The global perception of “moving to the cloud” has undergone multiple shifts since its inception. What began as a leap of faith into the unknown has become a core enabler for businesses that want to experiment, innovate and grow. So much so that organisations stalling their move to the cloud are finding themselves being left behind.
The heavily regulated financial services industry was slower than many on the uptake. However, initial trepidation has given way to enthusiasm as cloud computing’s security, flexibility, and resilience credentials have been proven time and time again. In fact, high profile financial business such as Capital One, Starling Bank and Stripe are just some of the leading players using and advocating cloud computing.
With cloud becoming commonplace in the financial services sector, regulators are beginning to extend their remit to cover cloud environments. Multiple approaches being trialed; some have issued new rules and guidance tailored to the cloud while others are simply updating existing guidelines to make them more applicable for emerging technologies. Regardless of the chosen approach by regulators, a global focus on privacy and cybersecurity has led to increased scrutiny on the ways that financial institutions manage data in the cloud.
For these organisations, at AWS believe there are three common themes that frequently emerge in the regulatory landscape; data management, cybersecurity, and risk management. These must be top of the agenda for technology stakeholders looking to ensure compliance.
Companies that offer financial services harbour immense amounts of data, whether that be consumer, market or internal personnel information. The management of this data has become increasingly important with the introduction of regulations such as GDPR. To demonstrate compliance, financial institutions must implement controls and safety measures to protect the security and confidentiality of data stored in the cloud.
The first stage of managing an ever-growing pool of data is getting to grips with encryption. As a starting point, businesses must ensure that data can be overseen from a central control point. Historically, siloes have been the enemy of progress, slowing internal processes down to a snail's pace. The cloud has always posed the solution to this problem, providing a clear, unified view of where data resides and a single point for managing this data. Now, it is vital for stakeholders to manage encryption keys and define policies consistently through this single control point in order to effectively encrypt all sensitive data.
Ultimately, data management in the cloud must be treated with a “content agnostic” approach. This involves businesses and cloud providers treating all customer data and associated assets as highly confidential by implementing sophisticated technical and physical measures against unauthorised access. This, in turn, limits loopholes and backdoors, delivering a secure environment for all assets within the infrastructure.
Financial institutions live and die through their approach to cybersecurity. Not only do financial regulators expect these businesses to maintain a strong cybersecurity posture, a breach could also cause irreparable damage to a brand’s reputation, making cybersecurity a key concern at a board level.
According to the 2018 half year fraud update compiled by researchers at UK Finance, financial services organisations experienced an increased rate of cyber attacks over the past year. Worryingly, attacks are becoming increasingly sophisticated and proving more successful, making cybersecurity a daunting prospect for these businesses.
This is where cloud providers can support financial services organisations with a shared responsibility approach to security. The cloud provider is responsible for the security of the cloud itself, providing world-class levels of protection designed for the most security-sensitive organisations. However, financial institutions must remember that they are responsible for managing security when in the cloud. From penetration testing to automated security functions, it is vital that companies are fully literate and up to date in the latest procedures, processes and tools to mitigate risk.
Penetration testing, a key requirement from financial regulators, provides a good example of how the shared responsibility model works. Cloud providers deliver the tools to perform vulnerability scans and penetration testing on their digital infrastructure, however, it is the responsibility of individual institutions to ensure these are carried out regularly in order to stay compliant.
In any area of IT, if you can’t measure, you can’t manage. If CIOs have insufficient visibility over their IT estate it becomes almost impossible to ensure compliance. This is especially important in financial services where regulators expect robust risk management processes to be in place for any business using cloud infrastructure.
Continuous monitoring is key to ensuring that users are managing the risk of their cloud environment, ensuring they have sufficient tools in place to support governance and traceability. This is why businesses must have end-to-end monitoring in their toolkit, enabling them to monitor, analyse, and audit events that occur in their cloud environment. Once in place, executives can not only improve their own piece of mind, but provide a necessary, transparent viewpoint for industry regulators.
Ultimately, to ensure cloud adoption in this highly regulated field is successful, it is up to both cloud providers and end users to work collaboratively. Open lines of communication and a single point of truth for issues around compliance and security are critical for cloud organisations wanting to help financial institutions on their digital journey. By carefully considering the way that data is managed and secured across their environment, at AWS, we are working with businesses to ensure they can embrace the full host of benefits the cloud has to offer while remaining compliant and mitigating risk.