Changing The Cloud Security Conversation

What are the pertinent questions banks should ask about security in the cloud?
November 08, 2013

A Risk Management-Focused Approach

Chris Rezek, Consultant
McKinsey & Company

Cloud computing is being rapidly adopted by enterprise IT, but concerns about trust are still inhibiting the rate of that adoption, particularly for financial services and public cloud.

To enable prudent cloud adoption, enterprises should expand scope beyond technology-focused security questions to include key risk management issues, such as transparency, governance, and compliance.

Bank executives should ask themselves four questions: How much value do we leave on the table if we do not adopt cloud? How pervasive is unofficial cloud adoption already, across the organization? What concentration risks do we create or avoid through managing distribution of data? Can we achieve cloud scale with in-house demand alone (i.e., private cloud)?

In addition, they should also ask vendors four questions: What level of transparency and control will the provider deliver? What third-party inspections and certifications are available? How will our compliance requirements be met for each jurisdiction? What level of access to physical and logical systems do we retain?

Instead of making binary, enterprise-wide decisions about cloud, organizations should understand and balance the benefits and risks of available cloud offerings. Adoption decisions should be structured around individual workloads and data and avoid enterprise-wide blanket cloud bans.

Banks should reduce legal exposure through a prudent contracting approach, while at the same time recognizing the essential novelty of the legal environment and unavoidable uncertainty. Key contract elements include the right to audit, right to transparency and reporting, coverage of compliance requirements, and visibility and consideration of the full supply chain (i.e., the cloud provider's service providers).

Cloud can deliver new benefits, along with new risks. Cloud solutions can improve transparency, simplify log and event management and enable more centralized planning. A business- and risk management-focused approach can enable banks to take advantage of efficient, flexible cloud solutions while still protecting data and delivering security.

Bank Systems & Technology encourages readers to engage in spirited, healthy debate, including taking us to task. However, Bank Systems & Technology moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Bank Systems & Technology further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
< Previous1 2 3 4 5 6 Next > 

< Previous1 2 3 4 5 6 Next >