Cloud Computing Risk Management - Is Data Safe in the Cloud

Captions
okay um welcome everybody I thought we would just start with a very quick round of introductions so starting with Matt on my left hello everyone Matthew Chung I'm the CIO for technology and information risk for Morgan Stanley I'm also the head of cyber security for the firm my work out of our New York headquarters I've been there for about four years my career has all been in financial services all the big bulge bracket Universal banks prior to Morgan Stanley I was the chief operating officer for amia for Barclays as well as the group chief information security officer and head of governance risk in control Thanks yeah hello everyone my name is Pierre Legrand I work for PwC are I'm the chief technologist for advisory function and I run our technology consulting business for Southeast Asia I've been in around technology for about 20 years and funny enough little anecdote I haven't seen this guy in over 15 years and I found out that he was on the panel it's the first time that we've seen each other in 15 years having worked at Barclays together so I'm pretty excited hi good afternoon folks my name is Miles Hosford and I lead the financial services compliance team at Amazon Web Services so I basically work with our customers around the region to establish security and governance processes when they move to the cloud so thank you and happy to be here thank you right so I thought when I was putting this panel together that I would start really with my perspective on cloud computing and this might be awkward I suppose but I come at this from a place of slight frustration you see I own over II I'm a lawyer and I want to use legal tech startups and oftentimes they are creating massive efficiencies for lawyers but I get to the point where I try and actually utilize the technology and my financial institution client will often tell me that they don't allow me to use that technology and so for me it's actually extremely frustrating process and it's with that lens that I put 
together the questions that we're going to be asking the panel today so I suppose we need to start really at the beginning which is with the advantages of cloud computing over a conventional data center and Pierre maybe you would yeah love that there's numerous sides to both of that element of the equation but when we look at traditional data centers that corporate enterprises undertake a lot of those are limited by scale of capital investment and what's happening in the market from a cost perspective the second thing is that the way compute storage and network are provisioned in those environments are very much around supporting business applications and technologies that are typically deployed by the enterprise which are usually quite important but also limited in scale and scope and technology breadth of what the divisions and the IT departments are used to delivering as banks versus technology companies this very important point and I'll make that distinction whereas if you're a technology company where your sole mission in life is about provisioning compute which you will attest to provisioning storage where that is your your modus operandi in terms of applying evergreen applies a real-time provisioning in terms of DevOps in terms of refreshing your hardware it is a completely different environment so the advantages that you get is this scale this ability to adopt new hardware implement compute scale quicker deliver services in a much faster way simply because that is the way your business works that is a technology company as opposed to events so when you look at a cloud or bank or a mining company or you know telco you know usually the ethos is very different than a pure technology company whose sole purpose is on provisioning these environments at scale so it's a fundamental difference between the two miles maybe yeah just to add to that I think obviously cost is important but I think you you you really call that a really key bear it there and it's agility 
and I think a lot of customers or procurement teams focus on the cost but it's really important to remember the agility that you get when you move to the cloud and not just from a hardware and a service in a computer perspective but you know AWS as an example has been in business for over 12 years now and over the last couple of years you've seen a shift to more managed services so things like artificial intelligence and machine learning just out of the box so instead of having to build up a data science team and they take their engineering team you essentially get access to these capabilities at the click of a button and in real time so we really moved past the kind of the computing storage which are the basic bare-bones into this world of managed services and that's where you really drive the business value you know three days ago I think it's Singapore we announced that we've just launched Amazon Sage maker which is a fully managed machine learning platform for the financial services teams to have the ability to just press go and start to use that and consume it I think it's game changing from an agility perspective for for the organizations right so so far so good it seems to me but when I from my law firm perspective started to dig into this a bit deeper people started talking to me about the different models of cloud and I think it's helpful for everyone to start from the same base level of understanding so perhaps PA you could elaborate on what's out there and why we have different models of cloud yeah and and there's a good reason I mean in the end in terms of cloud it's about you know really about the provisioning of specific technology components from compute to storage to network all in provisioning services and some of those services may be required to be delivered in a regulated environment and as a result you may see the constant I'm dumbing this down but you may see a concept of a private cloud which is some sort of cloud implementation that's within 
