Dealing securely with Clouds
Security and trust are closely related terms, and both are terms that we
associate with financial institutions and that financial institutions
associate with themselves. At the core of the financial services industry is the
concept of risk and the costs that are associated with those risks. In some cases,
risk hinders business and even stops business happening – for example, where
customers don’t trust new technology-based banking services.
In other cases, risk creates business opportunities: for example, financial markets
are based around risk, and without risk these markets would shrivel up. In a similar
way, security can be applied properly and appropriately in a way that helps to
create, enable and grow business, rather than acting as a hindrance to growth.
A key factor is that the market is changing rapidly, and standing still is not an
option: in nature things are either growing or dying, and nothing ever stands still.
Introduction
BT Whitepaper: Dealing securely with Clouds 1
In the 20th century, major changes in technology were often driven by military
needs and space exploration, and generally slid quite slowly into the business
world. In the 21st century the financial community is at the heart of high-speed
and ongoing technology change that is being driven by commercial
competition and customer needs across all industries, because underlying
almost every business transaction in every industry is a financial transaction.
The financial community’s customers represent every type and size of
organisation as well as hundreds of millions of individual retail customers. All
of those customers will use Cloud approaches as part of their financial life,
whether they know it or not, and irrespective of whether they are making a
retail purchase and paying with a mobile phone in Kenya or trading millions of
barrels of oil on-line in real-time from a dealing desk in Texas. And all of those
customers expect those Cloud approaches to be secure.
The Personal Computer was launched 30 years ago, empowering even
individuals to have their own computing capability. The public Internet went
commercial just 20 years ago, and it empowered users to own their own
access to shared networks. All of those computers and network access points
share a common infrastructure – the public Internet – and without that
sharing, much of the progress of recent years would not have been achieved.
These concepts of “sharing” and “communities” underpin the principles
behind what we mean by Cloud: a community of multiple service providers
and multiple service users sharing a common communications platform. A
Cloud can be infinitely extendable, like the public Internet, but equally a
Cloud can be restricted to support a “gated community” with a higher
degree of security.
Big Data is also driving this need to share resources securely. The days are
long gone when any single organisation could consider storing all of the
information that it needs to run its business within its own large central
computer. Storing the same Big Data in each and every individual financial
institution is just not economically viable. And Big Data isn’t all static – much
of it is alive and on the move. Financial institutions today each process
flows of millions of messages per second, and the
data flows that they deal with as a matter of course are growing significantly
year on year. To be able to manage Big Data effectively, financial institutions
tap into and share the same sources and flows of information as well as the
same services and infrastructure, thereby avoiding duplication of systems
and networks and avoiding the multiplication of costs.
The financial services sector operates as a community of service providers
and service users, where some community members are both providers and
users of services, and where more and more infrastructure is shared. This
sharing of infrastructure and services makes security even more critical,
because a security breach can impact not only one institution but can spread
quickly to the whole financial community as well as to the wider community
of customers that are served by financial institutions. The potential systemic
risks are clear, and the speed at which damage can propagate has already
been seen: think back to 2008 and how the failure of one organisation
triggered a global economic crash from which the world is still recovering.
Financial regulators have also turned their attention to the systemic risks that
relate to the technology that is used by the financial community, and recent
regulations have started to include mention of this. For example, the current
EU Markets in Financial Instruments Directive (MiFID) states that investment
firms must have “effective control and safeguard arrangements for information
processing systems”. National regulators are insisting that business continuity
plans must be in place and that the senior management of financial institutions
should be personally liable for failures in those systems.
For financial institutions, increased regulation has typically added to
operational costs. Some of these regulations have been specifically aimed at
increasing the level of competition between financial institutions, and this
together with normal competitive pressures has forced financial institutions
to reduce their business margins. At the same time, transaction volumes
have been increasing while the size of individual transactions has on average
been reducing, resulting in an increased load on technology systems without
necessarily resulting in increased revenue. These combined pressures have
made it even more important for financial institutions to examine what they
believe to be their core business activities, the non-core business activities
that can be outsourced, and which services they need to have dedicated or
that can be shared. The availability of Cloud approaches has been critical to
enabling financial institutions to make the necessary technology changes to
support their business decisions.
The IT world had already moved from centralised mainframe processing
through "distributed processing" to client/server architectures. Gradually
networks were being used more and more like the hardware "bus" that
interconnects the components of a computer, as those networks became
faster and less costly to use. The concept of the Cloud has been a logical
progression in terms of both hardware architecture and software architecture.
Providers of application software have gradually recognised the increased
business opportunity presented by being part of a Cloud, rather than having
to build out private networks themselves, enabling them to become
application service providers and address a broader sector of potential users
across a wider geography. The "pull" from financial institutions and a
simultaneous "push" from application service providers, market
infrastructures and industry utilities have enabled the financial community -
service users and service providers alike - to become more cost-efficient in a
business world that is less and less able or willing to accept inefficiency.
Financial institutions have traditionally been used to having dedicated
technology. The increasing network capacity that has become available at
ever-decreasing cost, in line with Butters’ Law, has helped to bring into
question the reasons why financial institutions would continue to use
dedicated infrastructure. Internet service providers link up the average retail
customer with tens of megabits of capacity per second at a cost of only a few
pounds per month, while banks have paid many times this amount for
dedicated connectivity with a fraction of the capacity. Traditional private
networks tend to lock in the financial institution and its old business model,
and tend to lock out new customers. The retention of the status quo has
often been due to concerns about security.
Security is of course made up of many elements. Security can be the certainty
that systems will continue to work, even during times of external disruption.
Security can be the certainty that the wrong people cannot access data that
they shouldn’t. A goal is to achieve that certainty without locking out the right
customers and to reach out to more potential customers than ever before.
