This week on Breaking Banks Jason Henrichs hosts John Weinkowitz from our sponsor Finastra and Tom Feher from Microsoft to discuss Finastra’s pinnacle core, Fusion Phoenix. Tom and John explore how Microsoft’s Azure Cloud has enabled Finastra to lead the pack in utilizing the cloud to help banks innovate faster and more efficiently. Then, stay tuned as Jason Henrichs speaks to, Sherri Davidoff CEO of LMG Security, about security challenges faced by industries on the bleeding edge of technology. Sherri explains how financial institutions can elevate innovation efforts while also remaining secure.
Show Hosts:
Jason Henrichs
Show Guests:
Sherri Davidoff CEO of LMG Security
Tom Feher from Microsoft
John Weinkowitz from Finastra
Sponsored by Finastra
TOPICS DISCUSSED:
[3:20] How has Finastra embraced cloud technology and how have they leveraged it to make it easy for banks?
[3:50] Why did Finastra go all-in on cloud computing technology?
[6:17] Were the bigger banks the first to invest in cloud technology and is the playing field being leveled by fintechs?
[10:15] Are we seeing a large number of banks considering migrating to the cloud since the COVID19 crisis?
[13:02] Customers are increasingly demanding self-service features from their financial institutions.
[17:20] Banks are getting really smart about security as they open up to new opportunities and partnerships.
[20:00] Finastra customers are realizing the value of KYI, plug and play technologies, and the importance of actionable data.
[23:30] Leveraging data to lower risk and find new opportunities is of value for Finastra clients.
[29:43] Jason makes the point just because you can physically touch a server does not mean it’s more secure.
[31:20] Sherri explains that the cloud has both the ability to be secure and insecure. It’s important to vet your provider.
[36:00] Sherri discusses two-factor identification in detail.
[41:45] Would it make sense to have hardware tokens?
[42:20] Is regulation keeping up with how banks view cybersecurity and technology?
[48:02] Security assessments are valuable in today’s climate for organizations and consumers.
RESOURCES MENTIONED:
Microsoft
Azure
Finastra
Zelle
Lyft
Uber
LMG Security
Verizon
ATT TMobile
Breaking Banks is the #1 global fintech radio show and podcast. Tune in every week for a look at how technology and customer behavior will bring about more changes in banking in the next 10 years, than in the last 200 years. Subscribe at Provoke.fm or wherever you get your podcasts.
Announcer:
Financial technology or fintech is one of the fastest growing industries in the world today with New York, London, Tel Aviv, Edinburgh, Singapore, Moscow, and other major cities all buy in for a piece of the action. Welcome to Breaking Banks; the first dedicated radio show that focuses on how this new boom is changing everything from the way we bank to the very concept of money itself. Now, here’s your host, Jason Henrichs.
Jason Henrichs:
Today on the show, talking about cloud, specifically financial services in the cloud. Now, historically, when we bring up cloud within financial services, the debate can take on religious proportions. Tech evangelists sing the praises of the architecture, compliance departments scream it’s not secure, IT departments feel more scared when they can physically go hug that box that’s running code in the cage. Until recently, I think everyone felt more secure when remote access was locked down. Now, current circumstances can show that if everyone has to come into the bank in order to operate the system, well, there’s just some limitations attached to that. Today on the show, John Weinkowitz, GM of retail and head of product strategy for community markets at Finastra in Palm Bay or West region financial services industry director at Microsoft. Talk about banking in the cloud. Tom, do you have a special fold-out on your card to get that whole title on?
Tom:
Actually, since that I become the US banking industry director, so it would just keep making it easier for-
Jason Henrichs:
Man, yeah, just keep shortening that one. To beat the industry in broad strokes and say that we’re anti-cloud, I think does it a disservice. Research from Cornerstone Advisors last year showed that an overwhelming majority of banks are thinking about cloud and developing a cloud strategy. After the report came out, Ron Shevlin of Cornerstone and I discussed on the show, that same overwhelming majority had done relatively little to execute or mature that strategy. Now, Finastra’s pinnacle core, Fusion Phoenix is now on Microsoft’s Azure cloud, and as far as I know, you are the only incumbent core that isn’t just using public cloud. You’ve gone all in and are leading the way in how you’re using public cloud to actually open up the core, something that’s been literally locked down to the bane of the existence of many banks, especially the community banks for a long time.
Jason Henrichs:
I guess I’d ask, did I characterize that correctly? Tom, you look broadly across the industry. This isn’t meant to be just the Finastra show, but it really looks like of the incumbents, you’re the first that really said, no, we’re not just going to embrace, we’re going all in and charging ahead.
Tom:
Yeah. Well, so the first thing I would say when we look at what Finastra has done is not just embrace cloud, but everything from the key areas where clients are really needing the assistance in health. If you think about what they’ve done with in the payments platform and putting real time payments out there on our cloud, what they’ve done with mortgage bot and helping clients on the front end and leveraging our dynamics cloud to be able to do that. And now, what they’re doing with Phoenix and how they’re bringing that forward in the main core. I mean, they’re really making it easier for banks, then you wrap all that with what they’ve done with FusionFabric, and it’s really allowing banks to compete at a whole new level and really taking a lot of the heavy lifting out for them to make it easier. So yeah, I would definitely call that all in.
Jason Henrichs:
All in? John, what made Finastra decide to make that all in bet? Rarely do we see across the board, whether it’s on the tech side of it or the banks and fintechs themselves, do we see the let’s push all the chips to black, but clearly Finastra said, “No, strategically, this is really important to drive that forward.” What made you make that choice?
