Out-Law News 3 min. read
10 Mar 2015, 10:50 am
Salmon was commenting on the findings of a new report by the Cloud Security Alliance (CSA) on how cloud is being adopted by banks, insurers and other financial services companies. The CSA surveyed 102 people from banks, insurance companies, investment companies, governments and other bodies from 20 different countries on cloud computing issues in the last quarter of 2014.
The report by the CSA highlighted that cloud adoption in the financial services sector is "prevalent" but "ad hoc". It found that financial services companies operating in Asia Pacific are most likely to have adopted cloud solutions, with 41% of respondents from that region confirming that their business uses cloud services compared to 35% and 28% in Europe, the Middle East and Africa and the Americas respectively.
More than half of financial services companies (61%) are developing a cloud strategy, with both small and large businesses most likely to have an existing cloud strategy in place. Just 18% of businesses in the sector with between 501 and 5,000 employees have a cloud strategy, compared to 40% of smaller companies and 35% of larger businesses in the market, the report said.
According to Salmon, cloud strategies should be well-developed.
"In 2015, financial services businesses should not be asking elementary questions about whether or not to enter the cloud but should instead be thinking carefully about how best to deploy public cloud solutions, where it would be preferable to develop private ones, the benefits of taking a hybrid approach and where customisation continues to necessitate the use of in-house IT services", he said.
"If they have a strict 'private cloud only' strategy they should understand why, and have a solid basis for taking this approach. If they choose to use hybrid solutions, they should know where regulatory hurdles require data to be transferred only between private premises," Salmon said.
The CSA said 80% of the industry respondents it surveyed identified "increased transparency and better auditing controls" as the top feature they desired from cloud providers. Better data encryption tools and the ability to receive logs in real-time were the second and third features most sought by financial services companies looking into using cloud services, the CSA's report said.
"The top-desired feature finding resonates with what we are hearing from our clients," Salmon said. "Cloud providers need to be committed to providing clients with a greater amount of visibility over their own data than that which is currently generally being offered."
"The cloud provider that can create greater transparency over the performance of services and access to data, particularly when security or resilience issues occur, will be more attractive", he said.
The CSA also found that the more "digitised" customers that financial services the more likely those businesses are to have adopted cloud solutions or have a cloud strategy. It said customers that are served by financial services companies at least 50% of the time via digital channels can be said to have been 'digitised'.
Of the financial services companies using cloud services, there is a trend towards greater use of public cloud services, the survey found. The CSA said this showed there is "growing confidence" within the sector about cloud use.
However, where financial services companies are only adopting private cloud solutions they are doing so mainly because of security and regulatory compliance concerns, the survey found. Concerns about data privacy, retention and destruction and where data is stored are also influencing financial services companies to elect for a "strict private cloud only policy".
Respondents from financial services companies that have not adopted cloud solutions at all said that security concerns, such as control over data and data confidentiality, were a reason for not doing so.
Nearly three quarters of those respondents (71%) said "regulatory restrictions" are also a barrier to them taking up cloud-based services and "consider compliance as a reason to keep controls in-house and not migrate data to public cloud services". Data protection and corporate governance rules were the most common regulatory restrictions cited as a reason for not adopting cloud services, according to the report.
"This may not make sense to cloud providers, but regulators and law makers view cloud solutions as comparable to traditional outsourcings." Salmon said.
"While some regulatory concerns are cloud specific, many of the legal questions to be asked and solutions available – whether specific contract clauses, custom audit regimes or testing requirements, are no different to those that arise in the context of a traditional outsourcing arrangement," Salmon said.
"It is a little unfair therefore to compare keeping controls in-house to migrating data to public cloud services. A more useful exercise would be to highlight only the regulatory concerns that are required over and above what might be required in the context of a traditional outsourcing," he said.
According to the CSA survey, financial services companies mainly use cloud services for application development and testing, customer relationship management and email hosting.