By Peter Gerdenitsch, RBI
When it comes to information security, the financial sector can be considered one of the most mature industries in the market. Security concepts have always been part of banks in the form of organizational and technical security measures, which structure the continuous effort to protect customer data and the bank’s assets. The surrounding legal framework is in a state of constant evolution, creating more and more demanding requirements for the industry to meet.
The changing global threat landscape and the fast development of technology are what make information security interesting and vibrant. New technologies keep information security in continuous development, in desperate need to stay one step ahead. The most disruptive set of technologies and services, one that has changed the way companies approach IT systems and the way they work, and that has generated a very tough debate among security experts, is cloud computing.
What is the cloud?
This is not an easy question to answer, as the concept of cloud computing can be very confusing. Some people define it as the set of technologies that typically make up a cloud environment, but this can be a limiting definition, as the technology alone is not the essence of cloud. What makes cloud appealing and gives it meaning is the group of services it offers. Obviously, most IT experts cooperating with cloud computing companies gain a lot in terms of flexibility, scalability, ease of deployment, ease of management and automation of processes. IT departments can finally get rid of the burden of managing hardware and equipment. There is even room for efficiency gains and cost savings, but one frequently asked question is still to be fully answered: Is cloud secure?
Security of the cloud and security in the cloud
In order to fully answer this question, the topic must be further elaborated. Usually, this question is split into two parts: security of the cloud and security in the cloud. Regardless of the type of service offered by the cloud provider, whether it is SaaS (Software as a Service), PaaS (Platform as a Service) or IaaS (Infrastructure as a Service), the security responsibility is always shared between the cloud service provider and the customer using the service, be it a bank or an IT service provider. Cloud providers are responsible for the security of the cloud, while the banks are responsible for the security in the cloud. This responsibility shifts from left to right and vice versa depending on the type of service a bank is using in the cloud. Nevertheless, one point is always clear: the bank is always responsible for the security of the customers’ data.
In recent years, incredible growth can be noticed in the number of customers of the main public cloud providers and in the endless possible use cases that the cloud offers. Hand in hand with this development, an undeniable increase in the security maturity of the cloud service providers and of the services they offer is notable. Most of the big cloud providers support all the well-known security standards and compliance certifications (like PCI-DSS, ISO, GDPR, FIPS 140-2, NIST 800-171 etc.), helping satisfy compliance requirements for most industries, including the financial services sector.
Being compliant with regulatory requirements
Raiffeisen Bank International leverages the advantages of the cloud by focusing on the security of the cloud and on the security in the cloud. The first goal is achieved by putting a lot of effort into the due diligence process for selecting cloud providers and by being compliant with regulatory requirements. The second goal, which is in general the most challenging one for all enterprises, is fulfilled by incorporating information security in all new cloud developments. Internal security standards and industry best practices are strictly adhered to while developing new systems in the cloud. The great flexibility provided by cloud in terms of security configuration, automation and testing opens new horizons for security.
The combination of both worlds – cloud providers with their technical expertise and the banking sector with its mature processes – opens a lot of opportunities to improve the overall security. Thus, customers can be served with innovative and secure products.
Peter Gerdenitsch is Head of Group Information and Cyber Security at Raiffeisen Bank International.