Community banks have taken advantage of “the cloud” for many years through third parties providing outsourced core processing and other back-office services. Today, however, cloud computing has become an ubiquitous, virtual solution capable of handling almost any business-critical application with an array of benefits, including reduced costs, flexibility, scalability, improved load balance and speed. From mobile banking and payments processing to data backup and business continuity, cloud computing has become an integral part of the financial services industry.
“The initial outsourcing to processors turned over entire core systems and connected business applications to third-party vendors for complete management,” said Lisa Stanton, executive vice president of payments for Monitise, based in London. “More recently, we see institutions taking a more laser-focused approach to specific cloud-based services with capabilities they can customize through their own development or by integrating best-of-breed business application solutions.”
Public vs. Private Cloud
Two types of clouds apply to community banks: public and private. The PCI Security Standards Council defines the public cloud as being made available to the general public through the Internet and normally unencrypted. The private cloud is often encrypted and operated solely for a single organization or client, although it may be managed on-premise or off-premise by a third-party provider.
“When thinking about the private cloud, the security challenges of the cloud are really no different than the challenges related to legacy computing infrastructure,” said Steve Bacastow, chief technology officer and senior vice president for Mozido of Austin, Texas. The private cloud provides the ability to deploy, manage and scale resources using virtualized infrastructure.”
“Ultimately, the type of cloud model a financial services company uses will depend on its IT team’s familiarity and comfort implementing that model. Each cloud model has its own advantages depending on the user bank’s existing resources,” said Pravin Kothari, CEO of CipherCloud, a provider of cloud encryption gateway technology with offices in San Jose, Calif. The company recently worked with a bank interested in using a public cloud platform to improve time to market at a fraction of the cost of developing a custom on-premise consumer loans portal. CipherCloud provided enterprise-grade encryption technology that worked in real-time to prevent unauthorized access to customer data, as well as malware protection to scan third-party documents (e.g., loan applications) for possible threats.
The Security Factor
Security is unquestionably the No. 1 issue all banks must confront when considering a cloud solution. The greatest risk for banks as they move to the cloud is doing so unprepared, says Kothari. Banks need to understand exactly what data is moving through and residing in the cloud, and they must assess their cloud information protection strategies for countering cyber intrusion and theft. Adding more technologies to an IT ecosystem, for example, increases data exposure to cyber attacks.
CipherCloud’s approach is to encrypt data before it reaches the cloud. If, in the worst case, data security is breached, all the unauthorized entities see is gibberish; customer information remains safe. For an extra measure of security, the company’s key management model gives encrypting and decrypting capabilities to the customer instead of a cloud service provider, or CSP.
Mozido deploys all its services using a secure, private cloud. Its Enterprise Cloud Payment Network is an ecosystem of service providers enabled through a secure, multichannel delivery capability. The core processing consists of APIs, workflows and connectors that allow these services to be used by any registered mobile device or authorized Web client.
“Using this design,” said Bacastow, “we can offer a wide variety of services ubiquitously to a broad range of devices and end points, including smartphones and feature phones. The benefit to a financial institution or merchant comes from the one-stop-shopping for a wide range of pre-integrated services that can be quickly and securely deployed to their customers.”
Monitise enables financial institutions’ mobile and tablet banking solutions with cloud-provisioned payment and commerce solutions. The company’s Mobile Money products — Bank Anywhere, Pay Anyone, Buy Anything — are based on its Enterprise Platform, which is available as a cloud-based solution or deployed on-premise.
“Usually, our client chooses whether they prefer to install on-premises or use our hosted solution,” said Stanton. “Typically, the larger North American banks prefer on-premises. If a bank has a data center and is used to hosting third-party applications on-site, then this can work well and saves on commissioning and testing. It also saves on hosting costs. On the other hand, it can be faster to implement a platform on our known hosted platform. In either case, Monitise monitors system performance remotely and can still manage upgrades.”
Making the Move
As mobile banking continues to evolve, mobile commerce and mobile marketing become more commonplace, and the competition for customer retention and acquisition intensifies, it is a safe bet that banking on the cloud will gain momentum. In fact, the question is no longer, “Should we move to the cloud?” It is, “What are the main considerations when moving to the cloud?”
This one question, however, can yield multiple responses depending on the persons being asked: operations, business development, compliance, marketing, IT and so forth. Senior management and the board of directors, who are ultimately responsible for ensuring appropriate vendor oversight, also have a stake in migrating to the cloud.
The first step, therefore, is to bring together a management team to determine the functions or applications to be moved to the cloud; the implications of such a move (e.g., compliance, security and potential risk); the type of service model to adopt (e.g., software-as-a-service or platform-as-a-service); and the due-diligence guidelines for the selection of a CSP. In addition, it is important to review the guidance on vendor management issued by the Federal Financial Institutions Examination Council (www.ffiec.gov) and the PCI Security Standards Council’s PCI DSS Cloud Computing Guidelines (www.pcisecuritystandards.org).
For community banks with limited resources, the speed, agility and cost-effectiveness of cloud-based services, such as being offered by CipherCloud, Mozido and Monitise, are compelling reasons to move in this direction. The caveat, though, is that the bank must be thorough in its selection of a CSP; and, most important, it must implement a vendor management policy and oversight team to ensure that ongoing safeguards are in place to mitigate potential risks, security breaches and compliance issues.
Michael Scheibach is executive editor of BankNews.
Copyright (c) August 2013 by BankNews Media