Thomas De Souza, chief technology officer, financial services at Hitachi Vantara, and Charles Chow, director of sales engineering at CommVault, shared how institutions need to rethink their technology capabilities and data framework.
The financial services industry is undergoing a rapid digital and technology transformation that has gathered pace during the pandemic. Financial institutions seek to optimise their access to vast data volumes with emerging technologies and advanced analytics to drive business value and customer experience. Meanwhile, most banks continue to grapple with a huge amount of structured and unstructured data across silos, fragmented applications and a complex legacy technology environment.
Institutions require an integrated, secure and agile data framework to enable timely intelligence-based business decisions and stronger risk analytics. Data security challenges have escalated during the pandemic with the surge in cyber and ransomware attacks. Ransomware attacks have become more sophisticated, innovative and organised. These accentuate the need for more robust ransomware preparedness and a resilient data foundation.
Financial institutions require stronger data governance, protection and business continuity measures, along with analytics-enabled, multi-layered defence to mitigate ransomware and other cyber threats.
Thomas De Souza and Charles Chow shared how the security requirements have changed during the pandemic along with increased implementation of cloud and increased ransomware attacks. These are forcing banks to rethink their data security strategy, processes and framework as well increasingly adopt AI and ML-based advanced analytics to address evolving threats.
Hitachi Vantara is a wholly-owned subsidiary of Hitachi Ltd. It focuses on solving digital challenges for customers by applying industrial and digital capabilities to their data and applications to benefit both business and society.
CommVault is a US-based data protection and data management software company that focuses on intelligent data services to help organisations get value from their data and making their data ready for business growth.
The following is the edited transcript of the interview:
Neeti Aggarwal (NA): Firstly, I would like to get your perspectives on what are some of the key emerging technology trends and focus areas among your customers in the financial services industry, especially in the last 12 to 18 months during the pandemic?
Thomas, perhaps we can have your thoughts first.
Banks face challenges in redesigning data security strategies to meet evolving security needs
Thomas De Souza (TD): I think probably the biggest thing that we're seeing is definitely the move or the rush to adopt cloud technology. Most financial institutions have migrated certain workloads to the cloud. But I think we've seen a bit of a maturity here. in the past, it may have been driven by cost or flexibility or reducing or increasing the agility of their organisation as they move forward. Also we have seen a number of new technologies emerge. This really revolves around the runtimes, which some people might refer to as containers or Kubernetes. But this has become the new dial tone for the cloud for computation.
I think probably one of the most material things that we're seeing is the rise of new data technologies. And as you mentioned, I think one of the largest things is the rise in terms of data becoming the strategic asset and it's been used within different products and services in the financial services organisations.
Also, with the rise of the cloud and what we would call cloud native technologies or architecture, we've seen a very high performance platforms emerging, which are allowing new kind of advanced analytics and AI algorithms to emerge. And I think this actually will have a material impact, as with the cloud, it has matured across a number of financial issues, especially like the lines of business functional areas such as risk, security, and others. But I would also say at the same time of this kind of adoption of the cloud, we're seeing COVID-19, amplifying the security risks we're seeing. Like with people working remotely, the threat of ransomware. And this is not going away. And I think that it does revolve around data, both from security perspective, but also the data being used to mitigate some of the risks.
NA: Charles, I'd like to get your inputs around cybersecurity. During the pandemic, there has been a surge in cyber attacks, the ransomware attacks have increased. The reports about ransomware attacks more than doubling, about 150% increase. And cyber criminals have been a step ahead of banks, despite various efforts. What are some of the key challenges that banks face in preventing these attacks despite various efforts?
Charles Chow (CC): You're absolutely right. The new wave of attacks that the banks are getting, or other government agencies are getting as well, are becoming bolder and more elaborate by the day. Threat actors have had such success infiltrating other enterprises that they are now openly declaring how they're going to do it, when they're going to do it, and where are they going to do it next. In more recent time, some of these threat actors have also declared publicly that they are not specifically just going for your data, they are very, targeted, they're also going specifically just for your backup data. Because many organisations often rely on these backup copies to get their systems back online in the event of an attack. So the attackers know that, I don't actually want you to have a temporary data loss, or an annoyance, so to speak, but I want you to have the effect of a potential permanent data loss. So that's exactly what they're getting at. And the attackers also know that many enterprises have generally or historically channel a lot of resources to building production systems or protecting production workloads. But at the same time, the backup workloads or workloads that you sit in a corner, hoping for a rainy day are generally have a lesser infrastructure, or less protected, so to speak. So it is really a challenge that the attackers are putting out there to all the organisations to say that, hey, you know, can you get to fix your backups or protected data before they get to it?