John:
For us in many ways, it was a pretty straight forward, easy decision from this perspective, is more so for our company, not all hardware company, we’re a software company. And specifically, we’re a SAS software company. So, we are focused very heavily on delivering multitenant solutions, delivering things at scale, delivering software services that can be upgraded on a consistent basis. We don’t get into this and minus five world where customers are running all versions of software, the recognition that, hey, we’re a software company and we need to scale, our customers need the latest and greatest, and the market’s going in that direction from an innovation perspective, meaning that, as Tom said, if we look at FusionFabric.cloud and Azure, and we look at Phoenix and Azure, and we look at the open finance fintech market … Phoenix has always been open. We’ve always been really open. We’ve had 240 APIs and 62 end points in our platform, but what we’ve done is take it to the next level.
John:
And when you go to Azure, you get scalability, reliability, you get performance, but you get innovation enablement at a speed we couldn’t do before. Whether it’s us developing mortgage data insights solutions in 90 days, or allowing a fintech to develop an app in 90 days and deploy it to a customer.
Jason Henrichs:
With all of the benefits that you just described, you’d think that those were at a relative disadvantage in operating themselves, would find that scalability, reliability and ability to build on top of it, very attractive. Tom, I’m curious from your perspective, having followed the industry for so long … what? 17 years with Microsoft alone? Looking at this space, it looks to me, having pulled this space, that it was actually the big banks that were the first engages. Is that a fair characterization?
Tom:
Yeah, it is. Well, if you just think about Jason as we go back over that time, it was the big banks that had the back room where they could have the extra technology investments and invest head of the curve. I think the difference that we’ve seen happen as a result of the cloud is it’s really leveling the playing field, and it’s really allowing the mid tiers and regionals and community banks and credit unions to really step up and really be able to bring to market, capabilities in the past. They just didn’t have the budget to be able to deliver on, and nor the ability to make those investments. Now, we’re able to work with Finastra and be able to, in our platform, and really be able to leverage that technology to really enable their employees to be more productive, enable them to better serve clients and really bring new solutions to market and be innovative and compete at an innovative level with the larger players.
Jason Henrichs:
John, I’m curious, when you look at what change, community banks have long been reticent to adopt, they either have a naysayer internally, it might be the CSO, it might be compliance, what’s changed now that a community bank would be looking at and willing to adopt a public cloud as part of their solution?
John:
Yeah. It’s interesting because I think the change factors have been really accelerated in a post COVID-19 world. But generally, I look at three areas, one is the competitive landscape. Banks just aren’t in credit unions, just aren’t competing against each other, they’re competing against non-banks. And in many ways, they’re competing for relevance at a brand level, right? Customers have the same expectations of their bank as they do wayfair.com. There’s a need for those competitive and the consumer expectations. The behaviors changed with our customers, so how do we create engagement in ways that we haven’t before? And the third one, which I don’t think gets talked about a lot is the business model exchange. We have branch transformation, we’ve got distribution models changing, we have fintech lending that’s being part of the standard portfolio, and from a long growth perspective, we’re starting to see banks leverage fintechs and ways to originate even deposit accounts.
John:
Those demands require the right level of infrastructure and scale and innovation. That’s what I think our customers in the market in general are starting to see, is the value proposition to provide that right ROI and growth opportunity versus looking at it as a negative, it’s a compliance, it’s I don’t control it the way I used to perspective before. So, I think it’s that as changes, the ability for our customers to understand that … They’re just starting to understand the benefits more and realizing they need to go get them. Now, they’re looking at us to say, how are you helping us do that?
Jason Henrichs:
Well, and as we see the different parts of banking and commerce come closer and closer together, I’m glad you brought up the example of say a Wayfair, where you’d say, I don’t compete with Wayfair. Well, you do, because they’re setting a bar for the experience that you are now going to have to compete with. And no longer just on the consumer level, lo and behold, it turns out that people who work in businesses also use consumer applications and expect a certain level of ease, convenience data, and ability to get things done than they ever have before. The iPhone ruined us in terms of, I can do all sorts of things, and it’s easy. When I look at my three-year-old daughter and my 80 plus year old aunt, both can figure out FaceTime, the world of technology has changed. Tom, I’m curious from your perspective, how do you see the acceleration within digital and how does a community bank or a credit union monetize and leverage their data?
Tom:
Sure. I guess the first thing I would say is given the current times, the acceleration’s at an all time high. I mean, the first thing I would give you there, Jason is the number of banks that were even considering it given the time we’re going through now with COVID, and definitely are, and I think it’s really taken a lot of banks from the, we never will, or we’re going to someday soon, to we need to now. I think we’re seeing a real acceleration in [inaudible 00:10:24] we in two months, accelerated digital two years. It’s a very, very true statement when you think of it now. From that, the pieces that play into that as first and foremost in leveraging cloud in ways they never had, to be able to take care of remote scenarios. And these remote scenarios we’re going through now, won’t be short term, but long term, these scenarios, I think a lot of clients are going to adapt to more digital ways and digital usage and digital channels, and then from that, they’re going to expect that same level of experience across every channel.
