CloudMask thinks differently in the secure cloud landscape.
The banking industry can enjoy total confidence and peace-of-mind
through CloudMask’s data protection services.
The economic value proposition of Software as a Service (SaaS) is undeniable. SaaS is disrupting industry after industry,
making accessible to sole proprietors and small businesses software functionality that historically required significant
investment in hardware, software, and annual maintenance fees. This, in turn, is making smaller players even more agile
and efficient than they used to be, allowing them to run competitive circles around larger or laggard players.
The good news is that rich software functionality is often available for less than $100 per month, enabling high levels of
business management and administrative efficiencies.
The bad news is that the tempting sky of cloud and SaaS computing is filled with thunderclouds of cybersecurity concerns.
Despite the best efforts of traditional cybersecurity experts, the adoption of cloud computing has been accompanied by an
ever-growing number of egregious data breaches. These breaches damage brands and drive up significant costs for
investigations, notification, and identity-theft protection for clients whose personal information has drifted into malicious
hands.
So, what’s going on? Why do even the largest enterprises struggle with securing their data? Wouldn’t the National
Security Agency be one of the most rigorous security practitioners in the world? What leaks have we not yet detected?
One thought leader at a major global cybersecurity consultancy explained it like this: “We’re trying to examine every packet
that flows across the perimeter of the network and notice IP addresses that don’t make sense. This is incredibly hard.
There’s a ridiculous amount of data, and we’ve entered an age where the network no longer has clear boundaries. We
really haven’t solved that problem.”
What is the problem?
The problem lies in the way traditional security thinkers have defined the problem. They’re working with a castle-and-moat
metaphor, where the internal network is protected with a set of security rings. Each ring, however, has costly hardware and
software searching for malevolent inbound and outbound data. But it’s like looking for needles in a haystack. And even if
security experts are successful at protecting the perimeter, there is little protection against insiders (employees or others
with access to the internal network).
Cashing in on the public
cloud with total confidence
CloudMask thinks differently.
We see the problem in simpler terms: protecting sensitive data and ensuring that only authorized users, using known
devices, can see data in the clear. We’re happy to let the traditional security experts work on their perimeters, knowing that
when they fail, our customers’ data remains secure. And, in contrast with products designed for big enterprises, we’ve
created a solution that can be installed, configured, and afforded by small businesses without IT staff.
The SaaS Security Problem – Simplified
SaaS applications use best-practice security protocols and rely on their cloud provider to secure the infrastructure on which
the application runs.
One vendor explains it this way: “We ensure that your communications are secure, using bank-grade 256-bit SSL
encryption. All of (our) infrastructure is hosted using physically secure, managed data centers that meet the rigid SSAE 16
specifications. Geo-redundant backups are performed multiple times per day, and site security and privacy are routinely
audited by respected third parties.”
By means of 256-bit SSL encryption, the connection between your browser or app and database servers is secured. When
you submit a query or update, the data is encrypted as it transits the internet. Once the data reaches the data center, it is
decrypted for insertion into the app’s database.
The data center itself (e.g., Amazon Web Services) has a rigorous set of security controls and protocols, so that only
employees with the proper identification and access passwords can physically or virtually access the servers holding the
application’s data. SSAE 16 is a standard according to which data centers are audited for their degree of compliance with
policy.
CloudMask provides the banking industry peace-of-mind in keeping their data
protected in the cloud.
Banks have always been targets for attack. The year 2011 appears to have been a critical tipping point for bank-related
cybercrime. Attacks grew at a rate of nearly 300 to 400% that year, and innovative attacks cost banks and customers a lot
of money. This page from the Cloud Security Alliance explains what is going on.
Even as banks fight hard to retain control, two major trends are shaping the banking industry:
• New technology companies are competing aggressively. Digital banks, e.g., Atom, Mondo, Monese and Starling,
challenge banks to revamp their infrastructure and offerings to better provide effective, secure and fast mobile
banking as part of a seamless, multi-channel service design. Banks are fast becoming virtual rather than high-street
entities, though many customers still seek the peace-of-mind of interacting directly with experienced staff.
• Banks are consolidating. The American Banks Association forecasts more consolidation in 2016, a long-term trend
in the United States, with 4,810 fewer banks than in 1994. This is driven by (a) higher regulatory costs, (b) a
low-growth, low-interest-rate environment, and (c) innovation, all of which mean lower profitability versus pre-crisis levels.
A few large deals in 2015 include Key Corp’s acquisition of First Niagara, New York Community Bank’s acquisition
of Astoria Financial, and M&T’s acquisition of Hudson City.
In such an arena of competition and consolidation, traditional banks that have underinvested in technology stand to lose
regardless of their size; a McKinsey study shows that digital latecomers could see up to 35% of net profit eroded, while the
early adopters of technology may realize a profit of 40% or more.
Pressure from the press and regulators puts the banks at a crossroads to either adapt and invest now or cling to outdated
systems that could force the banks to fade away. The challenge for virtual banks is to humanize the digital banking
experience, e.g., providing physical comforts and agility. Digital convenience must include engaging customers in the
process.
Through targeted cloud migration, banks can centralize transactions, thus cutting costs and meeting high customer
expectations. The ability to add new business functionality quickly is a big plus. However, the solution must be highly resilient.
Cap Gemini & Microsoft forecast that 40% of banks will adopt cloud-based business applications like CRM, ERP, despite
concerns about data confidentiality, regulatory compliance and quality of services.
Complexity of laws and regulations characterizes banking in the United States, as can be seen by a long history of enacted
acts and standards: National Banking Act (1933), Riegle-Neal Interstate Banking and Branching Efficiency Act (1997),
Gramm-Leach-Bliley Act (1999), Federal Deposit Insurance Corporation Act (1991), Housing and Economic Recovery Act
(2008), Data Security Standards and state specific privacy laws. Apart from state agencies, the main banking regulators are
the Federal Reserve System, OCC, OTS, CFTC, FDIC and NCUA.
An ENISA report states the following major risks in the adoption of cloud technology:
• LOCK-IN: There are few tools, procedures, standard data formats and service interfaces that guarantee data,
application and service portability, making it tougher for a cloud customer to migrate from a cloud provider.
• ISOLATION FAILURE: Mechanisms separating storage, memory, routing and reputation between different tenants
(e.g., so-called guest-hopping attacks) are weak. This is a big fear with most banks as well as with their customers.
• REGULATORY RISKS: Achieving certification is difficult because the cloud provider will need to provide proof of
compliance.
• INSIDER THREATS: There will always be fear of insider attacks. There have been several cases where bank
employees have abused their privileges and defrauded banks.
• DATA PROTECTION: Banks cannot effectively check data-handling practices of cloud providers, especially when
multiple transfers of data occur between federated clouds. True and timely wiping of data also can be prevented by
extra copies of data stored but not available.
While data at rest can be secured by encryption, most applications cannot handle the encrypted data. The risk of data
exposure is highest when data is decrypted prior to processing. At this stage, criminal access to the data by a hacker can
lead to serious ramifications – financial losses, legal consequences and loss of reputation.
The solution is a protection mechanism that understands various components of data and protects the elements specifically
so that processing does not require all the data to be decrypted at the same time.
If you think the solution is not to use cloud, think again.
The concerns outlined above have caused many organizations to have misgivings about adopting cloud-based solutions,
presuming that an on-premise solution (a server running in your office) is safer. Unfortunately, that is not the case. Your
office or server room isn’t nearly as secure as an access-controlled data center.
CloudMask: a silver lining for SaaS
CloudMask addresses these vulnerabilities in a way that enables executives to immunize their firms against data
breaches, differentiate by offering highly secure data management and communications, and use economical cloud
services with confidence.
CloudMask can provide SaaS users with an easy-to-install browser extension that automatically masks sensitive data
before it enters the 256-bit encryption channel to the data center. When that data arrives at the data center where the
256-bit protection ends, CloudMask data stays masked.
This process also works in reverse, as in the case when the user requests sensitive data. Here the masked data is
double-encrypted as it moves through the secured communications channel. When it arrives in the browser, the 256-bit encryption
is removed, and CloudMask seamlessly unmasks to present the data in the clear.
Alongside controlling users and their access rights, practice management account owners/administrators have the capacity
to select specific fields to be masked. Not all data needs to be masked and protected, but data categorized as sensitive
personal data, personally identifying, or otherwise confidential, can be selected for automated, seamless masking and
unmasking.
From a functional perspective, CloudMask resolves the concerns that executives
might have with respect to using SaaS applications.
1. Each user authorized to access the SaaS account installs a CloudMask browser extension that is activated through a
simple process generating the personal, private and public keys required for the encryption process. What’s more, the
extension can be installed on multiple personal devices, each of which is personalized with a private key. Thus, even if a
username and password are somehow compromised, which under normal circumstances would allow anyone anywhere in
the world to log into the account and see data in the clear, the unauthorized user cannot do so without access to the
specific devices configured with the personalized browser extension.
2. The data stored under care of the data center remains masked while at rest or in motion. Neither the practice
management SaaS vendor nor CloudMask administrators nor data center administrators have keys that can be used to
unmask the data. If the data center suffers a breach (e.g., an unauthorized insider penetrates the database, or a
government agency serves a National Security Letter), data the user has designated as sensitive remains protected.
3. The data stored under care of the data center is masked in such a way (“tokenization”) that anonymizes what was
previously sensitive data. Thus, even if that data is stolen, it is no longer considered sensitive personal information or
personally identifying information, so it is excluded under data protection regulations or requirements. In other words,
breaches of systems holding tokenized data do not trigger the costly response and remediation efforts associated with
breaches of systems holding sensitive personal information.
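The flow described above (selected fields masked on the device before the record enters the transport channel, and unmasked only on a device holding an enrolled private key) can be sketched as follows. This is an added illustration, not CloudMask's code: the function names, the "msk:" prefix, the "_keys" property and the sample record are assumptions, and it uses generic hybrid encryption (AES-256-GCM per record, RSA-OAEP key wrapping per device) rather than the product's own masking or tokenization format.

```javascript
// Added illustration, not CloudMask's code. All names below are hypothetical.
const crypto = require('node:crypto');

const PREFIX = 'msk:'; // marks a field value as masked (assumed convention)
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each authorized device generates its own key pair; the private key stays on it.
function enrollDevice(deviceId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { deviceId, publicKey, privateKey };
}

// Mask only the administrator-selected fields. Everything else stays in the
// clear so the SaaS application can still process it.
function maskRecord(record, sensitiveFields, devices) {
  const dataKey = crypto.randomBytes(32); // fresh AES-256 key for this record
  const masked = { ...record, _keys: {} };
  for (const field of sensitiveFields) {
    if (!(field in record)) continue;
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
    cipher.setAAD(Buffer.from(field, 'utf8')); // bind ciphertext to its field name
    const ct = Buffer.concat([cipher.update(String(record[field]), 'utf8'), cipher.final()]);
    masked[field] = PREFIX + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  }
  // Wrap the record key once per enrolled device; only public keys are needed here.
  for (const d of devices) {
    masked._keys[d.deviceId] =
      crypto.publicEncrypt({ key: d.publicKey, ...OAEP }, dataKey).toString('base64');
  }
  return masked; // this object is what travels over TLS and is stored server-side
}

// Unmasking needs the private key of a device the record key was wrapped for.
// A valid username and password alone are not enough.
function unmaskRecord(masked, device) {
  const wrapped = masked._keys && masked._keys[device.deviceId];
  if (!wrapped) throw new Error('device is not enrolled for this record');
  const dataKey = crypto.privateDecrypt(
    { key: device.privateKey, ...OAEP }, Buffer.from(wrapped, 'base64'));
  const clear = {};
  for (const [field, value] of Object.entries(masked)) {
    if (field === '_keys') continue;
    if (typeof value !== 'string' || !value.startsWith(PREFIX)) {
      clear[field] = value; // field was never masked
      continue;
    }
    const raw = Buffer.from(value.slice(PREFIX.length), 'base64');
    const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(field, 'utf8'));
    decipher.setAuthTag(raw.subarray(12, 28));
    // final() throws if the ciphertext was altered or moved to another field
    clear[field] = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
  }
  return clear;
}

// Constructed sample data, not taken from any real system.
function demo() {
  const laptop = enrollDevice('laptop');
  const phone = enrollDevice('phone');
  const record = { customer: 'Constructed Customer', accountNumber: '000123456789', branch: 'Main St' };
  const stored = maskRecord(record, ['customer', 'accountNumber'], [laptop, phone]);
  return { stored, onPhone: unmaskRecord(stored, phone) };
}

console.log(JSON.stringify(demo(), null, 2));
```

In this sketch the stored record leaks which fields are masked and roughly how long their values are, and the SaaS application cannot search or sort on masked fields, which is the trade-off that field selection controls.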
The Technical Story
A separate e-book explains the technical details behind this process and the software that automates it, as well as
describing the benefits of encrypting and tokenizing data, which we collectively refer to as “masking.” The e-book also
provides a brief explanation of the well-established public/private key methods used by the encryption process.
Grounded Confidence
CloudMask is unique in having its “CloudMask engine” certified through a Common Criteria for Information Technology
Security Evaluation (Common Criteria) process, which is used by twenty-six federal governments to evaluate security
products for their own use.
The process of independent evaluation assesses whether a product’s functional claims live up to the way it is coded and
performs. Many products claim to be “bank-grade” or “military-grade,” both of which are subjective assessments.
CloudMask is the only data-masking product capable of working with SaaS offers to achieve Common Criteria certification.
More expensive competitors like Cipher Cloud and Ionic have not achieved such objective criteria. Technical advisors can
access CloudMask’s Common Criteria Assessment here.
GET CLOUDMASK
It’s easy to get started with CloudMask. Visit www.cloudmask.com


Cashing in on the public cloud with total confidence

  • 1. CloudMask thinks differently in the secure cloud landscape. The banking industry can enjoy total confidence and peace-of-mind through CloudMask’s data protection services. The economic value proposition of Software as a Service (SaaS) is undeniable. SaaS is disrupting industry after industry, making accessible to sole proprietors and small businesses software functionality that historically required significant investment in hardware, software, and annual maintenance fees. This, in turn, is making smaller players even more agile and efficient than they used to be, allowing them to run competitive circles around larger or laggard players. The good news is that rich software functionality is often available for less than $100 per month, enabling high levels of business management and administrative efficiencies. The bad news is that the tempting sky of cloud and SaaS computing is filled with thunderclouds of cybersecurity concerns. Despite the best efforts of traditional cybersecurity experts, the adoption of cloud computing has been accompanied by an ever-growing number of egregious data breaches. These breaches damage brands and drive up significant costs for investigations, notification, and identity-theft protection for clients whose personal information has drifted into malicious hands. So, what’s going on? Why do even the largest enterprises struggle with securing their data? Wouldn’t the National Security Agency be one of the most rigorous security practitioners in the world? What leaks have we not yet detected? One thought leader at a major global cybersecurity consultancy explained it like this: “We’re trying to examine every packet that flows across the perimeter of the network and notice IP addresses that don’t make sense. This is incredibly hard. There’s a ridiculous amount of data, and we’ve entered an age where the network no longer has clear boundaries. We really haven’t solved that problem.” What is the problem? 
The problem lies in the way traditional security thinkers have defined the problem. They’re working with a castle-and-moat metaphor, where the internal network is protected with a set of security rings. Each ring, however, has costly hardware and software searching for malevolent inbound and outbound data. But it’s like looking for needles in a haystack. And even if security experts are successful at protecting the perimeter, there is little protection against insiders (employees or others with access to the internal network). Cashing in on the public cloud with total confidence
CloudMask thinks differently. We see the problem in simpler terms: protecting sensitive data and ensuring that only authorized users, using known devices, can see data in the clear. We’re happy to let the traditional security experts work on their perimeters, knowing that when they fail, our customers’ data remains secure. And, in contrast with products designed for big enterprises, we’ve created a solution that can be installed, configured, and afforded by small businesses without IT staff.

The SaaS Security Problem – Simplified

SaaS applications use best-practice security protocols and rely on their cloud provider to secure the infrastructure on which the application runs. One vendor explains it this way: “We ensure that your communications are secure, using bank-grade 256-bit SSL encryption. All of (our) infrastructure is hosted using physically secure, managed data centers that meet the rigid SSAE 16 specifications. Geo-redundant backups are performed multiple times per day, and site security and privacy are routinely audited by respected third parties.”

By means of 256-bit SSL encryption, the connection between your browser or app and database servers is secured. When you submit a query or update, the data is encrypted as it transits the internet. Once the data reaches the data center, it is decrypted for insertion into the app’s database. The data center itself (e.g., Amazon Web Services) has a rigorous set of security controls and protocols, so that only employees with the proper identification and access passwords can physically or virtually access the servers holding the application’s data. SSAE 16 is a standard according to which data centers are audited for their degree of compliance with policy.

CloudMask provides the banking industry peace-of-mind in keeping their data protected in the cloud.

Banks have always been targets for attack. The year 2011 appears to have been a critical tipping point for bank-related cybercrime. Attacks grew at a rate of nearly 300 to 400% that year, and innovative attacks cost banks and customers a lot of money. This page from the Cloud Security Alliance explains what is going on.

Even as banks fight hard to retain control, two major trends are shaping the banking industry:

• New technology companies are competing aggressively. Digital banks, e.g., Atom, Mondo, Monese and Starling, challenge banks to revamp their infrastructure and offerings to better provide effective, secure and fast mobile banking as part of a seamless, multi-channel service design. Banks are fast becoming virtual rather than high-street entities, though many customers still seek the peace-of-mind of interacting directly with experienced staff.
• Banks are consolidating. The American Banks Association forecasts more consolidation in 2016, a long-term trend in the United States, with 4,810 fewer banks than in 1994. This is driven by (a) higher regulatory costs, (b) low-growth, low-interest-rate environment, and (c) innovation, all of which mean lower profitability versus pre-crisis levels. A few large deals in 2015 include Key Corp’s acquisition of First Niagara, New York Community Bank’s acquisition of Astoria Financial, and M&T’s acquisition of Hudson City.

In such an arena of competition and consolidation, traditional banks that have underinvested in technology stand to lose regardless of their size; a McKinsey study shows that digital latecomers could see up to 35% of net profit eroded, while the early adopters of technology may realize a profit of 40% or more. Pressure from the press and regulators puts the banks at a crossroads to either adapt and invest now or cling to outdated systems that could force the banks to fade away. The challenge for virtual banks is to humanize the digital banking experience, e.g., providing physical comforts and agility. Digital convenience must include engaging customers in the process.
Through targeted cloud migration, banks can centralize transactions, thus cutting costs and meeting high customer expectations. The ability to add new business functionality quickly is a big plus. However, the solution must be highly resilient. Cap Gemini & Microsoft forecast that 40% of banks will adopt cloud-based business applications such as CRM and ERP, despite concerns about data confidentiality, regulatory compliance and quality of services.

Complexity of laws and regulations characterizes banking in the United States, as can be seen by a long history of enacted acts and standards: National Banking Act (1933), Riegle-Neal Interstate Banking and Branching Efficiency Act (1997), Gramm-Leach-Bliley Act (1999), Federal Deposit Insurance Corporation Act (1991), Housing and Economic Recovery Act (2008), Data Security Standards and state-specific privacy laws. Apart from state agencies, the main banking regulators are the Federal Reserve System, OCC, OTS, CFTC, FDIC and NCUA.

An ENISA report states the following major risks in the adoption of cloud technology:

• LOCK-IN: There are few tools, procedures, standard data formats and service interfaces that guarantee data, application and service portability, making it tougher for a cloud customer to migrate from a cloud provider.
• ISOLATION FAILURE: Mechanisms separating storage, memory, routing and reputation between different tenants (e.g., so-called guest-hopping attacks) are weak. This is a big fear with most banks as well as with their customers.
• REGULATORY RISKS: Achieving certification is difficult because the cloud provider will need to provide proof of compliance.
• INSIDER THREATS: There will always be fear of insider attacks. There have been several cases where bank employees have abused their privileges and defrauded banks.
• DATA PROTECTION: Banks cannot effectively check data-handling practices of cloud providers, especially when multiple transfers of data occur between federated clouds. True and timely wiping of data also can be prevented by extra copies of data stored but not available.

While data at rest can be secured by encryption, most applications cannot handle the encrypted data. The risk of data exposure is highest when data is decrypted prior to processing. At this stage, criminal access to the data by a hacker can lead to serious ramifications: financial losses, legal consequences and loss of reputation. The solution is a protection mechanism that understands various components of data and protects the elements specifically so that processing does not require all the data to be decrypted at the same time.

If you think the solution is not to use cloud, think again.

The concerns outlined above have caused many organizations to have misgivings about adopting cloud-based solutions, presuming that an on-premise solution (a server running in your office) is safer. Unfortunately, that is not the case. Your office or server room isn’t nearly as secure as an access-controlled data center.

CloudMask: a silver lining for SaaS

CloudMask addresses these vulnerabilities in a way that enables executives to immunize their firms against data breaches, differentiate by offering highly secure data management and communications, and use economical cloud services with confidence.

CloudMask can provide SaaS users with an easy-to-install browser extension that automatically masks sensitive data before it enters the 256-bit encryption channel to the data center. When that data arrives at the data center where the 256-bit protection ends, CloudMask data stays masked. This process also works in reverse, as in the case when the user requests sensitive data. Here the masked data is double-encrypted as it moves through the secured communications channel. When it arrives in the browser, the 256-bit encryption is removed, and CloudMask seamlessly unmasks to present the data in the clear.
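
The masking flow described above, as an added example that is not CloudMask's code and not part of the original page: fields designated sensitive are encrypted on the client before the record enters the TLS channel, so the provider only ever stores masked values. AES-256-GCM, the single symmetric per-device key (standing in for the public/private key scheme the page mentions) and the "msk1:" marker are assumptions made for illustration.

```javascript
// Added illustration, not CloudMask's code. Assumptions: AES-256-GCM, a symmetric
// per-device key, and the "msk1:" marker are all hypothetical choices.
const nodeCrypto = require('node:crypto');
const MASK_PREFIX = 'msk1:';

// Encrypt one field value. The field name is bound as AAD so a masked value
// moved into a different field fails authentication on unmask.
function maskField(deviceKey, name, value) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deviceKey, iv);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const ct = Buffer.concat([cipher.update(String(value), 'utf8'), cipher.final()]);
  return MASK_PREFIX + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function unmaskField(deviceKey, name, masked) {
  const raw = Buffer.from(masked.slice(MASK_PREFIX.length), 'base64');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', deviceKey, raw.subarray(0, 12));
  d.setAAD(Buffer.from(name, 'utf8'));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Mask only the fields designated sensitive; everything else stays in clear.
function maskRecord(deviceKey, record, sensitiveFields) {
  const out = {};
  for (const [name, value] of Object.entries(record)) {
    out[name] = sensitiveFields.has(name) ? maskField(deviceKey, name, value) : value;
  }
  return out;
}

// Unmask what this device's key can open; anything else is returned still masked.
function unmaskRecord(deviceKey, stored) {
  const out = {};
  for (const [name, value] of Object.entries(stored)) {
    out[name] = value;
    if (typeof value === 'string' && value.startsWith(MASK_PREFIX)) {
      try { out[name] = unmaskField(deviceKey, name, value); } catch { /* stays masked */ }
    }
  }
  return out;
}

// Constructed sample data: what the provider would hold after the TLS channel ends.
const SENSITIVE = new Set(['name', 'account_number']);
const sample = { name: 'Jane Example', account_number: '000123456789', branch: 'Main St' };
const enrolledDeviceKey = nodeCrypto.randomBytes(32);
const storedAtProvider = maskRecord(enrolledDeviceKey, sample, SENSITIVE);
```

Fields left in the clear stay searchable and sortable by the SaaS application, while masked fields are opaque to it, which is why the selection is made per field.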
Alongside controlling users and their access rights, practice management account owners/administrators have the capacity to select specific fields to be masked. Not all data needs to be masked and protected, but data categorized as sensitive personal data, personally identifying, or otherwise confidential, can be selected for automated, seamless masking and unmasking.

From a functional perspective, CloudMask resolves the concerns that executives might have with respect to using SaaS applications.

1. Each user authorized to access the SaaS account installs a CloudMask browser extension that is activated through a simple process generating the personal, private and public keys required for the encryption process. What’s more, the extension can be installed on multiple personal devices, each of which is personalized with a private key. Thus, even if a username and password are somehow compromised, which under normal circumstances would allow anyone anywhere in the world to log into the account and see data in the clear, the unauthorized user cannot do so without access to the specific devices configured with the personalized browser extension.
2. The data stored under care of the data center remains masked while at rest or in motion. Neither the practice management SaaS vendor nor CloudMask administrators nor data center administrators have keys that can be used to unmask the data. If the data center suffers a breach (e.g., an unauthorized insider penetrates the database, or a government agency serves a National Security Letter), data the user has designated as sensitive remains protected.
3. The data stored under care of the data center is masked in such a way (“tokenization”) that anonymizes what was previously sensitive data. Thus, even if that data is stolen, it is no longer considered sensitive personal information or personally identifying information, so it is excluded under data protection regulations or requirements. In other words, breaches of systems holding tokenized data do not trigger the costly response and remediation efforts associated with breaches of systems holding sensitive personal information.

The Technical Story

A separate e-book explains the technical details behind this process and the software that automates it, as well as describing the benefits of encrypting and tokenizing data, which we collectively refer to as “masking.” The e-book also provides a brief explanation of the well-established public/private key methods used by the encryption process.

Grounded Confidence

CloudMask is unique in having its “CloudMask engine” certified through a Common Criteria for Information Technology Security Evaluation (Common Criteria) process, which is used by twenty-six federal governments to evaluate security products for their own use. The process of independent evaluation assesses whether a product’s functional claims live up to the way it is coded and performs. Many products claim to be “bank-grade” or “military-grade,” both of which are subjective assessments. CloudMask is the only data-masking product capable of working with SaaS offers to achieve Common Criteria certification. More expensive competitors like Cipher Cloud and Ionic have not achieved such objective criteria. Technical advisors can access CloudMask’s Common Criteria Assessment here.

GET CLOUDMASK

It’s easy to get started with CloudMask. Visit www.cloudmask.com