Time-sharing supercomputers is a nearly seventy-year-old idea, so why is cloud computing, which is arguably nothing more than renting computer time, such an important concept in today’s modern business environment?
What makes this moment different is that universal access to a feature-rich and fully commodified computing infrastructure has moved attention away from technological limitations: we can consume virtually unlimited computing power and storage from practically anywhere.
With economics at the forefront, cloud computing made a major leap forward in 2006 with the launch of Amazon Web Services (AWS), followed by other modern cloud services like Microsoft Azure and the Google and IBM clouds. These services recognized that general industry was moving away from fixed costs related to capacity demands and lengthy lead times.
Not long after, BITS worked with its members and collaborated with large and small cloud providers on a risk framework for cloud-based solutions as financial services firms satiated the desire for high-availability “pay-as-you-go” services capable of growing and shrinking based on demand (rapid elasticity).
But even as cloud adoption has continued to grow and be used to rapidly deploy applications, meet service demands, and enable DevSecOps, the financial services industry remains carefully measured in its approach to cloud. Cloud computing is a third-party service, which demands appropriate risk management practices that consider data sensitivity, business continuity planning, and audit rights, amongst other regulatory requirements.
Because of the risk management challenges, financial services (and other industries) have been exploring emerging fourth-party services, known as Cloud Access Security Brokers (CASBs), which exist to help firms secure, manage, and monitor cloud deployments. Initially designed to provide visibility into Shadow IT, CASBs impose enterprise policy on off-premises cloud environments.
A recent BITS Security Program initiative identified five major components of CASBs (Visibility, Compliance, Data Security, Threat Detection, and Interoperability) and one lesser component, Proactive Configuration, with 42 use cases in total. The first four major components are considered the pillars of the modern CASB, and the fifth, added by BITS project team members, is for assessing the ability to integrate into your existing systems (e.g., DLP, anti-malware). Lastly, Proactive Configuration looks at the ability to automatically detect and correct misconfigurations of cloud services, such as open containers.
The culmination of this member-led project is the BITS CASB Use Case Matrix, a tool designed for banks and other firms to assess CASB tools through the prism of a financial services organization. The tool uses a series of diagnostic questions to help firms identify requirements that are pre-mapped to the standard cloud service models: software as a service, infrastructure as a service, and platform as a service. This empowers users to quickly and easily construct a firm-specific, customized evaluation of CASBs across all relevant components and use cases.
We are pleased to offer the BITS CASB Use Case Matrix to BPI / BITS members, CASB vendors, and the public. We hope the use of this tool will help firms expedite the implementation of technical and policy controls in cloud services and help CASB vendors better understand the requirements of financial services firms.
One final thought on CASB and cloud: many firms have been evaluating and using CASBs over the last year or two. Through that experience, firms understand what works and what does not, which in some cases means they may take this as an opportunity to explore scalable and bespoke solutions. CASB solutions add value not only by plugging gaps in cloud solutions, but also by elegantly and rapidly scaling to cover a diverse application base. The future may call for significant, sometimes ongoing, configuration time and attention for applications; the next generation of CASB solutions may address this more comprehensively.
Disclaimer: The views expressed in this post are those of the author(s) and do not necessarily reflect the position of the Bank Policy Institute or its membership, and are not intended to be, and should not be construed as, legal advice of any kind.