When the term was first introduced in 2006 by Eric Schmidt (then-Google CEO), ‘cloud computing’ quickly became an IT buzzword. Fast forward 15 years, and what was then seen by some as a pipe dream has now become a reality. The ongoing Covid-19 pandemic has only served to accelerate the growth of this already-burgeoning field. The lockdown-induced need for scalable, reliable, and secure off-premises IT services has seen cloud computing move from a luxury to an absolute necessity; as witnessed by the 35% jump in cloud spending seen in the first quarter of 2020 itself.
Despite this, a lot of financial institutions are averse to the cloud due to security and privacy concerns. At TRaiCE, we have stayed on top of the cloud curve by adopting cloud services from the get-go. But we understand the financial sector’s reticence towards them. While we cannot answer for everyone using cloud services, we are confident in our ability to secure sensitive financial data in the cloud environment because of the stringent measures we have put in place. We hope this blog will convince our customers in the financial sector of that too.
Cloud deployment Vs On-premise deployment
The basic difference
Cloud deployment is the process of installing an application virtually. In other words, all the planning, designing, implementing, and operating that comes with deployment is done through the cloud. You can then access this software through a web browser. In contrast, on-premise deployment entails installing the application directly onto your company’s computers and servers for you to then access internally.
Why the TRaiCE team recommends cloud deployment
According to a survey by market researcher Vanson Bourne, companies using cloud deployments see an 18% increase in efficiency and a reduction in IT costs of above 30% on average. There are plenty of other advantages to using a cloud deployment. Here are just 4 of the top reasons we recommend it:
1. Faster deployment
An on-premise deployment needs specialized IT infrastructure such as servers, operating systems, and data storage facilities, to name just a few. In addition, you may also have to train or hire additional software personnel to manage all this hardware. Since a cloud-based deployment does not require hardware installation of any kind, we can deploy our application much faster. With the time-sensitive nature of credit monitoring, this could be the difference between catching a default-indicating red flag or missing it completely.
2. Easier scalability
As your investment capabilities scale up, so should your credit monitoring prowess. Upscaling one but not the other would be like trying to power a space rocket with a set of AA batteries. It wouldn’t go very far at all! With an on-premise installation, the scaling-up process is harder as it may require you to add even more infrastructure. What’s more, your hardware may become incompatible for any future customizations you desire or any software updates from our side too. On the other hand, with a cloud deployment, we can upgrade your credit-monitoring capabilities in a flash without it affecting your business process in any way.
3. Credit monitoring mobility
With a cloud deployment, you don’t need to be tied to your desk to monitor your borrowing entities. Since our application is hosted in the cloud, you can access it from anywhere, no matter if you are in Texas or Timbuktu, at 1 AM in the morning or 2 PM in the afternoon. The cloud environment also gives us access to multiple servers. This way, if Murphy’s Law (anything that can go wrong will go wrong) should go into action, we can recover faster!
4. Better security and compliance
Cloud security, with its multi-layered approach to data protection, goes above and beyond the traditional, single-locked-door approach to on-site security. Apart from the sophisticated physical barriers to entry at their data centers (barbed-wired perimeters, concrete barriers, vanguard temperature, and fire gauging systems), cloud providers also have up-to-date online barriers that can stand up to newer and more sophisticated phishing maneuvers.
Conversely, on-premise security systems are harder to update. Therefore, having your mission-critical data physically in your office space makes it susceptible to burglars, acts of nature, and hackers with sophisticated software that can easily overpower an outdated security system.
Furthermore, cloud providers are answerable to several regulatory agencies and need a whole host of certifications to stay in business. These include PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171 certifications. So, using their services makes it easier for you to meet your compliance requirements too.
