University of Twente Student Theses


Secure cloud computing in the financial services market

Hendrixen, T.F.M. (2011) Secure cloud computing in the financial services market.

[img] PDF
Abstract:This document describes a research about security in cloud computing for the financial services market. This research is performed by Tom Hendrixen, a graduate student at the University of Twente (UT). The research took 6 months and was started on the 1st of November 2010. The research is conducted for the Financial Service (FS) Global Business Unit (GBU) of Capgemini NL which is orientating to put cloud technology into the market. The main subject of this research is security in public cloud computing. Public cloud computing is a new technology with characteristics such as resource pooling and elasticity to provide a base for IT services. Using cloud technology can deliver business benefits and cost reduction. Implementing this new technique does not only bring advantages, it also comes with some disadvantages such as security issues. In this thesis we concentrate on the data security disadvantages. Security issues in public cloud computing are seen as the most important issues when implementing or services in a public cloud. In this thesis we describe the most important and most referenced data security threats found in literature. Once identified, we describe how current public cloud providers deal with these threats. Some examples of these threats are: unauthorized inside users, data location, faulty infrastructure, and denial of service. To check if public cloud computing services can be used by companies in the FS market, we compared the data security threats in public cloud computing with the data requirements at FS companies. In chapter four of this thesis the FS requirements applicable to these services are described in more detail. Every service demands different security requirements. For example public web blogs assign a much lower priority to security as applications such as Internet banking and other services in the FS sector. The FS sector has high security standards and uses certificates and risk analysis to ensure this. Because this thesis concentrates on the Dutch FS market, practical research in the field is done to describe the current state of public cloud computing in this market. In this thesis the practical findings are related to the findings in literature. By taking this step interesting conclusions are exposed. Conclusions: By interviewing security experts, we found that the use of public cloud computing only covers a small, almost no, part of the services used at FS companies. The used public services are implemented because they are cheaper and more agile than on premise solutions. Another interesting property is that they do not contain data that might become incompliant to legislation or might create great losses when security breaches occur. Security is seen as a major issue when implementing public cloud solutions. With the information gathered during the research we state that moving to cloud computing is a trade-off process between costs savings, agility and security risks. The cheaper, more agile the solution the higher the security risks and the other way around. With this trade-off between the cloud benefits and the risks, we conclude that in situations where high levels of security are required public cloud computing cannot compete with the security of on-premise traditional services. This because the 'cheaper' public cloud solutions do not fully comply with the security standards required by companies. As the public cloud deployment model provides the cheapest computing and storage capacity, security risks are high. When taking these insights and looking at the FS market we see that the implementation of public cloud computing for core services in FS companies is not interesting. The benefits of moving to public cloud computing are not enough to accept the risks associated with the current technique. Loss of control, lack of security guarantees and trust in the provider are issues that expose risks which FS companies are not willing to take for their core services. In some cases FSs in public cloud computing cannot be implemented because of legislation. E.g. Dutch legislation prohibits companies to store or process data in countries that demand lower security requirements to personal data. Another act in Dutch legislation requires FS companies to provide access to auditors of their information systems. Services that are applicable to this law cannot be placed into the public cloud. Public cloud computing does become interesting in situations where risks can be accepted (partly). (E.g. non-core and supporting systems) During the research we found that the CIA framework was used by FS companies to classify the data used. With this framework, acceptance of risks per type of data is defined. By doing a risk management research at a public cloud provider a classification threshold can be set for data that may not be placed in the public cloud. With this classification organizations become able to select services that can or can't be implemented in the public cloud.
Item Type:Essay (Master)
Faculty:BMS: Behavioural, Management and Social Sciences
Subject:85 business administration, organizational science
Programme:Business Information Technology MSc (60025)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page