Building silos is probably not the best or most likely way of achieving that
overall goal. Silos lock out potential customers and lock out opportunity.
Sharing works in two directions: sharing what you’ve got but also sharing in
what other people have got. Breaking down financial silos and sharing in the
business model of customers has been a dream of financial institutions for
many years. Recognising that the financial sector has found it difficult to
break this log-jam on its own, governments and regulators have recently started
to step into the arena of security to facilitate and even force change to happen.
Two recent examples of this are the UK Government’s Identity Assurance
Programme and the G-20 governments’ Global LEI System initiative. Both of
these initiatives are around Identity Management as a fundamental building
block of effective security.
The UK Government’s Identity Assurance Programme (IAP) aims to create a
shared, federated environment for government and for businesses of all
types – including financial institutions. As in a Cloud model, financial
institutions have a dual role as both users and providers of services, in this
case these services being around identity-related information. There is
already a degree of information-sharing between financial institutions, e.g.
as part of fraud prevention operations, but the IAP will take this
information-sharing to a higher level with information not just to be used by financial
institutions but by every type of business of all sizes. Being an “identity
provider” will be a new business function, and identity information
management will not just be a painful-but-necessary function that financial
institutions have to perform in their own interest and to comply with KYC-
and AML-type regulations. This new business opportunity results from the
world’s overall need for greater security and certainty, particularly in a
networked environment.
The G-20 governments’ Global Legal Entity Identifier (LEI) System initiative
has now progressed in just a handful of years from being an idea to being a
reality. Security and certainty at a global level were recognised as requiring a
simpler, shared and federated approach to identity management. The term
“simpler” may seem strange when one considers that this is a global project.
However, when one considers that individual banks have each been running
thousands of separate identity management systems, the Global LEI System
appears to be a model of comparative simplicity. The concept that a single
legal entity should have a single and unique identity that can be used with
certainty by every organisation or individual in the world seems to be so
obviously needed, and yet neither the financial sector nor industries in
general were able to achieve this goal.
The rationalisation and clarity that can result from these initiatives at
government and regulatory level demonstrate how security can be a
business enabler, breaking down barriers that hinder business, reducing
unnecessary risks and accelerating the speed at which business can be
transacted reliably. One word that is common to both of these initiatives is
“federated”, where resources and information are shared across the user
community. A federated approach for identity management clearly melds
with the shared, community environment of Clouds and the public Internet.
Security services can be a competitive differentiator in the eyes of clients and
potential clients. Customers can change financial service provider more
easily than ever before, whether due to the common access to all providers
that the public Internet and the Internet Protocol provide or due to recent
new account-switching regulations. However, the customer’s view of the
security services that a financial institution provides as part of its overall
service can be what stops the customer switching. A challenge that financial
firms face is how they can attract new customers and how they can use
security services to support that. This is particularly critical because security
is not just part of their core business: it is a fundamental reason for their
existence. The same is not true of other organisations
against which they compete today and will compete against tomorrow, such
as on-line retailers, mobile network operators, etc.
Security is also not a static environment, where traditional solutions can
continue to be used successfully forever. A recognised characteristic of the
development of new software functionality is that it is first implemented in
specialised hardware and then converted to software that can run in
computers. One example of this is Software Defined Networks (SDN), where
functionality was originally built into specialised hardware - routers - and
now is being provided as software that can run inside general-purpose
computers. Another example of this is Host-based Card Emulation (HCE)
that is now being used in the world of Payments, where hardware-based
security devices are replaced by software-based functionality within
smartphones and tablets. Once functionality is converted to software, the
next logical step is for that software to be used in a Cloud environment
because this helps to reduce the cost and increase the speed of roll-out of
new functionality. It also reduces the dependency on and cost of physical
hardware at retail point-of-sale. Being able to deliver and take advantage of
new approaches to security is a key competitive business differentiator.
Pressure is on not only from customers but also from governments to
increase the efficiency and speed of on-net transactions. An example of this
is the recent change required by UK Government to ISA re-registration
processes, shrinking a process that might have taken a month down to
same-day: secure message exchange across the ISA community was critical to this
requirement. Another example was the introduction of the UK Faster
Payments scheme. Staying at the forefront of security technology is vital for
financial institutions as these pressures continue and as the number of
customers wanting to use off-net services continues to reduce. At the same
time, the increase in the use of network services by more and more
customers is increasing the size of the potential community that financial
institutions can address.
Much is written about security threats and the potential damage to
customers, to revenues and to long-term business reputations. At times this
can seem to mirror the introduction of the motor car, emphasising the
dangers and not looking at the incredible changes to industry, work and
lifestyle that motor cars offered and the opportunities that they created.
Security is not just about threats – it’s also about opportunities. The public
Internet has shown us the importance to networked business of two key
factors: sharing and communities. In the future, more security solutions will
be delivered in a shared, federated manner to reach and serve larger
communities. Security is a core characteristic of a financial institution, but
being at the forefront of technology is no longer something that each
financial institution has to achieve on its own and independently. Sharing in
security solutions and sharing in community-wide security approaches is
more likely to be critical to business success than ever before.
Author: Chris Pickles
Chris Pickles is an independent consultant and has worked in the financial
technology sector for 40 years on behalf of organisations including BT, Reuters,
Deutsche Boerse and UK Government. He specialises in interpreting the impact
that financial regulations, industry initiatives and standards will have on
business operations and IT within financial institutions around the world.
The services described in this publication are subject to availability
and may be modified from time to time. Services and equipment
are provided subject to British Telecommunications plc’s
respective standard conditions of contract. Nothing in this
publication forms any part of any contract.
British Telecommunications plc 2014.
Registered office: 81 Newgate Street, London EC1A 7AJ
Registered in England No: 1800000
8 September 2014