After years of doubt, financial professionals are trusting the cloud. Research released last month by Adaptive Insights found 73 percent of surveyed CFOs trust the cloud to host their financial data today. That trust has permeated the financial services industry, too, as banks begin to migrate data and apps to the cloud and FinTechs launch entirely on cloud infrastructure.
But it’s led financial organizations to recalibrate their security initiatives, because while the industry may trust the cloud, no technology is impervious to a cyberthreat. According to Morgan Gerhart, VP Product Marketing at cybersecurity firm Imperva, cloud security today is hardly a straightforward concept.
One reason, he recently told PYMNTS, is that the major cloud providers themselves can only go so far to provide security.
“There’s a split responsibility model,” he explained. “Major cloud providers out there will step up and make clear that they take responsibility for securing their platform. They will make sure their network is secure and take ownership for the physical security of their underlying servers and of their entire data centers.”
Top players like Microsoft Azure, Amazon and Google, he said, are able to safeguard their own systems more adequately than a company might if it were using its own on-premises data storage solution. But there’s a limit to this security, said Gerhart.
“Where the rubber meets the road is that they won’t take responsibility for the security of the applications themselves,” he explained. For instance, a cloud provider won’t take responsibility for a bug in the code of an application that a developer built on the cloud.
“The cloud providers also can’t take responsibility for ensuring the security of the developers that write the code or the contractors running the application on the cloud,” the executive added. “This is where the inherent tension in moving to the cloud is. Ten years ago, people didn’t know whether they trusted cloud providers, but they got over that. Now they’re moving up the stack and looking at ways they can protect the assets they are deploying on the cloud at the application level that the cloud providers themselves are not taking responsibility for.”
According to Gerhart, members of the financial services industry are actually ahead of the pack when it comes to cybersecurity of the cloud.
“What we see with finance and FinTech is that they are, in many cases, some of the more sophisticated in terms of their security postures,” he said, adding that these companies’ access to money makes them a prime target. “They’ve been targeted for years and years, because they actually have something to steal.”
Intense regulatory scrutiny also pushes financial companies to safeguard their systems, he noted. But, like enterprises in other verticals, these companies are in transition: they trust the cloud but have not yet fully adopted it.
“They’re not yet at the point where they’re wholeheartedly saying they’re going to move everything into the cloud, but in every decent-sized financial services institution, there is a cloud initiative, and they’re planning on moving at least some element of their applications or data portfolios into the cloud.”
That gradual migration into the cloud presents yet another area of trouble when it comes to securing the cloud and the applications that operate on it. Gerhart explained that the players responsible for cloud cybersecurity — IT teams and cybersecurity providers — aren’t the ones making the decision about what data gets migrated into the cloud, and when. It places immense pressure on these teams to be flexible, he said.
“This most certainly applies to financial services: Companies realize they have hybrid deployments — some elements of their application and data portfolios sit in their own data center and some elements are moving into the cloud,” Gerhart said. “They are looking for partnerships that give them the flexibility to know their security posture will work where their assets run at any given time. Security departments need to be able to have the flexibility to respond and say, ‘Yes, we can protect that.’”
Cloud cybersecurity providers also need to provide protection in a climate of split security responsibility, he added.
“Increasingly what companies are focused on is not a low-level protection of infrastructure, but protection of the applications themselves,” the executive said, adding that these security providers also have to constantly be on top of the emerging and evolving threats against the enterprise.
Organizations today across industries acknowledge the importance of cloud security, and of cybersecurity in general, “because they have to,” said Gerhart. But the increasing complexity of safeguarding not only cloud infrastructure but also assets like, say, an accounting app on the cloud is pushing cybersecurity providers into a collaborative role with their enterprise clients.
“The key thing we see enterprises struggling with is managing the uncertainty around how their application portfolio will shift between their own data centers and a cloud provider — or across multiple cloud providers,” he explained. “From a security perspective, it’s then about managing that inherent level of business uncertainty. The people responsible for the security of a portfolio aren’t the ones making the decision around how and when things are moved. What they need to manage is, how does their security give them the flexibility to protect all of that, given that businesses over the next five to ten years are going to see a lot of changes.”