Cloud security in a post-GDPR world
With an increase in cloud adoption throughout the financial services industry, the transition can have an advantageous impact on firms and allow for the better optimisation of IT resources.
Yet with the use of cloud, challenges arise when it comes to the security of the data stored either by financial services firms in a private cloud ecosystem or by cloud service providers operating on behalf of banks.
While jurisdiction-specific data laws impact the way that firms in the space operate, the European Union’s General Data Protection Regulation (GDPR) has changed the way that firms which handle sensitive data operate when it comes to the cloud.
“GDPR has had a massive impact on cloud security in the finance sector,” says James Buckley, vice president and director for Europe at Infosys Finacle. “For one, it means that service providers need to make sure that any data from a bank is held securely.
“It also means that they need to make sure the data is available and secure across jurisdictions. GDPR is having a massive impact certainly when it comes to the contractual obligations of the service providers.”
With stricter controls being placed on cloud providers and those who store precious data in a cloud environment, it’s important that firms consider their options carefully when selecting a technology provider, says Buckley.
“When looking at a data service provider, especially when it comes to risk management with the cloud, it’s important to go through and get an independent assessment of that provider.
“This could be done by auditing firms or by a specialist consulting firm who can come down and ensure they investigate the privacy architecture from a design standpoint.”
European regulators are prepared to levy substantial fines on noncompliant firms. A historical concern for financial institutions when it comes to the deployment of the cloud has been data security and the potential for damages in the event of breaches. So, has GDPR made a cloud transformation a risky bet?
Buckley reckons not. “Just because there is a risk that someone could hack me for using a computer, does that stop me from using the computer? The answer is of course no.”
If you have ensured that your computer is protected and safe for use, he adds, then there should be no concern about bad actors. Not using the computer would be a direct detriment to a person’s ability to get work done in an efficient way.
“The same goes for cloud technology,” adds Buckley. “It is giving you the scale, availability, time to market, agility and more. Of course, if you place everything into an insecure cloud then the risk increases, because the target increases in size.”
Firms are rightly concerned about the penalties that come with breaching GDPR, says Buckley, especially as the reputational hit could be as damaging as the potential revenue fine. “Yet the world is moving towards cloud and it is the way to go for the future.”
He adds: “You can’t escape from the way the market is moving. What you can control is ensuring that both you and your cloud provider have the proper strategy and proper frameworks in place.”