December 28, 2015 By David Strom

The ENISA report titled “Secure Use of Cloud Computing in the Finance Sector,” published in December 2015, showed just how far European banks and other financial institutions lag behind with respect to perceptions and usage of cloud computing in their businesses.

While more than 87 percent of those institutions are already using some form of cloud computing, their knowledge of basic cloud technologies and best practices is either sadly disappointing or shocking, depending on your perspective.

There’s a Need for More Information Regarding Cloud Security

The study was sponsored by the European Union Agency for Network and Information Security (ENISA is its French acronym) and had input from the Cloud Security Alliance, an international best practices body. The authors, Rossen Naydenov, Dimitra Liveri, Lionel Dupre and Eftychia Chalvatzi, developed two survey instruments: one for financial and cloud service providers, and the other for the national regulatory bodies in various EU countries. The surveys were followed up with a series of phone calls. More than 40 entities participated.

Results showed that there is a big perception gap between financial institutions and security professionals regarding cloud security. Many regulators mistakenly treat outsourcing and cloud computing as the same thing. Almost half of the financial institutions surveyed have not developed a cloud risk assessment, even though they are aware of specific risks associated with cloud computing.

There are many misunderstandings about the cloud, from the basic underlying technologies to which regulations are relevant for cloud computing and how to improve cloud security. Some survey respondents blamed the confusing patchwork of cloud security regulations across the EU as the main obstacle for implementing cloud initiatives.

It seems Europe’s attitudes about the cloud are behind the times, especially when compared to North America: Many surveyed felt security and privacy were the biggest limitations for cloud adoption. Almost a quarter of survey respondents from the regulatory bodies believed public cloud services should never be used in the finance sector.

Inside Banking and the Cloud

Nevertheless, not everything is gloom and doom with EU cloud adoption; the report highlighted several exemplary case studies. For example, the Dutch national banking regulatory body has put together guidelines for how financial institutions and banks can deploy Amazon Web Services (AWS), and a top Spanish bank, Bankinter, is already using it as an integral part of its credit risk simulation application.

The bank was able to run millions of simulations in the AWS cloud and decreased the average time to solution from 23 hours to 20 minutes. It also dramatically reduced processing time and the overall cost of these applications. This is a good example of how cloud computing can be used to do something that would be either impossible or else very difficult to do on-premises.

Cloud Security Recommendations

What I found most useful is that the report concluded with a series of recommendations that can be used by financial institutions around the globe:

  • Regulatory bodies should define best practices and de facto cloud security standards to help facilitate better incident information sharing and increase the trustworthiness of cloud computing.
  • Regulators should make current national legislation more similar across countries, as well as define baseline requirements and guidance on cloud computing throughout the European financial sector.
  • Everyone should adopt a similar set of minimum cloud security and privacy requirements.
  • Cloud service providers should disclose the location of their data centers and the number of staff that have access to confidential data or critical components. They should also be required to periodically update this information.
  • Organizations should adopt a risk-based approach when moving to the cloud and their cloud security strategy should be aligned with their own corporate risk assessments.
  • Finally, various EU and other international standards bodies should do a better job of informing financial institutions and others about the benefits and risks of cloud computing.
