What is more, global financial institutions that span different regulatory frameworks, such as the US and the EU, have to address complex data-residency issues. There are challenges within the EU itself. For example, a central bank based in Luxembourg with operations across Europe was held back by in-country data-residency issues: a multi-million dollar core banking application update could not proceed to production because of the regulatory requirements, under Luxembourg’s CSSF rules, governing where live customer data may be accessed. Traditional access-control-based approaches protect the path to the data rather than the data itself, and so could not meet the regulatory need. The problem was solved by protecting the data at the field level as it moved in and out of the private cloud architecture in Luxembourg, so that the core banking investment could be used across multiple geographies while remaining CSSF compliant.
Outside Luxembourg, the applications operate on de-identified versions of the data and are therefore compliant. The same data-centric security service framework is being applied by global banks to blends of SaaS, IaaS and PaaS as extensions of their core processing environments, bridging mission-critical mainframe systems to lowest-cost cloud services to create new, quick-to-market services and applications, again without exposing live data to low-trust cloud environments.
How to overcome the security barrier
Ask for the proofs. Make sure independent validation of the approach is available; if it isn’t, don’t trust it. The proofs also have to be relevant and come from trusted sources: incomplete tests, or claims that lack full transparency, don’t cut it. For instance, solutions that claim to protect data using new encryption techniques without security proofs and relevant independent validation by experts are worthless in the event of a breach. Worse, they may not offer any security in the first place. Independent verification is critical.
That is why new data security standards such as NIST Format Preserving Encryption (SP 800-38G, whose FF1 mode is built on the FFX construction over AES) are so important. They rest on published security proofs and the review of a standards body. That review is not a formality: NIST revised the standard’s FF3 mode to FF3-1 after published cryptanalysis found a practical attack on the original, whereas a scheme that never faced public scrutiny would simply have stayed broken, unnoticed.
Data risk and compliance barriers can be overcome with a “data-centric” approach in the enterprise cloud stack: data protection, de-identification and data masking applied in tandem with the identity, authentication and authorization service layers. This lets the CISO and CIO support business adoption of new competitive applications, aggregating business services and data sources rapidly without exposing live data to new threats or insider attack.
The spotlight is now on CISOs to determine the architecture and strategy that make this happen, rather than saying no to the business. Otherwise the business will adopt it anyway; the train is already rolling.
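As an added illustration of the field-level, data-centric pattern described above (both the Luxembourg case and this paragraph), here is a small Python model of an in-jurisdiction token vault. It is example code written for this page, not a product or the bank’s implementation; the record layout, field names, policy and sample values are all constructed. It uses vault-based tokenization rather than NIST FPE, because the Python standard library has no AES: format is preserved by substituting random characters of the same class and keeping the token-to-live mapping inside the trusted zone. A production deployment would use a validated FPE or tokenization service instead.

```python
"""Field-level de-identification with an in-jurisdiction token vault.

Added example, not code from the article or any vendor. Live customer
fields are replaced with format-preserving tokens before a record leaves
the trusted (in-country) zone; applications elsewhere see only the
de-identified record. The vault never leaves the trusted zone. All field
names, policy entries and sample values below are constructed.
"""
import secrets
import string


def _same_class_random(ch):
    """Random replacement keeping the character class (digit/upper/lower).
    Punctuation such as '-' is kept verbatim so the format stays valid."""
    if ch.isdigit():
        return str(secrets.randbelow(10))
    if ch.isupper():
        return secrets.choice(string.ascii_uppercase)
    if ch.islower():
        return secrets.choice(string.ascii_lowercase)
    return ch


class TokenVault:
    """Mapping between live values and tokens; lives only in the trusted zone."""

    def __init__(self):
        self._to_token = {}
        self._to_live = {}

    def tokenize(self, value, keep_first=0, keep_last=0):
        """Return a token with the same length and character classes as value.
        keep_first/keep_last preserve e.g. a card's last four or an IBAN's
        country code. Deterministic: the same live value always yields the
        same token, so joins across de-identified datasets still work."""
        if keep_first + keep_last >= len(value):
            raise ValueError("nothing left to tokenize with those keep_* settings")
        if value in self._to_token:
            return self._to_token[value]
        head = value[:keep_first]
        body = value[keep_first:len(value) - keep_last]
        tail = value[len(value) - keep_last:]
        for _ in range(1000):
            token = head + "".join(_same_class_random(c) for c in body) + tail
            # never hand out the live value itself, and never reuse a token
            if token != value and token not in self._to_live:
                break
        else:
            raise RuntimeError("token space exhausted for this format")
        self._to_token[value] = token
        self._to_live[token] = value
        return token

    def detokenize(self, token):
        """Reverse lookup; only callable where the vault exists (in-country)."""
        return self._to_live[token]


# Constructed export policy. Fields not listed are dropped (default deny).
POLICY = {
    "customer_id": ("tokenize", {"keep_first": 5}),   # keep "CUST-" prefix
    "pan": ("tokenize", {"keep_last": 4}),             # keep last four digits
    "iban": ("tokenize", {"keep_first": 2}),           # keep country code
    "email": ("mask", {}),
    "birth_date": ("generalize", {}),
    "balance_eur": ("pass", {}),                       # needed by the app, non-identifying
}


def mask_email(addr):
    """Irreversible mask: first character of the local part plus the domain."""
    local, _, domain = addr.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


def generalize_date(iso_date):
    """Irreversible generalization: YYYY-MM-DD -> YYYY."""
    return iso_date[:4]


def deidentify(record, vault, policy=POLICY):
    """Apply the policy to one record before it leaves the trusted zone."""
    out = {}
    for field, value in record.items():
        method, opts = policy.get(field, ("drop", {}))
        if method == "tokenize":
            out[field] = vault.tokenize(value, **opts)
        elif method == "mask":
            out[field] = mask_email(value)
        elif method == "generalize":
            out[field] = generalize_date(value)
        elif method == "pass":
            out[field] = value
        # "drop": the field is not exported at all
    return out


def reidentify(record, vault, policy=POLICY):
    """Restore tokenized fields; masked/generalized fields are not recoverable."""
    out = dict(record)
    for field, (method, _) in policy.items():
        if method == "tokenize" and field in out:
            out[field] = vault.detokenize(out[field])
    return out


# Constructed sample record with live-looking (test) values.
SAMPLE = {
    "customer_id": "CUST-00918273",
    "pan": "4111111111111111",
    "iban": "LU280019400644750000",
    "email": "jdoe@example.com",
    "birth_date": "1984-03-17",
    "balance_eur": "12540.33",
    "internal_note": "VIP, see file",   # not in policy, so never exported
}

if __name__ == "__main__":
    vault = TokenVault()               # stays in Luxembourg
    exported = deidentify(SAMPLE, vault)   # what the out-of-country app sees
    print(exported)
    print(reidentify(exported, vault))     # only possible next to the vault
```

Run it and only the vault object, kept in-country, can turn the exported record back into live data; the application outside sees format-valid but synthetic PANs and IBANs, a masked email and a birth year, so it can be built and tested without live customer data ever leaving the jurisdiction. Two design points matter in practice: the vault is now the crown jewel, since it holds every live value and needs the strongest access control and logging of anything in the architecture, and the exported set is only as de-identified as the policy’s default-deny handling of unlisted fields (here `internal_note`).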