One of Australia’s leading thinkers on IT strategy in the banking sector has proposed that encryption be used to overcome regulatory barriers preventing the finance industry from adopting cloud computing services.
The banking and finance sector has eyed off the potential to drive down IT costs using highly commoditised, virtualised computing stacks housed in offshore data centres – the largest of which in the region are based in Singapore.
But the sector is governed by regulations that prevent customer data from being hosted offshore.
All outsourcing agreements in the sector are signed with oversight by the regulator, the Australian Prudential Regulatory Authority (APRA).
Speaking at an Australian Information Industry Association breakfast, Paul Ventura, head of architecture, technology and integration for Westpac-owned BT Financial Group, told the audience that he respected and even appreciated APRA’s oversight.
“Who here thinks [Government] policy is helpful?” he asked the room, most of which was made up of representatives from the banking and IT industries.
“It’s a double edged sword,” he noted. “While policy can sometimes be considered inhibitive, well-structured policy can in fact drive innovation in areas where we might have been complacent in the past.”
Ventura, stressing that it was his personal opinion and not necessarily the corporate position of his employer, said he was grateful for the clarity APRA’s November 2010 open letter on cloud computing to the banking and finance sector provided.
It recognised, he said, why the sector was attracted to the new business model, but clearly set out their obligations: “It was a reminder that customer information is sacrosanct and has to reside in Australian territories.”
Ventura now expects this clarity to drive innovation: “This is the carrot and stick that drives us toward different ways to approach the problem,” he said.
Ventura encouraged the audience to consider where the next wave of innovation might come from to solve the problem, and offered up his own suggestion.
“Yes, information has to be safe and secure, but what if we encrypted data in such a way that it doesn’t matter where it is at any point it is touched?” he said. “That’s an area policy hasn't yet addressed.”
Questions
iTnews has run this idea past various subject-matter experts in the days since Ventura's presentation.
On the technology available to date, analysts cast some doubt over whether encryption would be an adequate solution for legacy banking and finance applications.
Most of today’s systems require data to be accessible by the application in an unencrypted format. Whilst encryption may be a solution for archival storage located offshore, data that requires regular access or manipulation by any given system hosted in-house would therefore not make a great candidate for cloud storage.
Any re-architecture of the online banking system to cater for this issue could potentially cost more than the savings earned from taking the data offshore.
IT architect Rodney Haywood said encryption might be “standard fare” for archival data, but “for compute you need to see the data at some point.”
“If the keys are held onshore, does that mean all the data has to be shipped across the ocean to get decrypted here before it's usable?” asked Justin Warren, an IT management consultant and contributor to iTnews. “Is that cost effective, or would you be better off just building a data centre locally?”
IBRS analyst James Turner, who has studied APRA's attitudes to cloud computing in detail, also said he doesn’t expect “throwing encryption at the problem would instantly get a gold star from APRA”.
APRA’s outsourcing requirements are “fundamentally at odds with some of the basic mechanics of cloud computing,” he noted.
“For example, the tenet that the data could be anywhere: depending on the architecture of the cloud vendor, data could be replicated multiple times in multiple locations. Data at one point it may persist in other locations.
“The introduction of encryption would add a whole new level of sophistication to the outsourcing model, which some cloud providers wouldn't be able to rise to. The process maturity around key management, securing any relevant communications from the cloud vendor back to the enterprise, and then the fun of auditing to verify that these processes are all being adhered to - that's going to present a challenge.”
Answers
But Ventura said the banking and finance sector need only look to the Defence sector for examples of how encryption could work for banks considering cloud adoption.
The encryption smarts available from local start-up Cocoon Data, he noted, are able to secure data when it is in transit, at rest or in use. Cocoon was recently certified EAL 4+ by the Defence Signals Directorate (DSD).
The company already claims to count Defence, a major Australian bank and Federal Government departments as customers.
Its server-side encryption technology allows electronic files to be ‘owned’ by the creator of the document – allowing the creator to adjust security settings that allow access to the file even once it has left a secured system.
Ventura also noted technologies and services from Goldkey, Tarmin’s GridBank tools for securing cloud storage used in Microsoft Exchange and Sharepoint deployments, as well as open source alternative SECS as examples of where the innovation is headed.
These technologies are in use, Ventura noted, and more are being developed with markets like Defence, government and banking and finance in mind.
IBRS’ Turner said he would not underestimate the potential impact any security breakthrough in the banking sector would have on the wider cloud computing industry.
He agreed that banking and finance offered a “lucrative market” to cloud computing which could drive innovation in the area.
“Larger cloud vendors are already working to provide solutions which will be palatable to the banking industry,” he said.
“Cloud vendors will win doubly when they can sell to the banks in volume – first from revenue from the banks, second as a proof-point to other industries. They could say, look, the banks trust us.
“That will open the door to a slew of late adopters who will be a very profitable market for cloud vendors, as at that time the cloud vendors will have mature practices and pricing models in place.”
Paul Ventura talks at the Cloud Computing Conference at CeBIT Australia in Sydney later today.