5 ways that TRaiCE ensures cloud security
For the TRaiCE team, securing our customer’s financial information is as important as developing our product itself. We take data security very seriously. To that effect, we have developed a ‘zero trust’ security environment that asks tough questions of anyone trying to use the system, be it internal employees or external clients. Our default cloud deployment option is the Amazon Cloud (AWS). However, we can also deploy to other cloud environments such as Google, IBM, and Microsoft, if required. Here are 5 ways we ensure tight security with cloud deployment no matter what platform we use:
1. Infrastructure security
With every TRaiCE implementation, we first create and establish a private environment within the cloud infrastructure called a Virtual Private Cloud (VPC). We deploy the TRaiCE application only within this private space. This way, the application can stay isolated and protected from other cloud users. In addition, network and instance firewalls furnished by our cloud providers protect all communication with the TRaiCE servers. Importantly, communication with the application is possible only through a designated portal (in techy terms, this is called a bastion host or jump server).
Any person or device wanting to communicate with this portal can only do so through a private network called a virtual private network or VPN. The VPN must in turn be whitelisted (the IP address has been pre-registered with us and is on an approved list of server visitors). Furthermore, only those who can pass the multi-factor authentication test (give two or more ‘proofs’ of who you are) get access to this private network.
Think of it as a private island with two sets of fortified, electric fences around it. Its only channel of communication with the mainland is through a covered, private tunnel that, in turn, can only be accessed through a tiny door, and that too only by pre-registered users who must first go through multiple ID checks! In this way, we ensure that the TRaiCE application stays separate from the public cloud space and that only authorized personnel has access to it.
2. Data encryption at rest
As you can see above, we’ve placed an impregnable fortress around the TRaiCE servers. This is over and above the security furnished to us by our cloud providers. But just in case, someone unauthorized gets through, we have another layer of security in place to ensure no harm is done. All data stored within the private TRaiCE servers is scrambled or encrypted. This goes for any system data on underlying storage devices too. So, even if hackers somehow get a hold of this information, its scrambled and gibberish nature will ensure that it is utterly useless to them.
3. Data encryption in transit
You’ve probably seen several heist movies where the robbers target the loot when it is in transit. That’s because there’s less security for them to deal with on the road. Data is the same way. It is vulnerable in transit. Hackers are waiting in the wings, trying to insert themselves into a data transfer and intercept valuable information. We ensure this does not happen with TRaiCE in two ways.
First, we encrypt all communication and data transfers that happen to and from the TRaiCE servers with SSL/TLS certificate-based encryption. Second. all data files sent to a TRaiCE server are transferred through an SSH authenticated, secure, encrypted, and a private channel called an SFTP (Secure File Transfer Protocol). With this, encryption algorithms keep the client’s files unreadable throughout the transfer process so even if highway robbery happens, it causes no data breach.
4. Database encryption
Of course, all the precautions we take would amount to nothing if we stored sensitive data as plain text within our database. To avoid this, we first identify and then encrypt all sensitive information we receive from our clients with industry-standard encryption algorithms before saving it in the database. This ensures that even in the event of a database breach, the stolen data is unreadable, and therefore, useless to anyone getting their hands on it.
In addition, we store all encryption keys securely using the AWS Key Management System. The system uses a master key to generate the encryption keys, which in turn can only be accessed using AWS APIs. Importantly, AWS stores this master key internally and it never leaves its repository unencrypted. It’s like hiding the code that unlocks a puzzle in another code, all of which makes it that much harder to decipher.
5. Strict access control policies
At TRaiCE we follow the security principle of ‘least privilege’, where we give an employee only the minimum level of access needed to get his or her job done and nothing more. Like in the military, everyone is on a need-to-know basis here. This prevents any unnecessary exposure to sensitive data. In addition, we have set strict password policies and multi-factor authentications in place that ensure fool-proof identity verification. All these security benchmarks are also extended to any contractors or third-party vendors that may need to work with our system, so there are no security loopholes in the system.
Conclusion – A layered approach to security
As a side note, while we do recommend a cloud deployment, we are ready to do an on-premise deployment if our customer insists on it. Here, we will work closely with the client’s infrastructure team to ensure that our application remains secure and compliant using many of the above-mentioned security tactics. Either way, data security remains a priority with us. TRaiCE’s security measures can best be described as layered. This multi-faceted approach allows us to cover most, if not all, the security bases. We are a company that prides itself on achieving ISO-27001-level security standards with every TRaiCE cloud deployment. We worry about security so you don’t have to.
