For John Meakin, chief information security officer (CISO) at Standard Chartered Bank, the appeal of cloud computing is simple and compelling. “There are certain things that need to be done to deliver day-to-day parts of the information security armoury that are best done in the cloud. It is more cost-effective for the business and higher in security quality terms,” he says.
But Meakin is acutely aware there is a degree of scepticism about cloud computing that pervades many business circles. Much of this is born from a mistaken assumption that cloud computing is synonymous with low-quality commodity services – and that simply is not true, he says.
“Things that we need to do where we cannot add value by doing them ourselves are effectively commoditised,” says Meakin. “But that does not diminish their worth. In the strictest sense of the word gold and platinum are commodities, but they are extremely valuable.”
For a business-critical activity such as security, such distinctions matter. “You can’t say you will compromise the quality of security protection for the sake of lower cost,” he says.
And there are significant security functions that are being commoditised. “This does not mean they are not important, but simply that there is no value in organisations like mine doing it themselves when they can get it off the web,” he says.
One example where cloud-based security has proved effective has been providing secure internet access. Standard Chartered has been using web filtering software, deployed at the network boundary, from anti-virus software from ScanSafe.
“The traditional approach has a number of flaws. There is little granularity with the filtering of web access and it has become increasingly difficult to keep anti-virus protection up to date as malware attacks via the web are growing. With only one layer of scanning for every HTTP connect, we only have one chance to scan for a malicious threat,” says Meakin.
In the past this lack of granularity meant Standard Chartered tended to restrict access to legitimate web-based activities that its staff had good reason to engage in.
“Webmail and public instant messaging are blocked, but there are cases where they allow ways of doing business. Businesses in the financial markets are finding more and more good uses of web channels – security has to change to reflect that,” says Meakin. “Security shouldn’t be a straitjacket, but a comfortably fitting one.”
The pressing need for a more effective but less restrictive method of guarding against web-based malware convinced Standard Chartered to look at the option of a cloud-based system.
“In the face of the growing threat and sophistication of web attacks, our method of protecting the web channel was not meeting our business and security needs. With our global reach and 76,000 users we want our web gateways run reliably and robustly day in, day out in a cost-effective way without consuming excessive manpower. It was time to move on,” says Meakin.
Standard Chartered began a trial of the ScanSafe technology in May 2008. It quickly established that the software was business-ready, and moved on to trialling the system.
“The beauty of it is that the implementation step is one of the simplest, with a rapid rollout once we know the procedures for ScanSafe to turn on the service and for us to turn off the existing boundary security technology,” he says.
Standard Chartered is also putting in place the final pieces of a new internal support structure. The use of ScanSafe’s service will allow the bank to reduce the number of staff engaged in monitoring web channel security from five to one. But it is still necessary to have one person dedicated to managing the web filtering process, says Meakin.
The new system is opening up further opportunities for Standard Chartered to engage with groundbreaking technologies. The old security systems were inherently opposed to Web 2.0 technologies, following established ideas that “user-initiated content is principally about leaking information,” says Meakin. “The knee-jerk reaction is to prohibit access. However, there are good business uses of Web 2.0 technologies and the focus should be on keeping information under your control, which is at the heart of the matter. ScanSafe plays a role in this with its granular access,” he says.