I think it's really a thought process thing because the large amount of banks always have this mentality, so to speak. It's not like, I'll never get hit, it's a question of when do they get hit? Historically, it's always been, whatever I built, the security products that I put in place, it's all there and it's not been broken for the longest time. So I think we live in a consensus that just because it's not broken, you should be relatively good enough. But if we are very fair to the banks, I think, in general, banks specifically have done a tremendous job in protecting against cyber attack comparatively to all the other verticals. But having said that it's still not bulletproof. There's still a lot to be done.
NA: As you mentioned, the banks are exploring multi-pronged perimeter security initiatives already. What more do they need to do from where they are right now? How do they build a stronger ransomware resilience to be able to detect and prevent these attacks more effectively and timely?
AI and machine learning improve prediction and real-time detection
CC: I think banks and financial institutions should really re-evaluate their data protection strategies again. Just because the strategy hasn't been compromised doesn't mean that it will not be compromised. The challenge here with a lot of organisations is that data protection strategies have generally historically been very sticky, and it's very ingrained and steeped in legacy. So to move out and to redesign it often pose a massive challenge to a large enterprise. The first thing that comes to mind that is well, ”Is there something we can do just on top of it, rather than re-architecting it entirely?” So, some of the questions that the financial institutions should be considering for example, is your data protection adapted for SAAS based workloads? Has it got the cross dependency between on-premise workloads and those that you have in the cloud? Because today, no data lives in isolation. There is consistency and also correlation between your data sets are sitting on-premise and in the cloud. Should it be protected with similar tools to ensure consistency if that's the case?
And today, the landscape of where information lives. Are there sensitive information on the endpoints where your end users are working off today, with everybody working from home? This landscape is completely changed and turn the tables around. Historically you come into the office, and you're protected by the firewalls within your organisation. Now, a lot of the end users work from home, is that being protected? How is that being protected? So these are all the questions that need to be taken into consideration.
As we add more workloads and data points as well, the discussion also comes to where could AI and ML be deployed on a day to day operation. It's impossible to scale resources to monitor the ever growing landscape and growing data points and new challenges, the pandemic will bring us. So having the ability to be adaptive and make informed decisions in an evolving enterprise space could become the key to success in the future.
NA: Thomas, could you also tell us about what banks need to do with regards to data safety and immutability, business continuity and how they need to build a stronger risk analysis capability to mitigate these attacks?
TD: I agree with Charles. It's an evolution of the existing security architecture. And I think it's a set of interlocking countermeasures you need to deploy. So things at a base level, like immutability of your data, and a hardware level, which secures the data, that means it can't be changed for a specific amount of time are useful countermeasures. I would also say, we've seen more sophistication in these countermeasures such as air gap, so data being moved off site not being accessible from a network perspective. I think we're seeing and I think Charles alluded to this as well, advanced backup strategies and technologies and capabilities that run both on-premise and hybrid in the cloud. Most importantly we've seen this with financial institutions that have been here. The disaster recovery plans are not necessarily able to deal with this type of catastrophic failure because they really plan for maybe natural disasters or emergencies. They don't necessarily take into account that the data is not recoverable. We're seeing that both. As Charles said, they need to revisit this. This is an evolving threat environment.
I would also say that the countermeasures that they have, and the way that they go to market is ‘after the fact’, they only realise that they've been compromised after the fact. And this really talks to more advanced capabilities, such as using AI, or machine learning to provide predictions or to do real-time detection using advanced models. And I would also say that, although this is kind of an emerging area, it really is predicated on data. Charles alluded to it, but it is the large amounts of data that are being generated by operational systems that need to be monitored, that you're applying these advanced threat analysis models against. I think this will be customer or organisation by organisation as well. Because most financial institutions have very complex and tailored environments to what they're doing. I don't think it's one size fits all. But I do see there's a definite trend moving forward.
