Allied Irish Bank (AIB) is deploying cloud products from Skyhigh Networks, a Cloud Access Security Broker, for the bank to monitor and secure cloud adoption across its IT estate. In the wake of high profile data breaches in banking, AIB also wanted to reassure customers by implementing new security policies to protect customer data in light of upcoming industry regulations such as the EU General Data Protection Regulation.
AIB is a retail, SME and corporate bank in Ireland, and cloud services are essential to its plans for growth due to ease of use, speed and flexibility. More than 630,000 customers use AIB’s mobile banking app every month, with cloud services also used for collecting biometric log in and contextual data of customers, as well as a multitude of internal business operations. AIB approached Skyhigh to identify its cloud services and their risks. In its initial assessment, Skyhigh identified a total of 2500 cloud services in use and ranked each service by its data, legal, business and compliance risk profile as a means of assessing and mitigating potential threats.
David Cahill, Security Strategy and Architecture Manager at AIB, said: “Protecting customer data is paramount to AIB. Times have changed, however, and cyber-security no longer ends at the network perimeter. Employees are using a multitude of cloud services in order to do their job more effectively, something that we need to embrace if we’re to stay competitive in an increasing agile and digital world. Our initial step into cloud adoption security was therefore driven by needing to improve visibility into exactly which services were being used and how.”
AIB already has a well-defined process to review and validate external IT services and partnerships. Its Remote Access Forum (RAF) meets monthly to review requests and authorise requests for external connections and data flows. It has a checklist of requirements, multiple steps for provisioning, and a team that reviews and validates all external connections and approves them for use. By identifying and analysing cloud services, Skyhigh’s platform is now used to inform the RAF steering committee, helping AIB streamline the decision process for adding cloud services to the approved list.
Cahill added: “We sanction services like Box because they offer extremely high levels of usability, service and security. However, it’s not enough to simply buy a licence, we need to ensure they are being used and being used responsibly. Skyhigh’s granular analysis of sanctioned IT means the right cloud services are being used for the right reasons. Something that’s easier said than done.”
AIB’s work with Skyhigh will continue, the firms say. For example, if an AIB employee attempts to use an unauthorised cloud service, it is not just blocked; it will inform the user saying why it’s unsafe and which app to use instead. Skyhigh’s granular analysis of AIB’s cloud network is also helping AIB refine its legacy IT infrastructure and experiment with advanced functionality such as cloud bursting.
Charlie Howe, VP EMEA at Skyhigh said: “The financial sector is incredibly highly regulated but I guarantee that every leading bank in the world is using thousands of cloud services. Whether or not they know it is another matter. AIB is a great example of how banks can embrace cloud services and take proactive steps to adopt them securely, rather than just saying no to everything. Employees will just find another service if you ban them from one they want to use, which could well be a greater risk.”
