitude of ways. Today, with the power of the cloud allowing organizations to share information anywhere and everywhere instantaneously, banks can operate across the globe, providing on-demand services worldwide.
According to research from IDC Financial Insights, the majority of financial services firms in the Asia Pacific region have embraced cloud technology in order to pursue the flexibility and cost savings that it provides. Despite previous trepidation stemming from uncertainty around security and regulatory compliance, the research indicates that financial services firms are increasingly adopting cloud-based tools, with 80% of these organizations expected to run on a hybrid cloud architecture in 2018[1].
In Singapore, this systematic push towards cloud technology has inspired the Monetary Authority of Singapore (MAS) to issue new guidelines around the use of cloud services by financial institutions. MAS is requiring that these firms take steps to enable and secure data access, confidentiality, integrity, sovereignty, recoverability, compliance, and auditing. In other words, as banks and other financial institutions take advantage of the cloud, they must simultaneously bolster their cybersecurity to defend against modern threats.
The pros and cons of the cloud
When organizations use the cloud, they are provided with lower operational costs and improved flexibility. Unlike on-premises infrastructure that is expensive to acquire, maintain, and upgrade, cloud platforms are cost-effective and fully scalable. Despite this, a significant portion of business leaders in the financial industry are quite timid about embracing cloud technology. Financial services firms handle large amounts of confidential information in the course of their daily operations. Leaking financial data or personally identifiable information (PII) can cost an organization customers as well as its reputation – something that takes years to earn and only minutes to lose. Because of this, financial firms are hesitant to disrupt the status quo and risk exposing their data – even though cloud-based solutions can actually improve security.
The above concerns were reflected in an (ISC)² Global Information Security Workforce Study wherein Singaporean respondents indicated a higher level of concern for various threats than their APAC and global counterparts. In particular, data breaches (81%) and data loss (78%) were the most pressing concerns for Singaporean respondents[2].
A different approach to security
Security is a critical component of any functioning enterprise. This is particularly true in the financial services sector where there are strict regulatory requirements around data residency, data access, and more. Unfortunately, the traditional strategy of maintaining centralised security at the device and network level no longer works in an environment where critical systems are moving to the cloud.
Once data shifts beyond the firewall and employees begin to access it from uncontrolled, unmanaged devices, a new approach to security is required. Firewalls only work on corporate premises, while privacy-conscious users tend to resist having agents installed on their personal devices. To overcome these challenges, many financial services firms are adopting cloud access security brokers (CASBs).
A CASB is a policy enforcement point that delivers visibility, identity management, data protection, and threat protection in the cloud. Because they offer comprehensive visibility and control over data – wherever it may go – CASBs are indispensable assets for all IT teams. These solutions can even extend existing data security policies to third-party tools like Office 365, Box, and other SaaS (software as a service) apps.
In short, a CASB provides a suite of security capabilities that function across various cloud platforms. They offer many benefits, including those listed below.
1. Security
Before an enterprise can obtain control over its data, it must identify the unsanctioned cloud apps, or shadow IT, that its employees are using to store and process corporate information. By leveraging shadow IT discovery tools, basic components of cloud access security brokers, IT departments can identify all cloud apps in use, detail the relative risk that each poses, and enable the security capabilities offered by CASBs.
Once thorough visibility is achieved, enterprises can begin enforcing policies to secure their data in the cloud. For example, contextual access controls can govern access to different types of data by user device, location, job function, and more, while data loss prevention (DLP) can redact, quarantine, or perform other actions on sensitive information as it is accessed by parties with varied levels of authorization.
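The contextual access and DLP decision described above can be sketched as follows. This is an added example, not code from the article or from any CASB product; the allowed country, role names, policy outcomes and sample rows are constructed assumptions.

```python
import re

# Hypothetical policy inputs (assumptions for this example only).
ALLOWED_COUNTRIES = {"SG"}
PII_ROLES = {"compliance", "fraud-ops"}
# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Constructed sample rows in the column-per-field layout used for structured PII.
SAMPLE_ROWS = [
    {"name": "A. Tan", "card": "4111 1111 1111 1111", "ref": "1234567890123456"},
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_cards(text: str) -> str:
    """Mask all but the last four digits of Luhn-valid card numbers."""
    def mask(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()    # leave order refs, account ids, etc. alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(mask, text)

def decide(ctx: dict) -> str:
    """Map request context (location, device, job function) to an action."""
    if ctx["country"] not in ALLOWED_COUNTRIES:
        return "block"
    if ctx["managed_device"] and ctx["role"] in PII_ROLES:
        return "allow"
    return "redact"             # default: serve the data with PII masked

def serve(ctx: dict, rows: list):
    """Apply the decision to structured rows; None means access was blocked."""
    action = decide(ctx)
    if action == "block":
        return None
    if action == "allow":
        return rows
    return [{k: redact_cards(str(v)) for k, v in row.items()} for row in rows]
```

The default branch is the data-centric case: an in-policy user on an unmanaged device still gets the record, but with card numbers masked in transit.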
In the financial services space, mobile security is a critical part of ensuring that data is completely protected. Given the growth of bring your own device (BYOD), more unmanaged mobile devices are accessing corporate data than ever before. Because of this, a data-centric approach to security, whereby IT focuses on protecting data rather than controlling the ever-growing number of devices touching corporate data, is incredibly effective. This can be attained with agentless CASBs.
2. Regulatory compliance
Because the financial sector is among the most heavily regulated industries, compliance is critical and dictates the capabilities that financial institutions need to have in place in the cloud. In particular, financial services organizations are required to protect PII, or personally identifiable information. This sensitive data is often stored in structured, spreadsheet-style formats wherein each column houses a different type of PII; for example, credit card numbers, Social Security numbers, and more.
A common tool for protecting this data and complying with various regulations is encryption. However, selecting an appropriate solution can prove challenging. Organizations are typically forced to choose between full-strength encryption that breaks functionality like search and sort, and weak encryption that enables functionality. No enterprise should settle for one or the other. Additionally, financial services firms should select encryption tools that grant them control of their own encryption keys, ensuring that cloud app vendors and hackers don’t gain visibility into sensitive data.
3. Rapid deployment
Unlike traditional security solutions, select CASBs can be deployed in the cloud, meaning that they take an agentless approach that eliminates the need to install and manage agents on users’ devices. This agentless approach greatly accelerates deployments as IT departments don’t need to gain physical access to all of the devices that will be used to access corporate data.
In addition to the above, users are far more accepting of data-centric solutions than device-centric solutions. While employees reject agents on their personal devices because they can harm their performance and give employers visibility into all personal web traffic, these issues do not exist with agentless security solutions. As such, employee acceptance also enables rapid deployments.
By selecting a CASB that offers a complete set of features and functions in an agentless fashion, a financial services firm can be confident that it has the technology necessary to maintain comprehensive visibility and control over data in the cloud.
Final thoughts
The cloud and its myriad services are incredibly helpful tools for increasing corporate productivity, collaboration, flexibility, and cost savings. However, historically, many organizations have resisted embracing this new style of business due to various security concerns and misconceptions. Fortunately, there is now an abundance of security solutions that are able to protect sensitive data as it is stored and processed in the cloud.
Cloud security service providers have the expertise to ensure that banks and other financial services organizations migrating to the cloud can retain the same levels of data security that they’ve enjoyed in their on-premises-only environments. As such, if financial services firms and cloud security service providers work together, financial services in Singapore can be more on demand and secure than ever before.
[1] IDC MaturityScape Benchmark: Cloud in Banking in Asia/Pacific, https://www.idc.com/getdoc.jsp?containerId=prAP42386217&pageType=PRINTFRIENDLY
[2] 2015 (ISC)² Global Information Security Workforce Study, https://www.iss.nus.edu.sg/community/newsroom/newsdetail/2016/05/20/cloud–adoption–spurs–concerns–for–infosec–pros–in–singapore