Other companies have shied away from cloud computing because of security concerns, but the Sun National Bank subsidiary
of Sun Bancorp Inc. has taken a pragmatic approach to taking advantage of the cloud's potential for rapid deployment. That approach isn't just a matter of connecting routers and VPNs, the bank's CIO said, but a detailed series of cloud security best practices for partner evaluation, risk assessment and contractual negotiation.
Last month Sun National began offering mobile banking, a feat accomplished in less than four months with cloud services, according to Angelo Valletta, senior vice president and CIO of the Vineland, N.J.-based bank, which employs about 800 people in more than 70 offices. Sun National now offers Short Message Service, or SMS, texting for account information inquiries; browser access to its website from Internet-enabled phones and PDAs; and an application that customers can download to their PDAs for one-click access to the site.
"We decided in the fourth quarter last year that we wanted to provide the mobile channel to our customers," Valletta said. "We wanted to be ahead of the curve before our customers demanded it, so we partnered with a cloud platform provider to assist with the delivery."
Sun National chose mFoundry Inc., based in Larkspur, Calif., a cloud provider whose hardware and software back-end infrastructure is widely used by banks, payment companies and merchants for mobile banking and mobile payments. mFoundry's platform also can serve as a foundation for mobile wallets.
"A lot of people choose a cloud provider and wash their hands of it, expecting that everything will be taken care of. In my opinion, it's what you put into it. The cloud will be as secure as how you are managing it," said Valletta, who will participate in a roundtable discussion, "Reality in the Hyped-up Cloud," at The CIO Forum in New York City on May 18.
To begin with, Sun National required mFoundry to have SAS 70 (Statement on Auditing Standards No. 70) Type II certification, an audit that assesses the internal controls within service organizations. This requirement is a baseline for all the bank's cloud providers, Valletta said. "It's an investment [that our partners make] to have a third party come in and evaluate them."
Sun National then reviews the SAS 70 audit to understand where the provider's vulnerabilities are, and uses an internal process to address them within a specific period of time. In addition, if mFoundry or another direct service provider outsources to a third party in a federated model, that provider needs a SAS 70 audit as well. This is all beyond the service-level agreements that Sun National typically negotiates.
Many IT professionals have argued that an SAS 70 audit isn't enough to ensure security in the cloud. Valletta agreed, but said it's a beginning. "We also build within contracts the right to go into an organization to do our own audit and inspection from a vulnerability standpoint," he said. That's an investment on Sun National's part to maintain the transparency that outsourcing functions to a cloud provider threatens to remove.
"We also have a risk assessment performed," Valletta said. "We rate partners based on the application, and ask, is this a critical application for our organization? Finally, our providers don't house our data -- they support us with the business process."
It takes more than money to manage security in the cloud -- it requires a new skill set in the IT department, namely, people who understand the technology and can navigate the business environment, and who are accountable from the top-down perspective, while being able to approach contracts from a partnership perspective.
Expert advice for cloud security
Sun National's experience shows a level of sophistication in a rapidly changing environment that has yet to be tamed with de facto standards, according to Rich Mogull, CEO of Phoenix-based consultancy Securosis LLC.
"The biggest problem with the cloud is that it's not only the Wild West, it's a seedy bar," Mogull said. "Buyer, beware. You need to understand what [applications] you're moving to the cloud, and what is in the SLA you get from those providers."
The applications and IT processes most often being moved to cloud environments include development testing, collaboration, analytics, batch jobs and disaster recovery, industry experts said.
"It all depends on risk tolerance," Mogull advised. "Start with lower-value portions of the business; don't move private, heavily regulated databases."
"It's important to know how the data will be protected, because even giant providers have outages," Mogull continued. Firewalls and Secure Sockets Layer (SSL) connections that protect data in transit over networks are not enough; businesses may want to encrypt data they put on a cloud, but they need to manage the keys themselves, he said.
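Mogull's point, that encrypting data before it reaches the cloud only helps if the customer keeps the keys, is the customer-managed-key pattern. The following is an added example written for this page, not code from the article, Sun National or mFoundry; it assumes Go, AES-256-GCM, a simulated provider store (the `CloudStore` map), and envelope encryption with a per-object data key wrapped under a master key that never leaves the client. The object name is bound to each ciphertext as associated data so a stored object cannot be swapped for another without detection.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is all the provider ever holds: ciphertext plus the per-object
// data key, itself encrypted under the customer's master key.
type StoredObject struct {
	WrappedDEK []byte // data key sealed with the customer master key
	Ciphertext []byte // data sealed with the data key
}

// CloudStore stands in for a provider's object storage (constructed stand-in).
type CloudStore struct{ objects map[string]StoredObject }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string]StoredObject{}} }

func (s *CloudStore) Put(name string, o StoredObject)     { s.objects[name] = o }
func (s *CloudStore) Get(name string) (StoredObject, bool) { o, ok := s.objects[name]; return o, ok }

// Client keeps a 256-bit master key on the customer's side only.
type Client struct{ masterKey []byte }

func NewClient() (*Client, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Client{masterKey: k}, nil
}

// seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key or any tampering with the blob.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Upload generates a fresh data key, encrypts the record with it, wraps the
// data key under the master key, and ships only the two ciphertexts.
func (c *Client) Upload(store *CloudStore, name string, data []byte) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	ct, err := seal(dek, data, []byte(name))
	if err != nil {
		return err
	}
	wrapped, err := seal(c.masterKey, dek, []byte(name))
	if err != nil {
		return err
	}
	store.Put(name, StoredObject{WrappedDEK: wrapped, Ciphertext: ct})
	return nil
}

// Download unwraps the data key locally, then decrypts; the provider takes
// no part in key handling, so losing the master key means losing the data.
func (c *Client) Download(store *CloudStore, name string) ([]byte, error) {
	obj, ok := store.Get(name)
	if !ok {
		return nil, errors.New("object not found")
	}
	dek, err := open(c.masterKey, obj.WrappedDEK, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(name))
}

// ProviderCanRead reports whether the stored bytes expose the plaintext.
func ProviderCanRead(store *CloudStore, name string, plaintext []byte) bool {
	obj, ok := store.Get(name)
	return ok && bytes.Contains(obj.Ciphertext, plaintext)
}

func main() {
	store := NewCloudStore()
	bank, _ := NewClient()
	record := []byte("acct=0001 balance=42.00") // constructed sample record
	if err := bank.Upload(store, "statements/2010-03", record); err != nil {
		panic(err)
	}
	got, err := bank.Download(store, "statements/2010-03")
	fmt.Println(string(got), err, "provider sees plaintext:", ProviderCanRead(store, "statements/2010-03", record))
	other, _ := NewClient() // a different key holder, e.g. the provider itself
	_, err = other.Download(store, "statements/2010-03")
	fmt.Println("other key holder:", err)
}
```

The failure mode Mogull is pointing at is visible in `Download`: a holder of a different master key, including the provider, gets an authentication error rather than data, and by the same token the customer must back up and rotate the master key itself, because no outage-recovery process at the provider can recover it.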
Jim Reavis, executive director of the Cloud Security Alliance (CSA), agreed with Mogull's cautious assessment of the cloud frontier.
"It's not our point of view to steer companies away from the cloud, but as with any new disruption in technology, we see a lot of startups that are likely to go out of business in the next few years," Reavis said. "And larger providers may decide to change strategy and migrate you to another product."
Nonetheless, Reavis expects that within three years large companies will move from internal cloud deployments, where they are experimenting with such things as multi-tenancy (as in the case of a large bank that needs to segment brokers and trade analysts), to public cloud deployments. As was the case with Internet security, "competitive business drivers will force people's hands before they have it all solved," he predicted.
In December, the CSA released a set of cloud security best practices guidelines that apply to internal and external efforts. More recently, it released a document that outlines the top security threats to cloud computing, and will soon publish a cloud controls matrix for security controls as they relate to existing standards.
"Organizations should be taking a business use-case and application approach, then looking at the specific security concerns," Reavis said, echoing Securosis' Mogull and Sun National's Valletta. "It's a pragmatic approach with the low-hanging fruit where solutions are readily apparent."
Sun National's best practices resulted in the secure deployment of a nascent technology approach. "From the decision in the fourth quarter, to a soft marketing campaign in mid-February, to hard delivery to our customer base in March -- we would not have been able to implement that rapidly if we did not leverage an outside provider," Valletta mused. "The cloud platform assisted us [in bringing] mobile to market very quickly."
Let us know what you think about the story; email Laura Smith, Features Writer.