"Banks should develop their private cloud and should not connect with public cloud"
Use and Implementation of Cloud in business
Banks in India have been adopting technologies, but at a considerably slow pace. Over the last few years, banks have made significant progress in technology implementation, which has resulted in the centralization of various products and services, enabling banks to provide them at any time and place through traditional as well as alternative delivery channels.
Cloud computing is a relatively new technology which leverages virtualization technology. As banks are usually averse to adopting new technology without assurance of its security, they could make a beginning by implementing their non-core applications on the cloud and subsequently move other applications as they progress along the learning curve and become comfortable with adopting cloud computing.
The following are some of the control measures which should be considered while implementing cloud computing.
• Banks should develop their private cloud and should not connect with public cloud.
• To maintain segregation of duties, administration of the cloud computing environment and of the application server should not be with the same person.
• Peak resource utilization should be managed in such a way that it minimizes the impact on other applications sharing the same physical resource.
• Resource utilization should be monitored and additional resource provisioning should be done in a timely manner to avoid any performance issues.
• Network-level segregation should be ensured between server instances belonging to different applications, and access to them should be granted on a “need to know” and “need to do” basis through an auditable process.
• Data movement controls should be in place to restrict movement of certain data to locations in a different jurisdiction, in order to adhere to regulatory guidelines, if any.
Ensuring that you secure the new wave of mobile devices to minimize threat, loss and overall risk
A new wave of mobile devices is pressuring IT departments to support them, and CISOs have the responsibility to ensure that they are secure enough to enable transactions in a safe manner. The following control measures, at a minimum, should be implemented to protect confidential information while leveraging the benefits of mobile devices.
• An appropriate level of encryption should be used to secure sensitive data being transmitted over the communication medium.
• In addition to the password/MPIN, efforts should be made to incorporate additional authentication measures depending upon the sensitivity and feasibility of such authentication.
• User devices should be operated with technologies such as sandboxing to reduce the threat of any attack.
• Role-based access controls and a restrained user interface should be provided to avoid disclosure of any unintended information.
• Users should be made aware of the security threats of using mobile devices and should be advised not to store any sensitive information on such devices.
• Users should be advised to take suitable steps against malware threats.