Tom:
So, banks are going to need to really be able to do a good job of serving up their information real time and having those real time customer insights. And your ability to be able to do that, you need the infrastructure in the backend to be able to do that. Not only from the standpoint of data capabilities like we do with Azure data arc, but also from the core capabilities. Now, when you think before looking at core, you look at payments and what happened with things like Zelle and you go, wow, I could send money, it’s that quick and easy. Well, that used to be a nice to have option, now it’s the bar for cores in general, whether it be payments or the main core and, or just transactions that we go forward. And we’re going to continue to see that drive to digital, we’re going to see more digital banks pop up, and we’re also going to see more of the movement of active channels as banks move to reduce costs, but increase the service levels they provide clients to the convenience of the way the client wants to bank with the bank.
Jason Henrichs:
John, how would you respond to that? Is that what you’re hearing when you’re out talking to the market? Is this something that banks are beginning to really get their head around, especially the smaller institutions where, for the longest time, a smaller bank hasn’t felt the pressure from either the larger banks that aren’t in their branch footprint or from the fintechs that are bringing that convenience and that scalability and those new factors to them? Is this something you feel like, this is a ground swell change within how the industry thinks about the business it’s in?
John:
Yeah, I really do. And you can see that even when you talk to that FI’s that are out in rural areas, how important digital is and how much focus there is from those FIs as a whole. And it makes sense. To Tom’s point, we’ve had this emphasis on digital banking, but the pressures on our customers regardless of size are equal in many ways. And so, understanding how we can drive efficiencies in different channels and from the front office, the back office is super critical. If we go back to the talking point here for us, architecture matters. That’s why we’re all in with Azure because for us, we’ve created the right architecture that enables that innovation, particularly around data, which Tom hit on. And rather well is, it’s one thing to have a lot of data, it’s another thing to be able to take that data, embed it into your products and services, whether it’s customer facing them back off or back office and then help our customers drive their business forward.
John:
So, customers of all sizes and all geographies are saying, “Hey, how do you help me in the sales and servicing channels and digitizing that as well and transforming?”
Jason Henrichs:
One thing that I think often gets overlooked when adopting new technology and looking for this ROI is the investment that has to go on after implementation is done. That we don’t magically flip a switch, we did the core conversion and adopted a new technology, did a new integration with a fintech partner and it magically … we built it and they will come. Only works for Kevin Costner. So, when a bank of any size starts to think about making this change to both a level of openness and towards public cloud, what investment do they need to make on their side in order to be successful?
John:
Yeah. [inaudible 00:14:19] that first, right? I think it’s a great question. It’s not asked enough to demand, and you’re dead on. What I don’t think people realize enough or we don’t give enough emphasis to your point is to change impact that it has to your business. If you’re going to open up channels in ways that you haven’t before, you have to address the operational impact, is there an investment there I need to make, do I need to streamline some of my back offices so that I’m just not adding cost on the back while I open up new channels on the front? What’s my risk appetite? Fraud migrates to the path of least resistance, so you have to make sure you understand what the risk profile looks like in certain channels. And then, you have to think about staff and training. So, if the branch is changing to more of an advisory role, well, how are you enabling technology to have that shoulder to shoulder tablet conversation? Because it’s not the world we live in, where everyone waits in line and you give your envelope to the teller and they transact if you leave.
John:
You gotta think about change management, everything in your organization. And my recommendation always is the creative transformation process. Don’t try to open up 20% of your accounts online in year one. It’s likely unrealistic because the change impact will be too great. And again, with Phoenix, what we have is we have a platform and of course, we have a business and community markets, which allows our customers to transform. So, whether they’re starting a direct digital bank, we can help them, and then we can supplement that with analytics to help them understand what we’re doing. [inaudible 00:16:02] they’re moving more into the commercial segment. Well, Phoenix allows you the flexibility of retail versus commercial. So, understand where your transformation passion look like, make the right investment in the end to end organizational components so that you can be successful.
Jason Henrichs:
Well, Tom, what would you add to that? You see a lot of this and you’ve probably seen some go good, some not so good. What would you recommend?
Tom:
Yeah. One thing I would say is as they open up and they go forward with leveraging the cloud and a core scenario, and they go to do more open scenarios and third party partnerships, is making sure they put the right security measures and compliance measures in check. Because once you start doing businesses with third parties like that through to your clients, it opens up a whole new area that they need to factor in. I think that’s one area. And banks are getting really smart about what they need to be doing there. We try to, as a leader in security and compliance, put as much of that as we can into the platform for them, I think that’s an area that you’ll continue to see as they open up new partnerships and grow opportunities. The other area I would tell you is this area of the opportunity deep. You see more business liaison roles and more analyst roles being more productive to leverage those capabilities, the core and the data by doing these low code, no code scenarios, and we really see banks being able to innovate.
Tom:
I think that when I look at the cost factor and the focus, some of the stuff that you streamlined in the past for higher maintenance cost of your legacy systems, you’re now able to redeploy those sources and those budgets to the actual ability to be able to do these new low code scenarios and really generate new revenue streams for the bank and bring your services to market. I think that’s the opportunity here that really, as they go forward becomes the greatest part for them.
Jason Henrichs:
That’s a great jumping off to talk about what’s coming up in the future. What excites you both? Tom, why don’t you keep talking first, when you think about what’s coming down the line next that this opens up for a bank of all sizes, it’s the level playing field aspect that I think is most exciting, but what new advances technologically, does this idea of being in cloud and future-proofing your infrastructure by being on a provider that the N minus five has gone away. You’re always going to be on the current version, you’re always going to have APIs being implemented and opening up new systems and integrations. What excites you most about what that future could hold?
