Cloud adoption has driven innovation aimed at removing the barriers to adoption, but not all of it is created equal, and enterprises need to be wary of claims about data security that seem too good to be true. The fundamental questions to ask are exactly how the data is protected, on what basis the risk-reduction claims are made, and what evidence supports them.
The cost reduction that cloud offers, and the profit it can unlock, is very attractive, but the regulatory and risk environment is complex to say the least. Within the broader financial services market, investment banking is certainly at the forefront of cloud adoption, often for specific high-value use cases.
Being able to provision cloud-based services in an instant for secure business collaboration is seen as hugely beneficial: it takes compliance issues off the table while enabling a mobile, cloud-enabled workforce at the same time.
The security barrier
Three issues come up in every conversation, the "big 3 barriers":
1. Data risk and control in the cloud. How can data still be controlled under complex regulatory frameworks when it sits in a low-trust environment?
2. Extracting value from protected data. How can my application still extract value from data that is protected in the cloud, without exposing live data to a low-trust system?
3. Residency and legal process. How can I retain total control over data residency and over legal requests for data made to a cloud provider, so that control stays with the data owner?
These barriers are very real. Regulators and industry bodies such as the PCI SSC, the FFIEC in the US and the ICO in the UK have issued cloud guidance to enterprises on the regulatory risks that stem from security concerns in the cloud. The advice is mostly pragmatic, but it signals that organizations need to think carefully about how they will maximize the value of information in the cloud without increasing regulatory compliance costs at the same time.
The data residency issue
What is more, global financial institutions spanning different regulatory frameworks, such as the US and the EU, have to address complex data-residency issues. There are challenges within the EU itself too. For example, a central bank based in Luxembourg with operations across Europe ran into in-country data-residency issues. A multi-million dollar core banking application update could not proceed to production deployment because of the complex regulatory requirements, under Luxembourg's CSSF rules, governing where live customer data may be accessible. Traditional access-control approaches govern who can reach the data, not the data itself, so wherever the data was accessible it was still live and the regulatory requirement was not met. The problem was solved by protecting the data at the field level as it moved in and out of the private cloud architecture in Luxembourg, enabling the core banking investment to be used across multiple geographies while staying CSSF compliant.
Outside Luxembourg the applications operate on de-identified versions of the data, and are thus compliant. The same data-centric security framework is being applied by global banks to a blend of SaaS, IaaS and PaaS as an extension of their core processing environments, bridging mission-critical mainframe processing systems to lowest-cost cloud services to create new, quick-to-market services and applications, again without exposing live data to low-trust cloud environments.
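The following is an added illustration of the pattern described above (barrier 2 and the Luxembourg case): sensitive fields are swapped for tokens at the residency boundary by a vault that stays in-country, the out-of-country application computes on the tokenized records, and the results are mapped back only inside the jurisdiction. It is example code written for this page, not the bank's or any vendor's implementation; the field list, the record layout, the shape-preserving token scheme and the sample transactions are all assumptions made for the example.

```python
"""Field-level de-identification at a data-residency boundary (illustrative).

An in-country token vault replaces sensitive fields with tokens before a
record leaves the jurisdiction; the remote application works on tokens only
and its results are re-identified in-country.
"""
import secrets
import string
from dataclasses import dataclass, field

# Assumption for this example: which fields may not leave as live values.
# In practice this list comes from the regulatory data map, not from code.
SENSITIVE_FIELDS = ("customer_name", "account_number")


@dataclass
class TokenVault:
    """In-country vault. Tokens are consistent per value so the remote side
    can still group and join on them without learning the live value."""
    forward: dict = field(default_factory=dict)   # (field, live value) -> token
    reverse: dict = field(default_factory=dict)   # (field, token) -> live value

    def tokenize(self, name, value):
        key = (name, value)
        if key in self.forward:
            return self.forward[key]
        while True:
            if name == "account_number":
                # Shape-preserving: keep letters and length, randomise digits,
                # so downstream schemas and validators are unaffected.
                token = "".join(secrets.choice(string.digits) if c.isdigit() else c
                                for c in value)
            else:
                token = "TKN-" + secrets.token_hex(8)
            if (name, token) not in self.reverse and token != value:
                break
        self.forward[key] = token
        self.reverse[(name, token)] = value
        return token

    def detokenize(self, name, token):
        return self.reverse[(name, token)]


def deidentify(vault, record):
    """Outbound boundary: replace every sensitive field with its token."""
    out = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in out:
            out[name] = vault.tokenize(name, out[name])
    return out


def reidentify(vault, record):
    """Inbound boundary: map tokens back to live values; runs in-country only."""
    out = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in out:
            out[name] = vault.detokenize(name, out[name])
    return out


def remote_balance_by_account(records):
    """Stands in for the out-of-country application: it sums amounts per
    tokenised account number and never sees a live identifier."""
    totals = {}
    for r in records:
        totals[r["account_number"]] = totals.get(r["account_number"], 0) + r["amount"]
    return [{"account_number": a, "balance": b} for a, b in totals.items()]


def leaks_live_values(vault, records):
    """Boundary check: does an outbound batch still carry any live value?"""
    live = {value for (_, value) in vault.forward}
    return any(r.get(n) in live for r in records for n in SENSITIVE_FIELDS)


# Constructed sample transactions for the example; not real customer data.
SAMPLE = [
    {"customer_name": "A. Example", "account_number": "LU280019400644750000", "amount": 120},
    {"customer_name": "A. Example", "account_number": "LU280019400644750000", "amount": -30},
    {"customer_name": "B. Sample", "account_number": "LU120010001234567891", "amount": 75},
]


def run_pipeline(records=SAMPLE):
    """Full round trip: de-identify in-country, compute remotely, re-identify."""
    vault = TokenVault()                                 # never leaves the jurisdiction
    outbound = [deidentify(vault, r) for r in records]
    assert not leaks_live_values(vault, outbound)        # enforce the boundary
    remote = remote_balance_by_account(outbound)         # runs in another geography
    inbound = [reidentify(vault, r) for r in remote]
    return {r["account_number"]: r["balance"] for r in inbound}


if __name__ == "__main__":
    print(run_pipeline())
```

Two points a practitioner would check before relying on this pattern. First, residency is only as good as the location of the vault (or, for cryptographic schemes, the keys): if the mapping can be reached from outside the jurisdiction, the de-identified data is live data with an extra step. Second, consistent tokens preserve joins and aggregates, which is what lets the remote application extract value, but they are also a correlation handle; the fields that go out as tokens should be the minimum the remote workload needs.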