Financial Services and Cloud Storage — Security, Myths and Driving Factors
Companies in the financial sector, whether retail and investment banking, asset management, hedge funds or insurance, are part of the industry that can benefit most from cloud innovations. This now seems to be accepted as a fact. Especially start-ups and small companies providing banking and financial services knew how to profit from the potential of the cloud for themselves early on. But big banks and insurers are also following suit and are drawing more and more services and processes into the cloud.
We want to clarify why the cloud is relevant for the finance industry. Not only because of its ability to flexibly expand server capacities, but also as an external storage solution for company data. In addition, we look at how well the financial sector is doing in terms of cloud security.
Reasons for Cloud Adoption in the Financial Sector
The three most common use cases of the cloud are to flexibly lease server capacity to reduce time to market, faster and improved risk analysis, and data storage outsourcing. Below are some prominent examples that point out reasons financial institutions are moving to the cloud and how they are benefiting.
Reason 1: Cost Savings | UBS and Credit Suisse
One reason banks are turning to cloud computing is their ever-increasing need for computing capacity. The cloud provider Microsoft was able to convince both Credit Suisse and UBS of its merits. The issue of costs was relevant to both banks, although it was not the decisive reason for migrating to the cloud. If resources are required that are difficult to build or expensive to maintain in the company's own infrastructure, switching to a cloud provider is an attractive alternative. According to its own statements, UBS is apparently able to save a three-digit million euro amount thanks to the Microsoft solution.
Reason 2: Storing Sensitive Company Data Securely in the Cloud | SNP Title Co.
Financial institutions outsource their corporate data from their own servers to cloud services, to hand over the responsibility for maintenance and security to an external service. This goes hand in hand with reason 1, as outsourcing data storage can save costs depending on the size of the company.
Every financial company stores large amounts of data, some of which must be available for day-to-day business and some of which do not. When you use cloud storage, you no longer need to worry about updating and maintaining your own servers or data centers. In addition, when using a further encryption solution, cloud security can exceed the security of your own servers. The cloud provider takes care of contingency plans and protects your data from fire, burglary or natural disasters. The encryption solution protects your data in case of data leaks and hacker attacks. So instead of worrying about the IT infrastructure, your employees can focus their creativity and potential on moving your business forward.
For example, the American insurance company SNP Title Co. uses our Boxcryptor encryption solution to work securely in the cloud. You can read about the advantages of their cloud setup in our success story.
Reason 3: More Performance On Demand through a Flexible Infrastructure | Deutsche Börse
In spring 2019, it was announced that the Deutsche Börse has intensified its use of cloud solutions and will work with the cloud provider Microsoft in the future. This was followed in fall by the information that a cooperation with Google is also being considered. Deutsche Börse is thus pursuing a multi-cloud strategy, in order to benefit from the respective strengths of the cloud providers, while at the same time spreading possible risks.
As a first step, Deutsche Börse has migrated work processes to the Microsoft cloud, including services, such as the development and testing of business applications. The outsourcing of core services for the distribution of data will follow in the next step. The Google Cloud will be used primarily in the area of machine learning, in order to analyze large amounts of data and to be able to make predictions on the basis of that data.
If previously it took the institution months to deploy and set up servers in the company, with the use of a cloud solution they receive the required computing and storage capacity in about one hour.
Reason 4: Easy and Fast Access to New Technologies | JP Morgan Chase
Others opt for the cloud to be more flexible in responding to requirements and to shortening time-to-market. The use of a public cloud service also supports the further development of new technologies. This usually goes far beyond what a financial company itself could provide. Access to the resources of a cloud company offers improved access to new technologies, such as artificial intelligence, automation and machine learning, big data and analytics, as well as DLT or blockchain.
For example, the largest bank in the US, JPMorgan Chase, uses not one but __ four global cloud platforms__: the three largest public clouds, Amazon Web Services (AWS), Google Cloud and Azure, as well as its own private cloud. The bank expects to deliver world-leading technologies and drive innovation with new features such as Blockchain, AI, and Big Data.
Privacy Concerns and the Myth of the Insecure Public Cloud
The topic of data storage in the cloud comes along with many misconceptions and prejudices. For example, everyone agrees that data should not be stored in the cloud unprotected. For many, this feared insecurity of data is the main reason they shy away from the cloud.
However, the security of your data depends heavily on how you store your data in the cloud. Data on your own servers is only as safe as your security measures are good. You probably would not, for example, leave your office door unlocked when you leave at the end of the workday, while your PCs are still running without password protection.
Cloud providers implement various measures to protect your data in the cloud. Physically, your data is secured at a high level because the data centers are protected with security personnel, video surveillance, motion sensors, various authentication factors, and with some providers even armed personnel. Furthermore, precautionary measures are in place to prevent service interruption. Probably, most banking and insurance companies are not able to take such precautions themselves.
