Cloud computing and security

As financial institutions increasingly opt for public cloud deployment, financial regulators worry about the stability and safety of such options.

By Paul Skeldon

Relying on the web is a dangerous game for any business. In early September, an undisclosed UK energy company saw cyber criminals use artificial intelligence (AI) to mimic the voice of the company’s German chief executive to access the business’s accounts and take $200,000.

Everything today is in the cloud. With the proliferation of devices driven by ever-richer data services and the step changes made in broadband speeds, putting all processes out on the cloud seems the obvious choice. However, while it delivers in spades when it comes to convenience, is it digging a huge cyber security hole for organisations relying on cloud computing? Are firms creating a vulnerable single point of failure ready to be exploited by cyber criminals?

In the UK energy company example, cloud computing wasn’t to blame, per se, but it does illustrate just how advanced cyber criminals have become. In fact, according to research by magazine Computing in the UK earlier this year, 33% of businesses and organisations in the UK experience multiple proven cyber attacks each week. Each week.

Despite this threat many banks and financial institutions are switching to cloud computing for some or all of their IT services and, as a result, this level of sophistication in online criminality is now a code-red matter for the industry. According to research by analyst firm 451 Research, 41% of financial institutions will be using some form of public cloud to carry out some of their operations by the end of 2019 and that has many in the financial services world – and their customers – worried.

With this fear in mind, however, many businesses across the board are looking at using public cloud computing – hosted by the likes of Amazon, Microsoft and Google – to expand, reap economies of scale and to focus not on running large IT infrastructure projects, but on their core business. This is already true in e-commerce and is increasingly becoming the norm in banking.

Of course, a public cloud-focused strategy has many advantages; it offers far more agility in terms of both processing – and by dint of that the services that can be offered – and storage for financial institutions. A public cloud strategy also offers banks the opportunity to lower operating costs and reduce in-house footprint, again leading to a reduction in real estate costs. It also lends focus.

But such a switch to using public cloud services has regulatory bodies worried. In fact, following the financial crash of 2008-9, regulators around the world have joined forces to assess the risks of how new technology ushered-in across the intervening decade affects the structural safety of the financial industry. Public cloud computing has them worried; Mark Carney, the out-going governor of the Bank of England and chairman of the Financial Stability Board (FSB), said of the work done so far by the G20 members of the FSB: “… the FSB is assessing how fintech developments are affecting the resilience of the system by identifying the risks associated with new and existing financial institutions and activities and the supporting financial market infrastructure”.

In particular, the FSB’s analysis report concluded that: “Third-party service providers to financial institutions are quickly becoming more prominent and critical, especially in areas of cloud computing and data services. The fact that many third-party providers may fall outside the regulatory perimeter places increased emphasis on the importance of managing related operational risk, which could ultimately undermine financial stability”.

While businesses have turned to cloud computing to create more agile ways to run their businesses, so too have criminals. The flexible and scalable nature of cloud computing has enabled cyber criminals to ramp up their processing power and bandwidth and launch dedicated denial of service attacks on banks’ cloud computers, do what they want, then scale back and ‘disappear’.

Similarly, concentrating banking operations on cloud computing can make it potentially more open to cyber crime – cloud-on-cloud criminality, as it were – with criminals able to leverage the same capabilities that banks do from cloud computing to launch attacks and then evaporate.

Figures from the Office of the Australian Information Commissioner are instructive. Australian organisations reported 245 data breaches between July and September 2018. Of those, 20% occurred when personal information was sent to the wrong recipient, by email, mail, fax or other means. A further 20% of breaches were attributed to phishing.

The latest mode of attack by many cyber criminals is ‘form jacking’, which takes advantage of the weakness inherent in all customer-facing businesses looking to engage more fulsomely with their customers. Criminals use online sign-up forms, sign-in pages and online checkouts as an on-ramp for hacking.

“The threat of form jacking is a widespread and growing problem,” says Alissa Knight, cybersecurity analyst for Aite Group and author of the In Plain Sight series of research on the subject. “Because so many web applications are lacking in-app protection, adversaries are able to easily debug and read a web app’s JavaScript or HTML5 in plain text. Once the web app code is understood, malicious Javascript is then inserted into the web pages of target servers that deliver the web checkout form. Once weaponised, these credential pages will simultaneously send a consumer’s credit card information to an off-site server under the control of the Magecart group while also allowing the compromised site to process the credit card so the consumer and the organisation are unaware of the theft.”

Knight says it is important to adopt solutions that implement multiple layers of security, such as detection of code tampering and analysis, active response that shuts a browser down upon detection of form jacking, along with threat detection and real-time alerting and response.

Cyber crime, hacking and hijacking are only the tip of iceberg, however. Among the biggest risks identified by the FSB and others is concentration risk. Since the financial crash, regulators have focused on systemic risk and the role of concentration risk therein. Concentration risk centres on a system, process or policy in the banking world forming something akin to a single point of failure. And public cloud computing potentially creates that concentration risk, warn some analysts.

Richard Harmon, global industry leader, financial services at cloud computing firm Cloudera, says: “Financial institutions should be looking at the long-term implications of a public cloud strategy. Diversification of risk is always a key concern for financial institutions and the seeming safety of having a single cloud provider is not being properly measured from a systemic and operational perspective.”

The concentration risk with public cloud computing for banking and finance is almost always shorthand for a cyber security risk. While the largest and best known global public cloud providers – Amazon, Microsoft and Google – have progressed in making their security strong and reliable, the risk of cyber crime cannot be ignored. However, there are many other facets of concentration risk that could potentially set up cloud computing as a single point of failure. The very location of servers, clustered together, can make physical damage – let alone the damage done by criminals – a potential hazard.

For many financial organisations, such as hedge funds and traders, these servers are often located near the institutions themselves to limit latency. This too, offers potential risks associated with physical concentration of assets.

The inference from all this is that cloud computing is somehow more of a problem than traditional ‘in-house’ set ups, but that isn’t necessarily true. Cloud computing is no less inherently insecure than any computer network. Even the Pentagon gets hacked and the Magecart hacks on the likes of British Airways, Ticketmaster and Forbes were not related to cloud computing.

So how can banks and financial institutions manage the risk of cyber crime in an increasingly cloud-computing orientated world? Richard Watson, Ernst & Young Asia-Pacific cybersecurity risk advisory leader believes it has to come from the top. “It can be tempting to think that cybersecurity is a problem for your company’s chief information security officer – but the more our businesses digitise and automate operations, the more open we are to attack,” he says. “The solution? A ‘when, not if’ proactive approach to cybersecurity, led by the board, which embeds the right systems and technologies to not only respond to attacks, but also to enable enterprise growth.”

Watson’s colleague, Kris Lovejoy, EY global cybersecurity Leader, Advisory, at Ernst & Young agrees. “It is imperative for organisations to have a strategic, proactive approach to cybersecurity incidents, encompassing not only the right technologies, but also the right people for their holistic protection, detection and reaction process,” he says. “As companies continue to disrupt or be disrupted, the role of trust with customers and employees alike is essential, particularly as new technologies like robotics, machine learning and artificial intelligence are deployed.”