BT Cloud Security Whitepaper

Dealing securely with Clouds

Security and trust are both terms that are closely related, and they are also terms that we associate with financial institutions and that financial institutions associate with themselves. At the core of the financial services industry is the concept of risk and the costs that are associated with those risks. In some cases, risk hinders business and even stops business happening – for example, where customers don’t trust new technology-based banking services.

In other cases, risk creates business opportunities: for example, financial markets are based around risk, and without risk these markets would shrivel up. In a similar way, security can be applied properly and appropriately in a way that helps to create, enable and grow business, rather than acting as a hindrance to growth. A key factor is that the market is changing rapidly, and standing still is not an option: in nature things are either growing or dying, and nothing ever stands still.

Introduction

BT Whitepaper: Dealing securely with Clouds 1

In the 20th century, major changes in technology were often driven by military needs and space exploration, and generally slid quite slowly into the business world. In the 21st century the financial community is at the heart of high-speed and ongoing technology change that is being driven by commercial competition and customer needs across all industries, because underlying almost every business transaction in every industry is a financial transaction. The financial community’s customers represent every type and size of organisation as well as hundreds of millions of individual retail customers. All of those customers will use Cloud approaches as part of their financial life, whether they know it or not, and irrespective of whether they are making a retail purchase and paying with a mobile phone in Kenya or trading millions of barrels of oil on-line in real-time from a dealing desk in Texas. And all of those customers expect those Cloud approaches to be secure.

The Personal Computer was launched 30 years ago, empowering even individuals to have their own computing capability. The public Internet went commercial just 20 years ago, and it empowered users to own their own access to shared networks. All of those computers and network access points share a common infrastructure – the public Internet – and without that sharing, much of the progress of recent years would not have been achieved. These concepts of “sharing” and “communities” underpin the principles behind what we mean by Cloud: a community of multiple service providers and multiple service users sharing a common communications platform. A Cloud can be infinitely extendable, like the public Internet, but equally a Cloud can be restricted to support a “gated community” with a higher degree of security.

Big Data is also driving this need to share resources securely. The days are long gone when any single organisation could consider storing all of the information that it needs to run its business within its own large central computer. Storing the same Big Data in each and every individual financial institution is just not economically viable. And Big Data isn’t all static – much of it is alive and on the move. Financial institutions today are each processing flows of millions of messages per second per institution, and the data flows that they deal with as a matter of course are growing significantly year on year. To be able to manage Big Data effectively, financial institutions tap into and share the same sources and flows of information as well as the same services and infrastructure, thereby avoiding duplication of systems and networks and avoiding the multiplication of costs.

The financial services sector operates as a community of service providers and service users, where some community members are both providers and users of services, and where more and more infrastructure is shared. This sharing of infrastructure and services makes security even more critical, because a security breach can impact not only one institution but can spread quickly to the whole financial community as well as to the wider community of customers that are served by financial institutions. The potential systemic risks are clear, and the speed at which damage can propagate has already been seen: think back to 2008 and how the failure of one organisation triggered a global economic crash from which the world is still recovering.

Financial regulators have also turned their attention to the systemic risks that relate to the technology that is used by the financial community, and recent regulations have started to include mention of this. For example, the current EU Markets in Financial Instruments Directive (MiFID) states that investment firms must have “effective control and safeguard arrangements for information processing systems”. National regulators are insisting that business continuity plans must be in place and that the senior management of financial institutions should be personally liable for failures in those systems.

For financial institutions, increased regulation has typically added to operational costs. Some of these regulations have been specifically aimed at increasing the level of competition between financial institutions, and this together with normal competitive pressures has forced financial institutions to reduce their business margins. At the same time, transaction volumes have been increasing while the size of individual transactions has on average been reducing, resulting in an increased load on technology systems without necessarily resulting in increased revenue. These combined pressures have made it even more important for financial institutions to examine what they believe to be their core business activities, the non-core business activities that can be outsourced, and which services they need to have dedicated or that can be shared. The availability of Cloud approaches has been critical to enabling financial institutions to make the necessary technology changes to support their business decisions.

The IT world had already moved from centralised mainframe processing through "distributed processing" to client/server architectures. Gradually networks were being used more and more like the hardware "bus" that interconnects the components of a computer, as those networks became faster and less costly to use. The concept of the Cloud has been a logical progression in terms of both hardware architecture and software architecture. Providers of application software have gradually recognised the increased business opportunity presented by being part of a Cloud, rather than having to build out private networks themselves, enabling them to become application service providers and address a broader sector of potential users across a wider geography. The "pull" from financial institutions and a simultaneous "push" from application service providers, market infrastructures and industry utilities have enabled the financial community - service users and service providers alike - to become more cost-efficient in a business world that is less and less able or willing to accept inefficiency.

Financial institutions have traditionally been used to having dedicated technology. The increasing network capacity that has become available at ever-decreasing cost, in line with Butters’ Law, has helped to bring into question the reasons why financial institutions would continue to use dedicated infrastructure. Internet service providers link up the average retail customer with tens of megabits of capacity per second at a cost of only a few pounds per month, while banks have paid many times this amount for dedicated connectivity with a fraction of the capacity. Traditional private networks tend to lock in the financial institution and its old business model, and tend to lock out new customers. The retention of the status quo has often been due to concerns about security.