an environment that's managed on your behalf so you were talking about managed services that may be in a physical location that is either sequestered on your premise that but that may have some of the hardware and hardware capabilities that would be deployed in a cloud the second would be sort of a hybrid environment where you have some of your private machines interfacing with some of the public cloud elements as well so you'd have a little bit of both deployed and then you have a pure public cloud where this is where you go out to you know AWS or Azure where your full your workloads are fully deployed in the cloud fully in a distributed environment and and don't think about it's just one physical location it may be stripped over a number of different locations so those are the typical deployments and then within there you have the way services that are delivered from infrastructure to software to platform to communication to different styles of services that are delivered so hearing you talk about the various different models in particular the private instance it would feel to me that that should be the end of this conversation and that someone like Matt and Morgan Stanley should be happy to use technology that is cloud-based so that's not the case I thought would be helpful to just move on then to the risks involved in using cloud maybe Matt from your perspective yeah I think I think the distinction between public private and hybrid is very important as Pierre laid out the fact of the matter is for companies for private companies you know we are beholden to our regulators and by that I mean we are highly regulated whether you're in financial services or you're in energy you have regulators that want to make sure that you are operating within control within governance understanding your risks and on in control and so the journey from legacy today to public true public cloud is not that simple right the question around how do you manage your key risks like how do 
you manage PII in the cloud is obviously a big question remember our regulators will hold us accountable hold the firm accountable for a breach not for the cloud service provider so there's a level of comfort that has to be has to be determined when moving from a private cloud construct to a to a public cloud construct there's also a bit of a trust betrayed that occurs when you start to move your data and your work flows into the cloud you still have to be able to tell your clients where their who has access to that data essentially you have to explain to them data lineage right so when you log in where does your data go where is it stored who has access to that data if there is a breach who do I talk to do I talk to you as the company or do I talk to the provider so this becomes a real classic supplier management problem right so we're a private enterprise using an outsourced function like the cloud it's still responsible for all the workloads all the data that's it there and so you have to be able to govern that in some way and there is a bit of opaqueness like in a private cloud you own the stuff you own the kit you own the workflow once you start to transition out into the public cloud it becomes a little bit more opaque and just picking up on the question you've just mentioned about data lineage what is the implication of having your information stored in various different geographical regions for you as a bank well there's a lot of there's a lot of sovereign laws and regulations that require data to be domiciled in in the country probably the best example that in in financial services maybe 20 years ago Switzerland right for data privacy or for client privacy purposes you've got a lot of new cyber laws whether they be in China the one that just passed in Russia in January India that talked about ensuring that that data of citizens sit in that country so when you start to move to a cloud construct obviously you want elasticity right you want to be able to use 
the services that an Amazon or or Google or IBM or Microsoft can provide for you a lot of those things are global in nature right so it becomes when you start to do that and we kind of talked about a bit earlier peer when you start to talk about that sort of cost-benefit analysis when you have these kinds of regulations and these laws that require data to be domiciled in a particular country you lose some of that flexibility in terms of where you can spread that data around miles what trends are you seeing on this particular topic yeah good question I I think before I get into the data localization item I think we focused on cost as a benefit and we've mentioned agility but I think we've maybe overlooked you know at risk of poking the bear here that the the probably the main benefit of moving to a hyper scale public cloud is security and compliance and the Apple if that you're going to get as a regulated organization from your cloud provider and what I mean by that is if you think about the way that the public cloud model works is the the service provider be AWS or another public cloud provider is responsible for controls up to a certain level and you know cloud providers like AWS appreciate that security is a top priority or financial services so they've really got to get that right and I think there's a significant investment on the service providers side of investing in kind of industry standards and global programs like ISO 27001 soft one and sock two to really uplift the control environment for all customers that use the cloud now from a data localization perspective you know we do realize that financial services are highly regulated and they need to meet their requirements so I think a good approach that public cloud providers take and particularly speaking on behalf of AWS is when you can kind of take your global infrastructure that provides you global resiliency and kind of global scale but be able to select within that global infrastructure where your data 
