Cloud Adoption in Financial Services: Risks and Opportunities
The cloud can offer financial services firms a flexible and scalable option for storing data and workloads, but a holistic security strategy is critical to ensuring regulatory compliance.
Financial services firms have historically been hesitant to adopt the cloud for a substantial part of their workloads, preferring to be strategic in their choice of what they utilize the cloud for.
However, cloud adoption in financial services is likely to continue to grow in this year, according to a recent survey by McKinsey.
That study found more than half of the survey respondents (54%) said they expect to shift at least half of their workloads to the public cloud over the next five years.
“The increase in cloud adoption is a sign of growing trust in cloud security from both financial services and regulators, as use of the cloud expands to previously excluded material workloads,” explains Claude Mandy, chief evangelist for data security at Symmetry Systems.
He says the emergence of best practices and case studies offer a roadmap for more firms to follow suit when engaging with regulators.
Meanwhile, new tools for cloud security management provide firms with even more certainty and trust that data is protected and compliant in the cloud.
“The primary security advantage of the cloud is the detailed telemetry into what is happening with data and with identities -- something that is impossible to create at scale outside the cloud,” Mandy adds. “This provides organizations with visibility and control of data at a more detailed level than ever before.”
Elasticity of Cloud Suits Industry
Davis McCarthy, principal security researcher at Valtix, explains financial services are elastic and the ebb and flow of workloads pairs well with the concept of elastic resource consumption that many cloud technologies embrace.
“Consider a tax preparation service where user activity spikes before taxes are due, or a financing service that sees more applications when interest rates are low,” he says.
However, when compliance standards intersect with an emerging technology, there is a chance that innovation is stifled.
“Financial transactions often include PII [personally identifiable information] that is held to various data privacy and security standards, and financial institutions are accountable for the integrity of their quarterly earnings,” he explains.
Mandy explains most financial services firms are predominantly worried about cybercrime including phishing and ransomware, and the theft, loss or improper access to regulated data.
“The key security risks are no different for non-financial services firms, nor are they significantly different from using the cloud or not,” he says. “In each security risk, the business consequence to due to a loss of confidentiality, integrity or availability of the data.”
However, he admits the mechanisms for how these risks may occur do differ in the cloud, increasingly through misconfigurations or excessive privileges to data.
Competition Forcing Cloud Conversion
Ratan Tipirneni, president and CEO at Tigera, adds fintech start-ups are innovating at a dizzying pace and pose a “huge” threat to financial services firms -- this new competitive element is forcing a change in habits.
“Large incumbent financial firms must accelerate their pace of software innovations and services,” he says. “To do this they need to unshackle their developers and enable them to experiment rapidly.”
He points out the on-demand infrastructure the cloud can provide is considered “table stakes” to achieve this objective -- and a prerequisite to enable developer productivity.
Separately, regulators have implemented approval requirements to assess and avoid the impact of events that could impact the financial services industry as a whole.
“The required approval by regulators encourages firms to ensure the security of data,” Mandy says. “Concerns over the aggregated risk from outsourcing and vendor lock-in from the cloud must be well thought through and assessed.”
He points out the effort to request approval alone has dissuaded a lot of firms from cloud adoption.
Addressing Cloud Compliance Issues
Mandy notes regulations in the financial services industry have primarily focused on two areas of regulation: Ensuring firms adequately protect data, and further making sure the industry is resilient.
“Complying with the regulations has become challenging for financial services firms because of the multiple regulators and regulations,” he says.
Mandy points out various types of data may be subject to overlapping regulations, making it more complex for organizations to determine which mandates apply -- for example a company based in California with information on consumer under 18 years old who is also a European citizen.
“Data privacy, data sovereignty, data residency requires an in-depth knowledge of the type of data and where it is and who is accessing it,” he explains.
Tipirneni says the compliance issues for cloud in financial services are from the same list of compliance requirements that they faced on-prem.
“Moving to the cloud doesn’t change this equation, and the bar is set at the same level,” he says.
From his perspective, an effective cloud security strategy needs to center around the data they are trying to protect.
“More so than in any other industry, this data directly represents money -- the money of its customers, the revenue it has earned, the value the financial services firms are tasked with protecting,” he says.
Defense in Depth
Effective security strategies focus their attention on implementing a coordinated set of capabilities to identify, protect, detect, respond and recover from security incidents.
“This creates resilience and defense in depth,” Tipirneni says. “Cloud adoption can create a false sense of security since tenants are responsible for workload security.”
He advocates for a zero-trust model with least privileges to reduce attack surface and prevent attacks and the ability to detect known and unknown threats from both the system/containers and network.
McCarthy adds the consolidated attack surface of the cloud makes CSPs a lucrative target for threat actors.
“Threat actors also know that many organizations lose visibility in the cloud and strive to take advantage of this fact,” he cautions. “An effective cloud security strategy for financial services firms must rest upon the principles of confidentiality, integrity, and availability.”
What to Read Next:
About the Author
You May Also Like