By Parth Desai
Cloud-based Software-as-a-Service (SaaS) is here, and here to stay.
Services that we all use every day and now take for granted in both our personal and professional lives, such as Salesforce, Netflix, Amazon and Dropbox, are cloud-based SaaS offerings, and we probably never give the delivery environment a second thought. Interestingly, even industry stalwarts like Bloomberg, SAP and SWIFT are all clamouring to offer cloud-based solutions as standard, something that once would have been unthinkable.
And it’s not hard to understand why. The economic and practical reasons for adopting a cloud computing strategy are many and varied. Ease of use, scalability, simplicity and rapid deployment, coupled with the reduction in upfront costs, are all very compelling factors. In financial transaction processing systems, the cloud computing platform approach is normally associated with the Software as a Service (SaaS) or pay-per-use business model. Until recently this approach was much more appealing to corporates, but now it is becoming an increasingly attractive option for the banks as well.
The benefits are well documented:
- speed of deployment—just system configuration is required to start system testing
- elimination of capital expenditure—limited upfront investment in hardware and software
- scalability and flexibility—what you pay is dependent upon actual usage
- more effective use of operational budgets for pay-per-use monthly or quarterly fees
Managing Security Risks
However, the productivity gains and commercial benefits need to be balanced against the potential risks associated with cloud computing. The primary challenge is security risk. All internet or web-based applications are, by definition, inherently risky. However, when you compare cloud computing applications to in-house built web-based applications, we have found there is no increase in risk; in fact, quite the opposite is true. Of course, with home-grown systems there is perhaps a false sense of security because of in-house “control”. However, we have also seen that most cloud-based SaaS systems are much better architected and incorporate, as standard, the latest security features, designed to counter security threats much more effectively than most in-house web-based applications.
A SaaS system architect’s first and foremost concern when designing a cloud application is that the system is secure. This is typically ensured by using various security techniques such as point-to-point VPN, multi-factor authentication (tokens), disaster recovery and encryption. In addition, there are special threat monitoring and intrusion detection tools which continuously monitor for, and alert on, any perceived threat. Many SaaS providers offer a dedicated (private) instance to keep a customer’s data separate. Many are also getting themselves audited against some of the toughest security standards, employing more robust security features than virtually every other IT infrastructure out there. With these security features in place, modern cloud systems are many times more secure than a typical in-house developed system.
Recent security studies have shown that most security breaches are the result of internal issues, such as human error, malicious attacks using, for example, credentials from an in-house user, or simply a weak password protocol. Large cloud platform providers make it almost impossible to identify and locate a particular system in order to compromise it. Having said all of this, keeping the system in-house definitely does not mean security risks disappear. Equally, cloud-based systems are not always insecure.
Times and attitudes, they are a-changing. Cloud systems like Amazon AWS have been authorised by European financial regulators like the Dutch National Bank for use in the finance sector. More recently, several large US financial organisations such as NASDAQ and FINRA have started using AWS for computing and storage services. Even the normally ultra-cautious US Government institutions like the National Security Agency (NSA) and Central Intelligence Agency (CIA) have started to adopt cloud computing. Another giant leap for mankind!
So which cloud-based SaaS systems should I use?
The true answer depends on the nature of the application and the service provider. As with any decision related to a financial application, one needs to realistically evaluate the risks and the benefits. Normally the benefits are easy to calculate based on operational costs, speed of deployment and application benefits. These are normally significant when compared to in-house options. However, it is also human nature to fear something we don’t fully understand. Evaluating cloud security is often a daunting task for a person new to the field; again, it is that fear of the unknown. But there is plenty of help available from industry working groups like the Cloud Security Alliance (CSA), which promotes the use of best practices for providing security assurance within cloud computing. Certification to ISO 27001, the international standard for information security management systems, and TRUSTe for privacy issues would also give customers additional assurance that the SaaS vendor has information security and privacy risks under control.
The reality is that cloud-based service offerings are the future, are here, and are here to stay. Do not miss out on the chance to fly in the cloud...