will be at any point in time and the approach that we've taken at AWS is to break that into physical regions all around the world we currently have 18 18 of them we have one in Singapore and you mentioned India and elsewhere in Asia but as a customer of the public cloud of AWS you can choose where that date that goes at any point in time so if you choose Singapore or you choose kind of Frankfurt or India the data will reside there and you half the data lineage around who's accessing it from where and when which is you know very powerful when you move to a cloud environment shooty I'm just gonna add a really important point I'm gonna ask you a question that you engage in the panel so you were talking about these concerns and risks in the cloud I often ask folks about the concerns and risks within your own environment how where are you because when I ask people I said have you actually ever stepped foot in your own data center however have you ever stepped foot and looked at the environment do you know how many security people that you have that engage in the security app activities and you don't need to answer I was gonna tell you my information security had ignores all my emails so that's my engagement with us but the reason why I asked that question and for all of you to get engaged is we we for many years have treated an internal environment almost like a black box that there was a tap that Chuck just turned on and we assumed internally that worked we didn't know that there were three security people working that they were working 24/7 we didn't know how logical or physical access worked but one of the things that comes with cloud and PwC has gone in the journey of go moving to cloud in itself is whether you go to an AWS or a Microsoft or Google you're comparing handfuls of security staff in your company versus thousands of the best people in the business working at some of these cloud providers their data centers are at the highest tiers of data center 
capability whereas yours may not be and yours is also limited potentially by investment that is under constraint right at some points in time now on that thing that's the case for everyone but what I typically advise all of us is to look at the balance of risk because it's that balance that's really important of measuring where the risk is really at and and working as Matt was saying with the regulators on how to manage that risk in the most effective way because in some cases you actually get more control and more results against compliance going to a cloud environment then you could actually ever invest in internally I mean a thing miles I think care I think those are spot-on I do think though that there is a the underlying question really for me as a boil it boils down to the question of multi-tenancy all right so if you think about the model if you think about the business model one of the things that we do we need to understand especially when we talk about things like insider risk firms have to understand when a an individual that works for AWS org or whatever for for a cloud service provider these are actually on the system and accessing data and I understand there's encryption masking tokenization I get that but the question becomes I fully agree with the fact that you get an from a cyber perspective you get the network effect right you will see a lot more data you'll see a lot more breach attempts a lot more a lot you'll get a lot more threat intelligence against your infrastructure than a single company could but the issue becomes if there is a if there is it's really around containment if there is a breach on one side of the one portion of them of the cloud how do we prevent it from bleeding across and how do we prevent it from bleeding back into the company and I think those are the sort of the fundamental questions that we've got to ask when we talk about going full public cloud that seems to me that's where the stepping stone is right trying to get 
that answer yeah I think to add to that point you mentioned it you know in a multi-tenant environment you're gonna see potentially more attacks but the benefit of that is that you get that extra threat intelligence and you know AWS as an example as millions of monthly customers running on the platform and if you take millions of monthly customers and times it by the number of events you're going to see we're gonna get unique insight into you know who the bad guys are what they're doing on the internet and to Pierre's point the you know the investment the cloud providers can then make on behalf of the customer you know we can bring out cybersecurity products to market faster than probably an individual bank could do and taking the lessons learn from all of these customers around the world not just in financial services but in healthcare or manufacture and you know military and government agencies I think it really allows you know an individual company that maybe doesn't have a significant investment in security themselves to leverage this shared platform is protected by the cloud provider from the lessons learned from you know the millions of customers that run on it deal well just because you poked this bear I'm gonna poke this bear to ask a question about cost because you all seem united in the view that there are cost efficiencies in using cloud but I suppose the converse is that you could easily lose track of costs and how do you assess the different model I suppose for the uneducated amongst us how do you assess the different models and using cloud and the implicit implications that that has and you know in using something which has unlimited flexibility and agility versus something which is slightly more restrained so as open to any of you really maybe I'll take the first swing at that um yeah you're right so moving to a cloud environment it does allow your developers to have flexibility that probably they didn't have before so if you think about an on-premise 
world the developer would have to request probably from group IT or group infrastructure a deployment and that would take six to nine months maybe in some organizations to get access to those resources in public cloud environments that's almost instant if you want the server or a database or some storage it's right there at the fingertips off of the developers but one of the great things about public cloud environments is almost every interaction with the cloud is via an API so if you're making an API call into the cloud to provision Hardware of it you know logical hardware that can be tracked and monitored and recorded with a kind of a granular level of visibility that you couldn't have got before so you know a good example that I use is in an on-premise world if someone went into your datacenter and try to make a firewall rule change right so they've gone into the data center they've maybe badged in physically and then they've gone to the hardware and maybe pulled out cables and logged into systems and made some changes very rarely any of that activity would be thoroughly logged and made available to security teams and also cost and procurement teams now in a cloud environment all of that activity that I've just described is logged and stored indefinitely so if you want to go back in time kind of last year or the year before and see you know who provisioned update the base or made that firewall rule change and from what IP address or from what office within the bank you're gonna get all of that visibility and be able to action you know against it so I think the benefit of being able to move fast and agile for your development teams combined with the visibility that you're gonna get is really powerful to organizations so another angle on the cosplay is having done a lot of this work around cloud assessment and cost there's sometimes customers find it if you were to take a point-to-point view of workload deployment that actually costs more to go to cloud but I need 