NA: To your point about using more of advanced analytics, and using more of artificial intelligence and machine learning, perhaps you could share with us some of your use cases and recent implementations across financial institutions. How were they able to strengthen their data analytics capability through use of these advanced analytics, and therefore develop a stronger risk and analytics and ransomware resilience?
TD: Historically, when we talk about analytics, these are very basic kind of models or types of algorithms that are being applied to the data. So when we look at the landscape of how to apply this, it's looking at algorithms that may be able to detect threats in real-time, where you don't have prior knowledge, or you have a time window where certain events have happened. Most of the systems that we see today are very much rules--based and they act as effectively as controls. So once they're set, they're fairly inflexible. They may not detect more advanced threats. With a machine learning algorithm you should be able to look at new data pass through the model that will allow you to protect that threat or identify. Sometimes you need to train that on what we would consider to be back data. But a lot of times now, you can actually do that with algorithms that will detect based on events that happen within the infrastructure, whether they be security or otherwise.
For instance, if you had a ransomware attack, you may have the CPU running very high because obviously, performing encryption on the systems that may be in conjunction with other events, something that you wouldn't pick up using an existing environment. We have a number of clients that we're working with to look at this. As I said, it's not something that is a one size fits all. But I would say that the underlying technology is, as I alluded to in the beginning of the discussion, next generation, this step change in terms of data analytics that is driving it. So not only are we seeing that for security, we're also seeing that for risk and compliance activities. For instance, if you took 10 hours to calculate a risk model, and you could do that in 10 minutes, or even in 10 milliseconds, what does that mean for your organisation? With these advanced data analytics technologies, not only for security, but for other areas of risk and fraud detection and things like that, organisations have a new set of capabilities to actually defend themselves against these threats.
NA: Charles, perhaps you want to share some of your use cases, or any recent implementations across FIs, and how you have implemented a stronger ransomware resilience using advanced technologies.
CC: Thomas mentioned this briefly, about air gapping. So I think to a lot of people air gapping is not necessarily something new. I mean, in its purest form, it’s a form of replication that we obviously have for a longest time. Some of our customers in the region have revisited that. Of course, they have always had replicated copies in a remote site, but to what Thomas alluded to, today's form of disaster is no longer a flash flood or fire. Today, your threat is actually somebody who is connected and cyber attackers who are out there maliciously trying to attack this data set. So coming back to the point where replicated copies historically have always been, ‘always on’ so to speak. Because it's a tunnel that gets replicated data all the time. And it's susceptible to brute force attacks all the time. So air gap copies have allowed us, with a lot of our customers, to cut the network connection to those copies. We only bring up links or bring up services as and when we want to protect data sets. And as we don't use it, we tear it down. That is obviously, just one of the many examples that we have done with a lot of customers. It may seem very trivial in many cases, but data protection against ransomware do not necessarily need to be complex, it just needs another fresh pair of eyes to actually look at it.
NA: Everyone is moving towards building agile data capabilities. What are some of the challenges that banks face in building such data capabilities? And how do they need to build their data architecture for advanced analytics?
TD: I think a baseline level the banks do spend a lot of money understanding what data they have. I think it's really important because as you start to drive, new product innovation or capabilities, you need to really understand your data. But associated to that is privacy. Obviously, we're seeing a number of regulations at a national level or even at a global level starting to emerge around privacy, a bit of a backlash as well. Then there's the whole security discussion that we just had around ransomware. So I think the organisations really need to understand their data and put platforms in place to be able to support that. Once you have that, I think that's the kind of demarcation point around developing a kind of data-centric strategy.
I think financial products have always been bits and bytes. They've been deemed materialised, they are data. I think, as we see these new technologies, whether they're applied from a security website, or within say, some of the products that we're seeing. I know that in Singapore, wealth is a very big business. So, you have automated advisory systems, ways to manage risk, these are all computationally intensive and using advanced data algorithms. This trend will only continue in terms of having that agility in your data, having that agility in your infrastructure. This is a very big trend within financial services. For instance, most financial services will have what we call a front to back, different systems within a set of processing activities or transactional activities, that actually take to clearing and settlement. Although they are highly automated, there are significant amount of human interaction. With these types of algorithms, these types of data-driven environments, you will start to see very high levels of automation, cost reduction, automated controls and security capabilities built into the system. So, I do see this move to agile data being very important to financial organisations.
