Migrating banks' old technology to cloud computing systems is creating a cyber security nightmare for their IT and risk teams, experts have warned.
Cloud infrastructure, which enables software and data to be held off-site and accessed by any part of an organisation, in any location, is helping the world's banks develop digital services with greater ease and speed.
But experts warn that cloud adoption can also be highly risky for banks and financial groups, because cyber criminals are increasingly exploiting security holes and misconfigured settings in cloud platforms to steal data, defraud customers and disrupt operations.
With so much sensitive financial and personal information stored in the cloud, as digital banking has become widely adopted, data breaches have become a leading concern for financial groups, says Simon Crocker, senior director of systems engineering for western Europe at cyber security company Palo Alto Networks.
Cyber criminals' approach is to access data by identifying vulnerabilities and misconfigurations in the cloud services used by banks, he explains. But the damage does not stop there; criminals can also take over customer accounts, commit financial fraud and access other banking resources, he adds.
One of the key threats banks face when securing their cloud environment is attackers gaining unauthorised access through their inbound traffic, such as a customer's online banking transactions or account opening, or outbound traffic, which includes activities such as payment processing, trading and interbank communication, Crocker explains.
He says hackers can intercept banking traffic by launching distributed denial-of-service (DDoS) attacks, which overwhelm computer servers with large volumes of requests, as well as SQL (structured query language) injection and cross-site scripting attacks, which inject malicious code into applications and websites.
Moving to cloud systems is, therefore, a trade-off in terms of risk, Crocker argues. Ultimately, banks rely on cloud service providers to deliver secure and reliable infrastructure and services, he says. However, vulnerabilities in cloud platforms, misconfigurations, or security weaknesses in the underlying infrastructure can expose banks to significant security risks.
Banks' best option for mitigating these is using encrypted communication methods, such as virtual private networks, dedicated private connections and web proxy servers, Crocker advises. In addition, he recommends using network segmentation, whereby computer networks are separated into smaller parts, to limit the impact of security breaches and improve control over outbound traffic flows.
A bigger challenge, however, is dealing with unknown, or unaddressed, security flaws that bank IT teams have not prepared for, known as zero-day exploits.
Zero-day describes recently discovered security vulnerabilities that hackers can use to attack systems, and literally means that an organisation under attack has zero days to fix it, explains Sergey Lozhkin, principal security researcher at Russian antivirus software company Kaspersky, and former vice-president of cyber security operations for JPMorgan Chase. He warns that these can give cyber criminals a strong foothold in cloud banking systems.
Advanced persistent threats, or APTs, are attacks that can also go undetected, giving hackers a big advantage. APTs ... exploit vulnerabilities to gain prolonged access to a bank's cloud infrastructure, allowing them to exfiltrate sensitive data over time, says Lozhkin.
While both types of attack present significant cyber security risks, the sophisticated nature of APTs is forcing banks to step up their defences. Lozhkin points out that APT hacking techniques were instrumental in the 2016 cyber attack on South Africa's Standard Bank Group, when cybercriminals stole $13mn by forging 1,600 cards. APTs are like a stealthy burglar that can sit within networks completely unseen for any length of time before striking, he says.
To mitigate zero-day exploits, Lozhkin recommends the use of advanced monitoring solutions to detect unusual activities indicative of a zero-day attack. Automated tools can also streamline this process and decrease the window of opportunity for attackers, he adds.
And, to mitigate APTs, he suggests threat detection solutions, network traffic analysis, and endpoint detection and response (EDR) systems, which provide continuous cyber security monitoring and user behaviour analytics (UBA).
Lozhkin is confident this approach will work. By implementing a comprehensive security strategy that includes regular updates, configuration management, advanced threat detection and robust incident response plans, banks can mitigate the risks posed by zero-day exploits and advanced persistent threats, protecting their assets and maintaining customer trust in an increasingly digital world, he says.
However, Jake Moore, UK-based global cyber security adviser at Bratislava-headquartered security company ESET, fears many institutions are not taking action quickly enough. The banking industry has been slow to adopt cloud security and this has been made slower due to the tough regulations the industry faces, he says. Ransomware attacks, which now commonly include data-compromising techniques, pose one of the most significant risks to financial institutions.
According to Moore, implementing a multi-layered security approach will help banks mitigate these risks. These layers should include stringent authentication protocols such as physical security keys, unique passwords and device identifiers to prevent unauthorised persons from accessing cloud systems.
Regular security audits will also help IT teams find and fix vulnerabilities in cloud-based banking systems, he suggests, while strong encryption can make sensitive data unreadable, even if it is stolen by cyber criminals.
But, with human error being the cause of most cloud security breaches, according to a report by defence group Thales, Moore urges banks to train their staff in tackling cyber threats.
Many can be mitigated using zero-trust models, says Tristan Morgan, managing director of security at telecoms group BT. These demand that everyone trying to use a bank's WiFi network, whether employee or customer, is constantly checked and validated.
It also provides visibility of who is on the network, reducing risks, and supporting the operational needs of companies in a hybrid working environment, says Morgan.
Bernie Wright, chief information security officer at cloud infrastructure provider ClearBank, advises banks to operate a comprehensive supplier onboarding process, to eradicate security risks in their supply chains. He notes that many suppliers offer software-as-a-service products (licensed on a subscription basis) that are run in the cloud and, if improperly secured, can provide hackers with backdoor access to banking clients' IT environments.
There are certain levels of trust that are needed so, as part of due diligence, it's crucial to review how suppliers operate, their associated corporate policies, and resilience capabilities, Wright emphasises.
However, far greater cloud computing applications and threats are expected to arise in coming years from quantum computers. These devices harness quantum mechanics to carry out vastly more, and faster, processing operations than today's computers could ever manage.
Kamran Ikram, senior managing director in financial services at the UK and Ireland arm of consultants Accenture, sees both pros and cons. Banks can build more resilient and secure financial systems with quantum algorithms constructed to find opportunities for credit scoring and optimising trading trajectories, he says. But quantum computing will also allow encryption codes to be cracked in a fraction of the time they now take.
Continued here:
Banks moving into the cloud prompt forecasts of security risk - Financial Times