Well, as a resident of the Netherlands I'll be switching banks if I find out my bank is using this clearance to put its data in a place where the NSA will be reading along for granted...
Dutch regulators have cleared Amazon's cloud for consumption by financial institutions within the country, validating the Amazon Web Services infrastructure for use even in tightly regulated industries. Though many technologists are skeptical of the use of cloud computing within industries such as the finance sector, …
DNB are idiots
Even if the data center in question is located in Ireland, the US PATRIOT act (or whatever silly law it was) still applies: US company Amazon (or a subsidiary) operates the data center => US gov can inspect data at any time.
Apart from that: yes, NSA snooping seems quite likely, too.
Goodbye, client confidentiality and adherence to Dutch/EU privacy regulations.
I wonder though what DNB really said.
Mostly they're very wishy washy and love general business speak platitudes - they might have said something like "well, Big Bank, if you want to outsource stuff to Amazon, it's your problem and your responsibility to (have Amazon) comply with legal requirements. We can't really be bothered to look into what those Amazon guys are doing so we're content with just not saying no in advance and going after your sorry ass once problems have occurred... ehm of course that should be when problems have been reported on loudly in the press"
Oh good, more fun
Financial data in the cloud, network infrastructure supplied by Chinese companies, security provided by Russian companies (Kaspersky etc). Sounds good to me. Or not.
Re: Oh good, more fun
You missed out 'spied on and exploited financially by the US'
I'll just hand all my money over to the hackers now, shall I?
Is it criminal incompetence?
Or they have something big to gain and are convinced they can get away with anything*? Are the Dutch also in this 'Screwing Citizens Privacy Wholesale for Fun and Profit' game?
Or is it the case that nobody explained to them that they can't protect their data in the cloud from the same people that run the cloud service?
Difficult to believe, ain't it?
* Which is quite probably true :^(
Bring on the tin-foil hatters...
Actually, given the way the "Dutch" banks are playing in the global market, and the way the Dutch do business that way, it's simply a logical extension of "technology available".
As long as Amazon can prove that it complies with the very strict banking rules and laws (which includes privacy regulations) I can see why banks want to use (preferably properly partitioned portions of) the Cloud in place of expensive and just-as-vulnerable-in-other-ways dedicated "secure" lines and datacentres for their very international business.
As with anything Cloud-related, you have got to make a choice in partitioning what you want to put "Out There" and what you want to keep in-house. Any storage/communication protocol has risks, and the "NSA issue" (along with any other nations' intelligence service) is a given. If you want to be "safe", go cash-only and stay off the internet. (which in and of itself makes you a target of Attention, but hey...)
Personally, with 16+ million Dutch nationals + the odd millions in companies/foreigners using our banking system, my personal finances would not even register other than as a statistic. The sheer scale of the data involved renders you effectively anonymous when it comes to Snooping, and even then there's always Cash. As long as I can get at my hard-earned euros I do not particularly care how the banks set up their system, as long as it's relatively idiot-proof (for the bankers) and relatively hard to disrupt (for The Rest of the Lulzers). If using a dedicated portion of the Cloud does the job, good luck to them.
Re: Bring on the tin-foil hatters...
You really don't need a tin foil hat to think this stuff up.
You don't even have to study history to see what happens, you can go ask folks who lived in the DDR how such information can (and will) be abused.
"The sheer scale of the data involved renders you effectively anonymous when it comes to Snooping"
That concept fails for two reasons:
1) "They" have the raw horsepower to process this stuff any way they want now.
2) If "They" wish to identify folks using a coarse filter (eg: everyone who has directly or indirectly dealt with a kiddy fiddler) anonymity isn't really much help.
At the end of the day it will be you who picks up the cost in terms of your liberty, time, money, reputation, taxes etc...
Another point to mention here is that while I am willing to concede the shady snooping organisations operate with the best of intentions and may well endeavour to safeguard our lives and freedom, they are staffed by people. People make mistakes, and some people are plain naughty, and inevitably some innocent bystanders will get burnt by staff of these organisations doing bad things with their data.
Essentially the NSA, GCHQ et al have created a golden source of information that can (and will) be used for identity theft, blackmail, insider trading, and of course the odd prank. The really shit part of it is that your day in court will be tarnished by various restrictions and accountability dodges that these agencies and their staff enjoy. Good luck proving that someone used data sourced from GCHQ or NSA to spoof/attack/frame/blackmail/exploit you.
Quite frankly if this info is never abused/leaked/stolen/lost I would probably start wearing a tin-foil hat and start looking for Lizard-men because clearly the folks running the system could not be human.
"It's not what you've got, it's what you do with it"
The usual suspects have just trashed their keyboards in shock. "What? Cloud? Financial institutions?"
The rules haven't been changed. The banks are still required to meet all the existing regulations, and will therefore be required to suitably encrypt and secure the data in exactly the same way as they do today.
Amazon provide infrastructure. Kit. Tin. Hardware. Or at least the virtual equivalent. Exactly the same thing you can run in your own data centre. So the kit is in another data centre that someone else has the contract to physically secure. But most of the banks I've worked at outsourced their security to a third party anyway, so what's the difference in who the landlord is for the building.
Claims "the NSA can read the data" - bollocks. If you secure your data with a recognised secure product following good security practice in your own building then it will be equally secure if you do the same on someone else's kit.
Re: "It's not what you've got, it's what you do with it"
"The banks are still required to meet all the existing regulations, and will therefore be required to suitably encrypt and secure the data in exactly the same way as they do today."
If the data processing is performed 'in the cloud', then the data has to be decrypted, and can be snooped. No promise from the cloud service provider, no software audit and no certificate given by the American authorities (tee hee hee) will protect your data from this. If they were going to use "the cloud" only as a backup system, and heavily encrypt the data before storing it there, you would probably be right, but that is not the case.
Ramp is a Dutch word for disaster. It at least sounds appropriate...
I still have some money in a Dutch bank
I expect to have a large hole where that was when the hackers get in.
Horses for courses
While I can see a bank putting its web-site or mobile payments/banking front end in the cloud, I'd be very surprised to see them putting retail banking or credit/fraud risk applications and I'd be shocked if they put the core banking systems in the cloud.
The complexity of the systems and sensitivity of the data for a lot of the banks' applications would seem to be a big barrier to migrating.
This is "news" from one year ago, and the conclusion of this article is total nonsense.
The link to the documents is in Dutch, unfortunately.
However, I can help, because I can read it.
It says simply that cloud services are yet another form of outsourcing.
The rules still apply. In no way is there any suggestion in that document that the rules are relaxed or changed to make outsourcing to a cloud provider possible.
On the contrary, the document seems to be written to make sure everyone understands that moving applications into the cloud makes no difference to the rules and regulations in effect.
Which I think makes it pretty much obvious that you cannot move a core banking application into the cloud:
simply because the cloud providers at this moment cannot and are not interested in delivering such a service, that would comply with EU regulations. Mostly because they couldn't make money with it...