Cloud Security a Concern in Financial Sector: Survey
Most financial services providers are now implementing cloud strategies, but concerns linger over security.
The Cloud Security Alliance survey, “How Cloud Is Being Used in the Financial Sector,” found the financial industry still in the embryonic stage of cloud adoption.
According to the findings, 61% of respondents acknowledged that a cloud strategy was in the formative stages within their organization. Thirty-nine percent to 47% said they planned to use a mix of in-house IT, private and public clouds, while 18% said they planned to use private clouds. Top reasons respondents said they adopted the technology were infrastructure flexibility, reduced total cost of ownership and shortened time to market.
“The results of this report are insightful into understanding how the financial services industry is progressing in terms of cloud adoption and how cloud providers can best serve their interests and needs,” CSA CEO Jim Reavis said.
The study focused on three areas of interest to analyze the level of adoption of cloud solutions and requirements from financial institutions’ perspectives: Security fears, approach to cloud services and compliance concerns. While the survey found that cloud computing is becoming more and more prevalent throughout the financial sector, less than 50% of the industry had yet to build a solidified, concerted approach to cloud adoption.
The results indicated data security is a major worry.
“It far surpasses the concern over the infrastructure or communication security, it is really about data,” observed Dr. Chenxi Wang, vice president, cloud security and strategy at CipherCloud, a sponsor of the survey.
“That shows some maturity of thinking [and] that the industry is moving toward data-level control,” she added.
When it comes to data security on the cloud, 43% of companies considered public breach notification as one of the top obstacles in adopting cloud. Another 13% reported a cloud-related security incident. Specifically, data security was the most commonly cited area of concern for the reported incidents. Half of the respondents reported data availability and leakage cloud incidents, with 33% due to unauthorized access, 25% from malware and other vulnerabilities and 17% as service abuse.
“The governance practice for computing remains a patchy exercise today,” Wang said. “CSA is in the center of putting together standards, but in terms of executing the governance there is a ways to go before we have a concerted strategy.”
Reavis pointed out there are a wide variety of top-level cloud providers that are very diligent and have strong security practices in place, but others do not.
So what approach should financial institutions take when it comes to the cloud?
“We always ask that a company put together a cloud security platform, much like companies put together a policy platform,” Wang suggested. That policy should govern each use of the cloud.
Reavis said there is no reason why financial institutions can't deploy state of the art data security, encryption, key management and other sorts of controls.
Once adequate data security measures are in place, financial institutions could consider hosting a virtual branch inside a data center or some other public cloud, Reavis said. The industry is not there yet, he added, but the adoption is showing strong growth.