Financial Services in the Cloud: Challenges in Security and Resilience
This spring, the US Treasury released its comprehensive report on the financial services industry’s adoption of cloud services. The report details the current state of cloud adoption in the sector and identifies six core challenges that may complicate the migration to cloud service providers (CSPs).
Chief among these challenges is the difficulty of maintaining operational resilience, particularly in complex hybrid- or multi-cloud architectures. Other concerns include shifting operational and cyber risks to CSPs and the difficulty of auditing those CSPs to fully understand their data security strategies. But our key takeaway from the report is the growing importance of cyber resilience in an increasingly cloud-based sector.
The current state of cloud migration
The US Treasury report confirmed what other sources have suggested: that the adoption of public cloud services is ongoing and increasing rapidly in the financial sector. The report cited a 2021 survey in which 90% of banks stated that they maintain at least some data, applications, or operations in the cloud, with over 80% in the adoption or early adoption phases. The report also cited a separate survey in which over two-thirds of banks wanted at least 30% of their applications and data to be in the cloud by 2025, an increase of 300%.
Cloud spending has kept pace. Gartner notes that expenditures on public cloud services nearly doubled over five years, growing from $220 billion in 2016 to $411 billion in 2021, and are estimated to reach nearly $600 billion this year.
The US Treasury was quick to note that reasons for cloud adoption vary widely across the financial services sector. Some financial institutions are using the cloud to facilitate remote work or AI, while others are using it to reduce costs and rapidly develop or deploy new services. Still others are in the cloud because their third-party vendors (for instance, trading platforms or employee video conferencing software) have moved from on-premises to cloud computing.
The result is a combination of hybrid- and multi-cloud architectures. Most organizations (and particularly larger institutions) are pursuing a hybrid architecture, mixing public cloud deployment with on-premises or private cloud offerings. Others are following a multi-vendor approach, either using different vendors to support different applications or using different vendors to support the same workloads for multi-cloud redundancy.
Regulatory implications for the data security landscape
The US Treasury notes that regulations for financial institutions in the United States are generally neutral on the types of technology implemented. However, under regulations like the Gramm-Leach-Bliley Act (GLBA) and the SEC’s Reg SCI, those institutions are also responsible for taking appropriate steps to protect customer data privacy and implement cybersecurity safeguards. Reg SCI in particular requires certain entities to maintain business continuity with technology that supports resilient and geographically diverse operations.
International regulatory frameworks may impact the cloud policies of US financial institutions either directly or indirectly. For example, large organizations conducting global banking will be bound by the GDPR's cross-border data transfer requirements, as interpreted by the CJEU's Schrems II ruling, if they process EU personal data.
Furthermore, legislation like the EU’s Digital Operational Resilience Act (DORA) is expected to impact critical third-party services, including public cloud providers. (In fact, the US Treasury report notes that DORA was informed by acute concerns over the market concentration risks presented by these providers.) Changes made by CSPs in response to these international regulations will in turn impact the US financial institutions using their services.
Although the report itself does not call to impose any new regulatory requirements on financial institutions, some observers are arguing for tighter government controls on CSPs. As a June article from Financial Times notes, regulators are becoming increasingly concerned about systemic financial risks emanating from the cloud. The article explains that banking organizations are sounding the alarm that “big tech interdependencies” have become “a key policy blind spot.”
Currently, the speed of change in cloud computing practices and the increasing issues with market concentration leave financial regulators ill-equipped to handle the explosive growth in this sector, and the US Treasury’s Cloud Committee is clearly seeing the warning signs.
What are the US Treasury’s top six cloud challenges for financial institutions?
- Lack of transparency. Specifically, CSPs do not always offer enough information for their financial customers to carry out strong risk management and due diligence. Third-party risk management for cloud services can be highly complex and resource-intensive, especially among small and medium-sized financial institutions. Additionally, the shared responsibility model can differ among different CSPs, making it difficult for financial institutions to understand their exact security responsibilities with each provider they use.
- Gaps in technological and human capital for secure cloud deployment. Because of the shared responsibility model, user misconfigurations often lead to security incidents. This can happen for two primary reasons. First, there may be a shortage of cybersecurity skills and cloud expertise among IT teams at financial institutions. Second, some cloud services can be highly complex for financial institutions to implement and manage, and the tools and guidance offered by CSPs may themselves be highly technical. The US Treasury report cautions that, although cloud services can offer a resilient and secure environment for financial institutions, “the resilience and security of any particular cloud service can and will vary depending on the vendor and service, as well as how each service is configured, provisioned, and managed.”
- Increased exposure to operational incidents. Although CSPs can offer benefits for resilience and security, they also bring the risk of operational incidents, particularly those that affect multiple geographic regions of a provider at once, as when a provider-wide service such as identity and access management fails. Unfortunately, the solution of running core operations on multiple public clouds for redundancy is prohibitively expensive and complex for almost all financial institutions.
- Market concentration problems. The current cloud services market is concentrated around a small number of providers. Although this concentration brings strong economies of scale, greater interoperability, and fast responses to zero-day exploits, it can also threaten critical services by exposing financial services clients to a set of risks, e.g., from region-wide outages.
- Difficult contract negotiations. Negotiating contracts with CSPs can be challenging for financial institutions of all sizes, particularly when firms seek custom provisions for audit rights, encryption key management, and other data protection measures. This can in turn limit the ability of financial institutions to mitigate cloud risks.
- A complex and fragmented regulatory landscape. There are myriad consequences of the many data privacy laws arising around the world. One is that foreign regulatory scrutiny of CSPs may prevent US global financial institutions from deploying cloud services across their foreign operations. Another is that financial institutions may be put at risk of noncompliance due to a lack of control over their own data.
The strategic vision for supporting resilience in the financial sector
The US Treasury plans to keep monitoring these cloud challenges to promote the continued resilience of the financial sector. It also plans to facilitate continued cooperation between the financial sector and CSPs.
As the report outlines, the US Treasury’s long-term objective is to strengthen the financial sector’s operational resilience in the cloud. It plans to establish an interagency Cloud Services Steering Group and continue collaborating with US financial regulators, financial institutions, cloud service providers, and international partners to address the key issues it raised. However, to achieve its objectives, more than just monitoring and risk assessment from government agencies will be required.
Comprehensive risk management programs
First, financial institutions will need to implement more comprehensive risk management and oversight programs for their cloud services. These programs should generally include ongoing monitoring of each CSP's security, risk controls, and disaster recovery plans.
However, as the US Treasury report notes, transparency can be a major obstacle in risk management. Financial institutions require ongoing information from CSPs to understand their security posture, and not all stakeholders believe that CSPs are forthcoming enough to fully satisfy risk management needs. Some institutions encountered inconsistent documentation, unclear internal dependencies within the cloud environment, and even a lack of transparency into how many data centers they were relying on.
SOC 2 compliance
Third-party reviews and vulnerability assessments can help financial institutions understand the risks they face in the public cloud. One of the most common types is the SOC 2 audit, which many financial institutions currently require of their third-party cloud vendors. Performed by independent CPA firms under standards set by the American Institute of Certified Public Accountants (AICPA), and designed to evaluate fundamental data privacy and security controls, SOC 2 audits can offer institutions a much clearer idea of CSP strengths and weaknesses. Note, however, that a SOC 2 report covers only the controls and systems the provider placed in scope for the audit period; it says nothing about how the institution itself has configured the service on its side of the shared responsibility model.
Data resilience technologies
While financial institutions can strengthen their resilience by operating in multiple regions of the same CSP, most experts believe that seamless failover from one CSP environment to another is unrealistic. The ideal solution would be complete portability among different cloud providers, but it is not technically practical for most organizations — largely because of high costs and a lack of interoperability.
A more realistic solution is for financial institutions to implement strong data resilience solutions across their cloud infrastructure. These solutions must offer high availability, simple integration with various cloud services, and a low management burden for IT teams.
The ShardSecure platform can offer significant value to the financial services sector with its robust data resilience technology for cloud, on-premises, and hybrid- or multi-cloud architectures. Our platform provides multi-cloud resilience for data at rest without the need for full data backups. It also supports data integrity and availability, with the ability to transparently reconstruct compromised data.
Additionally, ShardSecure offers strong data privacy and sovereignty to support the confidentiality and compliance of financial services data. Our technology has been validated to meet Use Case 5 (split or multi-party processing) of the EDPB's Schrems II supplementary measures recommendations under the GDPR, and it supports a stronger cybersecurity posture in support of other cross-border regulations.
Finally, by leveraging interfaces like S3-compatible API for object storage and iSCSI for block storage, the ShardSecure platform is able to reduce complexity in multi-cloud architectures.
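To make the resilience idea concrete, the following is an added illustration, not ShardSecure's code or a description of its internals: a record is split into data shards plus a single XOR parity shard, each shard is written to a different storage backend, and the client keeps a manifest of SHA-256 integrity tags. A shard that goes missing (backend outage) or comes back silently altered (integrity tag mismatch) is detected and rebuilt from the remaining shards, with no full backup involved. The backend names and the sample record are constructed for the example.

```python
"""Added illustration (not ShardSecure's own code): XOR-parity sharding of a
record across independent storage backends, with a client-held manifest of
SHA-256 integrity tags so a single lost or silently corrupted shard is detected
and rebuilt from the others. Backend names and the sample record are constructed."""
import hashlib


def _tag(shard: bytes) -> str:
    """Integrity tag for one shard. It lives in the client's manifest, not on the
    backend, so a backend that tampers with its shard cannot also 'fix' the tag."""
    return hashlib.sha256(shard).hexdigest()


def _xor(chunks: list[bytes], size: int) -> bytes:
    """Bytewise XOR of equal-length chunks."""
    acc = 0
    for c in chunks:
        acc ^= int.from_bytes(c, "big")
    return acc.to_bytes(size, "big")


def shard(data: bytes, k: int) -> list[bytes]:
    """Split data into k equal data shards plus one parity shard (k + 1 total).
    An 8-byte length prefix lets the original length survive padding."""
    payload = len(data).to_bytes(8, "big") + data
    payload += b"\x00" * ((-len(payload)) % k)
    size = len(payload) // k
    shards = [payload[i * size:(i + 1) * size] for i in range(k)]
    shards.append(_xor(shards, size))  # parity = d0 ^ d1 ^ ... ^ d(k-1)
    return shards


def store(shards: list[bytes], backends: list[str]):
    """Write shard i to backends[i] (in-memory stand-ins for object stores).
    Returns (manifest, stores): the manifest is the client-side record of
    which backend holds which shard and what its tag must be."""
    if len(backends) != len(shards):
        raise ValueError("need exactly one backend per shard")
    manifest = [{"backend": b, "tag": _tag(s)} for b, s in zip(backends, shards)]
    stores = {b: s for b, s in zip(backends, shards)}
    return manifest, stores


def recover(manifest: list[dict], stores: dict, k: int):
    """Reassemble the data, tolerating one unavailable or corrupted shard.
    Heals the bad backend in place. Returns (data, repaired_backend or None)."""
    good, bad = {}, []
    for i, entry in enumerate(manifest):
        blob = stores.get(entry["backend"])
        if blob is None or _tag(blob) != entry["tag"]:
            bad.append(i)  # unreachable, or fails the integrity check
        else:
            good[i] = blob
    if len(bad) > 1:
        names = [manifest[i]["backend"] for i in bad]
        raise RuntimeError(f"cannot recover: {len(bad)} shards unusable ({names})")
    repaired = None
    if bad:
        i = bad[0]
        size = len(next(iter(good.values())))
        good[i] = _xor(list(good.values()), size)  # any one shard = XOR of the rest
        if _tag(good[i]) != manifest[i]["tag"]:
            raise RuntimeError("rebuilt shard does not match manifest")
        stores[manifest[i]["backend"]] = good[i]  # write the healed shard back
        repaired = manifest[i]["backend"]
    payload = b"".join(good[i] for i in range(k))
    length = int.from_bytes(payload[:8], "big")
    return payload[8:8 + length], repaired


def demo():
    record = b"ACCT 0001 BALANCE 42.00"  # constructed sample record
    k = 3
    backends = ["cloud-a", "cloud-b", "cloud-c", "cloud-d"]  # constructed names
    manifest, stores = store(shard(record, k), backends)

    # Silent corruption: one byte flipped on cloud-b, no error from the backend.
    blob = stores["cloud-b"]
    stores["cloud-b"] = bytes([blob[0] ^ 0xFF]) + blob[1:]
    data1, repaired1 = recover(manifest, stores, k)

    # Outage: cloud-d is unreachable after cloud-b has been healed.
    stores["cloud-d"] = None
    data2, repaired2 = recover(manifest, stores, k)
    return data1, repaired1, data2, repaired2


if __name__ == "__main__":
    d1, r1, d2, r2 = demo()
    print(d1, "repaired:", r1)
    print(d2, "repaired:", r2)
```

Two design points matter in practice. Parity alone cannot tell which shard is wrong, so the client-held tags are what turn a corrupted-but-present shard from undetected into repairable; keeping them on the same backend as the shard would let a compromised backend rewrite both. Single XOR parity survives exactly one failure at a time; tolerating several simultaneous backend failures needs an erasure code such as Reed-Solomon, at the cost of more parity shards.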
Conclusion: The ongoing challenge of resilience for US financial institutions
The US Treasury report notes that the cloud may be more resilient and secure than on-premises environments, but only if configured with that intention. And the burden is squarely on the financial institutions. “To be effective,” the report explains, “the shared responsibility model relies on clients having the expertise, tools, and information necessary to execute their responsibilities and to ensure the contracted cloud service reflects their desired risk tolerance.”
Unfortunately, the challenges to resilience in the cloud are significant. The financial services sector faces ongoing difficulties in recruiting and retaining talent to manage cloud migration, with most institutions either retraining or hiring team members to manage their cloud environments. It also faces cloud environments that evolve rapidly, vary widely from provider to provider, and are not always built with user design or clarity in mind.
ShardSecure is committed to helping organizations strengthen their data resilience while retaining control of their data in multi- and hybrid-cloud environments. With self-healing data capabilities, high availability, simple integration, and agentless file-level protection, our platform supports financial services companies in maintaining the accuracy, privacy, and availability of their critical cloud data.