The financial services uptake of cloud services

By | 3rd May 2016

I have worked in ICT for a long time. I have seen many things and witnessed the evolution of the cloud. I was asked to make a slide presentation about cloud maturity a while back and it was an interesting introspection. From production servers under someone's desk (you know who you are) to Kubernetes clusters running polymorphic code. There is some cool stuff out there and there are some die-hard server huggers (which reminds me I need to post about bunny huggers at some point).

The cloud is here. I wrote about fast movers here. It is here to stay. I deal with the mainframe boys every now and then and they just say “we were doing this before you were born”. Sure you were, but the impact is now being felt across every aspect of life even if you are not connected. Policy, rewards programs, planning and strategy are all making use of effectively unlimited processing power. In the financial services sector you meet some interesting people. Some of them are on the vanguard of cloud services even if the companies seem like archaic behemoths. Why is cloud uptake in financial services so slow?

There is an interesting spin on risk here. “If you can provide unlimited risk cover to a financial institution they will go cloud.” In my opinion, and this is solely mine: cloud providers generally are better resourced and better secured than any other organization because they have to be. I am talking about the big ones: Microsoft Azure, Google Cloud Platform and Amazon Web Services. They spend more money on infosec than most other organizations on the planet. They have better response teams and skills because they can buy them. They also have their security tested on a millisecond basis; they are big targets.

Financial institutions have their security tested because money is always a great incentive. This is where the schism occurs. I am sure that the underlying cloud infrastructure is very secure. Hacking the Amazon provisioning system to compromise a VM is very difficult. People are testing this every day, or every second. Most financial institutions rely on a hypervisor which they trust and which they update moderately frequently (is downtime more costly than a breach?). Is their VM environment secure? Maybe. Is the code on the VM secure? Probably not. NASA landed a man on the moon with code having an estimated 1 error per million lines of code, at least two orders of magnitude better than some of the best commercially available software and 4 orders of magnitude better than Windows 95. Criminals are like water: they will take the path of least resistance, and they will attack the code on the VM rather than the hypervisor. They will enter through the website rather than through the firewalls. They may even walk in the door instead of sitting in front of a laptop.

From a risk profile, cloud providers are not willing to provide the cover to the financial institutions because the likely flaw is in the code that the institution runs on the VMs and not the VMs themselves. Realistically, financial institutions are at the same risk in the cloud as on premises. In fact they are probably at a slightly lower risk technically because the hypervisor layer has to be more secure. I think where the real problem comes in is that the institutions are scared of having their code tested. There are ways to mitigate this using hybrid cloud platforms where any personally identifiable information is kept on premises. There are many encryption technologies that support this, such as tokenisation and format-preserving encryption. The benefit of cloud computing is the scale you can achieve for short periods of time. Somewhere in the near future I believe we will see a tipping point where the benefits will exceed the risk and the benefits will be able to finance the mitigation of those risks, and then we will see the uptake of cloud services by the financial institutions.
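
To make the hybrid idea above concrete, here is an added sketch (not code from this post or from any vendor) of vault-based tokenisation with format-preserving tokens; it is not format-preserving encryption such as FF1, which derives the token from a key instead of a lookup table. The class, function and field names are hypothetical, the sample records are constructed, and a real vault would be a hardened, audited service rather than two in-memory dictionaries.

```python
import secrets


class OnPremTokenVault:
    """Hypothetical vault; its lookup tables never leave the institution's network."""

    def __init__(self):
        self._to_token, self._to_value = {}, {}

    def tokenise(self, account: str) -> str:
        if not (account.isascii() and account.isdigit() and 13 <= len(account) <= 19):
            raise ValueError("expected a 13-19 digit account number")
        if account in self._to_token:  # same input, same token, so joins still work
            return self._to_token[account]
        while True:
            # Random digits replace everything except the last four, so the token
            # still fits existing column widths and support screens.
            body = "".join(secrets.choice("0123456789") for _ in range(len(account) - 4))
            token = body + account[-4:]
            if token != account and token not in self._to_value:
                break
        self._to_token[account], self._to_value[token] = token, account
        return token

    def detokenise(self, token: str) -> str:
        return self._to_value[token]  # only ever called on premises


def to_cloud_record(vault, record):
    """Build the copy of a record that is allowed to leave the premises (no name)."""
    return {"account": vault.tokenise(record["account"]), "amount": record["amount"]}


def cloud_totals(records):
    """Cloud-side aggregation: it sees tokens and amounts, nothing else."""
    totals = {}
    for r in records:
        totals[r["account"]] = totals.get(r["account"], 0) + r["amount"]
    return totals


# Constructed sample data, not real customers or accounts.
SAMPLE = [
    {"name": "A. Example", "account": "4111111111111111", "amount": 120},
    {"name": "A. Example", "account": "4111111111111111", "amount": 30},
    {"name": "B. Sample", "account": "5500005555555559", "amount": 75},
]


def run_demo():
    vault = OnPremTokenVault()
    cloud = [to_cloud_record(vault, r) for r in SAMPLE]  # what the cloud receives
    on_prem = {vault.detokenise(t): v for t, v in cloud_totals(cloud).items()}
    return cloud, on_prem
```

The cloud side can group and sum by token because the mapping is stable, while mapping results back to real accounts requires the vault that stays on premises.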