to qualify that because it's it's very short term is what I try to advise people is you have to look at a long term journey take a take off take two cycles of hardware refresh where you have to significantly refresh and that was one of my jobs when I was working with Matt at Barclays where you have to significantly refresh your entire platform at some time because you are the custodians of the hardware so if you were to look at just a compute based view of costs you are not creating a business case that's actually comparative the comparative case is a four to eight year refresh cycle where you have to invest in your data center you have to invest in replacing the hardware and that comes with men hours intensiveness plus the actual hardware the second thing that people don't pay a lot of attention to is the deployment of new software features onto the platform or new platforms or new services that are just available so you you turn on a switch and it's available so if you look at your ec2 console all of these services are just there they just appear miraculously whereas if you were to manage your own platform you would have to have development that's continually doing that at a cost so really when looking at the cost of cloud computing you have to have a view of an entire service delivery that's real-time that's agile that's rapid and that's over a term as opposed to is a single level of compute cheaper than another level of compute which is not a correct analysis yeah great point and I think also it's important to kind of when you move to the cloud you you have an opportunity to reimagine what your infrastructure looks like as well so you know taking your point there let's say that on premise you have a hundred hundred servers or hundred instances of compute when you move to the cloud do you still really need a hundred instances of compute even that the way that the cloud has scale up and down on demand maybe for the most part of the year you could get away with 50 
instances and then just spiked up to kind of the hundred as and when you need to also there's a big kind of movement within the cloud organizations for something called serverless and in the service kind of versions of software you only actually pay for the resources as and when you use them so for databases for example you only pay on the rights or the reads to the database and you're not really paying for the 24/7 running of that instance as well so there is an opportunity to reimagine what infrastructure looks like in the cloud I think those are great points I do I mean I do think here is he's hit it on the head I think there is a it's a bit of a journey to get to a full cloud-based architecture and from a cost perspective there are some startup costs or there's some initial cost so large companies large global companies tend to have large global data centers and those are under lease for a long time and there's there's underlying cost built in there so I think the the concept of you know going through a couple of refresh cycle is absolutely key I think so when you do the initial analysis especially for big global organizations and I'm not talking financial service I'm just talking generally you've got a lot of sunk cost that's sitting on the books so it's it's not an instantaneous journey in terms of moving from where you are legacy to where you where you want to be in terms of cloud also there is the there is the problem of legacy stuff right legacy applications specifically you've got to rewrite those things those those are not those those were never written to be cloud aware and so all that has to get changed so there is a bit of I think to your point there is a bit of an upstart cost and then it hopefully as you go out it starts to streamline well I don't want to dwell on the risks for too long but I feel like the elephant in the room that probably needs just a bit of a thought is the idea of data breaches and whether we are of all for all the hype and the 
discussion around you know in your view do we think that a these are genuinely a genuine risk today and if so do we think the bigger risk comes from internal inside an organization or from outside of an organization and that I suppose I would address that to all three of you so I'll start off back in and work my way forward I think when you talk about insiders versus outsiders remember anyone that's trying to any bad actor that's trying to create a data breach it's most likely going to suit it's going to assume an identity of an Insider probably one of the first things that a bad actor will do was is to steal credentials the second thing is they're going to try and escalate privilege and then third thing they're going to do is try to move laterally all right so so I think that there is a Insider out sorry I'm not sure it matters I think the insider threat is a keen one remember there is there is the bad actor an external bad actor assuming the credentials of an insider but there's also disgruntled insider right that that made you something untoward or malicious I think that the whole cut the whole conversation on data breach is relevant in the media is full of them so if you think about there's enough press around individual companies being breached and there's enough press about cloud vendors that are in the cloud that are being breached I do think and I think Miles was talking about this bit earlier it is really about the level of controls that you have implemented remember back in the day when we used to outsource IT organization as an IT kid if you had bad processes before internally and when you outsource that you typically had bad processes out there so you've got to be able to your workloads your your work your workflows I should say should be should be cognizant of the controls you need to put in place so when developers are building inside inside the cloud they should be following secure STL C practices if you don't do that then the possibility of a data 
