Guest blog by Raef Meeuwisse, passionate about cyber, AI, keynote speaker, CISO consultancy and author of numerous cybersecurity publications, including the highly successful title ‘Cybersecurity for Beginners ’.
Did you ever imagine there would be a time when a CEO could lose their job or bonus due simply to a technical issue? In the past week, the CEO of TSB, a major UK bank has come under intense personal pressure to relinquish his bonus and potentially step down from his role.
The reason: Somebody messed up the transfer of customer records from the legacy system into a new location.
At points during the past week, all 1.9 million customers have been locked out of their accounts. Customers have been venting their grievances on social media and in bank branches. Personnel in the branches have complained of extreme physical and emotional stress. The press have had a field day.
The move was expected to save the bank around £100m per year. Unfortunately, the bank has now already had to agree to blanket customer compensation measures and has suffered brand damage that will offset at least a few years of those planned savings.
Within the bank, the CEO has publicly placed the reporting line for the IT migration project directly into him – a move which seems (to me at least) to be unwise. After all, when your tech team failed, probably the next best tech lead you can lay your hands on is not the CEO.
What the TSB example shows is that when it comes to technology and security, you need the expertise in the team to be something you are comfortable to bet your career on.
Although there has not been much technical detail coming forward about the chaos yet, it seems the move was part of the separation out of TSB customer information as the Lloyds Bank systems are migrated to a private cloud . That move was itself triggered after a hacker instigated cyberattack  targeted the legacy data centers of Lloyds and other banks back in January 2017.
Between the options of running your own data centre, using a public cloud infrastructure or implementing a private cloud, most banks have selected the private cloud option. So why choose private cloud? Are private cloud environments more secure and dependable than anything else? Are there any easy ways to avoid issues like the one TSB is encountering?
1. Why choose private cloud?
In a private cloud you can be sure that all of the data in the environment is your own.
Unlike a public cloud – but just like a traditional data centre, a private cloud also gives an enterprise the ability to fully control the physical access, digital access and security architecture of the environment.
It is even possible to locate the private cloud in a place where it can be fully isolated from the Internet but still accessible to bank staff in the event of a major cyber attack or Internet outage.
The ability to fully control access, physical location and security can make private cloud environments ideal for achieving a balance between high security, improved scalability and faster deployment of new applications and services.
In a private cloud, new virtual computers can be set-up in minutes.
However, a private cloud does not have the level of economies of scale and other size advantages that can be achieved by a public cloud. That is because a large public cloud service will have many tens of thousands of physical machines. A private cloud will be buying and using a far smaller number of computers.
2. Are private cloud environments more secure and dependable than other options?
The simple answer here is; It depends.
Not all private clouds are of equal quality or security.
The integrity of each private cloud is entirely reliant on the skills, competencies and expertise of the team managing the design, procurement, implementation and operation of the environment. For example, if you are an existing team looking to build a new private cloud environment, you will benefit by augmenting your team with people who have proven experience establishing secure private cloud environments.
Public clouds have so much size and are attacked so frequently, they have more experience, size and security features than most private clouds can afford. For example, a major public cloud service (such as Azure or AWS) handles so much data traffic, they are nearly impervious to certain cyberattacks, such as DDoS (Distributed Denial of Service).
However, provided you use the right skills and expertise to implement and operate your private cloud, it will be more secure and dependable than a public cloud service. It will also be more expensive to operate.
If your private cloud is operated in an external data centre, it is also worth remembering that some of the physical and digital access can still be vulnerable to any security gaps in the processes and technologies used by that supplier or their sub-contractors.
The key to achieving private cloud security is to get the right team and expertise in place from the outset and not to under-fund the security.
- The security budget and measures in a private cloud have to operate on a fraction of the budget of a public cloud service.
- The costs of running a private cloud are higher than using a public cloud service but usually much lower than a traditional data centre.
- You cannot always trust what a supplier will tell you. After all, they want to sell their product and sometimes it is not what they do tell you that is an issue. Often, it is the items they may not mention that could lead to gaps in your security.
3. Can issues like the technical failure at TSB be avoided?
Yes they can. Here are three simple tests to help you.
Firstly, all good migrations involve rolling out and testing pilot versions of a new service. Once tested any failures or issues are addressed before the trial size is increased. Usually any initial trial rollout will only involve friendly customers who agree to provide prompt feedback on any issues, for example, the customer accounts of selected staff or project members.
Secondly, after the trials are adequately proven, the full migration should be rolled out in stages and each migration should have something called a rollback plan. A rollback plan allows the services to be restored to their old technology in the event of a crisis. If your team doesn’t know what a rollback plan is, or does not have one, you should look to add the relevant expertise.
Finally, any changes to critical applications or their environments are always worthy of security investment. Security should be included by design and also tested before deployment. In this case, with customers able to see and make transactions on accounts that were not their own, it is clear this step was also below an acceptable standard.
The moral of this story is this: Private clouds and banking technology can be great – as long as you have the right technical and security skills and expertise in the right positions within your team.