Tom:
I think the part that really excites me the most, I think is the element of really putting the focus back on the customer and really helping the customer achieve the journey that they’re looking to achieve, that proactively being there for the customer and this whole notion of the invisible bank, the bank that’s always there, always on, always with the client, helping them achieve their journey and goals, but really it’s truly invisible. You’re just a part of their daily life and how they act and integrate and go forward to achieve the goals they have. I think that that’s where we’re going. We’re going to that notion of an invisible bank down the road, and the technology powers that capability for the bank to just seamlessly be a part of an individual’s life and achieve their goals. It’s exciting [inaudible 00:19:10].
Jason Henrichs:
Well, it’s exciting again, but that also requires … I don’t know many banks that recognize the most powerful thing they can be is invisible. It’s an overused analogy, but I can’t think of a better one. But back in the day, when I used to travel every week, going to the airport and what’s the best part about paying the Lyft or Uber drivers, the fact that you don’t pay the Lyft or Uber driver, you get out. You’re not fumbling for a card with the bags, the payment has become invisible and that’s why it’s powerful. John, I’m curious, from your perspective, what’s coming down the path, that’s got you excited?
John:
Yeah. I think to add on to Tom’s point, who brought customer perspective, I think about our clients and financial institutions, is the ability to create a business strategy, I most call it plug and play. In this open world, we’re going to provide options. I mean, our customers are going to want to do [inaudible 00:20:13] different. And different providers are starting to pop up, and so our customers can start to tailor and customize in a very low friction way, how they build this invisible bank that we often speak of. I think the other side of it is that again, like I just said, we start to remove the friction, we create a really true best in breed platform and we can start plugging in different endpoints, but I just go back to data, the amount of data that we’ll be able to bring to light that’s actionable and insightful for our customers, to deliver that experience that Tom just mentioned about being relevant.
John:
I’m super excited about that because I think that that drives growth, that drives retention, that drives bottom line value for our customers in a very, very challenging environment. So I’m excited about what the future holds.
Jason Henrichs:
Well, and I’m glad you brought up the data piece because that’s thrown around almost a little too casually to say, data is the new oil and data’s the most valuable piece, and we’re going to turn around and make it actionable. But it does seem like that is one of the most important aspects of what cloud enables from both an access perspective and the ability to actually manipulate it and analyze it and mine it. Because it being in cloud, you’re going to be able to partner with AI providers and things like that. And then the last mile problem, which is, so now that I have it, what do I do with it? The kinds of partnerships that you’re able to build and plug into, that if you’re an on prem software solution, unless you have 300 engineers standing by, it really isn’t going to happen all that quickly. I am curious from your perspective, John, is that something that is actually becoming more mainstream and understood that with cloud, the ability to not just compete with a fintech startup, but maybe even do something cooler and better since you have the data, that’s actually an edge.
John:
Yeah. It is. And I think we moved from this conversation where we talked about data as actionable and insightful and engaging, and we’ll shake our head yes at the conferences, but we walk away saying, well, how do we actually do that? What does that actually mean. I describe it this way, Finastra builds online account opening software. We’re not in the marketing and acquisition and hunting business. But we’ve got a bunch of data, our partners have new ways that they’re looking at and identifying the right deposit opportunities for our customers, whether it is AI and ML based models to do digital buys or AI and ML based models that will help identify what the right influencer sites to be on. So, we can actually start to leverage data in a way to help our customers lower their acquisition costs. It’s a very real thing. Similarly, we have the ability to take new risk models that are much more advanced than what we would typically look at from a FICO perspective, start to ingest them in a collections module and really start to turbo charge revenue recovery in ways we couldn’t before.
John:
What I mean by that, it’s … in the collections businesses, it’s all about, where can I put my focus, what’s the best opportunity to recover revenue and how do I actually reach John, and what’s the best channel to do that? I’m not giving other second looks on credit cards, there’s a way of plugging in third parties there and use data. So, it’s becoming very tangible and real from a banking language perspective, and I think that’s where we’re at in the process. We no longer walk away confused.
Jason Henrichs:
Well, it’s time to take a short break, and after we come back from the break, we are going to have Sherry Davidoff, who teaches with me at Pacific Coast Banking school and is one of my favorite cybersecurity experts, talking about the cyber aspects of cloud. But before we go, John, if people want to read about your partnership with Microsoft around Azure or some of the things you’ve talked about, where should they go? What information is available to get smart on a move to cloud?
John:
Yeah. The best place to go is go to finastra.com/communitymarkets.
Jason Henrichs:
All right, that sounds good. That will also be appearing in our social, if you miss that, follow us at breakingbanks1, and you’ll see that in the show notes. Thank you both for taking time out of the day to share your thoughts on cloud and how it is transforming so much of the level playing field within financial services and banking.
Jason Henrichs:
What are you doing with your abundance of free time during the quarantine? If you’re like the team over at Breaking Banks and provoked.fm, I bet you thought you were going to get a whole lot accomplished only to jump into a task and find out you don’t have all the expertise you need. All kinds of hunting around, looking at YouTube videos, finding how tos and it still can take longer than you expect. Well, guess what? We turn to Fiverr repeatedly. We are big users of their platform, which helps you find on demand talent at a fraction of the cost and a fraction of the time that it can take you to do some of this yourself. Find that deep expertise you’re looking for. We use them, heck, even for our audio engineering, they help us with infographics. When I’m having trouble actually trying to sketch something out or develop a PowerPoint presentation, I use Fiverr expertise, hiring a freelancer that can do it, make it look so much more professional in a fraction of the time of what I can.
