Analysis: Can encryption bring banks to the cloud?

Regulation might drive the finance sector to lead cloud adoption.

One of Australia’s leading thinkers on IT strategy in the banking sector has proposed that encryption be used to overcome regulatory barriers preventing the finance industry from adopting cloud computing services.

The banking and finance sector has eyed off the potential to drive down IT costs using highly commoditised, virtualised computing stacks housed in offshore data centres – the largest in the region of which are based in Singapore.

But the sector is governed by regulations that prevent customer data from being hosted offshore.

All outsourcing agreements in the sector are signed with oversight by the regulator, the Australian Prudential Regulatory Authority (APRA).

Speaking at an Australian Information Industry Association breakfast, Paul Ventura, head of architecture, technology and integration for Westpac-owned BT Financial Group told the audience that he respected and even appreciated APRA’s oversight.

“Who here thinks [Government] policy is helpful?” he asked the room, the majority of which were made up of representatives from the banking and IT industries.

“It’s a double edged sword,” he noted. “While policy can sometimes be considered inhibitive, well-structured policy can in fact drive innovation in areas where we might have been complacent in the past.”

Ventura, stressing that it was his personal opinion and not necessarily the corporate position of his employer, said he was grateful for the clarity APRA’s November 2010 open letter on cloud computing to the banking and finance sector provided.

It recognised, he said, why the sector was attracted to the new business model, but clearly set out their obligations: “It was a reminder that customer information is sacrosanct and has to reside in Australian territories.”

Ventura now expects this clarity to drive innovation: “This is the carrot and stick that drives us toward different ways to approach the problem,” he said.

Ventura encouraged the audience to consider where the next wave of innovation might come from to solve the problem, and offered up his own suggestion.

“Yes, information has to be safe and secure, but what if we encrypted data in such a way that it doesn’t matter where it is at any point it is touched?” he said. “That’s an area policy hasn't yet addressed.”

Questions

iTnews has run this idea past various subject-matter experts in the days since Ventura's presentation.

On the technology available to date, analysts cast some doubt over whether encryption would be an adequate solution for legacy banking and finance applications. 

Most of today’s systems require data to be accessible by the application in an unencrypted format. Whilst encryption may be a solution for archival storage located offshore, data that requires regular access or manipulation by any given system hosted inhouse would therefore not make a great candidate for cloud storage.

Any re-architecture of the online banking system to cater for this issue could potentially cost more than the savings earned from taking the data offshore.

IT architect Rodney Haywood said encryption might be “standard fare” for archival data, but “for compute you need to see the data at some point.”

“If the keys are held onshore, does that mean all the data has to be shipped across the ocean to get decrypted here before it's usable?” asked Justin Warren, an IT management consultant and contributor to iTnews. “Is that cost effective, or would you be better off just building a data centre locally?”

IBRS analyst James Turner, who has studied APRA's attitudes to cloud computing in detail, also said he doesn’t expect “throwing encryption at the problem would instantly get a gold star from APRA”.

APRA’s outsourcing requirements are “fundamentally at odds with some of the basic mechanics of cloud computing," he noted.

“For example, the tenet that the data could be anywhere: depending on the architecture of the cloud vendor, data could be replicated multiple times in multiple locations. Data at one point it may persist in other locations.

“The introduction of encryption would add a whole new level of sophistication to the outsourcing model, which some cloud providers wouldn't be able to rise to. The process maturity around key management, securing any relevant communications from the cloud vendor back to the enterprise, and then the fun of auditing to verify that these processes are all being adhered to - that's going to present a challenge.”

Answers

But Ventura said the banking and finance sector need only look to the Defence sector for examples of how encryption could work for banks considering cloud adoption.

The encryption smarts available from local start-up Cocoon Data, he noted, are able to secure data when it is in transit, at rest or in use. Cocoon was recently certified EAL 4+ by Defence Signals Directorate (DSD),

The company already claims to count Defence, a major Australian bank and Federal Government departments as customers.

It's server-side encryption technology allows electronic files to be ‘owned’ by the creator of the document – allowing the creator to adjust security settings that allow access to the file even once it has left a secured system.

Ventura also noted technologies and services from Goldkey, Tarmin’s GridBank tools for securing cloud storage used in Microsoft Exchange and Sharepoint deployments, as well as open source alternative SECS as examples of where the innovation is headed.

These technologies are in-use, Ventura noted, and more are being developed with markets like Defence, government and banking and finance in mind.

IBRS’ Turner said he would not underestimate the potential impact any security breakthrough in the banking sector would provide the wider cloud computing industry.

He agreed that banking and finance offered a “lucrative market” to cloud computing which could drive innovation in the area.

“Larger cloud vendors are already working to provide solutions which will be palatable to the banking industry,” he said.

“Cloud vendors will win doubly when they can sell to the banks in volume – first from revenue from the banks, second as a proof-point to other industries. They could say, look, the banks trust us.

“That will open the door to a slew of late adopters who will be a very profitable market for cloud vendors, as at that time the cloud vendors will have mature practices and pricing models in place.” 

Paul Ventura talks at the Cloud Computing Conference at CeBIT Australia in Sydney later today.