It seems like everything has the word “cloud” in it nowadays. Looking at my daily emails and newsfeeds, Cloud has taken the place of “Lite” and “Free” as one of the essential marketing buzzwords (if I had to guess the go-to catchphrase for next year: “Now with 20% More Bitcoin!”) This got me thinking, “With all the recent data breaches and emphasis on security, where are financial institutions safer: in house or in the Cloud?”
Not long ago, there was this “fear” of the Cloud as a void to which a financial institution’s data could go and potentially never return. For many financial institutions, the idea of using the Cloud in any major capacity was not even a potential risk; it was simply unthinkable.
Whether because of technological prescience or less aversion to risk, some non-financial businesses were able to reinvent themselves, create an entirely new business approach, and even extend the Cloud to other businesses, including household names like Netflix, Salesforce, and Amazon. Consumers were also gradually introduced to the simplicity and seamlessness of the Cloud, with offerings like iCloud, Google Drive, and Dropbox offered as part of their phone and email ecosystems (with the potential for upselling more storage of course).
This is all well and good for tech companies and everyday consumers, but what about financial services organizations of all stripes? Has the Cloud, which now permeates almost every aspect of our lives, matured enough for financial institutions to look beyond on-site hardware and truly trust it as a legitimate, operationally-sound, and most of all secure technology platform?
As much as I would love to say “Yes” and ignore any opposing views, I think the risk environment is much too complex for that. I would, however, challenge the position that cloud services are inherently less secure because they are on the Cloud. Quite the opposite.
Not only can cloud services be sufficient for financial institutions to take advantage of but, in some instances, the Cloud provides even greater protection. For you “cloud-skeptics” out there, here are five that come to mind:
- Hardware is not always ‘aware’: From the Target breach we’ve all learned that hardware can be easily manipulated and have come to the realization that physical points of contact within the payment ecosystem can often be the least secure (think magnetic stripe, USB drives, ATM skimmers, etc.) As one can see in other areas of fraud and security, criminals often gravitate toward legacy technologies as these are the slowest to adapt to new threats and techniques. The flexibility and nimbleness of the Cloud allows institutions to more easily provide capacity, coverage, and continuity amid the ever shifting financial crime landscape.
- Cloud is more mature than you think: Much as the multi-retailer breach this year is leading to heightened security around credit card technology and consumer data storage, cloud providers have already had to prove themselves to skeptical clients. Who would pick a cloud vendor that wasn’t SSAE 16, PCI, ISO/IEC 27002, and Safe Harbor certified/ compliant?
- Cloud providers prove it first, because they face it first: The alphabet soup of credentials above would be considered impressive, if not overkill, for most businesses but is fairly standard for cloud services providers. Financial institutions worried about security have more transparency into these services as the standards and certifications are right out in the open, showing that security is as much a priority to cloud providers as it is to your bank or brokerage. Having learned from past security issues, cloud providers can offer financial institutions their seasoned best practices and real-world experience so as to not repeat the same mistakes.
- Data security is about ‘how’, not just ‘where’: Again, using the example of the Target breach, it was not only the fact that criminals breached the system, but that a third-party vendor’s credentials allowed criminals to get at data that was stored incorrectly. (One survey did show evidence that cloud providers had fewer incidents of attacks than other data centers, which may be a sign of increased security or that physical access points are just lower hanging fruit). Financial institutions must adapt current security standards to emerging threats whether in the Cloud or on site. Partnering with cloud providers can provide an extra check on whether security is indeed sufficient and help keep pace with new attack methods.
- Everybody’s doing it: While this form of logic was overturned begrudgingly in our youths, there is something to say about the scale of the investment and potential in the Cloud. With the belt-tightening that financial institution’s IT and security budgets continue to experience, the ability to essentially “split” costs across a cloud service can provide greater security than each party could individually at a lower cost. This change from capital expenditure to operational expenditure creates a more focused team, providing more opportunities to concentrate on growing your business and satisfying your customers.
Security is ultimately the responsibility of the financial institution, both in the eyes of the consumer and regulators. Whether on site or in the Cloud, banks, brokerages, hedge funds, and other financial services organizations owe it to themselves and their customers to protect proprietary and customer information and financial assets. But in a world of changing threats and evolving attacks, having a dedicated partner who has dealt with and continues to deal with security issues may not be such a bad idea. Who has their head in the Cloud now?
*Content originally published by Ciaran Doyle.