breach still exists whether you're in the cloud or whether you're in the private cloud so being an eternal optimist I'm keen to sort of try and move into ok well here are the risks but what can one do about it from the service provider perspective you've talked about a few different things with respect to each of the risks and it seems to me like what you're saying is a general ethos is that you take the flexibility but where you need to you restrain it to ensure that you are able to provide a service to the customers that meet sort of the various requirements does that feel like a fair summary or yeah so so I think if I was to summarize the con the model and what kind of organizations need to do to make sure they have a good successful journey on the cloud is first of all to have a really good understanding of this concept of the shared responsibility model so what is the service provider doing for me and how do I know that that's accurate and us largely taken care of by contract or compliance reports like sock one sock two and the other independent audit reports that the service provider would provide and then on the other side of the shared responsibility model so what the bank or the financial institution themselves are responsible for and Martha made a great point you need to have secure processes and governance around how you operate the cloud on your side as a customer of a of a of the cloud provider how cloud service providers can help customers do that right there's a few things first of all just providing secure defaults for everyone on services that they provide so you know when a developer within an organization wants to launch a new technology stack you know as far up the stack as possible the service provider can control making sure there's appropriate controls at all layers of that and then secondly I think as an organization because everything is an p.i when you use cloud environments it allows you to actually kind of blueprint good security best 
practices at Amazon Web Services we have a service called cloud formation so once you've really designed one secure system once and you've had that approved by your cybersecurity teams and independent auditors and you know all the relevant stakeholders you can basically take that blueprint time and time again and deploy it for as many applications as you need knowing that the controls are always there each and every time and I think that drives consistency and it removes human error because you don't have kind of humans configuring the systems time and time again and what we're actually seeing is a move to internal audit teams actually audit in these blueprints rather than the running systems and I think when you move to that sort of concept where you're auditing controls that are defined in code that becomes really powerful for both internal auditors and actually regulators they want to see that these controls exist before they've had a chance to kind of miss configure the environment so that's something that we see in across the AWS right now so for me there's a more fundamental question I asked the first is who's accountable for the data right because we can talk about all the security we want but ultimately what is the data why is it there versus there who decides whether it goes there or there and what segregation do you apply and I think really where my advice is at a more business level is that you first have to have some level of accountability about your data and understand the type of data that you have and the positioning and the placement of that data so really in different environments of cloud you may even adopt a different security posture right you may even decide that certain elements of that data do not go in the cloud or if they do go in the cloud there's a certain level of encryption the way that and how the keys are held but you have to understand your data what I try to advise my customers is that don't believe that security governance and 
controls the only measures by which your data is protected because in some cases they will still get breached the question you have is how did you manage that data how did you understand what that data was I know for this guy I'm preaching to his domain no you're absolutely right I mean I think if you think about a lot of companies today I'm sure you've seen many of them both of you how many companies actually do data classification in the right way I'm sure some of them do and I'm sure some of them don't if you don't do data classification in the right way you really don't know to your point how to protect that data I mean how much do you care by PII everyone understands PII but about the non-public stuff what about the non-public information oh that's sensitive the sensitive classroom information so I think you're spot-on if you're not doing that kind of if you're not if you're not governing data upfront like that moving at someplace else isn't going to help you right and so you've got to be able to you it's the share responsibility model you have to understand your data and like the question you ask is to me is quite specific the answer is quite specific which is if it's if it's my client it's my data right and so I've got to make sure that I can put hand on heart and when we talked to a regulator talked to an audit or talk to the client that's and I have to be able to say things like I know your data is important I know where it is and we're doing everything we can to protect it here are the things that we're doing right and I think that's really the ultimate goal I think cloud is inevitable I do think though that you have to have those controls wherever the data sets and that moves very neatly to my next question actually which was going to be the additional considerations that financial institutions have because as a lawyer I deal with a variety of different sectors but the big red flags often come from my financial institution clients so why is that and 
where on the journey do you think the financial institutions are, and where do you think it's realistic for us to get? Just speak broadly.

