TFM: A secure stairway to heaven



As the financial services industry migrates from the physical to the ethereal, Peter Martini, President of iBoss, explains why it’s important not to leave your security back down on earth

Forced by the seemingly endless growth of data worldwide, the financial services industry is gradually joining the virtual mass exodus from terra firma to Cloud-based hosting.

The problem comes, according to Peter Martini, president of US-based Cloud security specialist iBoss, when the checks and balances that firms attach to their earthly storage don’t climb the same stairway to heaven. According to Gartner, just 29 per cent run their security from the Cloud.

“This effectively negates many of the benefits,” he wrote in a recent blog. “For instance, an employee wishing to use a Cloud-based service securely must be routed via the appliance and is restricted by where that device is physically located. This introduces latency with potential virtual journeys, over expensive bandwidth, of thousands of miles for each server request. As the amount of company data increases, it requires continuous hardware upgrades just to keep up.”

iBoss’s answer is to offer IP address retention but with a customer-by-customer data separation, a global Cloud footprint and geo isolation of employee data, all combining to provide increased flexibility, better compliance with new data regulations and reduced cost, according to Martini.

The ‘bandwidth problem’

The irresistible shift to Cloud storage in financial services – despite some residual security concerns around public Cloud hosting – is being driven by the sheer weight of data in existence, and the speed of response and scalability demanded by today’s market. On-premise appliances simply can’t take that pace, resulting in the so-called ‘bandwidth’ problem.

All of this is coupled with the increasing trend of employees – including C-suite executives – using mobile devices in out-of-office environments. This necessitates alternative means of entry to files while restricting access to sensitive data, all the time protecting individuals from unwittingly contravening data protection in whichever host country they happen to be operating from.

It’s not just in the area of financial data that protecting organisations and individuals is important, of course.

In fact, one of the most compelling demonstrations of the iBoss technology’s capability is in education. It has worked with US schools to turn their security networks for protecting school data on student Chromebooks and other portable devices, into tools to passively track students’ internet access and flag individuals at potential risk of self-harm. It’s an arresting example of how shifting the emphasis from setting network perimeters to following users, providing security where they are, leads to better outcomes.

In April, iBoss announced the native integration of its iBoss Cloud and Microsoft Virtual WAN. This allows branch offices and other remote locations to securely access the Cloud from where they are, independent of centralised data centres, increasing internet speeds and productivity, and reducing cost by removing the need for private internet connections to transfer data backwards and forwards.

“The old bricks and mortar four walls, putting appliances inside your organisation to protect user data, doesn’t even make sense,” says Martini. “The data is no longer there, so there’s nothing to protect. Users are everywhere, they’re accessing your data across multiple different Clouds, so protecting the users accessing data in third-party Clouds is the reality we live in.”

“We grabbed the concept of security in the Cloud, and leveraged a containerised gateway architecture which allows us to cohabit across multiple different clouds. We can protect the data where it resides and is being accessed by users remotely.”

This approach helps to overcome issues with so-called ‘Cloud sacrifice’ – when appliance-based functionality is lost.

“Cloud security provides lots of benefits, including scale and elasticity, and the ability to secure a user from anywhere. The question that usually arises is ‘how do I move the security policies in my appliances into this Cloud architecture?’ and ‘where do I have to make a sacrifice?’,” adds Martini. The answer is they don’t.

“Some of the first Clouds, what we call Cloud 1.0, had a monolithic design, so all the data had to flow through a central Cloud. Cloud 2.0 is based on containerised architectures that allow the security to reside across multiple different Clouds – a micro-Cloud approach. When you move into a Cloud 1.0, you have to sacrifice elements of how you operate your environment. We want to ensure organisations can apply the same security policies they had for their on-premise equipment – such as IP restrictions ensuring only the authorised user can access Cloud data and applications when they’re on their own corporate-owned device versus a personal device – to ensure they’re meeting compliance and not accessing company data with an infected personal device.”

Where is your data?

Compliance is becoming ever more complicated for those organisations with employees operating across multiple jurisdictions.

“Some of the biggest questions we face, when people move to the Cloud, especially with the General Data Protection Regulation (GDPR) and similar worldwide data privacy regulations, are ‘where’s my data in the Cloud?’, ‘who’s accessing it?’ and ‘is it compliant in the Cloud?’. It’s really important to implement a Cloud security platform that allows you to control these things in a containerised architecture.

“Because this architecture can separate the data plane from the multi-tenant user plane, it allows you to isolate and control all those variables that you typically have to sacrifice when you move to the Cloud. You can define where your data lives and who can access it, setting geoplanes around it – so it’s only in the UK, for example, and only employees in the UK can access it while they’re in the corporate headquarters and then only certain applications – protecting the organisation and its customers.

“The idea of protecting your data via a virtual castle and moat-style arrangement, where people walk in the office, open their desk and log in to their desktop using a VPN or similar appliance, no longer exists.”

The Europe, the Middle East and Africa region, and the UK in particular, is a target market for iBoss, as for other Cloud services providers, given the country ranks third in the US’s top 20 target export markets for Cloud services worldwide. iBoss, established by Martini and his brother Peter in 2004, is already established in the UK education sector, but is now looking for partners to expand into financial services and elsewhere, in the second half of 2019.

The fact that financial institutions are more willing than ever to adopt Cloud technology should help. Traditionally, they’ve tended to keep their IT in a vault, but as many as three out of four systemically important financial institutions may now already be using the Cloud, according to statistics released by Microsoft Azure. In the UK, the migration has been encouraged by the Financial Conduct Authority and made commercially desirable by the revised Payment Services Directive and open banking in Europe.

It’s pointless waiting to make the leap, says Martini: “Because, in reality, your data is moving to the Cloud, and either you are adopting it or staying behind.

“We’re going to see more and more applications moving to the Cloud, and your security has to shift there, too.”

But he adds a word of warning: “If you don’t do it in a secure, planned fashion, you could end up creating what is called a ‘shadow IT’, where people start using their own Cloud. They want to send a file to somebody, so they use their own Dropbox, for example, because they don’t want to VPN into the corporate office. You might believe you’re not using the Cloud, but your employees could be, and that’s a scary thought.”



This article was published in The Fintech Finance Magazine: Issue #12, Page 88.

Author: Yash Hirani
