A large number of security concerns – particularly data security concerns – have financial services firms apprehensive about adopting cloud computing, according to the “How Cloud is Being Used in the Financial Sector” study from the Cloud Security Alliance (CSA).
In a survey of 102 global participants – less than 50 percent had a solidified cloud strategy – from banking and credit unions, insurance groups, investment firms, and government organizations, “security concerns” were unanimously cited as a reason not to adopt the cloud, according to the study.
Security of data, specifically, was such an issue that it was named as four out of the top five concerns.
For 60 percent of respondents, confidentiality of data was the biggest concern, while 57 percent cited loss of control of data, 55 percent cited data breaches, and 42 percent cited data loss, according to the study. Legal and compliance issues was cited by 51 percent of respondents.
Chenxi Wang, CSA corporate member and report contributor and VP of Cloud Security and Strategy at CipherCloud, told SCMagazine.com in a Thursday email correspondence that financial groups are always concerned about data incidents, but those worries are kicked up a notch when it comes to the cloud.
“With cloud, the concerns are amplified due to the lack of control and lack of visibility,” Wang said. “If there is a way to de-value the data going into the cloud, either through encryption, masking, or some kind of information dispersal techniques before the data hits the cloud, it will alleviate a lot of the concerns over data incidents with respect to cloud computing.”
In the report, 42 percent of respondents said that data encryption solutions have been implemented for the cloud, and 61 percent indicated that ownership of the encryption keys is a concern. Wang said that, for data going into the cloud, organizations can use encryption offered by the cloud service provider, or a solution offered by a third party.
“The advantage of the former may be seamless integration with the service, but your keys are held by the cloud service provider, which means they have access to your crown jewels,” Wang said. “The advantage of the latter is not only multi-cloud, but also separation of duty – you manage the key, the cloud provider manages the storage of encrypted data.”
Although Wang said that encryption is the primary technique being used to protect data, the study indicates that 23 percent of respondents are deploying data anonymization techniques, such as tokenization or masking.
“Tokenization is typically used to protect ultra sensitive information or to meet specific data residency requirements,” Wang said. “With encryption, all you need to protect is the key. With tokenization, you need to protect the tokenization database, so the infrastructure burden is slightly higher.”
Jim Reavis, CEO of the CSA, told SCMagazine.com in a Thursday email correspondence that cloud computing has become a requirement for doing business in the financial sector, and that it has shown to be superior to other solutions in certain instances.
“A common example is replacing the extranet with cloud to collaborate with business partners, such as with mortgage lending, where banks, mortgage brokers, appraisers and real estate agents all work with the same documents,” Reavis said.
He added, “Sound encryption, key management, identity management and digital signing are among the key investments financial institutions are making to establish virtual security controls that approximate the effectiveness of legacy, physically-oriented security practices.”