Is the cloud secure enough for financial services?

The financial services sector was a major get for cloud providers. After initial hesitation, it seems like banks have jumped in with both feet in recent years, with big names like Goldman Sachs, Discover, Capital One, TD Bank, UBS and HSBC among those which are now leveraging the cloud. But just how safe is financial data in the cloud? Would banks even know if a hack happened? And could an attack on a cloud giant bring banking to a grinding halt? 

These are apparently among the concerns of the U.S. Treasury Department. Last month, the Department decided to launch a new Cloud Services Steering Committee after flagging, in a 71-page report, several potential risks for financial services customers which have taken to the cloud.

The report highlighted half a dozen points of concern, among other things noting cloud providers offer “insufficient transparency” to allow financial institutions to effectively understand risks and respond to incidents. It also called out a skills gap preventing the secure deployment of cloud services, pointing to misconfiguration errors as a specific threat, and warned that market concentration “could expose many financial services clients to the same set of physical or cyber risks.” 

Responsibility questions 

In its quest to address some of the points raised in the report, Silverlinings ran into something of a brick wall. Google and Microsoft did not respond to a request for comment on security practices specific to financial services. We also got silence from HSBC and Goldman Sachs after asking about their cloud deals. 

Amazon Web Services (AWS) declined to comment but referred us to publicly available information about its cloud security. 

Long story short, AWS uses a shared responsibility model under which it is responsible for the security of the cloud (i.e., the hardware, software, networking and facilities infrastructure) while customers are responsible for security in the cloud (the operating system, firewall configuration, applications, identity and access management and customer data). While AWS doesn’t provide security services itself, customers can tap into third-party offerings from AWS partners.

It also offers tools via its Amazon Simple Storage Service which can help customers avoid misconfiguration errors and identify unintended public access, including AWS Config and AWS Identity and Access Management (IAM) Access Analyzer.  

And in terms of incident visibility, there’s the AWS Service Health Dashboard, which flags events and can provide troubleshooting guidance.  

However, nothing appeared to address the worry that too many financial services customers have concentrated critical operations with too few cloud providers.  

Steering away from danger 

The Treasury Department isn’t waiting for outage or hack headlines to take action. The aforementioned steering group will aim to increase coordination and collaboration among U.S. financial regulators to address the six specific concerns it outlined in its report.  

It also plans to develop a sector-wide way to measure just how concentrated critical use cases are with certain vendors and update incident response processes to enable better communication between regulators, cloud vendors and banks. Additionally, it will push for the development of international standards related to the sector’s use of cloud services. 