I think there have been several studies in terms of where big financial services institutions are in that journey to the cloud. I think it's interesting: a lot of companies will say that we are all in, in the cloud, but they're still opening up data centers, right? So I do think today, because of the things that we talked about, getting that level of comfort, and some of that is true and some of it is just what's perceived in terms of those risks that we talked about earlier, I think most financial services organizations, not all, because they're at the full end of the spectrum, most of them are in that hybrid space at the moment. And I think the reason for that is, for the things that we just talked about, it is gaining a level of comfort that the state of controls in which you are moving to is equal to or, hopefully, better than where it's coming from. And so I think that journey is still going. I also think that there are companies, you know, big banks have been around for a long time, they've got a lot of legacy stuff, and we talked about that a bit earlier, so from an economics perspective sometimes there isn't a rush to get to the cloud construct yet.

Okay, well the final question that I have before we move on to the questions from the audience, as I say I'm an optimist, I like to get myself into a good place, is: for those who are considering a move into cloud computing, what should they do to set themselves up for a good, successful journey, sort of bearing in mind everything that you've said? And it's kind of interesting to hear all of your perspectives.

I think from my perspective, probably the most important thing is to make sure that your security, risk and governance teams are engaged early. I think if I look around the customers in the region, and probably globally,
the most successful journeys to AWS have been when security, risk, governance, line one, line two risk teams are part of that journey very early. And that allows kind of two things: first of all, for them to clearly establish what their requirements are to move to the cloud, and also, I mean if it's a net new project for them, it gives them a lot of time to ramp up and reskill themselves for what is potentially a change of operating model when they move to the cloud. So I would say, you know, in addition to many other things, engage the right teams early. It might be very tempting for maybe business teams or application teams to go to the cloud, design something and then try to launch to production, you know, very fast, but if you haven't taken your governance and risk teams with you on that journey, you know, that could potentially be a challenge for you that needs to be addressed. So I think the right people is what I'm saying.

So one of the things that I love to talk about is, imagine reinventing your business. Cloud allows you an opportunity to say goodbye legacy, hello new world, and if you're in that new world the first question you've got to ask yourself is, how can I use this platform to fundamentally differentiate the way I'm going to engage with customers, the way my colleagues are gonna work in my business and the way we're gonna disrupt the industry? That's the first strategic question I ask, because if the first approach is around cheaper infrastructure or, you know, having the latest software-as-a-service, you know, solution, what business outcome are you really trying to resolve? And in today's market the disruption is happening so quickly, you have to really have a view of how you can differentiate. Then you say, okay, if I understand what that differentiation is, what are the services and the platforms that will underpin that, the capabilities to do that? And having done this numerous times, maybe eight out of ten times you're gonna have a set of really strong cloud services, but you, as
Matt said, you will always have internal services that you'll need to provision, so you won't get rid of the data centers or stuff that you need, but it really gives companies a chance to reimagine their business. And I actually think the limiting factor is not a risk or compliance one, it's an imagination of how different you can make your business when you can open ML out of the box. That's the real question: how am I gonna use it, can I use it, and then let's have the security discussion.

