Cloud computing has hopefully seen its worst-ever PR disaster this week as perhaps the most used cloud service in the world suffered some truly worrying leaks. But are our cloud-dwelling banking details more secure than Jennifer Lawrence’s naked selfies, asks Billy Bambrough
There’s a quote that is oft overheard at security events and meetings – "If it’s online then it’s hackable." This was certainly the case with the recent iCloud leaks involving many female celebrities in various states of undress, which spilled onto the internet much like some kind of sordid x-rated digital Christmas.
Whenever companies lose any kind of customer data there is always a degree of debate over whether the company is the victim or at fault. In this case it seems Apple did the corporate equivalent of leaving the car unlocked with the valuables in plain sight, something that we should be able to assume banks working in the cloud will not be doing.
According to Celent, banks spent almost $180bn on IT in 2013. For the moment cloud-based services make up a tiny fraction of this amount, but by some estimates financial services spending on the cloud will total $26bn in 2015.
Without getting into unnecessary details of what Apple didn’t do, here is a quick rundown: for months the company didn’t patch a security flaw that was vulnerable to brute force attacks; Apple’s iCloud picture settings are set by default, meaning many won’t be aware that sensitive images are being uploaded; and finally, Apple pretends that two-factor authentication doesn’t exist, stopping people from making the service more secure if they want to.
Fortunately we have regulations in place that mean banks would be able to get away with none of the above and need to take measures a whole lot further. If Apple is guilty of too little care with its customers’ data, banks are, if anything, guilty of too much, but perhaps the wrong kind (a bank, for example, would build a 50-metre-high wall just as someone invents a way to walk through walls).
Banks use the private cloud as well as a public cloud for banking services. In this model computing capabilities and resources are owned and maintained by both the bank and the cloud provider; a bank uses computing capabilities and services for general computing, but stores customer and sensitive data in its private cloud to help with security (although this is the same model Apple runs for the iCloud).
Cloud computing is almost par for the course these days, with small and new banks, free of legacy constraints, able to hop to the cloud quickly and easily.
Renaissance Credit’s embrace of cloud computing has been almost total. Its employees type documents, run spreadsheets and read e-mails in the cloud. Its banking software, which keeps track of clients, payments and loans, runs on a cloud-computing platform using off-the-shelf banking software provided by Temenos.
But larger banks are doing it too, although often at serious cost: Barclays and Deutsche Bank have moved some functions into private clouds.
For small banks with limited resources, the large data centres provided by firms such as Amazon or Microsoft are probably safer and more reliable than any they could build themselves.
One of the biggest factors holding banks back from moving to the cloud is that they are not in control of the entire process, having to accept that they will have to hand over some part of the process to a third party.
As a result some larger banks have already built their own bomb-proof secure data centres, due to their reluctance to hand over client data to outsiders. The theft of data or a major systems failure by a bank with its operations in the cloud would doubtless prompt regulators to slam the brakes on the whole thing.
It’s worth remembering the industry quote that nothing online is secure. Eventually banks will lose something from the cloud and when that happens we will see the regulator’s hammer come down heavily on the practice.