In this video, C. Warren Axelrod explains the security risk and potential benefits of outsourcing and cloud computing for financial services firms.
Watch Part two: Web application security for financial services firms.
About the speaker:
C. Warren Axelrod is a financial services IT and security veteran and author of Outsourcing Information Security.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.
Outsourcing and cloud computing for financial services firms
Marcia Savage: Hi. I'm Marcia Savage with SearchFinancialSecurity.com.
We're here today with C. Warren Axelrod. He's a financial services IT
and security veteran, serving more than 25 years as a senior IT manager
on Wall Street. He's also written three books, including "Outsourcing
Information Security". We're going to discuss outsourcing security and
web application security. Thanks for joining us today, Warren!
C. Warren Axelrod: Happy to be here. Thank you.
Marcia Savage: Now, in surveys, our readers say that they're reluctant to
outsource information security. Does that reflect what you've seen in the
financial services industry, or are financial firms increasingly looking to
C. Warren Axelrod: I think in difficult times, as the industry has been
going through, there is a tendency to look for cheaper solutions. In
some cases, the information security function, or many of the components
of that function, can be outsourced effectively in order to save money, to get
additional expertise to cover shifts, such as night shifts and holidays and
weekends, that would not normally be covered within an organization.
So there are a lot of opportunities. I think that the outsourcing industry
is hurting. It's clearly indicative of the overall marketplace. To some
degree, financial firms may be trying to economize on security and
resiliency and areas like that, because they can take on more risk and
spend less money. But in the long run, they're probably better investing in
the security, and often outsourcing gives not only cheaper service but
expertise that they wouldn't be able to support in-house.
Marcia Savage: Which information security functions are the most
appropriate to outsource?
C. Warren Axelrod: I believe a lot of the operational functions, such as managing
firewalls and IDS and other types of network and system security functions,
can be readily outsourced. They've become a commodity. A lot of people know
how to do it these days. It doesn't require particular business knowledge,
and it doesn't require having to really oversee those functions as closely
as in the past.
However, there are certain functions that certainly should be outsourced.
Those include areas where you may not have the expertise. In an area such as
application security, many firms are not at the level they should be in
order to do it effectively. It pays to go out to experts who are doing it
all the time. So, I think it's a mixed bag. If you don't have the
expertise, particularly if you're a smaller organization, then you should
seek help from the outside. It's really on a case-by-case basis.
Marcia Savage: Are there some security functions that shouldn't be outsourced?
C. Warren Axelrod: There are certain critical functions that are better handled
in-house, unless your outsourcing partner is very close to you. And there are
other aspects that require knowledge of the business. For example, with
intrusion prevention systems, in order to avoid false positives, you really
have to understand how the business is functioning. For example, if a
financial institution were to bring in a big new institutional client and
volume were to shoot up 50%, that's a good indication, not a bad one. Or if
you had some remote monitoring of IPS, they may say, "Hey, we're under
attack. Let's stop that business coming through, those transactions." So I
think that there are certain aspects where the internal business knowledge
is very important.
Marcia Savage: What should financial organizations do to manage
the risk, when outsourcing security?
C. Warren Axelrod: Well, the contract is key. And there are certain
aspects of the contract that are often neglected. Particularly if we start
at the end, it's the termination of the contract and what happens then,
whether it was a voluntary or involuntary termination of business or, say,
bankruptcy or a merger/acquisition. So that's a very important part of it.
The other aspects of the contract should be really dynamic and ongoing.
One of the problems that I find a lot of institutions get into is that they
look at the negotiation as a one-time negotiation. They put the contract
in a drawer, and three years later, they pull it out and say, OK, what
are we going to do now? The reality is, volume changes. One of the
biggest risks in outsourcing, particularly security outsourcing, is when
things change. You may not be aware of those changes, say, at the
The outsourcer may, for example, move to a different country, or
subcontract to somebody else. If you don't know about that, your risk has
gone up, and you're just going along as usual. So you have to try and
anticipate a lot of these issues before they actually happen. The other
thing is that -- I don't find it happening very much, but I'm actually an
advocate of the customer monitoring the service provider's environment.
