Businesses today are relying more and more on the cloud to meet their computing and data storage needs. The benefits are many – reduced costs, operational efficiencies, flexibility and scalability, enhanced ability to quickly deliver new capabilities and services to clients, etc.
Financial services firms hold significant amounts of sensitive data in a highly regulated environment, and their systems cannot be offline even for a second. The decision to migrate from legacy computing platforms to the cloud therefore raises several challenges and key questions, such as:
1) Will it meet our security requirements?
2) Will it be reliable?
3) Will my regulators approve of its use?
To answer these questions, FSR’s Technology Collaborators brought together leading cloud service providers, other technology innovators and financial services firms to identify key shared principles for successful cloud adoption. This produced a white paper, Data Security, Integrity and Accessibility in the Cloud: Shared Responsibility Principles for Financial Services Institutions & Cloud Service Providers. The paper addresses cross-cutting areas of concern for financial executives and provides recommendations to help build the trust and transparency between the financial institution (FI) and the cloud service provider (CSP) that a successful transition to the cloud requires.
The paper details three principles jointly developed by FSR member firms and cloud service providers to enable the agility, security and compliance financial executives seek.
- Cloud migrations depend upon trust and transparency. Risk management frameworks, cloud deployment models, and contractual and legal considerations such as data use, breach notification, and compliance with security standards are all complicated questions on which firms can learn from one another. Our white paper includes recommendations on each of them. For example, CSPs should make available the information required to support the FI’s assessment, including periodic access to certification, attestation and continuous monitoring documentation. The cloud migration process should also include discussion of data management practices, including which data must remain under the FI’s control, data portability, data segregation, multi-tenancy and data recoverability.
- Cloud security responsibilities are allocated between CSPs and FIs. Each common cloud service model comes with its own distribution of responsibility and accountability for operating and managing security controls. Regardless of the chosen service model, it is critical that the FI and CSP clearly understand the boundaries of the relationship and document who is responsible for the operation, management and reporting of each security requirement. Through this process, the FI should write into the agreement the level of oversight or visibility it will have into security functions outside its control.
- Cloud resilience depends upon cloud architecture and user configurations. Our paper details ways to help ensure service availability, such as deployment model selection, exercises to test and verify resilience, and awareness of potential concentration and subcontracting risks. Cloud computing can offer a more resilient environment than many on-premises networks; however, this depends on the CSP’s underlying infrastructure and capabilities and on the FI’s vendor management practices. The FI should build resilience considerations into its cloud deployments and should carefully assess the resilience enhancements offered by CSPs, such as geo-redundancy in data center selection.
As more services and new applications, such as blockchain, are enabled by the cloud, it is imperative that financial firms understand cloud service models and build partnerships that effectively meet their needs and those of their customers.
These principles provide financial services leaders a series of recommendations to help evaluate and build successful cloud partnerships for today and into the future.
Heather Hogsett is Vice President of Technology and Risk Strategy at Financial Services Roundtable