Skills for faster innovation in financial services

Banks and insurance companies are going through a lot of changes. Read on to see my thinking on how to facilitate that change if you are working in financial services.

Pathways to innovation

There are two major pathways to innovation in financial services, and they are not exclusive. 

One is by employing cloud infrastructure (either public or private), so that the speed of software development can increase. The other is by using, incorporating, integrating, or even buying FinTech companies. More often than not, these FinTech companies have all the characteristics of SaaS providers.

Both pathways involve external IT providers. And as the financial services sector is heavily regulated, proper risk management is not optional but mandatory. This impacts both of these innovation pathways. Governance and risk assessment are therefore on the critical path of innovation. By the way, banks cannot avoid taking risks.

Research tells us that the average company has hundreds, if not thousands, of cloud applications. Let’s have a look at how that impacts the risk assessment volume.

Suppose, just for the sake of argument, that there are 730 cloud applications in the company. Imagine that you have to review each of these every 2 years. That means that you have to review one cloud application every single calendar day of the year. And what is more, you want a lot of people to review each of them: legal, procurement, IT, audit, compliance, and so on. That is significant work.

How are you going to do that? And do all cloud contracts need the same level of scrutiny? And who is going to decide on that?

You need to develop a process

You need an effective and efficient process to review cloud usage. But there is no single process that works for all projects across all companies. One project works on sensitive data. Another project does not. One project understands security very well. Another less so. One organisation has a culture of central policies, another does not. All of this affects how the adoption process is best done.

I believe that any process improvement needs to be driven by the people who are running that process. They probably need some assistance, and they definitely need an understanding of what is changing.

Team skills

When it comes to cloud adoption, I find that there are a number of specific skills that are required of almost every person in the cloud adoption and evaluation process. These include: figuring out what exactly the (cloud) service is, how it depends on other services, who is responsible for which part of which service, articulating cloud business cases, and a few more things.

When a team has these skills, they will be in a much better position to understand what the contribution of each team member is. And that will lead to swifter and more efficient secure cloud adoption. In the end, that drives innovation.

P.s. do you agree or disagree with my analysis? And then you may be thinking: so what? In any case, I have a draft of an e-book on that, and would love to hear your thoughts about it. Drop me a line.

Banks love to take risks, or not?

The common opinion seems to be that banks are largely occupied with avoiding risks. That may be true to some extent. In reality, banks (as well as insurance companies) are actually in the business of taking risks. And scary risks as well, for that matter.

Think about it. You hand a person a sum of money equivalent to two or more years of his or her salary. And then you hope to be paid back 20 or 30 years into the future. All of that for a few percent of ROI. Sounds scary to me, but that is exactly what the mortgage business is about.

And that is just one example.

How to manage?

How does a bank manage to take these risks?

If you dive deeper into the operation of a financial services company you see a great divide. On the one hand there are business units who are pressed to find new opportunities for making money, and are potentially willing to take huge risks for that. On the other hand, there is the bank’s risk management, which tries to control that risk. They listen to this saying from the aviation industry: “There are old pilots and bold pilots, but no old, bold pilots.”

This tension between risk and reward is good and without the two of them the company would not survive very long.

But problems crop up if one of them gets the upper hand. As an example, one former bank compliance officer I interviewed recently told me their bank had no less than three risk committees, and they often opposed each other’s findings.

In that climate, little innovation is possible. In the long run, that is not going to be healthy for the company.

A lot of financial services companies are stuck in their acceptance of cloud computing. Plenty of initiatives float around on the one hand; few get accepted on the other hand.

Root cause

Companies differ in how this stagnation comes about, but I see a common root cause.

Often there is a lack of a common understanding of what cloud computing is about, and what its most relevant risks are. As a result, innovation and growth opportunities are limited by the absence of a true understanding of cloud risk management.

Financial services companies that do not resolve this conflict will never get their move to the cloud off the ground.

I am writing an ebook on the drivers and barriers to cloud adoption in the financial industry. If you work in the industry, and want to compare notes on specific points, drop me a line. I’d love to talk.

Cloud computing is the new IT supply chain and is going to change your job

You may have come across the idea that cloud computing is just another hype, and that it will be over in a few years.

Sure, there have been trends in IT that didn’t last forever, such as expert systems or Gopher.

It is here to stay

But cloud computing is a manifestation of a deeper trend in the management of information technology. True, there is more to this trend than just cloud computing, but it is here to stay, as parallels in other industries show.

To understand the future, you must understand the past. I wrote my first computer program in 1973 on punched cards. A lot has changed in how people manage computers since then. That, and how other maturing industries such as automobile manufacturing have evolved, shows us what the future might look like.

Watch the full story on YouTube:

How my site got hacked, and how you can learn from that

Detection

I should have acted on the first signals more aggressively. But let’s talk about that later.

Here is the story of my site being infected with malware, as viewed by a professional cloud security expert. So I am going to apply all that cloud security theory to it.

The hack led to business damage at the end of one of my webinars. A couple of weeks ago, on a Friday, I did a webinar, at the end of which I had two links to my site as a call to action, www.clubcloudcomputing.com to be precise, and www.clubcloudcomputing.com/cloud-risk-scan/.

However, three participants reported in the chat that they could not access those links because their corporate firewalls blocked them. Three different security programs (Microsoft, McAfee and Kaspersky) rated the site as unsafe for various reasons, ranging from detected Trojans to warnings such as “Malicious software threat: This site contains links to viruses or other software programs that can reveal personal information stored or typed on your computer to malicious persons”.

So, instead of continuing the conversation of how I could be of help to these people, and talk about my next program, I stalled. Nobody bought my program. Business lost. And my time suddenly had to be diverted to fixing this. Another loss. This is all real damage. The only upside is that I can write this article about it.

That was the detection phase. And as I said, I could have found it earlier.

Analysis and eradication

Now for the analysis and eradication phase. What the heck was going on? I had very little luck in getting the security programs to tell me what was wrong with the site. www.virustotal.com reported 1 hit by Yandex, though the diagnostics on their webmaster pages were vague. McAfee and Kaspersky don’t seem to have any service that is helpful with this.

In the meantime, 3 more reports came in on the site, adding TrendMicro to the list of blockers.

It took my site manager until Tuesday to fix it. Very disappointing. He also was not very communicative about the real underlying problem, other than that it was caused by a WordPress plugin that had not been updated. He did manage to restore the site and clean it. I think.

After I discovered the problem, I independently got a report from an SEO expert, who noticed funny code in the pages, and weird statistics in the analytics. He told me that the malware was in fact a 5 year old Mozilla exploit, which is number 17974 on exploit-db (I removed the link, because it gives my site a bad reputation).

It appeared to be an automated infection targeted at Mozilla users who had not updated their browsers. My site does not store any customer data, all form submissions go to a separate autoresponder and shopping cart service. So no data was lost or breached.

Recovery

Now for the recovery phase. Malware gone does not equal business problem gone. Even as the malware is erased, my site’s reputation is still suffering.

Getting off the blacklists is a hard process; they seem to parrot and echo each other. A week after the alleged site fix, I managed to get it off one or two engines. But it is still listed at Yandex, Clean MX, SCUMWARE and CRDF, none of which appear to have an expedient process for getting off their blacklist. http://www.urlvoid.com/scan/clubcloudcomputing.com/ actually increased the number of blacklisting sites in the past days and added Fortinet’s FortiGuard.

One of the engines rates my site badly because it links to a bad site, namely itself. How Catch 22 can you become?

Sounds like a bad vigilante movie, where the main characters don’t care too much about the collateral damage they inflict. Listing malware sites is easy enough, delisting apparently is harder.

So this reputation might haunt me for who knows how long. Maybe the domain will never really recover.

On the positive side, some corporate firewalls now seem to allow my site again (but please help me confirm that). But be aware that most corporate firewalls are extremely paranoid, as they probably should be. Just having a simple link in my email message pointing to my homepage will get that message marked as [SUSPICIOUS MESSAGE] by one of the big four advisory firms.

Preparation

Finally, back to preparation. What could we have done to prevent this, or at least reduce the impact of the problem?

I have a backup running of this website. It is a WordPress plugin that dumps the entire site’s content into a DropBox folder which is synced to my PC. Weeks before the webinar, I had installed F-Secure on the PC, and it flagged one of the files in the DropBox folder. I reported this to my website manager, but I knew that it was in a part of the website that was not in use, nor accessible to the users of the website. That led me to believe it was a false positive, but I should have known better.

In the end, having the site itself generate a backup is not sufficient. The advantage is that the backup should be easy to restore, but malware might take the backup software or its configuration as a first target. In fact, I suspect that in my case the malware created a few hundred thousand files, which clogged my DropBox synchronization. However, I could not finish the forensics on that.

The site manager restored the site from a file system backup. I do not have access to that.

Externally spidering the website, and versioning it may be better. At any rate, this is a case for generating fully static websites.

So, obviously the best direct preparation is regularly updating software, and removing software you don’t need. Case in point: the malware was inserted into a piece of forum software that we never got to work properly. In the end we abandoned it in favor of a managed cloud solution (an e-learning platform).

Cloud security reference model

The cloud security reference model asks us to identify who is responsible for what piece of the software stack. I don’t think there is much confusion about who was supposed to keep the site’s software up to date. My site manager never denied that he was. But he did not put in any warning system, and ignored my F-Secure warning.

He also did not yet provide adequate forensics to me after the fact. Maybe a regular customer won’t need those details, I can see that. But I have professional interests beyond that, as this article proves.

Of course, my site manager is not the only one responsible for the software. He did not write it. The site’s software and plugins are either commercial or open source. Both have their own update policies or lack thereof. Both can be abandoned by their developers. But somebody needs to track that too.

Managing one custom WordPress website at a time is not likely to be a very viable business model in the long run. If your website is not very complicated functionally, you might consider static hosting, or move it to a cloud based website builder like squarespace.com or wix.com. You would still have to check their competence, but with thousands or hundreds of thousands of websites at stake, these companies are more likely to have the motivation and the resources to properly manage these risks.

As a business owner I am ultimately accountable for all IT risks that affect my business. Remember, any provider, including a managed hosting provider, can fail. You need a plan B. I do have some backup of the most important documents on my site. I wrote them. But in the end, the most irrecoverable asset lost here might be the domain name. As a precaution against that, I could have considered hosting the most important pages on another domain as well. In fact, I might have to do that, if this domain isn’t delisted quickly enough. It is a telling and disturbing sign that registrations for my newsletters these days mostly come from public email providers, not companies.

Wrapping up

I am disclosing my misfortune so that it may be of help to people. Whether you work in a large corporation or a small one, are on the consumer or on the provider side, you can use this case to improve your own management of IT risk.

What are the biggest lessons you should take?

Reputation damage that finds its way into the firewalls and proxies of customer companies leads to real and lasting business damage.

Exit and recovery plans can be considered on multiple levels. Sure, the basic backups matter, but at all times consider your business continuity from the top down, starting at your domain name.

I have multiple training programs developed, or in progress, to help improve IT risk management. Stay tuned.

So, in case you want to sign up to my newsletters, and cannot access www.clubcloudcomputing.com for whatever reason (LOL), hop over to www.ccsk.eu. That page is focused on the CCSK certification, but you will be updated on cloud risk in general. And if you have problems accessing www.clubcloudcomputing.com, please tell me which service is blocking it, when, and with what message.

Agile development requires modern digital infrastructures

Agile development is all the fashion nowadays. Why is that and what kind of digital infrastructures does that require?

Back in the old days, business software was primarily written to automate existing business processes. Those processes might change somewhat as a result, but at their core the processes were no different. Think accounting systems, scheduling, “customer relationship management” and so on.

Today we see that software not only automates these business processes, but becomes part of the product, or even becomes the product itself. And on top of that, this software is often an online service. Think of the smart room thermostat. Or financial services, where software increasingly is the main part of the product: think online banking. And in social media from Facebook to Tinder, software really is the product.

The dance

Every product changes the world that uses it. Think how cars have changed the way people commute, or even choose where they live. Software is no different. But a changing world also changes the products we can use or want to use. There is a kind of dance between supply and demand. Do we have breakfast outside our house more often because there are more opportunities for this, or does the supply of breakfast places increase as a result of us going out more? Just as in a dance, it is not always easy to tell who is leading whom.

Because software now has become the product it will also participate in the dance, and then it becomes more important to quickly adapt to the dance partner. As a developer, you change the world that uses your software in ways you cannot always predict, so in reaction you have to adapt to that world.

The faster the better.

This explains the need for agile development. Between idea and realization (time to market) there should not be two years, but only two weeks, and preferably less.

What kind of digital infrastructures does that require?

The prime objective of digital infrastructures is to enable the deployment of application functionality. The quality of digital infrastructures used to be measured in the number of users it could support well. For example, we used to talk about a system supporting 10,000 concurrent users with less than 4 seconds response time.

But agile development comes with a new goal: ‘feature velocity’. That is the speed with which new features can be deployed. The time between inception of a feature and its deployment to a large user base has to be shorter than the time it takes for the environment to change. In a dance you want to anticipate your partner, not stand on her toes.

Your digital infrastructure should not be a bottleneck. This requires features such as automated testing, quick scaling up and down of resources, and as little manual intervention as possible. This is the only way to shorten the lead time for a change.

Cloud computing

In summary: agile development requires cloud computing. Remember: the essential characteristics of cloud computing include fast, elastic and self-service provisioning of resources. That is what is required for agile development.

And then the dance continues. Because if we can do that, we can do other new things. Like better security. If you can respond quicker to new functional requirements, you can also respond quicker to security issues.

If you want more cloud security look here.

A Dutch version of this article appeared earlier in: Tijdschrift IT Management, een uitgave van ICT Media.

Cloud migration strategies and their impact on security and governance

Public cloud migrations come in different shapes and sizes, but I see three major approaches. Each of these has very different technical and governance implications.

Three approaches

Companies dying to get rid of their data centers often get started on a ‘lift and shift’ approach, where applications are moved from existing servers to equivalent servers in the cloud. The cloud service model consumed here is mainly IaaS (infrastructure as a service). Not much is outsourced to cloud providers here. Contrast that with SaaS.

The other side of the spectrum is adopting SaaS solutions. More often than not, these trickle in from the business side, not from IT. These could range from small meeting planners to full blown sales support systems.

More recently, developers have started to embrace cloud native architectures. Ultimately, both the target environment as well as the development environment can be cloud based. The cloud service model consumed here is typically PaaS.

I am not here to advocate the benefits of one over the other; I think there can be a business case for each of these.

The categories also have some overlap. Lift and shift can require some refactoring of code, to have it better fit cloud native deployments. And hardly any SaaS application is stand alone, so some (cloud native) integration with other software is often required.

Profound differences

The big point I want to make here is that there are profound differences in the issues that each of these categories faces, and the hard decisions that have to be made. Most of these decisions are about governance and risk management.

With lift and shift, the application functionality is pretty clear, but bringing that out to the cloud introduces data risks and technical risks. Data controls may be insufficient, and the application’s architecture may not be a good match for cloud, leading to poor performance and high cost.

One group of SaaS applications stems from ‘shadow IT’. The people that adopt them typically pay little attention to existing risk management policies. These can also add useless complexity to the application landscape. The governance challenges for these are obvious: consolidate and make them more compliant with company policies.

Another group of SaaS applications is the reincarnation of the ‘enterprise software package’. Think ERP, CRM or HR applications. These are typically run as a corporate project, with all its change management issues, except that you don’t have to run it yourself.

The positive side of SaaS solutions, in general, is that they are likely to be cloud native, which could greatly reduce their risk profile. Of course, this has to be validated, and a minimum risk control is to have a good exit strategy.

Finally, cloud native development is the most exciting, rewarding and risky approach. This is because it explores and creates new possibilities that can truly transform an organization.

One of the most obvious balances to strike here is between speed of innovation and independence of platform providers. The more you are willing to commit yourself to an innovative platform, the faster you may be able to move. The two big examples I see of that are big data and internet of things. The major cloud providers have very interesting offerings there, but moving a fully developed application from one provider to another is going to be a really painful proposition. And of course, the next important thing is for developers to truly understand the risks and benefits of cloud native development.

Again, big governance and risk management issues to address.

Next

Need to know more about the details of the service models and their impact on risk management and governance? You may find my training on cloud security very relevant for that. Click here for online training or classroom.

How the NSA hacks you, and what cloud can do about it

At the recent Usenix Enigma 2016 conference, NSA TAO chief Rob Joyce explained how his team works. By the way, TAO means Tailored Access Operations, which is a euphemism for hacking. See the full presentation here. Rob explains their methods, but between the lines he implies that other nation states are doing the same, so in a way he is here to help us. For that reason he also explains what makes their work hard.

After Snowden I should not need to explain the extent of what is going on here.

In summary, the NSA’s method of operation is: “reconnaissance, initial exploitation, establish persistence, move laterally, collect and exfiltrate”.

In this article I won’t go in more detail on each of these. But here are a couple of rephrased quotes for illustration.

  • Reconnaissance: “We aim to know your network (i.e. infrastructure) better than you do”
  • Initial exploitation: “Zero day exploits are hardly ever necessary”
  • Lateral moves: “Nothing frustrates us more than being inside, and not able to move”

What is the implication of this for cloud security? Of course, if you replicate your legacy infrastructure into a cloud provider, it is not going to be more secure. So you need to do more.

Cloud to the rescue?

Can the cloud model actually help with security? I think it can, and here are a few examples. They hinge on the cloud essential characteristics of self-service provisioning and rapid elasticity, which enable security automation.

Know your network. A good IaaS provider allows you to fully and automatically take stock of what you have provisioned. A very small proof of concept is on my GitHub project ‘state of cloud’, which just lists all running EC2 instances in your AWS account across all regions. You can then do all kinds of reporting and analysis on your infrastructure, and in particular check for weaknesses like rogue machines and open ports.

Code exploits. Why should you use zero day exploits, if organizations are months or even years behind on patching? Why are they behind? Because it is labor intensive. So automate it. Whenever an instance boots up, it should be patched automatically and then tested. All without manual intervention. This requires cloud automation.

Lateral moves. A typical organization has a hard shell and a soft inside, so to speak. Once past the firewall, the attacker is like the fox in the henhouse. To counter this you need hyper segregation, in particular of security groups and user credentials. You can have a security group per machine, and individual credentials per task. Only cloud automation enables you to do this at scale.
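As an added example (not the author’s ‘state of cloud’ project or any AWS tooling), here is the inventory step from “Know your network” combined with two checks from the two points above: ingress rules open to the whole internet, and security groups shared by several machines, which breaks the one-group-per-machine idea. The live collection step assumes boto3 is installed and AWS credentials are configured; the analysis works on plain dicts so it can be run offline against the constructed sample included below.

```python
"""Inventory running EC2 instances across all regions and flag two weaknesses:
world-open ingress rules and security groups shared by several instances.
Added example; the dict shapes follow boto3's describe_instances and
describe_security_groups responses (assumed, see comments)."""
from collections import defaultdict

WORLD = ("0.0.0.0/0", "::/0")  # CIDRs meaning "anyone on the internet"


def collect_live_inventory():
    """Collect running instances and security groups from every region.

    Requires boto3 and AWS credentials (assumed). Returns a list of
    (region, instances, security_groups) tuples shaped like SAMPLE below.
    """
    import boto3  # imported here so the offline analysis needs no AWS SDK

    ec2 = boto3.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    inventory = []
    for region in regions:
        client = boto3.client("ec2", region_name=region)
        instances = []
        for page in client.get_paginator("describe_instances").paginate(
            Filters=[{"Name": "instance-state-name", "Values": ["running"]}]
        ):
            for reservation in page["Reservations"]:
                instances.extend(reservation["Instances"])
        groups = client.describe_security_groups()["SecurityGroups"]
        inventory.append((region, instances, groups))
    return inventory


def world_open_ports(group):
    """Return the set of ports (or 'all') a security group opens to the world."""
    open_ports = set()
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(c in WORLD for c in cidrs):
            continue
        if perm.get("IpProtocol") == "-1":  # "-1" means every protocol and port
            open_ports.add("all")
        else:
            open_ports.update(range(perm["FromPort"], perm["ToPort"] + 1))
    return open_ports


def analyse(inventory):
    """One finding per instance: world-exposed ports and groups shared with others."""
    findings = []
    for region, instances, groups in inventory:
        by_id = {g["GroupId"]: g for g in groups}
        members = defaultdict(set)  # group id -> instances attached to it
        for inst in instances:
            for g in inst.get("SecurityGroups", []):
                members[g["GroupId"]].add(inst["InstanceId"])
        for inst in instances:
            exposed, shared = set(), []
            for g in inst.get("SecurityGroups", []):
                gid = g["GroupId"]
                if gid in by_id:
                    exposed |= world_open_ports(by_id[gid])
                if len(members[gid]) > 1:  # not one security group per machine
                    shared.append(gid)
            findings.append({"region": region, "instance": inst["InstanceId"],
                             "exposed": exposed, "shared_groups": sorted(shared)})
    return findings


def report(findings):
    """Render findings as plain text lines for a quick review."""
    lines = []
    for f in findings:
        flags = []
        if f["exposed"]:
            flags.append("world-open: " + ",".join(str(p) for p in sorted(f["exposed"], key=str)))
        if f["shared_groups"]:
            flags.append("shared SG: " + ",".join(f["shared_groups"]))
        lines.append(f"{f['region']} {f['instance']}: " + ("; ".join(flags) or "ok"))
    return lines


# Constructed sample in the shape of the boto3 responses; not a real account.
SAMPLE = [("eu-west-1",
           [{"InstanceId": "i-web01", "SecurityGroups": [{"GroupId": "sg-web"}]},
            {"InstanceId": "i-app01", "SecurityGroups": [{"GroupId": "sg-shared"}]},
            {"InstanceId": "i-app02", "SecurityGroups": [{"GroupId": "sg-shared"}]}],
           [{"GroupId": "sg-web", "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
            {"GroupId": "sg-shared", "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}])]

if __name__ == "__main__":
    print("\n".join(report(analyse(SAMPLE))))  # swap in collect_live_inventory() for a real account
```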

Summary

Hacking is an arms race. Automate and scale up your response or lose. Cloud computing might help.

Want to know more about cloud security? See the course calendar.

Assuring your customer of your service quality

Do you deliver your software product as a service? Or do you offer another IT service online? Then you probably have found that your customers really need assurance that your service is good enough for their purposes. It has to be usable of course, but it also has to fit in their risk appetite and compliance obligations.

During the service, or even in the process of procurement, your customer needs assurance. If not, they won’t remain your customer for very long.

Here is a sketch of a process that helps you demonstrate your quality to your customers.

Step 1. Figure out how the customer typically does assurance. Ask them. What are they scared of? Are they looking for specific certifications, audit reports or such? Think ISO27001, Cloud Controls Matrix, or staff certifications. You also want to figure out through what process they do this, if they have a process. Who is involved on the customer side? The IT security department? Internal audit? Corporate Risk Management? Your objective is to make their work in assessing your service as simple as possible. For example, a lot of companies are using the CAIQ format from the Cloud Security Alliance.

Step 2. What proof of your quality do you already have? There is knowledge about your service, processes and assets, but also skills in handling these. How can you show that? You should also be honest about your attitude in service delivery. Is your company doing stuff because it is “the right thing” or because you are forced to do it? In particular you are looking for the things that you do well in a repeatable, documented way.

Step 3. Gap analysis. Based on the output of step 1 and 2 you can get going on a gap analysis.

  • What are your big security holes? For example: do you allow your customers to rotate all login and API keys?
  • What are the evidence holes? For example: is there logging missing, or not exposed well enough to the customer?
  • What process holes are there in your system? For example: you may not have a repeatable process for tracking new security bugs or new compliance obligations.

Step 4. Talk to your customer. The ideal situation is where you can bring the results of the previous steps back to your customers and have an open dialogue about their requirements, desires and priorities. You want to figure out what the value is that the service is bringing them that offsets any residual risk that your service still poses to them.

Step 5. Improve, rinse and repeat. Feed the output of the previous step into your software development, your system and support organization, legal and sales. Make sure that whatever improvement they realize, they also build in the evidence that shows how it is an improvement. Status pages, dashboards, and self assessments (e.g. published under non-disclosure agreements) are good examples of that.

It does not stop here. Ideally you are in constant conversation with your customers about their new opportunities and new risks. As your service becomes more important to your customers, their risk appetite will change. You will need to address that.

If you want to know more about this, download the cloud security 101 one-pager, and drop me a line with your specific question.

How the internet is changing our thinking

The internet changes the way we think, Nicholas Carr writes in “The Shallows”.

Simple examples can be found in what we decide to look up instead of memorize, such as phone numbers. At the same time it still makes sense to study and memorize traffic signs and history.

But old truths don’t all hold anymore.

The internet changes our decisions on what to share with whom and what to keep secret. A lot of people are comfortable sharing most of their feelings with the world, but it may be wise to be a bit more restrictive about sharing teenage party pictures, when you leave your house for a holiday, or your mother’s maiden name.

Not all old truths still hold.

Cloud computing changes the way we run professional IT. It changes our decisions on what we do ourselves and what we let others do for us.

Who owns the servers, who keeps the software safe? We can’t afford to run all of our interesting IT ourselves, but we don’t want to hand over everything. There are still things that we can do better than anybody else. So: less server hugging, and more useful applications that help our organizations stand out.

Old truths may need updating.

Want to know more? Have a look at my calendar for a free webinar where I will talk about this in more detail.

Cloud Security 101

Cloud Security 101 is a one page overview of the basic things you need to know about cloud security.

Register to receive the full page. It has clickable links into additional resources.