Yeah, I think to add to that, I think we've just spent the last 30 minutes looking at this from probably a large financial services organization lens, where we've all kind of come from or are, but I'm sure there's many people in the audience that have come from fintechs, and you know, fintechs have an opportunity, to your point, Pierre, about reimagining the way that they're gonna treat their IT. And you know, while it's likely that a number of large financial organizations will be in a hybrid mode for, you know, at the moment, fintechs don't have legacy technology; they can push changes to production this afternoon, they can launch a new product in days. And really, as a large financial institution, you're really competing with the, you know, the technology burden that you're, you know, you may be currently carrying, when fintechs, you know, hundreds of them here over the next three days, they start off with a blank piece of paper and have access to these capabilities at a click of a button, at a moment's notice. So I think it's, um, you know, something to think about there for large financial institutions.

Okay, thank you. So we're gonna move on to the questions from the audience, because I'm so naughty I'm not gonna go with the most popular question first, mostly because my husband worked at Lehman Brothers and I watched The Big Short on the plane from London to Singapore. I'm gonna ask the question that most resonates with me, which is: are cloud providers entering the same too-big-to-fail as banks a while ago? If no, how is it
different, and if yes, how are the risks being mitigated?

Is that for me? Yes. Very clearly what I would say is the one I mentioned earlier: the way that the cloud infrastructure and operating model is defined is that customers have access to this global infrastructure, and that provides really two things. First of all, it allows banks and other financial institution organizations to have true global resiliency, so if we're talking about your risk or operational risk of outages and impacted financial ecosystem, I think you already are leveling up your control environment by being able to be in 18 cities or countries around the world at the click of a button. And then secondly, from, again, an operational risk perspective, by leveraging the shared responsibility of the cloud model and passing on the burden of, you know, I won't say half, but a large number of the controls that you might originally have been, you know, responsible for, it allows the financial institutions to actually focus their time elsewhere, on development, application changes. So I would say by leveraging the global platform it actually probably reduces your operational risk, by being able to either leverage the global infrastructure or rely on the service provider's existing controls.

Again, I'm gonna look at it in a very different way. So how many people ask the question of the largest banks in the world, how many were running IBM mainframes, let's say Z series? All of them. So if IBM passed on the bad firmware upgrade or a patch, how is that different from the question that's being asked now, at some basic level, right? And I go back to, everyone, and Boeing has the same issue, or Airbus could have the same issue: if there's a systemic problem with one of the planes that get shipped out, there could be thousands of these that are out there. I think the real question that we're asking ourselves is, what services do we need, what do we put out in those clouds, what are the risks associated with them, are
they too big to fail? I don't know. They're distributed, data sharded; we don't know in some cases where it is. There's a number of measures that the cloud providers such as AWS and Microsoft and Google have taken that really understand this level of regionalization and how to use this data and secure it, so I'm less concerned about that. I think the risks I'm most concerned about in the cloud is, you know, really around, you know, have I truly understood, from a compliance perspective, sovereignty, do I understand where the data is gonna be? Matt talked a little bit about that. But if you think that just your environment internally versus an external environment is some protection from breach, that's gonna happen anywhere. That's not my biggest concern; it's how do we protect our customers from regulation and concentration.

I think, um, you know, we're spending a lot of time on one question, but I think this is an important one. I do think that the underlying architecture in the cloud is inherently distributed, right? So there's a distributed architecture, which is the most resilient, much different than the IBMs back in the day. However, I do believe that there is concentration risk, all right? So in the doomsday scenario where you have contagion moving across the cloud infrastructure, now at a high level it's easy to say, but in reality it's very difficult to do, you have a potential of taking out a lot of infrastructure, in terms of, you know, sovereign infrastructure; it's a problem. Do I think that the current architecture is well suited for resiliency? I actually do. I actually do think the Amazons and the Microsofts and the Googles do a very good job in this regard.

Thank you. Okay, so then moving on to, I suppose, a more practical consideration when you're using the cloud. I love this question. It says: encrypt your data on the cloud but keep your encryption keys with you. Is this approach addressing the problem of safety slash security of the
data on the cloud effectively?

