Big Bank Public Cloud Adoption Accelerates Need for Security Controls
Researchers at Deutsche Bank predict that big banks’ use of cloud will ramp up “materially” in 2017. The cause? Pressure to cut costs and increase flexibility of IT environments.
Reticent to Adopt
Financial institutions have been slow to adopt the public cloud because of perceived security and regulatory risks, but that is set to change. Deutsche Bank suggests that use of public cloud by big global banks has so far been “very small,” but that it is expected to grow. DB researchers Karl Keirstead and Ross Sandler said:
“Some bank IT executives are telling us that they could go from zero use of the cloud compute or IaaS model today to 20%-30% (mostly for dev/test workloads) within 3 years. That would be extraordinary growth trajectory.”
However, “it has only been in the last six to nine months that [these banks] have moved beyond talking about [public cloud] to actually drawing up internal plans to ramp up usage.”
Big Banks See the Money
Adopting public cloud could save these financial institutions significant money. Consider that in the US, a MeriTalk survey of federal IT managers revealed that they believe the government can save more than $10 billion annually from datacenter consolidation and cloud adoption. Could finance see the same sort of savings? The evidence clearly says yes, as the pressure to cut costs points to the public cloud.
Bank Centric Cloud Providers
The Deutsche Bank research also suggests that the drive to public cloud is partly a result of public cloud vendors like Amazon Web Services (AWS) and Microsoft Azure becoming more compliance centric in order to cater to the financial services industry.
Research from the Cloud Security Alliance analyzing the adoption of cloud solutions and requirements from financial institutions shows that:
- As cloud computing becomes more prevalent throughout the financial sector, a mixed strategy of leveraging both private and public clouds emerges as the norm for most businesses.
- Data protection is a preeminent security concern for the financial sector moving to the cloud. In particular, data protection standards and relevant laws are “top of mind.”
- Industry regulation drives compliance, requiring financial institutions to implement specific security measures when they consider migrating to cloud services.
Banks Driving Adoption and Security Solutions for Public Cloud
As reported by the Wall Street Journal:
- Steven Randich, CIO of the Financial Industry Regulatory Authority, told CIO Journal earlier this year that banks have grown more receptive to the cloud as they develop a better understanding of its potential benefits and become more comfortable with security features such as end-to-end encryption. FINRA processes 90% of its data – including all of its market surveillance capabilities – on AWS.
- J.P. Morgan Chase & Co. is exploring some uses of Amazon’s public cloud to cut expenses and achieve more flexible storage. People familiar with the matter said at the time that the bank thinks it could save hundreds of millions of dollars if it moves toward the cloud.
- Synchrony Financial CIO Carol Juel said that the public cloud “is well tested in performance,” but security capabilities are not as well proven. “We have to make sure controls are there so banks and financial institutions can feel comfortable.”
Deutsche Bank suggested that banks will still proceed with caution, moving lower-risk computing workloads for development and testing, or applications that aren’t mission critical.
Public Cloud Security is a Shared Responsibility
As outlined by AWS, public cloud security is a shared responsibility. AWS takes responsibility for security ‘of’ the cloud, but puts the onus on the customer for security ‘in’ the cloud. For big banks adopting cloud, this needs to be a consideration as they balance tightly controlled access by providers like AWS with wide-open access that could increase the risk of security and compliance breaches.
A new network security paradigm championed by the Cloud Security Alliance, which wraps network permissions around each unique user, is essential for any bank wanting to adopt public cloud. Called a Software-Defined Perimeter, it offers:
- An individualized perimeter for each user
- Fine-grained authorization for on-premises and cloud
- Contextual awareness that drives access and authentication
- Simplified firewall and security group rules
- Dynamic adjustment to new cloud server instances
- Consistent access policies across heterogeneous environments
When adopting public cloud, organizations should be mindful that individuals should only ever have access to the resources they need to do their job, and this should only ever be granted in reasonable contexts. Otherwise, there’s nothing stopping them from spending their downtime trawling entire network segments for sensitive information – and in the financial services industry there is a lot of sensitive and regulated information!
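A minimal sketch of the per-user perimeter described above, added here as an illustration and not taken from Cryptzone or the Cloud Security Alliance: entitlements select hosts by tag and require matching context, so access is default-deny and new instances are covered without rule changes. The inventory, role names, tags and context keys are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: on-premises and cloud hosts described by tags, not IPs.
INVENTORY = [
    {"addr": "10.0.1.10", "env": "aws", "tags": {"app": "ledger", "stage": "dev"}},
    {"addr": "10.0.2.20", "env": "aws", "tags": {"app": "ledger", "stage": "prod"}},
    {"addr": "192.168.5.7", "env": "onprem", "tags": {"app": "payments", "stage": "prod"}},
]

@dataclass(frozen=True)
class Entitlement:
    role: str        # role the user must hold
    selector: dict   # tags a host must carry to be in scope
    port: int        # single service port opened on matching hosts
    require: dict    # context attributes that must match exactly

# Hypothetical policy: one rule set applies to cloud and on-prem hosts alike.
POLICY = [
    Entitlement("developer", {"app": "ledger", "stage": "dev"}, 22,
                {"device_managed": True}),
    Entitlement("dba", {"stage": "prod"}, 5432,
                {"device_managed": True, "mfa": True, "network": "corporate"}),
]

def perimeter(user, context, inventory=INVENTORY, policy=POLICY):
    """Return the (addr, port) pairs this user may reach in this context.

    Default deny: anything not produced by a matching entitlement is
    unreachable, so an unmatched context yields an empty perimeter.
    """
    allowed = set()
    for ent in policy:
        if ent.role not in user["roles"]:
            continue
        # Contextual check: every required attribute must be present and equal.
        if any(context.get(k) != v for k, v in ent.require.items()):
            continue
        # Resolve the tag selector against the current inventory, so newly
        # launched instances carrying the tags are included automatically.
        for host in inventory:
            if all(host["tags"].get(k) == v for k, v in ent.selector.items()):
                allowed.add((host["addr"], ent.port))
    return allowed

def can_connect(user, context, addr, port, inventory=INVENTORY):
    """Per-connection decision derived from the user's current perimeter."""
    return (addr, port) in perimeter(user, context, inventory)
```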