Security Experts:

Financial Firms Searching for Cloud Strategy: CSA Survey

While a growing number of financial services organizations are moving their data and applications to the cloud, most of them do not have a concerted cloud strategy with appropriate controls and security, according to a new report from the Cloud Security Alliance.

More than half, or 61 percent, of respondents said cloud strategy at their respective organizations was "in the formative stages," the CSA said in a report released Thursday. Most of them do not have a formal cloud migration policy in place and cloud adoption remains very ad hoc in this sector, the report found.

Financial services organizations are interested in the cloud for the same reason other industry sectors are: flexibility. About 68 percent cited flexible infrastructure capacity as the top reason driving cloud adoption, and 63 percent said they needed to reduce the time necessary to provision systems and users. The respondents were more interested in front-facing cloud applications such as CRM, application development, and email, rather than backend services or virtual desks, the survey found.

Cloud StrategyHowever, none of them planned to use only public clouds, and most of them planned to have a hybrid environment. It could be due to regulatory concerns or the fact they are working with highly sensitive information. Between 39 to 47 percent of the respondents planned to use a mix of in-house IT, private, and public clouds, the survey found. Just 18 percent planned to use private clouds. Among organizations with a strict private-cloud-only policy, 86 percent cited security and compliance concerns as the top reasons, and 79 percent cited concerns over privacy and data retention.

Rather than worrying about a concerted cloud strategy, these respondents from financial services firms were more focused on accountability. About 80 percent said they wanted to see increased transparency and better auditing controls from their cloud providers. A little more than half, or 57 percent, wanted better data encryption tools and 51 percent wanted to receive logs in real-time. Other top features included remote auditing and forensics/e-discovery tools.

"The service itself and, more importantly, how the cloud provider accommodates these top features will determine how readily a particular cloud service is embraced," the survey said.

Since the financial services sector is highly regulated, so it's no surprise that compliance is very much at the top of mind. Three-quarters of survey respondents focused on regulatory requirements surrounding data protection, and 68 percent named corporate governance as a concern. Just over half, of 54 percent, listed PCI-DSS, which covers payment card security, as a concern, followed by 47 percent who were concerned about national regulations.

Small companies with 500 or less employees and large enterprises with more than 5,000 employees were more likely to have adopted cloud strategies, the survey found.

The extent the firm's client base was "digitalized," or likely to carry out at least half of their interactions via electronic means such as online banking, mobile, and ATMs, influenced the institution's cloud plans, the survey suggested. Firms with highly digitalized clients were less likely to have a strict cloud policy. The survey found that 19 percent of companies with less than 25 percent of digitalized customers had a strict no-cloud policy. The report showed a very active market for cloud services in the financial services sector, said Dr. Chenxi Wang, vice-president of cloud security and strategy at CipherCloud, which commissioned the report.

The report, prepared by the CSA Financial Services Working Group, is based on survey responses from more than 100 banking, insurance, and investment firm executives in North and South America, Europe/Middle East, and Asia/Pacific regions. The “How Cloud is Being Used in the Financial Sector” survey ran from September to October last year.

The survey was designed to identify the financial industry's main concerns regarding delivery and management of cloud services. The CSA Financial Services Working Group will use the insights gleaned from the survey to work on related projects to accelerate the adoption of secure cloud services among financial organizations.

The financial services industry is increasingly adopting cloud services, and the report highlights areas cloud providers should focus on to meet industry needs. “We hope that cloud providers and financial institutions can use this as guidance to help accelerate the adoption of secure cloud services in the financial industry,” said Jim Reavis, CEO of the CSA.

The full report from the CSA is available online.

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.