I mean, I think the encryption algorithms themselves, like AES for example, aren't really the issue; it's really the key management, right? Key management is the real issue. When you think about breaches that have occurred in the past that involve encryption systems, it's almost always key management. Until we get to quantum computing, and then all bets are off. I do think that these are table stakes today, and I think the fact that companies can bring your own key or hold your own key, essentially trying to mitigate that multi-tenancy risk, in terms of a breach being breached someplace else affecting you, I think the fact that we can do those things, we can own our own keys, is one of the reasons why financial services are at the table now talking about cloud. That CASB layer, the cloud access security broker layer, that allows firms to get some comfort that the keys are theirs, I think is absolutely extremely important.

Yeah, to add to that, what I think is a great opportunity for financial services when they move to the cloud is how easy cloud providers have made it to have encryption everywhere. So all of your infrastructure, all of your trunk network, in transit, it's almost a click of a button or two, and if you want encryption using, you know, algorithms like AES-256, you just check a box. Now, on premise it's very difficult to run key management infrastructure at the scale required to encrypt, you know, hundreds of thousands of servers on-premise, and you know, I think you might agree with this, what we see in an on-premise world is financial institutions focusing their encryption capability on maybe the most sensitive data in their organization, but then there's still large portions of sensitive data that largely goes unencrypted, and the reason for that is key management is difficult at scale. And I think one of the great
things that cloud providers have brought to the table is, because they have to fix this once for millions of customers, they've done a really good job of automating it and making it accessible for everyone. And I think that's an opportunity that financial institutions, as you mentioned, that's why they're at the table talking, can take: that immediate benefit of encryption everywhere.

And I do think, just real quickly, reading the question again, it is addressing the problem of safety and security, but it's not the end-all, it's not the end state, right? So encryption technology is not quite where we need it to be at the moment. So field-level encryption today is very difficult to do. Separating, segregation of duties of individuals on privileged access and having the capability of decrypting keys and then seeing a company's data, that's not quite where we need it to be either. Definitely trending in the right direction, definitely much more comfortable now; security professionals are much more comfortable now than they ever were because of that, but we're not quite there yet.

Okay, well I've got 15 seconds in which to sneak in the very last and most popular question today. So, right to inspect and right to audit: a tug of war game between the regulators, financial institutions and cloud service providers. What's your experience on that?

Oh great, all right. Look, I think that's a tough one, right? I mean, let me talk systemically, and I wouldn't call me the super best qualified for this, but I'm gonna try and do it based on the best I understand. I think we have a systemic obligation to ensure that the industry, if we're talking about the financial services industry, is secure and safe, yeah? And the ability to audit and the ability to understand the environment is something very important, especially for those that are providing a duty of care to customers. So the fact that you want it, I think, and the fact that you're
requesting it from our cloud providers is actually okay, right? There's no reason we shouldn't be asking that question. The next level you have to get to is, can we do it, right, and how do you do it? And so that's where we need to work with our regulators and the cloud providers to say, what is an efficient way to ensure that systemically we can protect the environment, the customer, in the system? The cloud service provider wants our business; in the game, does not want us to go out of business. The regulator wants to protect the system. We want our clients to be happy. There's a successful entente that I think could be had, and I think that's the balance that you need to strike. The conversations now are happening much more than they ever did before, so I'm seeing regulator, cloud provider, customer talking in ways I haven't seen before, and being very transparent.

And actually I would end this panel talk by saying that seems to me to be the common theme, really, which is the conversation between all the various different stakeholders, which will get us to a place of successful use of cloud. So it just remains to me to thank very much each of our panelists, Matt, Pierre, Miles, I think you've done a fantastic job. I for one definitely feel well educated and slightly less scared from reading all the press I've read. And Matt, if Morgan Stanley went and used cloud, next time I try, though, at least... cool. Thank you very much.
Info
Channel: Singapore FinTech Festival
Views: 1,022
Rating: 5 out of 5
Id: VSV9ti-SfUU
Length: 47min 17sec (2837 seconds)
Published: Mon Nov 26 2018