When it comes to the Cloud, the financial sector is dragging its heels. Data protection, breach notification and regulatory change are seeing adoption lag, and these security issues, together with legacy backend infrastructure, are stymying innovation among the incumbents. But look a little closer and you’ll notice new entrants are using the Cloud to steal a march on the established players. From financial trading to mobile payments, the Cloud is providing the means to quickly develop and scale new services, shaking up a previously static market.
There are real benefits to be had from migrating financial operations to the Cloud. Cost, speed of delivery and agility can all allow the provider to effectively ‘outsource’ key operations. By leveraging Software as a Service (SaaS), for example, you harness the ability to deliver solutions and capability to the business quickly and cost-effectively. The Cloud also allows financial services to stand up solutions via an OPEX model, which looks very attractive to those who hold the purse strings.
But communicating those benefits can be problematic. Where banks differ from other organisations in moving to the cloud is in their ability to buy themselves out of risk. Of course, this is something of a sweeping statement, but as a rule banks can afford not to carry additional risk. If this means building their own Cloud computing capability, that’s what they will do, provided the gains and benefits of doing so are clearly demonstrable; if it’s profitable or efficient and outweighs the negatives, then yes, cloud computing gets the green light. But something like portfolio management, where numbers are large and the impact is huge, would be less likely to be delivered via cloud computing, as the perceived risks outweigh the benefits.
Banks have been conducting risk training around cloud security for some time now, but this won’t necessarily assist in securing or persuading banks to leverage cloud-based infrastructure. The need to educate users on the differences is certainly a requirement, but this isn’t necessary unless the trend really gathers pace. For example, some data may not be able to be stored in the cloud from a regulatory point of view, but all users will see is a resource on the desktop. They must be notified that, by selecting that storage or processing method, the data is now in the cloud and possibly under a different jurisdiction.
Indeed, it’s these wider aspects of security that are the main sticking points. A survey examining ‘How cloud is being used in the Financial Sector’, conducted by the Cloud Security Alliance in March, revealed that data protection and compliance and legislative requirements were “top of mind”. Many financial providers are mindful of the fact that they could find themselves contravening sector-specific regulation, especially when dealing with checks and balances/governance, for example Sarbanes-Oxley (SoX), if they don’t cover themselves with regard to the processes they are looking to ‘externalise’. Cloud computing built around specific financial regulatory requirements and markets would give the business more confidence that their data and services will remain compliant and secure. But as the ‘Cloud Reality Check’ survey conducted by NTT Communications revealed, that’s still some way off, with 45 percent of finance sector respondents reporting they found cloud vendors “confusing and challenging” to manage.
Fortunately, financial services in general have some of the most talented security resources on the planet. The issue now is to look at how we apply that resource and assess, report and manage risk in a way that supports cloud migration. The problem here is that I don’t think risk is properly explained to the board. If cloud computing is procured properly it can be as secure as your own infrastructure. But if this cannot be demonstrated, the concept of allowing another organisation to manage their data is just too alien to them.
Financial services outside of the banking sector are beginning to explore cloud-based computing, particularly from a SaaS perspective. The risk for financial services organisations like clearing houses is beginning to be masked by the obvious benefits to the cost of delivery. But before this can even be an option, the security consultants and experts must have the ability to translate technobabble and risk into business benefits and impact.