Securing Financial Data: Best Practices for Cloud Adoption in Financial Services




Over 90% of enterprises use cloud services, with industries like retail and e-commerce, finance and banking, and software technology being the biggest and most proactive users. By 2028, the International Data Corporation (IDC) also predicts that “the banking, software development and telecommunications industries will be the three biggest spenders on public cloud services.”
What do these numbers mean for cloud adoption in the finance industry (FID)?
They all point in the same direction: Financial institutions (FIs) are not only modernizing their technology infrastructure but also gaining the agility and scalability needed to meet customer demands, drive innovation, and remain competitive. And this is good news, because a McKinsey analysis found that by leveraging the cloud's potential, FIs can generate at least $60 billion in earnings before interest, taxes, depreciation, and amortization (EBITDA) by 2030.
However, with cloud adoption comes several security concerns. In fact, nearly all organizations report being moderately to extremely concerned about cloud security, per findings from Fortinet. Financial services, in particular, have to be extra vigilant due to the highly sensitive nature of the data they handle. If not addressed properly, cyber risks can lead to severe financial losses, regulatory penalties, and reputational damage.
These risks increase every passing year, according to the International Monetary Fund (IMF). And that’s why it’s critical for FIs to put strong security measures in place to protect sensitive data and meet regulatory requirements.
This article will explore cloud adoption best practices for securing financial data in the cloud and ensuring safe, compliant cloud adoption.
Finance in the cloud: Private vs public vs hybrid
When it comes to cloud computing, there are three model choices for the financial sector.
1. Public cloud
When a third-party provider offers cloud computing resources over the internet, it is called a public cloud. In this case, the provider owns and manages the entire infrastructure and makes portions of it available to customers as purchased or required. Some of the largest public cloud providers are Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, Oracle Cloud, and Google Cloud. With defining features like high scalability, cost-efficiency, on-demand service, and high elasticity, it is a very appealing option for organizations across industries, and especially for the FID.
Findings from a recent report from the U.S. Department of the Treasury (U.S. Treasury) reveal that adoption of public cloud services has increased across the financial sector in the past decade, contributing to a projected $805 billion in global spending on public cloud services by 2024, with banking among the three industries that together account for $190 billion of that total.
Capital One, one of the largest banks in the U.S., is an early adopter of the public cloud, having fully migrated its infrastructure to AWS’s public cloud services. Similarly, TD Ameritrade, a brokerage firm, leverages the public cloud for non-core applications, optimizing operational efficiency. On a community scale, People’s Credit Union transitioned its servers entirely to AWS after facing challenges with on-premises server management, such as resource allocation, aging infrastructure, maintenance demands, and time-consuming staff oversight.
2. Private cloud
Where a public cloud is multi-tenant, a private cloud is built for a single tenant: the environment is accessible only to one organization, typically over a private network, and it can run on-premises or in an off-site facility operated by a contracted service provider.
Defining features like greater customization and control, tighter isolation, flexibility, faster service delivery, and greater visibility into data governance and regulatory compliance make it particularly interesting for FIs. The caveat is that single tenancy removes noisy neighbors, not work: patching, hardening, and monitoring of the whole stack remain the institution's (or its contractor's) job.
The same report by the U.S. Treasury, in fact, found that most FIs generally moved workloads to the private cloud before considering the public cloud. Wells Fargo is a prime example, starting with a set of third-party-owned data centers and a longer-term aspiration to rely predominantly on public cloud. Boutique banks like Seattle Bank have also moved their core banking systems to a private cloud.
3. Hybrid cloud
Hybrid clouds give users the best of both worlds, combining the elements of both public and private clouds. With this option, there’s a greater flexibility in choosing which environments suit specific workloads. Specifically, FIs can balance handling sensitive data on private clouds while leveraging public cloud’s scalability for less critical workloads.
This approach enables FIs to achieve the cost-efficiency of the public cloud without sacrificing the control and security offered by a private cloud. The hybrid cloud is the popular choice for many larger financial institutions, and across the board, financial services organizations agree that having a solid hybrid cloud strategy in place is a surefire way to unlock the full potential of a digital transformation.
The U.S. Treasury itself, which manages the U.S. government’s finances and economic policy, adopts a hybrid cloud infrastructure for department-wide use cases.
Risks associated with cloud adoption of financial data
While cloud adoption offers flexibility, cost savings, and scalability, it also introduces several risks for FIs. Below are some of those risks:
1. Cybersecurity threats
Financial data is among the most valuable data an organization holds (its crown jewels), making it a very attractive target for cybercriminals. Public cloud environments are often cited as more exposed because of their shared, multi-tenant infrastructure, but in practice the breaches that follow cloud migration are far more often the result of customer-side misconfiguration than of a failure in the provider's tenant isolation, as the Capital One example below shows.
McKinsey reports that with cloud migration, there’s an increased risk of exposure to threat actors and of nation-states gaining access to networks, all of which could lead to cyber risks like data loss, data privacy breaches, and misconfigurations.
A notable example is the March 2019 breach of Capital One's data stored on AWS (discovered in July of that year), where a misconfigured web application firewall on a bank-operated instance was abused to obtain that instance's temporary cloud credentials and read customer data from the bank's cloud storage. The theft covered roughly 100 million U.S. credit card applications and about one million Canadian social insurance numbers. This incident remains one of the FID's most devastating data breaches.
Screenshots from the tip email and the hacker’s comments concerning the breach. Source: CNBC
2. Compliance and regulation risks
As one of the world's most heavily regulated economic sectors, FIs face stringent regulations specifically related to data privacy and security, international laws and mandates, as well as other industry-specific standards. These include the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), and the examination guidance issued by the Federal Financial Institutions Examination Council (FFIEC), among others.
Moving to the cloud can make compliance even more challenging, due to reasons like unclear regulatory requirements in the cloud, limited regulatory knowledge about cloud technology, and regulator reluctance to fully endorse cloud adoption in the FID. Regardless, non-compliance with existing regulations (especially those involving data protection) can result in severe penalties, including hefty fines, legal action, and loss of consumer trust.
For example, Morgan Stanley, an American multinational investment bank and financial services company, was fined $60 million in 2020 by the Office of the Comptroller of the Currency (OCC). The fine was in response to the bank's failure to properly oversee the decommissioning of two wealth management data centers, which left customer data on hardware that was not wiped before it left the bank's control.
Following an investigation begun in 2021 by the U.S. Securities and Exchange Commission (SEC) into the recordkeeping practices of several banks, financial institutions such as Bank of America, Barclays, Citigroup, Goldman Sachs, Morgan Stanley, Jefferies LLC, Nomura Securities International, and Cantor Fitzgerald & Co. were collectively fined over $1 billion in 2022 for employees conducting business over unapproved personal messaging channels whose records the firms had failed to preserve.
3. Human error and insider threats
A Stanford University study found that human error is the cause of 88% of data breaches, making it the weakest link in cybersecurity. In cloud management of financial services, human error can occur at various stages, from initial migration to ongoing data management.
During migration, errors like incorrect configuration of cloud access controls, failure to properly encrypt data in transit, or accidental exposure of sensitive data can significantly increase security vulnerabilities. And once the data is in the cloud, ongoing management and updates that are poorly handled or insufficient open the door to both unintentional mistakes and deliberate misuse.
Capital One, for example, has had incidents involving insiders, notably in 2014; its 2019 breach was carried out not by a bank employee but by a former engineer of its cloud provider, who used familiarity with how the platform works to exploit a configuration error on the bank's side.
4. Vendor risks
Relying on third-party cloud providers means entrusting critical data to external vendors. Although Statista’s projection that global cloud security spending will reach nearly $7 billion in 2024 is indicative of a robust investment in cloud security, there’s always a risk of misalignment in security policies, breaches, or disruptions.
In this case, a multi-vendor strategy may be more effective, as many organizations admit that dependence on a single cloud provider isn't ideal. Bear in mind, though, that each additional provider is another control plane whose identities, logging, and configuration baselines must be secured and monitored.
6 cloud adoption best practices in financial services
Considering the risks and many moving parts of successful cloud adoption in financial services, maintaining high standards of security and compliance is non-negotiable. The following six cloud adoption best practices serve as key strategies for FIs aiming to succeed in the cloud.
1. Data encryption across data states
McKinsey reports that more than 70% of data breaches could be avoided with encryption and secure access management. Encryption needs to be applied in all three data states: at rest, in transit, and in use (the last through confidential-computing enclaves, which not every provider or service offers). Applied consistently across all states, it ensures that even if the data is accessed or intercepted, it remains unreadable without the decryption keys. That makes key management as important as the cipher: keys should be held in a hardware-backed key management service, kept separate from the data they protect, rotated on a schedule, and access-logged so that every decryption is attributable.
Also, it's important to note that as a financial institution, your data encryption is your responsibility. Yes, most cloud providers are spending billions on cloud security, but their shared responsibility models still place the encryption of customer data, and control of the keys, with the customer.
The AWS shared responsibility diagram (not reproduced here) says as much: customers, not cloud providers, are responsible for the security of their data in the cloud. Source: AWS
2. Multi-factor authentication (MFA)
Adding extra factors of authentication before granting access to the cloud safeguards financial data from unauthorized access. Requiring more than one of the three standard factors, something the user knows (a password), something they have (a hardware token or registered device), and something they are (biometrics), greatly reduces the value of a stolen password. Not all second factors are equal, however: SMS and voice codes can be intercepted or socially engineered, and app-based one-time codes can still be relayed by a real-time phishing site, so for administrators and other privileged roles prefer phishing-resistant methods such as FIDO2/WebAuthn security keys.
This approach is relevant across all user identities, from employees to vendors, contractors, or any other stakeholders who need access to sensitive systems. The 2017 breach of Deloitte's systems, for example, occurred because an administrator account was protected by only a single password, which attackers were able to obtain.
3. Vendor risk management
In choosing a vendor, the U.S. Treasury recommends that FIs consider that “the resilience and security of any particular cloud service can and will vary depending on the vendor and service, as well as how each service is configured, provisioned, and managed.”
It's not enough to go for the most advertised or popular cloud service providers. Due diligence is necessary, and it means conducting thorough assessments of cloud service providers, evaluating their security policies, regulatory compliance, and incident response capabilities.
What's more, you can expect this process to take time, experts, and lots of monitoring, which is why many would prefer to outsource the entire vendor management process. But remember, if you're going to give a third party access to confidential customer, employee, and company information, then you have to be able to trust them without a shadow of doubt.
4. Identity and access management (IAM)
Managing identities and access to cloud resources makes sure that only the people who should access the system get that access, and once they get there, they do only what they are allowed to do. In developing this architecture, robust access control measures should be implemented where access to the cloud is only on a need-to-know basis.
Findings from Verizon's Data Breach Investigations Report (DBIR) revealed that 20% of data breaches happen because of 'privilege creep', which is tech jargon for employees accumulating access to more resources than their work requires. IAM goes hand in hand with a zero trust strategy that continuously verifies users and devices at each access point, regardless of their location or prior access history, reducing the risk of unauthorized access and data breaches.
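The least-privilege point above and the encryption point from best practice 1 are both things that can be checked mechanically in the policy documents a cloud account is built from. The following Python is an added example written for this article, not code from the original post or from any cloud provider: a small linter for AWS-style JSON policy documents that flags privilege creep (wildcard actions or resources, write access with no MFA condition) and confirms that a bucket policy makes encryption at rest and in transit non-optional. All three policies are constructed for the example and the bucket name is a placeholder; the condition keys used (aws:MultiFactorAuthPresent, s3:x-amz-server-side-encryption, aws:SecureTransport) are real AWS keys.

```python
import json
from typing import Any, Dict, List

# All three policies below are constructed for this example; the bucket name
# "example-ledger-bucket" is a placeholder. The condition keys are real AWS ones.

# 1. Over-permissive identity policy: the "privilege creep" case.
OVERPERMISSIVE_POLICY: Dict[str, Any] = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": "*", "Resource": "*"},
   {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-ledger-bucket/*"}]}
""")

# 2. Least-privilege rewrite: named actions on one bucket, MFA required.
LEAST_PRIVILEGE_POLICY: Dict[str, Any] = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-ledger-bucket/*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
""")

# 3. Bucket policy that makes encryption non-optional at the storage layer:
#    deny writes that are not SSE-KMS encrypted and deny any non-TLS request.
ENCRYPTING_BUCKET_POLICY: Dict[str, Any] = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-ledger-bucket/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
   {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-ledger-bucket",
                 "arn:aws:s3:::example-ledger-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
""")

READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource/Statement; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_write(action: str) -> bool:
    """Treat anything that is not a Get/List/Describe call as write-capable."""
    return not action.split(":")[-1].startswith(READ_ONLY_PREFIXES)


def find_privilege_creep(policy: Dict[str, Any]) -> List[str]:
    """Lint Allow statements for the usual least-privilege failures:
    wildcard actions, wildcard resources, and write access without MFA.
    This is a lint, not a full policy evaluator (NotAction, NotResource and
    cross-statement Deny interactions are deliberately out of scope)."""
    findings: List[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if any(_is_write(a) for a in actions) and mfa != "true":
            findings.append(f"statement {i}: write access without MFA condition")
    return findings


def encryption_controls(bucket_policy: Dict[str, Any]) -> Dict[str, bool]:
    """Report whether a bucket policy contains the two Deny statements that
    enforce encryption at rest (SSE-KMS on every PutObject) and in transit."""
    result = {"sse_kms_required": False, "tls_required": False}
    for st in _as_list(bucket_policy.get("Statement")):
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {})
        sse = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if sse == "aws:kms" and "s3:PutObject" in _as_list(st.get("Action")):
            result["sse_kms_required"] = True
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            result["tls_required"] = True
    return result


if __name__ == "__main__":
    for name, pol in [("over-permissive", OVERPERMISSIVE_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, find_privilege_creep(pol) or "clean")
    print("bucket policy:", encryption_controls(ENCRYPTING_BUCKET_POLICY))
```

Run against the constructed policies, the over-permissive document yields four findings and the least-privilege rewrite none, while the bucket policy reports both encryption controls present. The same functions can be pointed at policies pulled from an account by the provider's API, which is how a check like this becomes a pipeline gate rather than a one-off review.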
5. Data backup and recovery plans
Develop and test data backup and recovery plans regularly to ensure quick restoration of critical information in case of data loss or cyber incidents; a backup that has never been restored in a drill is an assumption, not a control. According to recent reports, 62% of FIs restored encrypted data using their backups after a ransomware attack.
Also, note that backup and recovery plans are crucial not only for protecting data once it is in the cloud, but also during the cloud migration process itself. There’s always a risk of data loss or corruption when migrating sensitive financial data, and this could happen because of technical failures, human error, or cyberattacks.
6. Compliance and regulatory adherence
FIs face a complex web of regulations when adopting the cloud, and many have expressed concerns about the challenges of maintaining compliance, identifying it as a major barrier to further cloud adoption. However, with the right strategies and tools in place, FIs can navigate these regulatory challenges and ensure that their cloud environments remain compliant.
Conducting a risk assessment is a critical step in this process. A risk assessment helps identify gaps and weaknesses across the organization’s security controls, enabling leadership to make informed decisions on whether to mitigate, transfer, or accept identified risks. Partnering with compliance experts like NuHarbor Security can ensure that cloud adoption remains aligned with industry standards, reducing the risk of the costly consequences of non-compliance.
Making the decision to go to the cloud
Whether you’re planning to move your organization to the cloud or you’re already there, here are some things you should know.
1. Security isn’t automatic
Moving to the cloud does not automatically equate security. Cloud security is a shared responsibility. It’s your job to protect the data, applications, and access controls for your business, while the cloud provider manages the infrastructure.
2. Do not underestimate human error
While automating operations in the cloud may seem straightforward, there’s no substitute for security awareness raising and training. Most of the world’s data breaches across all sectors still happen because of human error. So, it’s important to keep emphasizing regular training on safe data practice, access management, understanding cyber risks, and other best practices.
3. Multi-cloud strategies will mitigate risks
McKinsey reports that 63% of FIs reported greater resilience and flexibility through multi-cloud strategies, which helped them maintain operations and meet regional regulatory requirements. This approach will not only improve system reliability but will also allow firms to select specialized services from different providers to best meet their needs.
4. Ensure strategic alignment
When considering cloud adoption, it’s important to evaluate which assets and services should be migrated in a way that aligns with your organization’s overall business goals. This involves assessing the potential benefits of the cloud in the context of your long-term strategy. Additionally, ensuring leadership buy-in is crucial, as it guarantees the initiative receives the necessary resources, is prioritized in line with business objectives, and has ongoing executive support for successful implementation.
5. Go with an A-team
To succeed in the cloud, it’s essential to have a specialized team of colleagues, vendors, and contractors with knowledge in cloud security, data management, and regulatory compliance. This team oversees cloud risk management, enforces security best practices, and ensures a seamless migration process.
FIs with highly skilled cloud teams are more likely to achieve security and performance goals than organizations without that expertise.
Next steps?
If current trends continue, we can expect that cloud adoption in the financial industry will only increase. The financial institutions who will stay ahead in this terrain are those who prioritize comprehensive risk management frameworks, establish robust data governance policies, invest in cloud talent, and continue to adapt to evolving regulations and emerging technologies.
Ready for your financial institution to maximize the cloud? Come explore solutions with NuHarbor Security and see how we can help protect your financial business.

Ryan Picinich is an Information Assurance Advisor at NuHarbor Security, where he collaborates with clients to design and implement advanced security controls, assess organizational risks, and stay ahead of emerging cyber threats. With over eight years of experience spanning diverse cybersecurity domains, Ryan is a CISSP-certified expert committed to helping organizations strengthen their security posture. Before joining NuHarbor, he managed a Data Loss Prevention application at a Big 4 accounting firm, honing his expertise in protecting critical data and mitigating risks. Currently pursuing his CCSP certification, Ryan enjoys exploring Vermont’s scenic ski trails in his free time.