David Cahill, security strategy and architecture manager at the Allied Irish Bank (AIB), took to the stage this morning to tell the crowd at Cloud Security Expo 2016 of the company's journey to secure the bank's use of the cloud.
According to Cahill, the AIB is a financial services organisation with big ambitions. Achieving its goals is dependent on innovation in IT services, which includes the secure adoption of cloud services.
However, with 15,000 users on its internal networks and data centres based in the US, UK and Ireland, the company's risk profile is increasing. It has myriad issues to watch out for, including US, UK and Irish banking regulations, data loss and data privacy – issues in which users are taking more interest.
It is for this reason, Cahill says, that the bank deems it necessary to design for the future, using the cloud to future-proof itself because of the speed at which the cloud allows newer technologies to be deployed.
These technologies include sensors that will use biometric data to secure the banking experience for the end user, and contextual data to maintain the most up-to-date picture of the bank's IT infrastructure, with all of these converging at the right places.
According to Cahill, this presents a multitude of challenges within the bank. “Everyone is always talking about securing the cloud, when in actual fact, the easiest way to break into someone's cloud is through the endpoint.”
Although the bank has a strong sanctioned-SaaS policy – the cloud software the company allows an end user to use – Cahill gave examples of malware spread through shared Box accounts, sharing and rights issues, and unauthorised content on the network such as pirated films as just some of the challenges that cloud apps present.
Furthermore, Cahill found hundreds of unsanctioned SaaS applications in use on the AIB network, because the sanctioned software simply isn't “flavour of the moment”. These introduced many more of the same risks: malware, sharing and rights problems, loss of sensitive PII, and IP rights (to use).
Finally, Cahill highlighted that where responsibility lies should one of these apps go wrong is still a grey area, asking, “Can I outsource my responsibility?”, and pointed to the need to tokenise and secure workflows to avoid this.
To address this, the bank recognised that it needed visibility of which cloud apps were being used on its network. Once it had that, it investigated upload and download traffic, revised the service based on multiple AIB attributes and defined its risk classifications before it could quantify the organisation's risk.
To tackle these risks, Cahill said, the bank started with the highest risk profile and spoke to the relevant business unit to break the risks down. It then got employees to understand the cloud risks, promoted approved cloud services and encouraged their use, using policies to block, coach and redirect where appropriate.
Cahill said that one of the lessons learned from this process was that they found far more services than expected. Setting and enforcing classifications was a huge task, as cloud approval is multifaceted: it needs input from multiple departments, and different roles need different services. Because of this, Cahill found that the faster they defined trusted services, the easier it was to on-board users.
In response, the bank has implemented a security supplier relationship management function, which it uses to review cloud providers such as Office 365 and ShareFile, looking to review, accredit and develop partner trust to ensure all of its partners are solid.
To sum up, Cahill warned that this is an endless journey: new requests for software come in every week, so he and his team cannot stand still – but they recognise they can't do everything in one go.