Case Study: Banks fear to risk data

Banks opt for private cloud, SaaS and SOA to save costs, as the fear of data loss hinders migration to public cloud.

There is an ongoing debate on whether IT-related services should be delivered or managed within the bank or outsourced. Banks expect the outsourced service organization to understand their business and bring in the relevant changes.

RBI's mandate to appoint CIOs and steering committees on information security at the board level is a welcome move. The IT heads will be able to address cyber security challenges in a scenario where there is a continuous rise in the usage of internet banking, ATMs, credit and debit cards, etc. Banks are looking at cloud computing as a business enabler and working out ways to adopt cloud.

Analysts such as KPMG point out that the unique aspect of information security in the banking industry is that the security posture of a bank does not depend solely on the safeguards and practices implemented by the bank; it is equally dependent on the awareness of the users using the banking channel and the quality of end-user terminals.

When it comes to computing on the cloud in the Indian banking sector, CIOs restrain themselves from embracing this new technology, as they want their sensitive data to remain secure.

Questions such as "Where is my data?", "Who can access my data?" and "Whose responsibility is security when data is in transit between the cloud provider and the end user?" are the concerns of the IT heads. Other challenges revolve around concerns over regulation, location of the cloud, liability and recoverability in the cloud.

Challenges and recommendations

The biggest challenge in front of the IT managers in the banking sector is addressing the risk of sensitive data being leaked, misused, or even misplaced when it is placed in the cloud.

Regulatory compliance also poses a challenge. RBI has issued guidelines to all banks on the issues of information security and IT governance. In these guidelines, RBI has dwelt on the controls that a bank should have in place before putting data on the cloud. The idea of a third party managing the bank's entire regulatory procedures, audits and certifications is deterring the IT heads from moving to the cloud.

Prasad C.V.G, CIO of ING Vysya Bank, says that security is their topmost priority and their focus is on compliance with new RBI Information Security Guidelines on prevention of data leakage. Phishing attacks, advanced persistent threats are the key challenges at this point of time. "We do a periodic review of new vulnerabilities, which is followed by penetration tests, code reviews and vulnerability assessment tests."

There is a gradual migration towards third-party players when it comes to managing and monitoring security services. This might eventually pave the way for adoption of cloud security. For instance, ING Vysya has a 24x7 security monitoring service from a third-party vendor, who takes care of the security aspect of their entire infrastructure and sends alerts on the latest threats, which are then addressed by various security tools or policies. The bank is currently evaluating the latest and advanced security tools/solutions for their online banking system.

Yusuf Lanewala, IT consultant to various banks such as Saraswat Bank, Abhyudaya Bank and Punjab National Bank, identifies three key challenges in front of IT heads. The first challenge is the cyber laws, which he feels are weak and difficult to enforce. The second challenge is our ineffective data privacy laws. The third is the poor data secrecy laws. He also feels that many banks, especially the smaller ones, do not have effective IT security policies and practices in place.

Vishal Salvi recommends that before going for cloud computing, the security heads should have a better understanding of cloud computing products and technologies. He adds, "The key challenge is to get engaged with various IT teams to build security designs around the cloud. Understanding migration from one environment to the cloud environment is another key area which should be considered by the security heads."

Rakesh Sinha, Director of Banking & Capital Markets, Microsoft, informs that not only is it necessary for banks to go in for the highest security controls, they should also keep getting their systems audited by external agencies. Sinha is a strong believer in imposing monetary penalties on the cloud service provider in case of a breach of information. IT managers opine that it is very important that enforceable laws be established to make cloud computing more acceptable and less risky.

Vishal Salvi, CISO, ISG-Information Security Group, HDFC Bank, believes that the banking sector would be the last one to opt for public cloud computing.

However, Rakesh Sinha, Director of Banking & Capital Markets, Microsoft, says, "Indian banking IT heads are showing great interest in cloud computing. In fact, a few banks have started putting their non-customer systems, such as the eLearning and HR systems, on cloud. In fact, a large financial company has placed their salary, investment portfolio modelling and management of insurance intermediaries on cloud."

Private cloud takes the lead

While scepticism prevails with regard to adoption of public cloud, with data security being the prime concern, private cloud adoption seems to be on its way. Says Sinha, "Co-operative banks, as well as a few big banks, in India have been using hosted services for a long time now, which could be very similar to private cloud. The advantage of having a public cloud is that the service is offered by renowned big players like Microsoft, Google, Amazon and, so the client gets guaranteed and assured service levels. They typically have greater controls for data security."

On the other hand, Salvi believes that banks are more comfortable opting for private cloud. In private cloud, virtualisation is the key element and banks have been adopting virtualisation technologies for quite some time now. He defines private cloud as software that sits on a virtualisation environment and helps optimise your utilization of hard disks and processing power in the most effective manner.

Many banks have started a private cloud setup within the banking premises, because this allows the CIO and his team to remain fully accountable for data security. Private cloud offers many benefits to banks such as proper data centre utilisation, uptime and cost efficiency.

However, we cannot ignore the key benefits a public cloud can offer. Explains Sinha, "Most Indian financial institutions have their data centres located in Mumbai. This entails a substantial increase in cost due to real estate, electricity bills, etc. Expansion becomes impossible. Then there is the fact that managing of data centres requires a large team. These are the factors that are forcing banks to look at cloud as the most viable alternative."

Sinha opines that public cloud offers obvious benefits such as a pay-per-use model, data backup, economies of scale and SLAs. Moreover, the vendor handles the entire management and the user company need not invest in big infrastructure.

Banks look at virtualisation and SaaS

If we look carefully, virtualisation and Software as a Service (SaaS) are the underlying elements of cloud computing. There has been prominent adoption of these two technologies in the BFSI segment.

Yusuf Lanewala says that several banks have adopted SaaS; most notably, several Regional Rural Banks (RRBs) attached to SBI have gone in for SaaS. In addition to the RRBs, several small cooperative banks have also adopted this model. There are several IT services vendors providing this service, with software and data centre infrastructure being owned by the vendor. Banks pay either a per-transaction fee or a per-location fee for the basic CBS service and additional fees for various add-on services. Other cloud-based services such as Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) have also been adopted by a couple of banks, he adds.

ING Vysya Bank uses next-level virtualisation for its core production systems. Says Prasad, "SaaS has gained good acceptance amongst Indian banks and the reason being you have full control over the data unlike in the cloud. In SaaS, the best part is that you do not own the space, but everything else is in your control. So, there is no security issue as you know everything about your data."

The bottom line

The most suitable model for a bank could be a combination of the internal cloud and public cloud. Internal cloud could be used for all sensitive and critical data, and the IT team can have the entire control and accountability. Public cloud can be used to manage non-critical data. Of course, in both cases it is important that the security aspect be taken care of. Private cloud seems to be a good option for the short term, but in the long run, as the data explodes, it will become impossible to manage it even in a private cloud.