Jason Henrichs:
We highly recommend what Fiverr delivers. Searched by service, by deadline, price reviews. You’ll know exactly what you’re paying for upfront, no negotiation needed, and they serve for 24/7 customer service and help you ask for that, so you know that you’re going to have a great experience. Check out fiverr.com and receive 10% off your first order by using the code BREAKING. That’s Fiverr, F-I-V-E-R-R.com, code BREAKING. We’re big users, big believers. They will make your life so much better and so much easier. Fiverr.com, code BREAKING.
Announcer:
VoiceAmerica programs are now available on your favorite connected device, including Amazon, Alexa and Google home. To do streams with Apple podcasts tune in at iHeart radio. Listening to your favorite show is as easy as saying the show name followed by the word podcasts.
Announcer:
Hey, Alexa, play Finding Your Frequency Podcast.
Announcer:
If that doesn’t work, try adding on TuneIn or iHeart radio or on Apple podcasts.
Announcer:
When it comes to business, you’ll find the experts here, VoiceAmerica Business Network.
Announcer:
You’re listening to Breaking Banks, featuring your host, Jason Henrichs. To reach the show today, please call 1 866-472-5790. That’s 1 866-472-5790. Or join the conversation on Twitter by using the hashtag #BreakingBanks. Now, back to the program.
Jason Henrichs:
We’re with Sherry Davidoff, CEO of LMG Security, and we’re also on faculty together at Pacific Coast Banking School. Although, I guess I’m not going to get to see you this year, knock on wood, maybe we’ll see each other, at least be a zoom. [crosstalk 00:28:05]. Virtually, teaches cybersecurity to a bunch of bankers, and so happy whatever day it is in COVID world. Let’s just spice things up. Cloud is not secure, change my mind.
Sherry Davidoff:
That is, as we talked about, horse. Sorry. I said it, I mean, cloud security is a spectrum. It’s just like saying something is healthy or not healthy. There is no perfect security. And cloud providers, banks are naturally reticent to move to the cloud. They are late adopters. And that makes sense, because when you are on the bleeding edge of something, you’re dealing with issues with features, production issues, also security issues. So, it’s understandable that financial institutions do not want to be and should not be on the bleeding edge of technology. But that said, we are at the point where many cloud providers have mature and sophisticated programs that financial institutions can take advantage of and need to in order to stay current with the times and to provide their community with the features that they need, including very advanced security features. For example, cloud providers have the opportunity to spend all day every day 24/7, focusing on the security and performance of their one piece of cloud software. That is a possibility for many cloud providers.
Sherry Davidoff:
And if you were trying to run that in-house, that’s just one of many different things that your financial institution is trying to do.
Jason Henrichs:
And that’s the part that has always blown me away, is this idea that just because you could go touch the server if you wanted to, because it’s on prem and you can rattle the cage and test that is locked, doesn’t make it more secure than this person who is also responsible for most likely making sure the printer is also working, helping someone who locked themselves out of their computer, the VPNs down, or this host of things you said, let alone the complexity of cyber security, which is only getting more complex.
Sherry Davidoff:
Yeah. I don’t want to be able to touch my servers. I want my servers to be someplace super fancy, very high security with lots of redundancy and multiple power inputs and ethernet and internet inputs and all kinds of stuff. It’s totally fine for your data to be somewhere off site. If you’re going to put all your eggs in one basket, you’ve got to watch that basket. And if you’re going to put all your eggs in somebody else’s basket, you need to make sure that they’re watching that basket and probably get some reports on it, so you can provide proper oversight of the eggs in the basket watching, if that makes sense.
Jason Henrichs:
Well, then what you’re saying is hey, this is actually a fallacy and it’s a leftover to say the cloud is not secure, and in fact, the cloud is secure and we shouldn’t have to worry about it.
Sherry Davidoff:
No, that’s also horse. The cloud has the potential to be a secure option and the potential to be a very insecure option. So, if you are moving to the cloud, number one, you got to vet your cloud provider. There is a vast difference between cloud providers, and some of them are much more mature than others. You look at an organization like Microsoft that has some of the most advanced compliance capabilities in the entire world, and you compare them with some of our smaller or niche, more specialized startups that can’t even compare because they may not have even close to the amount of resources. So, it’s not necessarily the case that bigger is better, of course, but we have at LMG Security, my company, we have a checklist of things to look for when you’re vetting a cloud provider, everything from what country is your data located in? Don’t let that surprise you, to who has access to your data legally? Have you read those terms of service and is the data encrypted? How do you know? And if it’s encrypted, who has access to the encryption keys, things like that.
Sherry Davidoff:
So it is entirely possible to create technology, to use technology so that your data is secure in the cloud, but you have to verify that that is actually being done.
Jason Henrichs:
Yeah. The location is a much more subtle issue than I think people sometimes give it credit once you actually scratch the surface of that. Because while you might be working for, or working with a cloud provider that is based in one country, knowing where they’re mirroring data to, suddenly can open up your data to residing in other places because of the nature of how they run their co-location and the other parts of their business and jurisdictions and things like that.
Sherry Davidoff:
Absolutely. And there’s no guarantees. You might just assume, of course my data’s in the United States because the person I’m talking to is based in the United States, but don’t make those assumptions. And for example, researchers were evaluating Zoom’s cybersecurity recently. Some of you may have seen this in the news, and one of the things they discovered was a Zoom key server was located in Beijing, China. And so, that sent up a lot of red flags, especially for those of us in the security community, because they have very different laws and regulations with respect to privacy and monitoring than we do here in the United States. So, make sure you get it in writing, you understand where your data is going to be stored and don’t make assumptions.
