The Cloud Security Alliance has completed a global survey of financial companies looking at their adoption of cloud. The results differ from many other surveys, which have suggested that financial firms are rushing to take advantage of cloud for big data analytics, disaster recovery and to offer new mobile-based solutions. While the report shows that there is a focus on cloud, it also demonstrates that there is still an underlying core of companies that have a strict no-cloud policy due to security and other concerns.
Some of the speeds and feeds from the report show:
Unsurprisingly, for those companies planning private-only cloud, security (86 per cent), compliance (86 per cent) and privacy (79 per cent) were major concerns. Interestingly, there were also major concerns over data retention and destruction (79 per cent) and data residency (57 per cent). The first three issues here are not unique to financial firms; they are often cited as reasons not to adopt public cloud, and as a challenge for hybrid cloud.
The same is true of data residency with governments such as Germany and the UK making their concerns over offshore data very clear. This is sending not only a message to cloud adopters but also to companies planning to build data centres and cloud operations. As a result, there has been a lot of activity, especially in Germany with the acquisition of smaller data centre players, as large companies seek a foothold in the German market. In the UK, offshoring is an issue for parliamentarians and one that needs to be addressed.
Data retention and destruction
Unusually, the issue of data retention and destruction has been raised, and this is of interest. Depending on the type of service and where the data is held, data backups are often taken across entire storage systems. This means that when a company leaves a cloud provider, it cannot be certain that all backup copies of its data will be deleted.
This is because to do so would require the cloud vendor to go through all backup media and remove data. However, there are well established processes for data destruction that have been around for a number of years, especially in hosting, and it is difficult to understand why this should suddenly be an issue for companies.
With compliance and security concerns so high, the survey sought to understand what was necessary to help allay concerns. The responses were clear:
Behind these top four came forensic and e-discovery tools (47 per cent) and better incident reporting mechanisms (41 per cent). None of these top six responses should come as a surprise: they are all about better governance and compliance. One of the challenges for cloud providers, however, is that while they are busy meeting various security and control standards, it all comes at a cost that companies are not always willing to pay, especially smaller companies.
Confidentiality of data (60 per cent), loss of control of data (56 per cent) and data breach (55 per cent) were the top three concerns over adopting cloud. However, it is worth noting that the majority of apparent cloud breaches have not been a failure of the cloud provider but a result of users losing their credentials, or have come from third parties who have access to corporate data.
Why are companies moving to cloud?
The rationale for moving to cloud is no different for financial institutions than it is for any other company: flexible infrastructure, faster provision and time to market, reduced TCO and shortcomings in their own IT department. These have become almost the de facto cloud reasons for any business, but two responses stand out. Better security (19 per cent) is a real surprise and suggests that the respondents are overconfident when it comes to their own IT department capabilities.
Mobility (26 per cent) is the other surprise. This is not about a more mobile workforce but about a customer/consumer base that wants to access services from any device at any time. For banks, mobility has created a significant increase, in the order of several times more transactions per day than their systems are designed for. To see it so low is a real surprise and suggests that the respondents are not drawn from companies that have a large consumer customer base.
The use of cloud for application development/testing, CRM, email, collaboration, storage, disaster recovery and data analytics/business intelligence again shows that finance is very similar to other businesses looking to move into this space. Bottom of the list was virtual desks (14 per cent), which is again a surprise, as this is an industry where user environments are locked down and which has been quick in the past to adopt technologies that enable greater control of user desktops.
As more and more sensitive data is stored in the cloud, it is not unreasonable for companies to question security. After all, the bigger the target, the more attractive it is to hackers. Many of the large security companies are already pointing to hackers using cloud and analytics to focus their attacks on companies. It is not a big jump for them to focus those attacks on cloud providers where the returns will be higher. However, in the short term, they are more likely to look at third parties where security is weak and target them.
This is where cloud has a distinct benefit for smaller financial institutions. They can take advantage of the skills and better security that the cloud providers offer rather than try and invest in their own staff, software and hardware. The money saved can then be used for better education with staff and to ensure that security is regularly tested and fit for purpose.
Compliance and data protection
Another major issue is compliance, and data protection (75 per cent) tops the list. There is no real surprise here, and it will be interesting to see how many other governments follow the German position and demand data stays in country. This is already causing a conflict with some of the larger cloud providers and brings the issue of audits into focus. As companies work with third parties and partners, data may end up being transferred. Without an effective audit process to show where data has gone, it is impossible to stay on top of compliance.
A last surprise in the report is around encryption. According to the respondents, only 42 per cent have actively implemented data encryption solutions for the cloud. This is not a good number and, with the vast majority of cloud providers making encryption readily available, it suggests that there is much more to be done.
Another major concern is who owns and controls the encryption keys (61 per cent). With governments actively trying to access corporate data, companies are not happy with the keys being held solely by the cloud provider. As cloud services mature, there is a real opportunity for cloud providers who offer to give the keys to their customers to steal market share. However, this will mean a lot of investment into their current solutions in order to make this happen.
Overall, this report is positive for financial institutions but shows that, like any other industry, they are still struggling to decide just how best to utilise cloud.