Security is of course made up of many elements. Security can be the certainty that systems will continue to work, even during times of external disruption. Security can be the certainty that the wrong people cannot access data that they shouldn’t. A goal is to achieve that certainty without locking out the right customers and to reach out to more potential customers than ever before. Building silos is probably not the best or most likely way of achieving that overall goal. Silos lock out potential customers and lock out opportunity.

Sharing works in two directions: sharing what you’ve got but also sharing in what other people have got. Breaking down financial silos and sharing in the business model of customers has been a dream of financial institutions for many years. Recognising the difficulty the financial sector has in breaking this log-jam on its own, governments and regulators have recently started to step into the arena of security to facilitate and even force change to happen. Two recent examples of this are the UK Government’s Identity Assurance Programme and the G-20 governments’ Global LEI System initiative. Both of these initiatives are around Identity Management as a fundamental building block of effective security.

The UK Government’s Identity Assurance Programme (IAP) aims to create a shared, federated environment for government and for businesses of all types – including financial institutions. As in a Cloud model, financial institutions have a dual role as both users and providers of services, in this case these services being around identity-related information. There is already a degree of information-sharing between financial institutions, e.g. as part of fraud prevention operations, but the IAP will take this information-sharing to a higher level with information not just to be used by financial institutions but by every type of business of all sizes. Being an “identity provider” will be a new business function, and identity information management will not just be a painful-but-necessary function that financial institutions have to perform in their own interest and to comply with KYC- and AML-type regulations. This new business opportunity results from the world’s overall need for greater security and certainty, particularly in a networked environment.

The G-20 governments’ Global Legal Entity Identifier (LEI) System initiative has now progressed in just a handful of years from being an idea to being a reality. Security and certainty at a global level was recognised as requiring a simpler, shared and federated approach to identity management. The term “simpler” may seem strange when one considers that this is a global project. However, when one considers that individual banks have each been running thousands of separate identity management systems, the Global LEI System appears to be a model of comparative simplicity. The concept that a single legal entity should have a single and unique identity that can be used with certainty by every organisation or individual in the world seems to be so obviously needed, and yet neither the financial sector nor industries in general were able to achieve this goal.

The rationalisation and clarity that can result from these initiatives at government and regulatory level demonstrate how security can be a business enabler, breaking down barriers that hinder business, reducing unnecessary risks and accelerating the speed at which business can be transacted reliably. One word that is common to both of these initiatives is “federated”, where resources and information are shared across the user community. A federated approach for identity management clearly melds with the shared, community environment of Clouds and the public Internet.

Security services can be a competitive differentiator in the eyes of clients and potential clients. Customers can change financial service provider more easily than ever before, whether due to the common access to all providers that the public Internet and the Internet Protocol provide or due to recent new account-switching regulations. However, the customer’s view of the security services that a financial institution provides as part of its overall service can be what stops the customer switching. A challenge that financial firms face is how they can attract new customers and how they can use security services to support that. This is particularly critical because security is not just part of their core business: it is a fundamental reason for their existence. The same is not true of other organisations against which they compete today and will compete against tomorrow, such as on-line retailers, mobile network operators, etc.

Security is also not a static environment, where traditional solutions can continue to be used successfully forever. A recognised characteristic of the development of new software functionality is that it is first implemented in specialised hardware and then converted to software that can run in computers. One example of this is Software Defined Networks (SDN), where functionality was originally built into specialised hardware - routers - and now is being provided as software that can run inside general-purpose computers. Another example of this is Host-based Card Emulation (HCE) that is now being used in the world of Payments, where hardware-based security devices are replaced by software-based functionality within smartphones and tablets. Once functionality is converted to software, the next logical step is for that software to be used in a Cloud environment because this helps to reduce the cost and increase the speed of roll-out of new functionality. It also reduces the dependency on and cost of physical hardware at retail point-of-sale. Being able to deliver and take advantage of new approaches to security is a key competitive business differentiator.

Pressure is on not only from customers but also from governments to increase the efficiency and speed of on-net transactions. An example of this is the recent change required by UK Government to ISA re-registration processes, shrinking a process that might have taken a month down to same-day: secure message exchange across the ISA community was critical to this requirement. Another example was the introduction of the UK Faster Payments scheme. Staying at the forefront of security technology is vital for financial institutions as these pressures continue and as the number of customers wanting to use off-net services continues to reduce. At the same time, the increase in the use of network services by more and more customers is increasing the size of the potential community that financial institutions can address.

Much is written about security threats and the potential damage to customers, to revenues and to long-term business reputations. At times this can seem to mirror the introduction of the motor car, emphasising the dangers and not looking at the incredible changes to industry, work and lifestyle that motor cars offered and the opportunities that they created.

Security is not just about threats – it’s also about opportunities. The public Internet has shown us the importance to networked business of two key factors: sharing and communities. In the future, more security solutions will be delivered in a shared, federated manner to reach and serve larger communities. Security is a core characteristic of a financial institution, but being at the forefront of technology is no longer something that each financial institution has to achieve on its own and independently. Sharing in security solutions and sharing in community-wide security approaches is more likely to be critical to business success than ever before.

Author: Chris Pickles

Chris Pickles is an independent consultant and has worked in the financial technology sector for 40 years on behalf of organisations including BT, Reuters, Deutsche Boerse and UK Government. He specialises in interpreting the impact that financial regulations, industry initiatives and standards will have on business operations and IT within financial institutions around the world.

The services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract.

British Telecommunications plc 2014. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No: 1800000

8 September 2014