The ENISA report titled “Secure Use of Cloud Computing in the Finance Sector,” published in December 2015, showed just how far European banks and other financial institutions lag behind with respect to perceptions and usage of cloud computing in their businesses.

While more than 87 percent of those institutions are already using some form of cloud computing, their knowledge of basic cloud technologies and best practices is either sadly disappointing or shocking, depending on your perspective.

There’s a Need for More Information Regarding Cloud Security

The study was sponsored by the European Union Agency for Network and Information Security (ENISA is its French acronym) and had input from the Cloud Security Alliance, an international best practices body. The authors, Rossen Naydenov, Dimitra Liveri, Lionel Dupre and Eftychia Chalvatzi, developed two survey instruments: one for financial and cloud service providers, and the other for the national regulatory bodies in various EU countries. The surveys were followed up with a series of phone calls. More than 40 entities participated.

Results showed that there is a big perception gap between financial institutions and security professionals regarding cloud security. Many regulators mistakenly see outsourcing and cloud computing as similar entities. For example, almost half of the financial institutions surveyed have not developed a cloud risk assessment even though they are aware of specific risks associated with cloud computing.

There are many misunderstandings about the cloud, from the basic underlying technologies to which regulations are relevant for cloud computing and how to improve cloud security. Some survey respondents blamed the confusing patchwork of cloud security regulations across the EU as the main obstacle for implementing cloud initiatives.

It seems Europe’s attitudes about the cloud are behind the times, especially when compared to North America: Many surveyed felt security and privacy were the biggest limitations for cloud adoption. Almost a quarter of survey respondents from the regulatory bodies believed public cloud services should never be used in the finance sector.

Inside Banking and the Cloud

Nevertheless, not everything is gloom and doom with EU cloud adoption; the report highlighted several exemplary case studies. For example, the Dutch national banking regulatory body has put together guidelines for how financial institutions and banks can deploy Amazon Web Services (AWS), and a top Spanish bank, Bankinter, is already using it as an integral part of its credit risk simulation application.

The bank was able to run millions of simulations in the AWS cloud and decreased the average time to solution from 23 hours to 20 minutes. It also dramatically reduced processing time and the overall cost of these applications. This is a good example of how cloud computing can be used to do something that would be either impossible or else very difficult to do on-premises.

Cloud Security Recommendations

What I found most useful is that the report concluded with a series of recommendations that can be used by financial institutions around the globe:

• Regulatory bodies should define best practices and de facto cloud security standards to help facilitate better incident information sharing and increase the trustworthiness of cloud computing.
• Regulators should make current national legislation more similar across countrie as well as define baseline requirements and guidance on cloud computing throughout the European financial sector.
• Everyone should adopt a similar set of minimum cloud security and privacy requirements.
• Cloud service providers should disclose the location of their data centers and the number of staff that have access to confidential data or critical components. They should also be required to periodically update this information.
• Organizations should adopt a risk-based approach when moving to the cloud and their cloud security strategy should be aligned with their own corporate risk assessments.
• Finally, various EU and other international standards bodies should do a better job of informing financial institutions and others about the benefits and risks of cloud computing.