Managing Mobile Risk in the Cloud
With firms increasingly dependent on mobile computing platforms for everything from customer apps to enterprise process management, there’s been an upswing in software development and management activity taking place in the cloud. Jumping on the mobile trend also means that the potential for exposure to hackers, malware, and plain old code errors is higher than before. Yet the ever-increasing importance of speed-to-market makes it more and more likely that data security and data privacy will be neglected. With firms focused on critical state-of-the-art trading and payment apps, how can they make sure that security and privacy are not neglected?
Few research studies have been completed on the success rate of major cloud implementations. However, it should not be a complete surprise that while companies will publicly assert confidence in their cloud implementations, in private they may have more doubts and issues to deal with. First, like any other project, implementations of cloud-based applications are subject to execution failure. Second, in many ways, the opportunities for failure are greater than in traditional projects. As we shall see, the iterative development process and rapid speed-to-market demanded in this market require new ways of working and planning. The result of poor planning and execution is often the failure of critical business applications.
The demand for mobile and remote access capabilities is generally linked to a requirement for cloud computing. Cloud is key to delivering mobile and remote access to customers and employees along with an ability to provide and upgrade apps on the fly. This enables firms to test quickly and put out new versions of apps and software at a premium.
Iterative and agile software development methodologies and tools are the buzzwords of the moment because they capture how software developers are ideally working in this environment. Perfection will not be achieved before code is released, but at the same time certain minimum standards of data security and privacy, as well as release objectives, need to be met. This can be done, but certain preconceptions about the cloud need to be overcome in order to do so. The most important misconception about the cloud is that it necessarily exposes apps and data to the outside world. This is not so. Remote space that is purely for use by a single company provides the convenience and cost efficiencies of the cloud along with the ability to protect data and provide privacy to the required level. Such environments are known as private clouds, and most banks will likely need to deploy this capability to meet their regulatory and customer obligations for privacy and security.
The typical business is not going to be making this journey above the clouds alone. It is going to be working with a partner with expertise and real estate up there. In some ways, this is somewhat similar to Web 1.0, when many new firms were quick to emerge with expertise in website development. These firms came to the fore and enjoyed rapid growth because they had expertise that few traditional providers appeared to have.
Similarly today, many new vendors are emerging to claim leadership in cloud computing. The differences between Web 1.0 and today, however, are significant, and enterprises employing the services of cloud providers should pay attention. In the Web 1.0 development cycle, firms were often simply looking to obtain a presence on the web and were not looking to build out critical and core functions. Today, since firms are looking to host core functions on the cloud and, with that, some of their most sensitive data, they can ill afford errors in core business processes, or gaps in security and privacy that are exposed inadvertently or exploited intentionally. While few companies will acknowledge such failures, they do occur. So how to avoid such a scenario?
First, firms should assess their apps and data being exposed to the cloud for the level of security, privacy robustness, and frequency of development update they require. It’s now become an imperative to easily control, manage, and secure where data and apps reside. Second, they should map their assessment to the type of cloud solution required -- public, private, or hybrid -- as well as vendor capability in solving for rapid development and testing scenarios. Paramount is creating the right environment.
Third, firms should select cloud computing providers that provide development platforms and testing solutions that are always available with tools suited to rapid and agile software development, including the ability to ensure the constant availability of a testing platform and that access to the development layer is tightly controlled. These capabilities enable institutions to quickly integrate existing and new services and data to drive new innovations.
Cloud computing has proven to be a valuable tool for marrying a financial institution’s existing infrastructure with new cloud workloads driven by trends such as the rise of data, mobile, and social. Companies just need to ensure they are taking advantage of what is an appropriate environment for them at the mobile, social, and traditional computing levels.
Andrew Waxman writes on operational risk in capital markets and financial services. Andrew is a consultant in IBM's US financial risk services and compliance group. The views expressed here are his own. As an operational risk manager, Andrew has worked at some of the ...