12/10/2024

Around the Cloud in Eighty Days - The Fifth Leg of the Journey: Cloud Security

This is Part 5 of our ten-legged journey to explore how the Cloud can enable productivity, innovation, and scalability in financial services.

Each of my ten blogs over the eighty days will echo the themes discussed in Reply’s ten-part webinar series, Cloud in Financial Services, in which we’ll highlight some of the key points offered by our presenters and panel members.

In the fourth webinar, we benefited from a panel of senior leaders from Google and Unicredit as well as some of Reply’s Cloud experts (Alan Clacher, Marco Noli and Julien Recan). They shared their ideas on the operating models and governance considerations of Cloud adoption. If you haven’t yet read the write-up for part four, you can do so here.

At this point in the series, we have seen the countless benefits of cloud adoption in financial services. But one sticking point keeps recurring: is it safe? That’s why, in this blog relating to the fifth leg of the journey, we’ll cover the security issues pertaining to cloud adoption by financial institutions that the board and C-suite must consider.

My panel of speakers included Luca Mayer, Manager at Spike Reply; Keyun Ruan, Head of Security, Risk & Compliance at Google Cloud; Julien Recan, Associate Partner with Alpha Reply; and Julian Schmücker, Policy Advisor, Digital Innovation, European Banking Federation.

I have summarised the expertise that they so generously shared with us here in this short blog.

Cloud Security — Strategic Considerations

Luca highlighted five key considerations that will help you adopt the Cloud more securely:

  1. Alter your thinking from “is the Cloud secure?” to “am I using the Cloud securely?” This is the keystone of a secure, fact-based Cloud Security Framework. No cloud service provider (CSP) or infrastructure is 100% secure, in part because they are dependent on how you use them.
  2. Cloud computing is based on new concepts. Review your security controls and decide to reuse, adapt, or add controls depending on specific cases. Existing security controls may be only partially applicable to a Cloud-based ecosystem. That doesn’t mean you need to start from scratch. It means you should review each control case by case.
  3. Take care of security in the Cloud. Do not aim for a one-size-fits-all solution. Prepare for a multi-Cloud, hybrid, dynamic environment. As with any third-party relationship, security considerations should be identified during the selection of your CSP. Part of your due diligence is to assess which security tools and features your CSP will give you and which you must provide yourself.
  4. With Cloud, you can create a new environment. Don’t waste this chance: “Shifting” security to the left is not enough. Push it to the left instead. Too many organisations, including those in financial services, began Cloud adoption without taking security into account from the start. This means they end up losing control as their needs evolve and expand.
  5. Cloud adoption requires a strategic approach. The security department must be key to that. To adopt the Cloud in a stable way that sets you up for the future without major security risks, it’s best to include the security department in the strategic conversations from the very beginning.

Security in Policy — the regulatory Framework for Cloud

Julian described some of the work of the European Banking Federation (EBF) regarding Cloud and the important dialogue between the industry, policymakers and regulatory bodies, including the European Banking Authority (EBA), the European Commission, and the European Network and Information Security Agency (ENISA).

Regulators require financial institutions to have adequate oversight of outsourcing arrangements, including those with third-party ICT providers and CSPs. The industry is working closely with the regulatory community to ensure that the regulatory requirements are harmonised across jurisdictions and respond to technology evolutions.

Risk reduction using Google Cloud in financial services

Keyun began by echoing Luca’s previous sentiment that Cloud adoption requires a mindset shift. In the same way that money is now less minted coins and more digital numbers in a bank account, Cloud is transforming how we manage, store, and send data.

From there, she went on to detail a number of risks financial institutions face with the Cloud and how Google Cloud helps its customers overcome them, including:

  1. Data loss and leakage risk;
  2. Access risk;
  3. Supplier risk;
  4. Concentration risk.

Following the explanation of the various risks a financial institution may face, Keyun shared a useful image that shows the shared responsibility between the financial institution and Google in managing Cloud security in various scenarios from on-premise infrastructure to SaaS, as you can see below.

[Image: Dr Keyun Ruan’s presentation slide showing the shared responsibility between financial institution and Google in managing Cloud security]

***

If you have any questions about any of the above, please feel free to reach out to us at Reply at cloudwebinars@reply.com.

Keep an eye out for episode 6 where we’ll discuss Cloud Regulation.