Data breaches at major retailers seem to grab the headlines, but financial institutions are also popular targets of cyber-theft. As one example, in May 2013 U.S. federal agents busted a ring of cyber-criminals that, in a matter of hours, stole $45 million from financial institutions around the world. In fact, 37 percent of cyber-attacks are leveled at financial services companies, according to the Verizon 2013 Data Breach Investigations Report.
Headlines like those above will likely give financial services firms pause as they consider migrating their data and processes to the cloud. Although cloud computing promises tremendous advantages in agility and lower total cost of ownership, it also introduces unique security issues.
The answer isn’t to avoid the cloud; the potential benefits to businesses are simply too great. Instead, the solution lies in identifying the right data and processes to move to the cloud, and in determining the right policies and technical controls to project your data—and your business—once you’re there.
For financial institutions, cloud computing is a cost-effective way to manage processes that are sufficiently standardized when there’s no competitive advantage to keeping them onsite.
The primary reason is that in financial services, each business application is typically assigned to a specific portion of the IT infrastructure. That infrastructure is designed to function under peak demand, even though average capacity usage might be as low as 20 percent. That can result in high fixed costs for infrastructure implementation and maintenance.
Cloud computing enables a shared infrastructure that accommodates multiple applications. That means lower overall cost for servers and data storage. It also allows for cost-effective scaling up or down as needed, as well as lower cost for upgrading software. Perhaps just as important, it enables greater agility, as companies can quickly respond to changing needs.
Data Security Dilemmas
The challenge is that cloud computing introduces new security issues. To understand why, it helps to recognize the kinds of data financial institutions might maintain in the cloud.
This content falls into three categories. First is information purchased from vendors like Reuters or Bloomberg. Second is information about consumers and business customers, including personally identifiable data and financial information. And third is the company’s own data, such as employee information and intellectual property.
All three types of data must be protected, for varying reasons. Purchased information typically is contractually restricted in terms of who can access it. Customer data is governed by a growing array of federal and state privacy laws, and its compromise carries heavy legal, reputational, and financial risk. Company data such as intellectual property often represents significant competitive advantage, and its exposure can seriously damage a firm’s business outlook.
For financial institutions, these issues are serious enough that they’ve limited their use of the cloud.
Fortunately, there are solutions that should position financial institutions to take advantage of the cloud’s strategic and financial benefits while maintaining compliance and minimizing risk.
First is to identify the data and processes appropriate for the cloud. Start with standardized processes that don’t deliver competitive advantage. These would likely be things like monthly financial statements, customer e-newsletters, and econometric models used for forecasting. More volatile processes, such as trade-order generation or algorithms for arbitrage, should probably be maintained onsite.
Second is to ensure the right policies and technical controls to protect cloud-based data and processes. Start by recognizing that data security is ultimately about risk management. No organizations will achieve 100 percent security. Instead, each enterprise must determine the level of risk appropriate for its industry and business, and the expenditure in time, effort, and dollars to manage that risk.
You can then apply the right policies to the right types of data. For purchased information, you might write into your vendor contracts that the data will be maintained in the cloud and subject to the risks that might entail, perhaps in exchange for higher royalty payments. For customer data, especially for business customers, you might come to an understanding that the balance between risk and cost-efficiency in the cloud can be shared by both parties.
For all data, you need controls that strictly limit which users are permitted to access which physical systems and data. You might create different instances of data for particular user populations or particular periods of time. Certainly you want to make sure there’s no single point of entry that allows users to access data they don’t absolutely need.
The advantages are significant enough that financial institutions won’t wait for long before they leverage the cloud in greater ways. By understanding how they can use the cloud safely, they’ll be able to reduce fixed costs, respond to market changes, and better serve their customers.
Sinan Baskan is Vice President, Capital Markets for SAP. He is responsible for developing integrated solutions for Capital Markets and Business and Ecosystem Development. His team has developed and delivered solutions for e-Trading, Risk Analytics and Regulatory Reporting and Compliance for financial services customers. Prior to his current position, Sinan was Vice President of Risk Technology for the Americas at HSBC Corporate and Investment Bank. He has held positions in engineering and product management at Sybase (1993- 2005) and rejoined Sybase in 2007. He started his career at Philips Research Laboratories and at IBM Research Division.