The financial sector, while forging ahead in other areas of digital transformation, has been relatively slow to adopt the cloud and there has been good reason for it: banks have to deal with highly sensitive data and sharing data storage and compute resources with others could not even be envisaged, let alone adopted.
However, just under two years ago, the Financial Conduct Authority (FCA) published new guidance for firms outsourcing to the ‘cloud’ and other third-party IT services, which paved the way for banks, insurers and other financial services companies to take advantage of cloud computing services. In this new guidance, the regulator outlined that there was no fundamental reason why cloud services (including public cloud services) couldn’t be implemented, subject to compliance with specific guidance for financial firms outsourcing to the cloud and other third-party IT services.
According to Celent, financial services firms will progressively abandon private data centres and triple the amount of data they upload to the cloud in the next three years. Because of the huge and increasing amounts of data financial services firms need to manage, the scalability of cloud has become an attractive feature – especially considering the fact that the number of daily transactions can stretch into the millions. On top of that, the volume of transactional data is not always predictable, so financial institutions must be able to scale up quickly on demand.
While scalability is an attractive aspect of the cloud for financial firms, it’s important to evaluate scalability in conjunction with other key elements of cloud services including security, cost-effectiveness and transparency.
Combining scalability with security
Security is a key concern for banks as they deal with highly sensitive data and increasing regulations around data privacy, particularly with the EU General Data Protection Regulation (GDPR) coming into force in May 2018. Even if they are fully responsible for clients’ data security, their cloud services provider (CSP) will maintain the security of the cloud infrastructure their apps and data are hosted on. Therefore, the scalability benefits of cloud must be combined with security features that measure up to on-premises levels of security. The good news is that some cloud providers have significantly improved their security offerings. The best of them have security features such as data encryption, vulnerability scanning, intrusion detection and more baked into the cloud platform, and offer full reporting on the security and compliance elements that financial services firms increasingly need for auditing purposes.
What used to discourage the financial sector from adopting the cloud is now what’s appealing to it. Banks that take advantage of cloud computing often actually benefit from stronger security safeguards than they are able to invest in for on-premises IT infrastructure. The cloud is certainly more secure than many legacy platforms, so if financial organisations choose the right cloud services provider, they can actually experience a higher level of security than they would via legacy solutions.
However, there’s no question that we’re seeing a rise of cloud-based malware and, according to Palo Alto Networks, 70% of cyber security professionals working in large organisations in the UK say the rush to the cloud is not taking full account of the security risks. Even more worrying, the survey reveals that only 15% of UK security professionals were able to maintain consistent, enterprise-class cyber security across their cloud networks and endpoints. Add to this the fact that financial services companies need to scale up quickly in an increasingly regulated environment and you’ll understand why financial firms need to pay careful attention to cloud security and compliance credentials. Choosing a cloud services provider with advanced security features is vital to financial institutions and can help them to report on the security of all of their workloads in the cloud to pass compliance audits.
Combining scalability with cost-effectiveness
Another essential factor for the financial sector when adopting cloud is of course cost. The annual IT spend for global capital markets keeps increasing and, while cloud computing promises many economic benefits, these can only be realised when there’s a good match between cloud workloads and cloud resource utilisation. Cloud computing has the potential to save the industry billions of pounds, as the volume of transactional data increases and the cost of information security escalates in an increasingly complex threat environment.
Some cloud providers, such as iland, enable customers to scale their reserved cloud resources to exactly the amount of GB required. The billing is then determined based on actual compute usage and so customers only pay for what they use. This ensures that customers always have the cloud capacity available, without having to pay for more than what they need. This is far more cost-efficient than provisioning on-premises equipment for maximum workloads and having it lie idle for much of the time.
Combining scalability with transparency
Financial services firms are also seeking transparency into the policies and processes as well as operations of their cloud provider. In recognition of the flexible and collaborative nature of cloud service providers, the new EBA guidance launched a few months ago sets out the terms and processes under which chain outsourcing – a cloud provider outsourcing an element of its provision to a third party – is acceptable. As with most aspects of the guidance, strong emphasis is placed on ongoing risk management and transparency between the CSP and financial organisation.
Throughout all aspects of the EBA guidelines, it is abundantly clear that the relationship between financial organisations and their CSPs needs to be extremely close and transparent, and conducted at a senior level. Verifiable trust through certification is the linchpin of the whole relationship and the partnership will be dysfunctional (and potentially inviable) without this cornerstone in place. Fortunately, this kind of transparency and commitment to open partnership has been built into the DNA of some cloud providers from the outset. iland, for example, has a dedicated compliance team that focuses on helping customers provide continuous monitoring and evidence of compliant cloud services to regulators.
Overall, financial services firms should not be tentative in taking a step to the cloud; the investment in time and budget in building and managing IT infrastructure can be dramatically reduced and the on-demand scalability benefits are particularly important in this sector. Cloud providers have significantly developed their security capabilities and can offer dedicated, sector-specific support through cloud migration and management. The publication of guidance from regulators at the FCA and EBA, plus the expertise that CSPs have developed for the financial services sector, should give financial services firms more confidence in the cloud and encourage them to fully embrace its possibilities and benefits.