NA: What's your outlook for technology trends in 2022? What technologies will continue to see a growth in adoption across banks in Asia? And where do you think they will continue to focus more, especially in their data framework and building their data security?
TD: It is a new data architecture and this is in part driven by the cloud. I think most organisations especially in Asia are seeing wealth products being very big because obviously we've seen a very large growth in middle class within Southeast and Northeast Asia. We're seeing in a lot of cases, a lot of Asian banks and nonbanks, leap frogging, want to see more mature Western markets. So if you look at what's happening with embedded payments, or the adoption of blockchain-based currencies and things like that by nation states or employed for like clearing and settlement, I would say that we've seen a whole new architecture around data are emerging that is driving these capabilities. We're going to see an acceleration. I don't think this is going to, so I don't think the innovation will stop in Asia. And I do see a lot more entrepreneurialism, innovation in fintech or financial services in Asia. And if you've been in the industry long enough, you recognise that this is data-driven. This is the application of new algorithms, the models are applied. And because the economics and the populations are growing, there's a huge amount of opportunity for innovation moving forward. In terms of the trends we're going to continue to see uncertainty. I don't think in the things that we've seen in the past, we've been fairly stable, I think there will be a lot of uncertainty. But again, I think this creates a huge amount of opportunity in financial services to build these new data driven products.
NA: Charles, perhaps some comments from you or your thoughts?
Data protection as a service model is gaining adoption
CC: In my view, it will be a new era of data privacy coming to Asia Pacific. It's not necessarily a new topic, so to speak but having said that, Asia Pacific is still very much in its infancy when we talk about data privacy. Of course, financial institutions in the Americas and EMEA have been driving this heart for the past 18 to 24 months, with GDPR regulations. In Asia, it's starting to gain traction in mature markets like Singapore. And we all know in Singapore there's the Personal Data Protection Act (PDPA) equivalent guidelines where enterprises need to comply to. And I truly expect 2022 to be a year where many will start evaluating these strategies, specifically in this area.
The other part that I foresee being a trend in 2022 is all this talk about data protection, protection against ransomware. I believe that data protection as a service will be a big consideration. So data protection is one of the latest technologies to go down this path. And in general, it makes a lot of sense. If you look at it, the ‘as a service’ model has relatively been successful in many areas within the data centre. And enterprises are also constantly looking at new services ‘as a service’ that they can adopt. And their protection seems to be the next one on the line naturally, for few reasons. Data protection generally is often known to be extremely complex and resource heavy. And as workloads evolve from traditional on-prem workloads to cloud-based workloads, like SaaS, you know, all have been on hybrid, you have some on AWS, on Azure, and some on premise, it's increasingly difficult for the enterprise to keep up retooling the existing environments to accommodate these next generation workloads.
Second, the future of the workplace is likely from your living room, which may sound fantastic for the employees, but it introduces a massive nightmare or challenge the enterprise admins who are trying to protect data. Now they have to look at ways to secure these endpoints that were historically like I say, within the boundaries of your enterprise, how do you look at it differently? How do you reach out to these people that are sitting at home and protect them, like how you've always done? So data protection as a service helps eliminate all these challenges. By providing enterprises a utility-based model with zero upfront costs, zero upfront investment, and pretty much the ability to protect all these ever changing workloads. And not to mention the 10s and 1000s of endpoints and end users globally can be protected in a matter of hours. I mean, I'll give you a scenario. So we have a defence contractor that has employees, about 20,000 employees sitting globally. And they have exactly the same problem when the pandemic hit. How do I get these people to come in the office? That's not possible but then how do I get protection to them? Because of SAAS-based endpoint protection, we managed to get everybody protected in less than a day, because we're just pushing out data protection agents, and they were all backing up to their local instance of cloud. I think that's definitely going to change the landscape in 2022.
NA: I think so that gives us a very good perspective around how the data protection is shifting towards ‘as a service’ model. There is shift towards SAAS and cloud implementation with multiple providers and also expansion of endpoints for an institution and as a result, the expanded protection that they need today. So that's another challenge. We heard about the AI and ML application, and how these can facilitate better protection for institutions. We also heard about air gap as a technology. How financial institutions really need to rethink their security, data framework and data architecture in light of the various developments that are happening across the industry.
Thank you so much, Charles and Thomas for your insights.
This is a sponsored article and does not necessarily reflect the opinion of the publisher.