The security debate in cloud computing
2 November 2011
The recent demonstration of hijack attacks on the Amazon Web Services (AWS) brings back to the table the key issue in the adoption of cloud services for financial service firms i.e. security. While the conservative way is the adoption of private clouds, in some sense, it defeats the purpose of clouds itself. The recent demonstration of hijack attacks clearly opens up the question of whether financial service firms are ready for cloud adoption and whether the systems are secure enough for firms to confidently adopt them. During the Oracle cloud launch, one of the key arguments made by Oracle chief executive Larry Ellison was that the security model offered by the Oracle cloud is far superior to its competitors since it has developed the whole solution end-to-end – right from the hardware to the software. It is still not clear whether the trust in the security features goes up if the firm builds an end-to-end proprietary solution or whether it is driven by higher transparency of the methodologies. This question reflects a trend in certain cloud service providers attempting to become more transparent and build the trust of their clients by increasingly providing access to all the technical specifications while others focusing on the complete hardware and software control argument. In order to provide much needed operational review, NYSE Technologies has launched an advisory service which will help the financial service clients to develop a much clearer understanding of the industry specific capital markets cloud platform which NYSE Technologies launched a few months back. The advisory service is important to enhance the trust of the technology decision makers in financial service firms where the general perception is that the data storage in an Infrastructure-as-a-Service is less secure than on-premise storage. One approach which is debated right now is on-premise encryption of data such that cloud service providers cannot read into the customer data. While this increases the security in clouds, it defeats the adoption of cloud-wide services on offer which might parse through data for searching or faster data retrieval functions. It also raises the question of whether the firms need to ultimately bear the responsibility of the security of firm data despite the vanilla security features offered by the cloud service providers. Another approach involves clearly demarcating the information to be stored on clouds and information that must compulsorily be on the premises and further defining what portion of the cloud data should be encrypted. This involved the definition of a new process wherein compliance officers and the business groups and the CTO need to co-operate on their data definitions. This coupled with a good understanding of the various offerings will help in a safe transition to cloud computing.