Securing the World’s Wealth: Cloud Data Security for Financial Services WHITE PAPER
Post on 30-Jul-2020

Page 1: Securing the World’s Wealth: Cloud Data Security for ...docs.media.bitpipe.com/io_12x/.../Bitglass_Securing... · the catch: encrypted data in the cloud can’t be searched, which

White Paper | Securing the World’s Wealth

Once upon a time, the world’s wealthiest banks stored their treasures in deep underground vaults protected by complex passageways, magic spells, and a dragon or two.

Or was that Gringotts Bank, in the Harry Potter movies?

In the present reality, banking CIOs often wish it were that simple. As security breaches grow in number and size around the globe, the financial industry faces an urgent question:

How to secure the world’s wealth in an age when hacker thieves can download millions of credit and debit card numbers, and PINs in just a few minutes?

Cloud applications, such as automated customer relationship management (CRM) tools, complicate these security challenges. But we’re not likely going back to the days of well-dressed goblins—or even long teller lines. The ability to offload non-core business functions to an online third party who can manage them in a more scalable, cost effective way has become a key component of any competitive strategy. Banks are joining the move to the cloud because of those benefits—and because of increasing demand from employees and customers.

The threats to data security, however, become clearer every day. While SaaS providers such as Salesforce.com take great pains to secure their infrastructure against attacks, the fact remains that much of the world’s financial data currently sits naked on third-party servers. Should that infrastructure be compromised, the result could be catastrophic.

Is there a viable way of securing financial information with so much critical data lying around in the public cloud? Fortunately, the answer is yes.

© 2014 BITGLASS, INC.


The Middle Way: Public Cloud Flexibility + Private Cloud Security

Comprehensive data security starts with combining public cloud applications such as Salesforce and Box with on-premises data storage that you control and own. This mandate becomes even more important when you take into account regulations governing the storage of sensitive information, and country-by-country data residency requirements for personally identifiable information (PII).

Today, an emerging set of products known as Cloud Access Security Brokers (CASBs) allows you to deploy a security platform within your own network infrastructure, putting you in complete control of both your data and its security, even as you move to the cloud. This platform acts as a proxy between users and cloud apps, encrypting data at rest and ensuring that only authorized users can access the data they need to do their jobs. A CASB logs, monitors, and facilitates everything that happens within the SaaS application, while remaining completely invisible to users.

When choosing a CASB solution, keep these five points in mind. You want the end result to be a data security system as tight as any underground vault—real or imagined.

1. Data Encryption with Keys that Only You Control

If an intruder does happen to access your data in the cloud, you want to make sure he has no way of exploiting that data—and that’s where data encryption comes in. But here’s the catch: encrypted data in the cloud can’t be searched, which renders most applications unusable.

First-generation cloud encryption gateways tried to solve this problem by encrypting data on the fly, using a form of cyclic cipher. Such systems limit the ways each piece of data can be encrypted, which makes it possible to search “encrypted” databases. But it also makes it quite easy to decipher the encryption using relatively unsophisticated techniques, such as chosen plaintext attacks.

SKIP THE FANTASY ENCRYPTION—USE TRUE 256-BIT AES

We recommend using well-known and vetted encryption algorithms, such as 256-bit AES. Avoid the AES-256 compromise that some commercially available cloud encryption products offer: They limit the number of initialization vectors to facilitate search and sort functions, but the work-around makes it impossible to achieve true semantic security. AES has 256-bit encryption strength only when you use 256-bit initialization vectors.
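To make the caveat above concrete, here is an added example (not from the paper and not Bitglass code) that contrasts the fixed-IV "searchable" compromise with properly randomized encryption. Because the Python standard library ships no AES, it uses an HMAC-SHA256 counter-mode keystream as a stand-in cipher and a 128-bit nonce (both assumptions); the property it demonstrates is the same one the paper describes: once every record shares one initialization vector, equal plaintexts produce equal ciphertexts, so anyone holding the ciphertexts can tell which stored records match a value they know.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # 128-bit nonce (assumption); it plays the role of the paper's initialization vector


def _keystream(key, nonce, length):
    # Counter-mode keystream from a PRF. HMAC-SHA256 stands in for AES because the
    # standard library has no AES; block i = PRF(key, nonce || i).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key, plaintext, nonce=None):
    """Randomized encryption: a fresh random nonce per record, stored in front of the ciphertext."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def encrypt_searchable(key, plaintext):
    """The compromise the paper warns about: one fixed nonce for every record, so equal
    plaintexts give equal ciphertexts and the cloud app can still match and sort them."""
    return encrypt(key, plaintext, bytes(NONCE_LEN))


def decrypt(key, ciphertext):
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def equality_leaks(encrypt_fn, key, trials=8):
    """True if repeated encryption of one value yields identical ciphertexts, i.e. if a party
    holding only ciphertexts can tell which stored records equal a value it knows."""
    sample = b"4111 1111 1111 1111"  # constructed test value, not a real card number
    first = encrypt_fn(key, sample)
    return all(encrypt_fn(key, sample) == first for _ in range(trials - 1))


def demo():
    key = secrets.token_bytes(32)  # 256-bit key held by the proxy owner, never by the SaaS vendor
    msg = b"customer income statement"
    return {
        "searchable_leaks_equality": equality_leaks(encrypt_searchable, key),
        "randomized_leaks_equality": equality_leaks(encrypt, key),
        "roundtrip_ok": decrypt(key, encrypt(key, msg)) == msg,
    }


if __name__ == "__main__":
    print(demo())
```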


Always seek out technologies that offer the best of both worlds: dynamic data decryption that merges the real data into the application as it’s being used, and super-strong 256-bit encryption. Authorized users can then view and modify data as needed, but cloud application vendors and intruders have no visibility into the data.

When choosing an encryption proxy, don’t forget these additional considerations:

Data encryption keys are your maps to everything. Keep them under your control.

Encryption is only as strong as the security of your encryption keys. Nobody outside your organization should have the ability to view, rotate, or delete them. That way, you retain complete control over if and when the data-at-rest in your cloud apps is divulged to third parties—including any evil wizards disguised as government entities.

Your cloud data will morph, and that’s a good thing. Insist on flexibility.

To preserve application functionality, such as search and sort, the best CASBs make it easy to encrypt the data that needs to be kept secure, while leaving other fields unencrypted. Ideally, you should have a quick and easy mechanism for selecting whether to encrypt data in specific fields, or not. That way, you can quickly adapt to any changes to regulatory or security policies, or to the type of data you’re storing.

2. Data That Simply Refuses to Leak

While it’s relatively straightforward to construct dynamic decryption schemes for the structured data in apps, such as Salesforce, what do you do about next quarter’s financial projections or all those customer income statements? Unstructured data in file-sharing apps, such as Box, Google Apps, or Office 365, requires a combination of encryption and data leakage prevention strategies—aka even stronger magic.

Spend some time thinking about the kinds of data you deal with, and deploy a data-centric solution that offers protection capabilities that mirror the sensitivity of your data. See credit card numbers? Redact or block the transaction. Sensitive information that must be downloaded to end user devices? Encrypt the file. Corporate information that you want to keep tabs on? Put hidden identifiers on each piece of data and every time it’s downloaded, you’ll know who accessed it, and when they did so.
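As an added example (not the paper's or Bitglass's code) of the "see credit card numbers? redact or block" rule above, the code below scans the text a proxy would see in a transaction, keeps only digit runs that pass the Luhn check-digit test so that order references and phone numbers are left alone, and masks each hit down to its last four digits; the upload/download policy, the sample text and the test card number are all constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test; weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, then digit-summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_card_numbers(text):
    """Return (redacted_text, hit_count); each Luhn-valid number is masked to its last four digits."""
    hits = 0

    def _mask(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # order reference, phone number, etc.: leave untouched
        hits += 1
        return "[CARD ****" + digits[-4:] + "]"

    return _CANDIDATE.sub(_mask, text), hits


def inspect_transaction(text, direction):
    """The paper's 'redact or block' decision (assumed policy): uploads carrying card data are
    blocked outright, downloads are allowed with the numbers redacted."""
    redacted, hits = redact_card_numbers(text)
    if hits == 0:
        return {"action": "allow", "text": text, "hits": 0}
    if direction == "upload":
        return {"action": "block", "text": None, "hits": hits}
    return {"action": "redact", "text": redacted, "hits": hits}


# Constructed sample; 4111 1111 1111 1111 is a well-known test number, not a real account.
SAMPLE = "Client paid with card 4111 1111 1111 1111; order ref 1234-5678-9012-3456, call 555-0100."
```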


3. Streamlined Identity Verification

In the most secure financial vaults, you don’t see goblins walking around with notebooks full of passwords—or even rings of keys. Today, however, many corporate information workers end up with so many passwords that they can’t keep up with them all, a situation that causes endless frustration, productivity loss, and help desk calls. Employees with many passwords are also more likely to reuse them or write them down on sticky notes, adding to the likelihood of compromised identities.

The vaults at Gringotts could be opened at the touch of a certified Gringotts goblin, sort of like today’s single sign-on (SSO) systems. Give employees just one password to remember, and you can manage every account through your corporate identity system. That way, if you decide to decertify one of your goblins, he’ll be automatically locked out of all company applications in a one-click process. No more worrying about which information employees may have squirreled away in cloud apps after they’ve left the company.

4. A Personal Crystal Ball

The Gringotts security system did not include a crystal ball with visibility into any and all bank activity—but perhaps that idea had already been overdone in fantasy literature.

For today’s banks, it’s a must. If “Hermione” logs into Office 365 from New York at 1:30, and then someone purporting also to be “Hermione” logs into your Salesforce.com account from San Francisco at 1:34, your cloud app vendors won’t know the difference. But it happens, and you need to know about it.

As a financial services institution, you may, in fact, be required to know about it. Regulatory compliance laws, such as the Dodd-Frank Act and Sarbanes-Oxley, require financial firms to maintain access to historical transaction data, audit work papers, and other information for five to seven years. Visibility into employee activity allows you to operate in compliance with those regulations and to survive audits.

Complete visibility into corporate activity across all company cloud apps may be more easily achievable than you think. When you implement a CASB, all data from your cloud apps flows through the proxy and is logged. To make sure high-risk activities don’t get lost in the noise, invest in one that offers alerts and gives you information in plain English, rather than offering an audit log of unreadable transactions.
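The "Hermione" scenario above, as an added example (not the paper's or Bitglass's code): given login events in the shape a CASB proxy could log them, it computes the great-circle distance between consecutive logins by one user and emits a plain-English alert when the implied travel speed exceeds an assumed ceiling of 1000 km/h. The events, coordinates and threshold are constructed for the example.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: faster than an airliner means one person cannot have made both logins


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel_alerts(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """events: dicts with user, app, time (datetime), city, lat, lon, as a CASB proxy could log them.
    Returns a plain-English alert for each pair of consecutive logins by one user that would
    have required travelling faster than max_kmh."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same instant, different place: impossible
            if km > 0 and speed > max_kmh:
                alerts.append(
                    f"{user} logged into {prev['app']} from {prev['city']} at {prev['time']:%H:%M} "
                    f"and into {cur['app']} from {cur['city']} at {cur['time']:%H:%M}; "
                    f"{km:.0f} km in {hours * 60:.0f} minutes is not possible, review this account."
                )
    return alerts


# Constructed sample: the paper's "Hermione" scenario plus a benign pair of logins by "ron".
T0 = datetime(2014, 6, 2, 13, 30)
NYC = {"city": "New York", "lat": 40.7128, "lon": -74.0060}
SFO = {"city": "San Francisco", "lat": 37.7749, "lon": -122.4194}
SAMPLE_EVENTS = [
    {"user": "hermione", "app": "Office 365", "time": T0, **NYC},
    {"user": "hermione", "app": "Salesforce", "time": T0 + timedelta(minutes=4), **SFO},
    {"user": "ron", "app": "Box", "time": T0, **NYC},
    {"user": "ron", "app": "Salesforce", "time": T0 + timedelta(minutes=20), "city": "Brooklyn", "lat": 40.6782, "lon": -73.9442},
]

if __name__ == "__main__":
    for line in impossible_travel_alerts(SAMPLE_EVENTS):
        print(line)
```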


5. A Highly Secure Cloud that Retains its Economic Benefits

The cloud apps promise is indeed a magical one: Let day-to-day applications “run themselves” so that your IT staff can focus more on core business issues. But if your cloud security solution brings with it a heavy administrative burden, you’ve lost those operational advantages. Luckily, well designed cloud app control solutions don’t require an army of goblins (or programmers) to deploy and operate them.

Also, remember that any security solution you put into place must be virtually invisible to end users. You don’t want employees going rogue and working around IT because security is inhibiting their workflow.

CONCLUSION: Advanced Cloud Security—No Magic Required

Securing the world’s financial systems today may seem like a task fit only for a team of magicians. Fortunately, banks today can take advantage of advanced security technologies that seem magical only because they’re so new. Cloud Access Security Brokers like Bitglass can help you safely enable cloud applications like Salesforce, without compromising security or compliance.

Choose your security vendor carefully, and make sure you don’t get locked into an untested security platform. Your team of security wizards should earn your business based on the strength of their service and the support they provide—not because you can’t access your data without them. Avoid any vendor that doesn’t make it as simple to decommission their product as it is to deploy it.

Learn more about advanced security for the financial industry at http://www.bitglass.com/industries/financial-services-cloud-mobile-security.

About Bitglass

In a world of cloud applications and mobile devices, IT must secure corporate data that resides on third-party servers and travels over third-party networks to employee-owned mobile devices. Existing security technologies are simply not suited to solving this task, since they were developed to secure the corporate network perimeter. The Bitglass Cloud Access Security Broker solution transcends the network perimeter to deliver total data protection for the enterprise—in the cloud, on mobile devices and anywhere on the Internet.

For more information, visit www.bitglass.com

Phone: (408) 337-0190 | Email: [email protected]