Jason Henrichs:
What are the other things that are maybe more subtle on your checklist or non-obvious that people don’t think of immediately, especially as it relates to banks and fintechs, who probably worry most about some of the encryption standards, but they might miss some of the other more obvious things?
Sherry Davidoff:
Yeah. One of the big issues that comes up is terms of service. We see a lot of times people will upload things to Dropbox or stuff like that, and not realize that their default terms of service allow them to access your data. Google’s default terms of service for most of their free products actually allow them to publicly display and publicly perform your data. So, they could publicly perform your emails. I don’t know that they would want to, but they could make a ballet out of your emails apparently. So, you really have to make sure you understand the terms of service. Probably the biggest thing when it comes to cloud security though, is two factor authentication. Some of your users probably have heard that term, some of you may even use it, but we need to make sure that it is very easy for people to use it. We see organizations get hacked all the time because of the lack of two factor authentication. Jason, have you heard of the Florentine banker issue that came out recently?
Jason Henrichs:
I’ve heard of the Florentine banker. At first, it made me angry, thinking it was a new entree, but it was not. But I think that’s a great example to share for us.
Sherry Davidoff:
Yeah. The Florentine banker is an investigation that was published a few weeks ago by Check Point, and they found that there were private equity firms that had been targeted by organized crime groups. The groups broke into their email, it was Office365. Show of hands, how many of you use Office365? That’s a lot of us. It is the number one most popular-
Jason Henrichs:
Especially in banking.
Sherry Davidoff:
Yeah, number one most popular email system in the world, and they have very advanced security capabilities. But the Florentine banker, they were setting things up to intercept people’s emails and ultimately transfer over $1 million. They were able to get some of that money back when this was busted, but not all of it. They lost about half of it. The thing is that this is not an isolated incident. For those of us who are in cybersecurity, we see cases like this every single day. I mean, to be honest, I was shocked that it made the news, because 99.9% of these cases, nobody’s calling the news saying, by the way, I lost a bunch of money. It doesn’t happen. But this hits banks all the time, this hits financial institutions all the time. And we need to make sure that we are guarding our email. It is in the cloud. And guys, all you need to do is turn on two factor authentication, click that little button, two factor authentication, use your phone and hit yes, I’ve logged in, or hey, actually no, that wasn’t me. Two factor authentication will save you a lot of money.
Jason Henrichs:
Do you recommend the phone based two factor authentication, or what else for … especially for banks and fintechs?
Sherry Davidoff:
I do. And to back up, to authenticate someone of course, means to verify their identity. And in cybersecurity, we say that there’s three ways to verify someone’s identity with something you know like a password, something you have, like your phone, or like one of those little tokens, and something you are, like a fingerprint or a facial recognition thing. So something you know, something you have, something you are. When we talk about two factor authentication, we mean combining two of these different factors. So, if something you know with, a token or an app on your mobile phone. If you’re combining something you know like a password with something else you know, like your mother’s maiden name, in my mind, that is not super secure. And if you’re not using two factor authentication, you’re just using a password, passwords are dead to me. They get stolen so often, they’re just out the door right away, so you want to make sure that you’re using a second factor in addition. I’ll pause here, and then I promise to answer your question.
Jason Henrichs:
Well, I mean the two factor, this is, I think the nature of security in general. When I was a venture capitalist, I remember learning this when I was investing in the security space, was especially within financial institutions, we tend to buy the highest security we can, but then we implement the lowest security we can because of the inconvenience factor, as it relates to it. I think of the two factor training people to have to do two factors. Getting them not to keep their passwords on a sticky under their keyboard is challenging enough, now you’re inserting a second factor.
Sherry Davidoff:
Well, we use two factor authentication all the time in banking. I mean, when’s the last time you used your ATM card and you took money out of the ATM without a pin?
Jason Henrichs:
Yeah, that’s true.
Sherry Davidoff:
That would be crazy. But when ATM first came out, a lot of them did not have pins. This was back in the late ’60s, early ’70s. Until 1977, a lot of ATMs did not have pins. And nowadays, if your bank was like, well, we don’t want to inconvenience you, we’re not going to put a pin on your ATM card. You think, that’s not a good idea. So humans-
Jason Henrichs:
We’re not going to inconvenience you by locking the bank fault either.
Sherry Davidoff:
Yeah, exactly. In another five years, we’re going to look back and be like, wow, it was crazy that we didn’t have two factor authentication that we were worried about customers accepting it. Because you have to, the fraud is rampant. It’s for customer protection and it’s for the bank’s protection. But anyway, back to email, so much money is stolen because people have access to email. And a lot of people don’t even realize how valuable your email can be. When you set up two factor authentication, you absolutely want to use something like an app on your phone, and the thing to avoid is text messages. Do not rely on text messages. Have you heard of SIM jacking?
Jason Henrichs:
Oh yes. Oh yes. Well, I mean, there was just a couple of reported cases over the last few weeks that it seems like the criminals who are stuck in quarantine are using their time well, as they’re getting bored or doing it at an increasing scale.
