Strong Winds Behind Financial Service Adoption of Cloud (As Long as We Stay Between the Buoys)

This month we released the findings from our research into the current use of cloud services by financial service organizations and the data suggests a growing comfort with leveraging the technology to manage critical workloads. In fact, 98% of respondents said their financial company is using cloud services in some capacity.

So what has strengthened the use of cloud services?

Since it is officially summertime and I’m preparing for my annual attempt to navigate a catamaran in the isles of Turks and Caicos, I decided to (over)use sailing terms to share our insights.

Primary reason for the ‘run’ of momentum

Several factors have assisted with this adoption since the last report was published in early 2020. Most noticeably was the global pandemic that shifted much of the workforce to remote working situations and accelerated testing of internal application and other use cases.

Also, more familiarity of security features that create isolation of sensitive data, as well as security triggers that quickly identify misconfigurations, increased confidence to deploy more workloads considered ‘business critical.’

In fact, 84% of respondents said they currently have regulated data within their cloud architecture. And 32% said their organization had the majority of their critical business functions in cloud. That is a significant shift from the 2020 survey when the same question was posed and only 17% claimed to use cloud predominantly.

Additionally, there was greater public recognition by policymakers that cloud computing was ubiquitous and acceptable as long as certain assurances exist and are effectively in place.

The response to this report was well represented globally throughout Asia, Europe, and North America, with not many discernible differences between regions during both the interviews and survey.

If the main sail for cloud is Zero Trust, good compliance management is the jib

In my defense, I did say I was going to overuse the sailing analogy.

When asked to identify top priorities, Zero Trust received the most interest followed by cloud regulation, multi-cloud management, and the shared security responsibility model.

Access management and the ability to continually improve authentication and authorization to both data and resources was mentioned consistently in interviews as both the most important and often most challenging current activity.

Nearly as important was good compliance practices to easily and automatically collect necessary test results to meet compliance requests and the ability to articulate the specific responsibilities of the Shared Security Responsibility Model. As better approaches have been developed, it has made cloud justification easier to convey to decision-makers.

What could increase the wakes

Despite the increase in use of cloud, several issues were seen as preventing even further adoption. Most notably was data privacy rules and other regulation. From several interviewees, it appeared this conclusion was less about personal confidence in cloud and more a concern that auditors would not understand or agree with their cloud strategy. Or that the ability to demonstrate security for compliance purposes was more challenging than showing adherence to current practices.

Several respondents suggested more education and guidance for validating specific types of deployments to various regulatory requirements within GDPR, PCI, and other frameworks.

Similarly, overall training and a general feeling of a cloud skills gap was cited as a potential long-term problem. For example, if there were not enough internal professionals trained on good cloud security practices and how to optimize technical controls, then the required oversight of third-party services may be seen as inadequate.

Finally, the current uncertainty of how regulators all around the world will address ‘resiliency concerns,’ data sovereignty, or the potential ‘overleverage’ in CSP contracts, may require more time to sort out prior to significant new investment. Substantiating that concern in the report was the fact that 2023 respondents said they were less prepared with a backout plan from their current CSPs compared to 2020 results. In 2023, 48% of respondents said they had a documented backout plan, while 65% of respondents had one in 2020.

What the horizon holds

As outlined in the report, there are many potential opportunities ahead where CSA can help support. This begins with a newly formed Financial Services Leadership Council that will help recommend strategic direction for future initiatives. The inaugural meeting was held on June 8^th and is anticipated to meet quarterly with several activities during the interim.

Areas of interest that have been suggested include:

• Supporting collateral for meeting financial regulation
• Industry-centric use cases for multi-cloud management
• Additional survey and other research on general trends of cloud
• Education focused on auditing practices to address security and governance expectations
• Specific CCM guidance or requirements for financial services
• Protection of financial information via confidential computing

Other activities already underway include mappings to various financial frameworks such as ECUC and PCI DSS v4.0, as well as guidance for leveraging HSM-as-a-Service, which is critical for meeting certain key management expectations.

We plan to continue to have industry experts share their knowledge and experience in our ongoing FinCloud Friday series that we hope you both listen to and share with your colleagues.