Many banks do not dare to outsource critical data to the cloud because the geopolitical and regulatory uncertainties are significant. But Europe has already taken the initiative to become more independent as an economic area. Banks should, therefore, not miss their opportunities in the cloud.
TikTok? Banned. Huawei? Locked out. Microsoft Teams? Declared inadmissible for banks by the Data Protection Commission. These are just a few examples of the potential impacts of geopolitical tensions that the financial industry has grappled with over the past year. The Corona crisis is not the only thing that has massively changed the global framework: financial institutions today are also constantly exposed to new global dynamics to which they must react.
These uncertainties make the path to the public cloud difficult for many. Yet banks urgently need the public cloud: with the comprehensive offerings of cloud service providers, they can achieve higher availability, greater flexibility and scalability, and a higher level of security than in their own data center. Resilience, or rather “operational resilience,” is strengthened. The financial sector would therefore have to take the next step into the cloud and outsource essential applications and data. But how is that supposed to work?
Data Security In The Cloud – Get Out Of The Dilemma
The dilemma can only be resolved if Europe succeeds in becoming more independent as an economic area. The EU has already recognized this. With the “Digital Operational Resilience Act” (DORA), it has launched an initiative that subjects cloud service providers such as Microsoft, Google, or Amazon to the same regulations that apply to banks. This also clarifies the question of how data can be stored, shared, and used. With the European cloud initiative “Gaia-X,” a pioneering project has also been launched. EU states will have a standardized set of rules and a marketplace for cloud services that follow European values, and thus an alternative to purely US and Chinese offerings.
Off To The Cloud – Making Proper Use Of The Opportunities
But how can the path to the cloud succeed safely? Before starting, banks should first get an overview of the risks associated with using the cloud. Institutions evaluate aspects such as the dependency on the service provider, data security, availability, or political upheavals. Ideally, they follow a structured decision-making process. In the end, the risks can also be assessed by independent third parties. This is also in the interests of the board of directors and the management, who under no circumstances want to be accused of negligence, given the current board liability.
Financial institutions should take a holistic view of their risk position compared to the status quo. Many houses could even improve their risk profile if they swapped weaknesses in their own data center for professional and resilient operation at the cloud providers. In their risk assessment, institutions often overlook the opportunities and, ultimately, business strategy factors. What tools can I use to analyze my database deeply and quickly? How can I fully understand my customers and support them across all channels? What will my employees need in their future workplace?
Data Security Within The Cloud: The Exemplary Architecture
Data is technically secured in the cloud. If there are weaknesses, they are often not due to the cloud provider but rather to the financial service provider itself: in practice, cloud architectures are sometimes poorly designed and thus open gateways for hackers. Since the responsibility for data security within the cloud lies with the banks, it is up to them alone to establish an appropriate (security) architecture. Cloud providers cannot be held responsible here.
It is essential to plan the architecture of cloud solutions stringently, taking into account data protection requirements and the associated measures. This includes choosing wisely in which countries or regions the data may be stored and processed. The selective choice of cloud services within the architecture is also decisive, since for some services processing of the data in the USA cannot be ruled out.
Finally, there is the question of who holds the key used to process and store the data in the cloud. Supervisors demand that banks themselves are responsible, especially for accounting-related systems. In an emergency, the institutions could remove the key to make the data in the cloud unusable. However, this is equivalent to an IT blackout. It should therefore be considered whether key management should instead be left with the cloud provider. Services are then integrated that ensure practicability and usability.