Sherry Davidoff:
Yeah, absolutely. They’re calling up Verizon or AT&T or T-Mobile, and they’re pretending that you’ve got a new phone and they’re redirecting all of your text messages to their phones, and then poof, they can log into your bank account. And there’s other ways that cell phones can get hacked. Your text messages are not encrypted. These days, 77% of Americans have smartphones, and if you are one of those 77%, by golly, use that smartphone, install an app, those messages are encrypted, they’re authenticated. It is just a much more secure method of doing two factor authentication. And if you’re one of the 95% of Americans that has a cell phone, but it’s not a smartphone, that’s okay. Text messages are better than nothing. But if you can, use that two factor authentication with an app.
Jason Henrichs:
Most of this is related cyber … does the problem intensify when we talk about cloud? We’re talking to computing broadly and cyber broadly, and emails being hacked. But if someone within a bank or if a fintech company is using the cloud, are they at more risk of some of this when it comes to they’re on Azure or AWS or Google cloud? What does cloud insert that makes this better or worse?
Sherry Davidoff:
Well, sure. I mean, the thing with cloud is that your data, it can be accessible from anywhere. That’s really convenient for us, especially right now when so many people are working from home, thank goodness we can access our data in Azure or in whatever other form we want. The problem is if you are capable of accessing it from anywhere. So can the criminals potentially, and so that convenience comes at a price. Because it’s not locked behind many different sets of walls, there’s that additional exposure, you have to be extra careful. And so you can, in addition to checking on the authentication, see if there’s any other types of security features available. Azure is a great example where they have really advanced security features. But to your point from earlier, many banks are not taking advantage of them yet.
Jason Henrichs:
Well, it’s back to that inconvenience factor, right? You don’t want to spike calls to call center, I’m locked out of my account and that increases complexity as well. Some people just aren’t used to doing things. Now, do we need to get to the point that people are using either a biometric or a physical form for two factor authentication?
Sherry Davidoff:
I mean, I think that mobile phones are the next appropriate step. I mean, you might consider it a physical form. It’s at least out of band. Would it be better if we all just had hardware tokens that we kept on our key chains? Sure. That’s more secure, but then you end up with some people who have a zillion different accounts and they have a whole key ring of physical hardware tokens. So, you always have to balance convenience with security, just like with your health; am I going to eat that donut? I might die 10 minutes sooner. You should make those choices.
Jason Henrichs:
Well, as we’re all getting the COVID-19 pounds coming in, at least we don’t have donuts sitting in the break room and in conference rooms anymore that we can just pick up and snack. I want to switch gears a little bit. Right now, all of this level of security that banks have to provide or should provide is really left up to the bank to be thinking about. And so, why don’t we start with, when we think about regulation and what’s placed on the institution in terms of requirements for the type of the security they provide, is regulation keeping up with really setting standards for how banks should be approaching cyber security?
Sherry Davidoff:
No, regulation, it’s actually absolutely not keeping up. And it’s not specific to banks, regulation is not keeping up with the cloud. I’ll give you an example where that comes up all the time in my work. Again, we respond to cyber security incidents all the time. Cloud providers have no incentive for making sure that you can detect if there’s an intruder in your account. They don’t care if you know that someone has broken in. In fact, that probably just causes problems for them. So, if hackers from Russia or China are breaking into your account and they’re just quietly stealing data and you don’t know about it, it’s like if a tree falls in the woods, does it make noise? And so, the problem we find is that people get hacked all the time, people have their email broken into, the hackers are lurking for weeks or months and you don’t find out until money gets stolen, right?
Sherry Davidoff:
The cybersecurity industry has struggled with cloud providers who really don’t want to make these features available and have no incentive to ramp them up. And even in cases where we know intruders have been in, and we know that a large amount of money has been stolen, often the cloud providers just say, no, we’re not going to give you the data, we’re not required to do all that work and give you information about when they logged in and who they logged in and what they might have read and what they might’ve accessed.
Jason Henrichs:
Yeah. I mean, the money is one thing, but who knows what else they took while they were in there, and when it’s going to come up? And especially if you trickle it out over time, instead of one giant fraud, who knows how much could be stolen and what they’re going to do with it?
Sherry Davidoff:
Absolutely. And you may not find out until big database of your customers data hits the dark web. And then all of a sudden you’re like, “Holy cow, this got stolen. Where did it get stolen from? We don’t know.” And that was a year ago or two years ago, and then it looks awful because you didn’t even catch it. In my mind, it’s a lot like apartments and smoke detectors. Imagine if there was no law requiring landlords to have smoke detectors in big apartment buildings, you would see a lot more fires. Our government had to step in at that point and say, hey, there’s a minimum fire safety standard that we have. And right now, there’s no requirement telling cloud providers hey, you have to have detection systems in place that people can take advantage of, and you have to give them the tools that they need in order to be able to respond. That’s where we are in with cloud cybersecurity right now.
Jason Henrichs:
What else should companies be doing to protect data when they’re moving to work a cloud provider?
Sherry Davidoff:
Sure. Well, step one is to understand what types of data you’re going to store in the cloud; are you going to store sensitive, regulated information, social security numbers? Often, that will pop up in your employee’s email, whether you like it or not, or is it just going to be for marketing stuff or for other purposes? So understand that, and you can choose a cloud provider that will meet your compliance needs. And then, you have to vet your cloud providers. Ask them things like who, on their team, has access to your data in the cloud, and do they share access with any “trusted third parties”, you should be aware of that. Do they do background checks on their employees? Things like that. Authentication is the second issue, so how do you verify the identity of users who access your cloud portal? Do you support two factor authentication? Do you have the ability to do single sign on so that people don’t have to remember a zillion different passwords for zillion different cloud accounts? That’s another key issue. Because if it’s not easy to use, it’s not secure. Otherwise, users will find a way around it.
