Financial institutions and their clients have good reasons to be concerned about cybersecurity. Firms in this sector experienced twice as many unique cyber incidents in 2023 as in 2022, according to research from IT security specialist Positive Technologies.
These institutions’ increasing reliance on the cloud has opened a wide range of attack vectors. IBM’s X-Force cybersecurity team noted a 194% increase in cloud-related vulnerabilities and exposures in 2023 vs 2022.
The Cloud and Why Your Firm Is Almost Certainly Using It
Conceptually, the cloud is a model of on-demand access to computing resources like storage, processing power, and software, delivered over the internet. The cloud allows you and your colleagues to access data stored centrally on a remote server rather than on a single computer located in your office.
In 2023, 98% of the financial services providers surveyed by the Cloud Security Alliance said they were using some form of cloud computing. And according to the International Banker, more than 44% of financial services organisations had data in the cloud in 2023, and 52% will in 2024.
Almost every cloud setup involves remote (off-premises or “off-prem”) data servers that are not located in the same place as the users accessing the data stored on them. There are, however, three different cloud deployment models distinguished by who has access to and control over the remote servers:
- Shared cloud (also known as a public cloud): This deployment model involves multiple users sharing remote servers owned and operated by a cloud service provider (CSP). Examples of well-known CSPs include Amazon, Google, and Microsoft. Shared clouds are often considered relatively cost-effective, easy-to-set-up, and quickly scalable options for cloud computing.
- Hosted private cloud: Here, a CSP owns and operates remote servers used exclusively by a single organisation. Dedicated resources mean higher costs, but users have more control over configuring resources to meet specific organisational requirements related to performance predictability and compliance with data regulations, for example.
- Private cloud: A private cloud involves dedicated cloud infrastructure owned and controlled by a single organisation. While this infrastructure may sometimes be located on-premises within the organisation’s facilities, a prevalent practice is “colocation,” or leasing space for the servers from a data centre provider. These providers primarily handle physical security, electrical power, connectivity, and other similar necessities not related to the inner workings of the servers. While generally the most expensive of cloud computing models, private clouds offer the highest degree of customisation to meet specific organisational needs, control over data storage and access, and performance for particular workloads and requirements.
It is also worth noting that so-called hybrid clouds combine at least two of the above types of cloud environments.
Cloud Security Risks
The growing popularity of cloud computing, estimated to account for 68% of all external IT spending in 2023 according to HG Insights, has brought a heightened focus on cloud security. The total cloud security market reached US $76 billion last year, with financial institutions spending a report-topping $23.4 billion on related solutions.
Broadly speaking, the security challenges these solutions must address depend on the type of cloud the organisation relies on.
- Shared cloud security concerns: Because the CSP manages infrastructure, users do not have complete control of their security posture. Sharing resources with other organisations increases exposure to security vulnerabilities, as attacks on one domain can impact other domains relying on the same components and code.
- Hosted private cloud security concerns: While a dedicated environment allows an organisation greater flexibility in implementing security measures, CSP employees may still be able to access – if not necessarily decrypt and read – the organisation’s files. Encrypted files can be accidentally or intentionally damaged, often leaving the organisation with limited technological recourse.
- Private cloud security concerns: Private clouds offer the ultimate in cloud security – for organisations that know what they are doing. The organisation is in complete control of its servers and must have the expertise to deploy advanced mechanisms like firewalls, intrusion detection systems, and access controls. Such expertise is not easy to get: 80% of enterprises Flexera surveyed said a lack of expertise is their top cloud challenge. The Cloud Security Alliance found that only 29% of surveyed financial firms said that their staff had a high knowledge of cloud security.
Cloud Choices in the Financial Industry
Judging from Cloud Security Alliance statistics, your firm is likely to be relying on a hybrid cloud powered by at least one CSP, with different types of data handled in different environments. Of the financial service providers the Alliance surveyed:
- 84% said they were using a public cloud to store at least some regulated data, including what would be termed personally identifying information under the EU’s General Data Protection Regulation,
- 59% said they were storing or processing regulated banking data in cloud services,
- 28% said that more than half of their regulated data was stored in a public cloud, and
- 57% reported working with more than one CSP.
Your takeaway? To be able to give your clients an accurate overview of how their data is secured in your cloud, you’ll probably need to do a little homework.
A good starting point would be to find out which CSPs you are working with, the types of cloud you are using, and the tiers of the data centres where your cloud data is stored. Tier 4 is top of the line.
Actionable Insights
- Your firm is a top target for cyberattackers – Expect clients to ask you where their data is stored and how it is secured.
- Your firm is almost certainly using the cloud – There are three main types of cloud; find out which one(s) you are using.
- Cloud models are not all equally secure – Know the basics of how they differ with respect to security.