Are worries about the security of your bank’s data stopping you from considering SaaS delivery of core banking services? Do you feel it’s not worth the ‘risk’ even though the benefits, especially with regard to reduced cost and improved business agility, are well proven? As CTO in a company that hosts ‘Banking Software as a Service’, it’s my job to consider and respond to all the perceived negatives of our B-SaaS™ offering, and I would ask you to consider the following points.
It’s human nature to avoid risk. In our decision-making process, many of us consider different scenarios, evaluate risk versus rewards or benefits and then make a judgment call as to how much risk is appropriate for a certain reward. So in the end, it boils down to balancing the risk and reward, and this applies to any rational decision - be it in our personal lives or in matters related to business.
With this as the background, let’s try to analyse the number 1 perceived risk of a SaaS offering: data security. This is of course the most significant risk that a bank gets exposed to with SaaS. Data flows through the internet and is stored in a location that is physically away from the bank, and the bank cannot really control who gets access to its secure data.
To put this in perspective, let us take an example. Say you got some money; what would you normally do? Probably spend some and put the rest in your bank. It’s your money and you find it alright to leave it with a bank. The reason is, we know that it’s safe, probably also earns interest and most importantly, the bank knows how to safeguard my money better than I do (hopefully and in most cases!). The same money is available to you whenever you need it. You also trust the systems so much that you are fairly sure that your money cannot be withdrawn by someone else - thanks to the authentication mechanisms in place.
This ‘money’ security works - so what’s the big deal with data security?
Firstly, sensitive data of the clients, their personal identities and the like should be secured. Information related to products and pricing is equally sensitive. Last but not least, the bank's strategic initiatives and goals, control measures and other operational procedures also need to be protected. In the unfortunate case of a data breach, banks stand to lose a lot, most importantly credibility and the trust of their clients, which in turn can lead to huge losses in business and revenues.
Thankfully, these fears need not lead a bank to rule out SaaS. Technology today is advanced enough to provide mechanisms that secure data while it is being transferred. Complex authentication mechanisms and cryptographic techniques ensure data on the move is not easy to hack and decipher. Data hosted on a public cloud is just as safe as (if not safer than) data hosted on a private cloud or in-house on stack servers.
As far as data storage is concerned, a number of preventive measures can be implemented to avoid any data leakage. With a credible service provider, periodic security reviews or audits, third-party assessment and certification, and implementing ISO standards for managing information security are some of the easy means by which data can be secured in a SaaS scenario.
Having an information inventory with the appropriate risk measure associated with each item on the inventory list can help get a good grip on the information loss risk that a bank deals with from a SaaS point of view.
The other significant risk in a SaaS offering is that of integration. Typically, systems that are on-premise have to exchange information with systems that are on SaaS. Apart from the usual complexities of integrating two systems, integration with a SaaS application poses additional challenges of dedicated bandwidth and security. Banks have to ensure that the SaaS application they choose has standardized ways of integrating that can co-exist with the other applications within the bank.
SaaS applications are getting smarter by the day. They allow a reasonable amount of customization to suit your needs without any intervention from the provider. The costs are extremely predictable and controllable. All the upgrades are automatically included and most importantly, the bank can focus on their core business with minimal diversion on IT systems.
Overall, banks can reap significant benefits from a SaaS system without compromising on security by acknowledging, assessing and effectively managing the risks, just as you do with any aspect of your life or business.
Sunay brings over 17 years of experience developing IT products for the banking industry into IDEALINVENT. He cut his teeth as a product designer and developer before moving into product implementation and delivery management. Notable achievements include being a key member of the first-ever Indian-led complete system replacements in one of the largest corporate banks in Japan, and he has been instrumental in several project implementations of varying complexities in Western Europe, including a Payments and Core implementation in a leading Swiss bank.