Jason Henrichs:
Yeah, exactly.
Sherry Davidoff:
Yeah. Ask about encryption, make sure that you have a qualified IT or security professional evaluate their response to that, so if they’re using strong encryption. Then some bigger issues like who owns the data when it’s uploaded, is it legally authorized to use it, to display it and publicly perform it, and things like that, where is the data physically located as we talked about. I would ask about backups because even if you decide one day, you’re going to delete all your information from that cloud provider, they absolutely have backup somewhere. So understand that, and then understand if you have access to those backups. I have seen so many cases where businesses suffer some loss. For example, criminals hold you for ransom. It is totally possible for criminals to encrypt data in the cloud, the same way they do on people’s desktops. And if that happens, can that be restored, and how quickly do you have to notify the cloud provider? You’d be surprised at how fast they will overwrite some of those backups or make it inaccessible to you, even when there’s a lot on the line.
Jason Henrichs:
So, they’re going to be overwriting my good data that they could have saved me from the ransomware with the encrypted data, that if I hit it fast enough, I can basically break the chain, work it back and restore-
Sherry Davidoff:
Yeah, that’s possible. It depends on your cloud provider. If you are not paying for a backup service, then often, that restoration is not available, even if you think it might be. So, definitely double check before you sign up and think, okay, if my account got wiped out, who’s going to restore that? Am I going to restore it from my own data? Is the cloud provider going to restore that? Do they know that? How much do they charge for that? Is it even possible? And then monitoring and logging, we talked about that, but … and it sounds like a dry topic, but it’s so important. Are you going to receive alerts if somebody logs in from a weird place? Are you even going to have access to that information about who logged in and where they logged in from? And does that integrate with your organization’s other monitoring and logging programs? And then, if you decide to leave and terminate service, how do you get your data out? Can you export it? Is it going to be a pain in the neck? How does that work?
Sherry Davidoff:
The last few are security assessments. At LMG, we do assessments of cloud providers on a regular basis, and we’ll give them a letter of attestation that they can provide to their customers. I know from firsthand experience that cloud providers, all the time, give customers these letters of attestation, but usually only if you ask for it. So, make sure you’re asking about their security assessments, and if they’re not willing to answer you or tell you what they do for cybersecurity assessments, that would be a red flag. Check on their compliance capabilities, do you need to be compliant with HIPAA, with GDPR or with any other regulations, the California Act? If so, make sure that your cloud provider can facilitate that or can at least support you in that effort. And finally, data breaches do happen. If your cloud provider gets hacked, are they going to let you know about it?
Sherry Davidoff:
We’ve seen lots of cases where third party providers like billing providers or CRM providers, they get hacked and they might do an investigation. It might take them five or six months to confirm exactly what was stolen and then they’ll notify you. And then it’s going to be your name in the headlines, if it was your customer data stolen. That’s it, those are the 11 points to watch out for.
Jason Henrichs:
Well, it’s a long list and it can seem overwhelming for institutions, whether you’re a tech savvy fintech, it seems tempting to cut some corners here, or if I’m a bank, I might say I’m just going to stick with what I’m doing, business as usual, that sounds like a lot of work. I realized this is asking you to paint with broad strokes, but is it still worth it to go to the cloud, even with all of the challenges and the risks that you outlined, the work that needs to be done upfront to make a good decision? Do you vote cloud or no cloud?
Sherry Davidoff:
I mean, that’s a personal decision and it’s a decision for every financial institution to make. And you’re not going to make it about every single piece of data that you hold. You’re going to say, am I going to move to the cloud for this particular purpose, for my email, for my document sharing, whatever it is? And in some cases you might say, yes, and in some cases you might say no. And either of those approaches is totally fine. But by and large, we are seeing companies lean towards the cloud as opposed to away, more and more these days, because they have that ability to scale so much more easily in the cloud, and there are a lot of security benefits. You have teams of specialists, some of the best trained folks in the world that are just focusing on cloud security and working on that one application. That can be really helpful in a point in favor of the cloud.
Jason Henrichs:
Well, thank you for taking the time. I was going to make some joke about what’s the likelihood, if you’re in Missoula, Montana, that you’re going to be able to find some security expert that can help you secure your on-prem data? And then I realized you’re in the middle of Montana, I believe, so that probably isn’t as funny for you. But thank you for taking the time sharing to talk about security in the cloud, and look forward to seeing you at least virtually sometime in the near term too.
Sherry Davidoff:
Yeah. I’m excited about our new virtual world. Stay safe.
Jason Henrichs:
That’s it for this week, thanks to our guests and to our sponsors who help make the show possible. You may have a little more time on your hands right now, so you can listen to all of our more than 300 shows plus episodes from all of our other shows, including Breaking Bank syrup, Tech On Reg, the Finovate podcast and more all on provoke.fm. I hope you like them, and if so, that you’ll give all the shows five stars and share them with others. Stay home if you can, take care of your loved ones and let’s all work together to move this industry forward and to make it stronger than ever. That’s it for this week. We’ll see you again next week with more Breaking Banks.
Announcer:
You’ve been listening to Breaking Banks with host Jason Henrichs. Please be sure to join us again next Thursday at noon, Pacific time, 3:00 PM Eastern time, for more of the latest in fintech news.