Nevertheless, you should take additional security measures to protect your data from misuse, data theft by hackers, and access by third parties. Cybercrime, negligent employees, and authorities who demand access to data, or a violation of privacy by the provider are __ serious threats that can have serious consequences__. Therefore, you should not use the cloud unsecured. With a good encryption solution, the data itself is perfectly protected under the strict European data protection laws.
High Compliance Requirements for Companies with “Critical Infrastructures” (KRITIS)
The German-language surveyPwC survey “Cloud Computing in the Banking Sector” asked about the state of knowledge regarding compliance requirements in cloud computing. Only 37% of all respondents stated that an up-to-date overview of the requirements was available. On the other hand, 40% reported that there is no overview of the relevant compliance regulations for cloud use in their company. It is precisely this uncertainty, and the unclearly formulated requirements and criteria that are slowing down the deployment of cloud use in financial companies.
This is because banks that want to outsource part of their IT processes still have responsibility for the data and financial processes. Before IT and data services are outsourced, security issues must be clarified, for example, with regard to data management and data protection.
The same principle applies to outsourcing to cloud providers: The responsibility of the managers of a company must not be transferred to the cloud service provider when data is outsourced.
Source: BaFin information sheet on outsourcing to cloud providers
The criteria catalog Cloud Computing C5:2020 of the German Federal Office for Information Security, which was updated in 2020, offers companies an important orientation guide for the selection of a suitable cloud provider. The guideline specifies minimum requirements for secure cloud computing and provides support in implementing cloud user risk management.
Specifically for the banking sector, the European Banking Authority (EBA) has prepared the “Recommendations on Outsourcing to Cloud Providers” in 2018, which were included in February 2019 in an updated form in the higher-level EBA Guidelines on outsourcing arrangements. The document provides suggestions and recommendations on how banks can keep an eye on and manage the risks arising from outsourcing.
A shared responsibility approach allows companies that want to use the cloud to share responsibility with the cloud provider: On the one hand, the cloud provider is responsible for the security of the cloud itself and offers a first-class level of protection. The financial institutions, on the other hand, are responsible for Security Management in the Cloud.
For more information on data protection and compliance requirements for financial institutions in relation to the cloud, please refer to our free whitepaper linked at the end of this article.
Encryption and Cloud Security in the Financial Industry
We cannot stress the security factor enough. Obviously, a large proportion of companies still use the cloud without sufficient encryption and security technology. According to a study by Ponemon/Thales from 2019, 48% of all corporate data is now stored in the cloud. What is alarming, however, is that only a third (32%) of companies attach the greatest importance to security.
At least half of the participants are aware that storing sensitive data in the cloud represents a security risk. More than half of the respondents also stated that this represents a compliance risk. 35% see the responsibility for data security mainly with the cloud provider, which is irritating, considering that only 23% state that security is a major factor when choosing these providers.
But there is also good news from the study:
Over the past three years, the use of encryption, tokenization, or other cryptologic tools to protect data in the cloud has increased.
80% of respondents say that the ability to encrypt or tokenize sensitive or confidential data is either very important or critical to their organization’s decision to use cloud resources.
Out of these, 49% of cloud users encrypt their data at rest.
... the encryption or tokenization of sensitive or confidential data directly in cloud applications (SaaS) has decreased to 29% of respondents compared to the previous study.
... only about half of all companies state that control over encryption keys is in their own hands when data is encrypted in the cloud. 20% of respondents say that the cloud provider has control. 16% indicate they outsource control of encryption keys to a third, independent party.
Why is this a problem? First, data is only encrypted at rest, not in transit, so it could be tapped. Second, the person who encodes the data also has the keys to encode it. So, providers could decrypt the data if they wanted to. Since the data is only encrypted at rest once is has arrived at the provider, it is possible and very likely that a plain text version of your data is also available at the provider.
Only with additional local encryption your data can be private and protected in the cloud.
Boxcryptor offers an encryption solution for companies that is compatible with the most common cloud providers. A glance at our corporate customers shows that the financial industry is one of the top 5 industries using our security solution. Our customers from the banking and financial industry rely on the security of the public cloud in combination with local encryption.
The move of the financial sector to the cloud will continue to progress in the coming years, especially as many large companies are currently taking or have taken this step, in a pioneering manner. However, a good security strategy is absolutely essential to act in compliance with data protection regulations and to prevent data leaks. If you use the cloud of your choice in combination with Boxcryptor, your data is perfectly protected as it is encrypted before it enters the cloud. We are happy to help you use the cloud securely.