Security is key in a cloud future

What can investment managers do to feel safe about moving data to the cloud?

Daniele Catteddu, CTO, Cloud Security Alliance

Talks about the cloud future and balancing resources for compliance and security.

Read this article and learn about:

  • Best practices and a strategic approach to the cloud
  • Key questions to ask service providers moving to the cloud
  • Balancing resources for compliance and security

Is the cloud secure? Being able to answer this question positively is a top priority among investment managers whose service providers are moving to the cloud. Currently, security is a main concern when it comes to cloud computing, especially within financial services. Now is the time for investment managers to take a best-practice approach to the inevitable cloud future and to get their priorities right.

In the financial sector, Boards of Directors as well as systems architects and operations managers are already looking forward to the benefits of cloud computing: reduced IT costs, increased operational agility, and easier upgrades, just to mention the most obvious. Furthermore, some experts claim that public cloud platforms are safer than private data centers.

While acknowledging that the cloud is the inescapable future, the financial services industry is traditionally conservative when it comes to applying new technology. So, while some may be excited about the cloud future, many executive officers at investment management firms have concerns about cloud computing and about the prospect of system platform vendors moving their key asset, data, to the cloud.

Understandably, there is some uncertainty about moving data to the cloud. However, as already indicated, the public cloud is likely to be a far more secure platform for storing data than any in-house system available. The explanation is that large providers such as Microsoft, Amazon and Google have the scale, and hence the resources, to put the best and largest security teams in place. As a result, they are able to provide a security level which no private cloud service provider could ever match.

Taking a best-practice approach to the cloud future

Many banking institutions have already embarked on the cloud journey and taken a very consistent approach to security in the cloud. They have established a clear picture of the key functional and regulatory requirements to present to their system providers. In this process, some of these banks have found it helpful to make use of a security control framework. Among the frameworks applied, the Cloud Controls Matrix developed and provided by the Cloud Security Alliance is an example of a standardized approach by which financial institutions can express security requirements and find out whether they are matched by the security capabilities of the cloud providers.

In a similar manner, investment managers also need to take a consistent cloud strategy approach. In 2017, there is no longer a risk of being an early adopter – more so of being a late adopter of cloud computing. The question is not if you should be moving to the cloud, but how you make the move safely.

The European Network and Information Security Agency's (ENISA) 2015 report 'Secure Use of Cloud Computing in the Finance Sector', which is based on input from 24 financial institutions, six cloud service providers, and 12 national financial supervisory authorities, includes recommendations on establishing best practices and de facto standards for minimum security requirements. The report recommends a risk-based approach, creating mechanisms for compliance, transparency, and assurance, making an effort to harmonize regulatory requirements, and finally fostering awareness and education both within the financial sector community and among the financial regulators.

Establishing this setup can seem a somewhat overwhelming task, which builds the case for promoting cooperation among stakeholders in the cloud future project. When it comes to the regulatory stakeholders, their requirements do not suggest that they are against the adoption of cloud computing. Their main requirement is that financial institutions, like banks and investment management firms, are able to perform proper risk management.

In the investment management industry discourse, it often comes up that regulation is a burden. However, regulation can also be a source of positive change. Your goal should not “just” be achieving compliance, but rather to follow the gist of the regulation. In the case of security requirements, this means your goal should be to understand and adopt the motivation behind the security standards. This will make it easier to meet the requirements – also when it comes to the many overlapping security standards a firm may be subject to if it does business across borders.

Ensuring your vendor is in control of your data

If your platform vendor has decided to move its infrastructure to the cloud, your most important obligation is to know exactly what your vendor will be doing with your data. To perform proper due diligence, you need, as mentioned above, to apply a standard security framework. You need this framework to establish a set of cloud security requirements, which you then present to your vendor. The framework will enable you to assess your vendor against your cloud security requirements by asking them the right questions. Furthermore, you need to ensure that your vendor in turn is enforcing these cloud security requirements on its own cloud service provider.

A cloud future means that security is no longer a matter of having a piece of hardware under your own control. You need to establish a relationship with your vendor where you know exactly what they will be doing with your data – a focused due diligence process is going to be key here.

Balancing resources for compliance and security

Regulations and compliance have for a long time been key topics in the investment management industry. Moreover, in recent years there has been a clear trend of compliance becoming more and more complex, which inevitably increases the resources that investment management firms must allocate to it. Very often, however, we notice an unbalanced distribution of resources between security compliance and operational security, with the result that compliance is eating up to 70% of a shared budget.

Under the assumption that your key assets, and especially your data, are protected through the implementation of robust operational security measures, both technical and organizational, it seems obvious that there is a need to reestablish a balance between the resources dedicated to compliance and those dedicated to security. One key challenge in this balancing act is to reduce the burden of compliance. A way of doing this is by identifying practices and tools that can help simplify and streamline the compliance effort. Regulatory compliance must never come at the expense of allocating sufficient resources and focus to ensure a secure cloud future for your firm and its key asset, data.

About the author

Daniele Catteddu

Daniele Catteddu is an information security and risk management practitioner, technology expert and privacy supporter with over 15 years of experience. He has worked in several senior roles in both the private and public sector. He is a member of various national and international security expert groups and committees on cyber security and privacy, a keynote speaker at several conferences and an author of numerous studies and papers on risk management, cyber security and privacy. Currently he is the Chief Technology Officer at Cloud Security Alliance, where he is responsible for driving, on a global scale, the adoption of the technology strategy within key CSA lines of business: research, standards, education and products. He identifies technology trends, global policies and evolving social behavior and their impact on information security and on CSA's activities.

Daniele is the co-founder of the CSA Open Certification Framework/STAR Program and he is a member of the CSA International Standardization Council. Mr. Catteddu is a member of the Policy and Scientific Committee of the European Privacy Association. In the past, he worked at CSA as Managing Director for the EMEA Region, at ENISA (European Network and Information Security Agency), as an expert in areas of Critical Information Infrastructure Protection (CIIP) and Emerging and Future Risks Management, and had a leading role in developing EU cloud security research. Before joining ENISA, Daniele worked as an Information Security consultant in the banking and financial sector. Daniele graduated from the University of Parma (Italy) in Business Administration and Economics, and he is an ISACA Certified Information Security Manager and Certified Information Systems Auditor.