There are some who do it. It used to be called co-sourcing or shared
sourcing, where, for example, the management of the security of a network
is shared by both in-house and out-of-house parties. Maybe, it's handed
over for second and third shift. Or if there's a particular incident that
the internal personnel are not sure how to handle, they may say, OK, you
guys. You look at it. Tell us what we should do.
I think that kind of relationship is extremely helpful. There has to be
strong oversight. A lot of companies feel that if they outsource, then they
don't have responsibility anymore. They just leave it to the experts. But
that's quite dangerous because a lot of people have been bitten by that.
Marcia Savage: Do service providers sometimes push back on
ongoing monitoring or on-site auditing?
C. Warren Axelrod: This is partially a function of the relative power
and strength and size of the two organizations. If you're a large
financial institution, you have a lot of influence, even over large
outsourcers. If you're a small guy, you may have very little influence
and vice versa. If it's a small outsourcer, you may be able to get a
lot of benefits from that relationship. In one situation, for example,
a very large outsourcer was not willing to allow us to do a site visit and
kick the tires and see how they were doing. They said, "Well, we
won't even tell you where our data center is. You don't have a need to
What they were able to do is provide third-party reviews, audit reviews and
security reviews of their data center. They were willing to give us those
documents. So it can work either way, but as is often the case, if you don't
ask, you don't get. This is particularly true of the cloud services that
we're seeing, where people assume that the big vendors, the
Googles and the Amazons and the IBMs and HPs, are nonnegotiable. Here's
your deal, it's take it or leave it. But that's actually not true. I was
just at a presentation by one of the senior technology managers of Amazon
Web Services. He was basically saying, tell us what you want us to do, and
we'll do it. So there's a disconnect sometimes between what the customer
thinks they can get, and what they can actually get. If they don't have the
dialogue, there's no way they're going to get it, anyway.
Marcia Savage: Can you talk a little bit more about cloud-based security --
security services such as email. Let's start with that first.
C. Warren Axelrod: It works several ways. In some ways, the cloud provider,
particularly in the email services, is way ahead of what many, if not all,
of their customers can be. They're seeing what's going on on the Web, and
within companies. They have a much broader perspective. They can attract
the top people, because they have so much volume that it keeps them
occupied. So in some of these cases, I think you can get a much superior
service by going out to a third party, whether you call it a cloud service
or web service.
Certainly some of these services, like email security and monitoring, can
be much superior from a third party. Others, it depends on how you do it. There
isn't a lot, as far as I can see, in security services being offered
specifically over the cloud. Much more of the issue is the securing of the
cloud computing services that you use. And in a lot of cases, such as
Amazon, if you read the documentation, it's essentially, "We have a
smorgasbord of security services. It's up to you how you use them. We're
not going to force them on you, nor are we really going to help you that
much to do them. But they're available to you. You can use them." And they
describe them, and so forth.
What basically happens is that particularly for sensitive types of
applications, you only migrate part of the application onto the cloud, and
you keep some internally. In some cases, there's concern about putting data
out in the cloud. I've heard of cases where the security officers have
discovered that some of the business users are actually using the cloud for
proprietary data, and they've pulled it back real fast. But if you go into
it in an orderly manner and maybe can segregate some of the functions and
some of the data, then you can really get the best of both worlds and not
take unnecessary risks.
I think over time, these services are going to mature. I'd say the
critical, secure types of services are such a large part of daily business
volume that they're not going to avoid that market. They're not going to ignore
it. It's something that they'll want to get into. There may be some
compromises. It may not be real cheap, which is the way people look at
general cloud services. But it may be a lot cheaper than doing it in-house.
There will be a trade-off between some additional costs, and some
additional level of security added.
Marcia Savage: Are financial institutions -- do they tend to use cloud services
only for mission-critical applications?
C. Warren Axelrod: It depends. A lot of the major financials are not putting the
critical applications out onto the cloud. Just as, in many cases, they won't
outsource them. Smaller institutions are under a lot of pressure. They
don't have the internal resources, so they're much more prone to doing
that. The reality is that you can come up with measures that are reasonably
secure and meet the requirement. But from what I've read and what I've
seen, the concerns about security are hampering the movement of
applications into the cloud. The reality is, there may be some additional
risks. There may be greater risks in some areas. But if you understand them
and you manage them, then you can get the benefits.