Daniele Catteddu, CTO, Cloud Security Alliance
Talks about the cloud future and balancing resources for compliance and security.
Read this article and learn about:
- Best practices and a strategic approach to the cloud
- Key questions to ask service providers moving to the cloud
- Balancing resources for compliance and security
Is the cloud secure? Being able to answer this question positively is a top priority among investment managers whose service providers are moving to the cloud. Currently, security is a main concern when it comes to cloud computing, especially within financial services. Now is the time for investment managers to take a best-practice approach to the inevitable cloud future and to get their priorities right.
In the financial sector, Boards of Directors as well as systems architects and operations managers are already looking forward to the benefits of cloud computing: reduced IT costs, increased operational agility, and easier upgrades, just to mention the most obvious. Furthermore, some experts claim that public cloud platforms are safer than private data centers.
While acknowledging that the cloud is the inescapable future, the financial services industry is traditionally conservative when it comes to applying new technology. So, while some may be excited about the cloud future, many executive officers at investment management firms have concerns about cloud computing and the outlook of system platform vendors moving their key asset, data, to the cloud.
Understandably, there is a kind of uncertainty about moving data to the cloud. However, as already indicated, the public cloud is likely to be far more secure as a platform for storing data than any in-house system available. The explanation is that big players such as Microsoft, Amazon and Google have the scale, and hence the resources, to put the best and largest security teams in place. As a result, they are able to provide a security level which no private cloud service provider could ever match.
Taking a best-practice approach to the cloud future
Many banking institutions have already embarked on the cloud journey and taken a very consistent approach to security in the cloud. They have established a clear picture of the key functional and regulatory requirements to present to their system providers. In this process, some of these banks have found it helpful to make use of a security control framework. Among the frameworks applied, the Cloud Controls Matrix developed and provided by the Cloud Security Alliance is an example of a standardized approach by which financial institutions can express security requirements and find out if they are matched by the security capabilities of the cloud providers.
In a similar manner, investment managers also need to take a consistent approach to cloud strategy. In 2017, the risk no longer lies in being an early adopter of cloud computing, but rather in being a late one. The question is not if you should be moving to the cloud, but how you make the move safely.
The European Network and Information Security Agency’s (ENISA) 2015 report ‘Secure Use of Cloud Computing in the Finance Sector’, which is based on input from 24 financial institutions, six cloud service providers, and 12 national financial supervisory authorities, includes recommendations on establishing best practices and de facto standards for minimum security requirements. The report recommends taking a risk-based approach, creating mechanisms for compliance, transparency, and assurance, making an effort to harmonize regulatory requirements, and finally fostering awareness and education both within the financial sector community and among the financial regulators.
Establishing this setup can seem a somewhat overwhelming task, which builds the case for promoting cooperation among stakeholders in the cloud future project. When it comes to the regulatory stakeholders, their requirements do not suggest that they are against the adoption of cloud computing. Their main requirement is that financial institutions, like banks and investment management firms, are able to perform proper risk management.
In the investment management industry discourse, it often comes up that regulation is a burden. However, regulation can also be a source of positive change. Your goal should not “just” be achieving compliance, but rather to follow the gist of the regulation. In the case of security requirements, this means your goal should be to understand and adopt the motivation behind the security standards. This will make it easier to meet the requirements – also when it comes to the many overlapping security standards a firm may be subject to if it does business across borders.