State of Financial Services in Cloud
The permanent and official location for the Financial Services Industry Working Group is
https://cloudsecurityalliance.org/research/working-groups/financial-services/
© 2023 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational, non-
commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.
Contributors
Josh Buker
Daniele Catteddu
Ryan Gifford
Jez Goldstone
Sean Heide
Erik Johnson
Alex Kaluza
Stephen Lumpe (graphic design)
Vinay Patel
CSA’s Financial Services community brings together contributors from global banks, fintech, payment processors, financial advisory, insurance, financial supervisory authorities, data protection authorities, and other national regulatory bodies. As adoption of cloud in the finance industry continues to grow, the challenges and concerns change accordingly. For the past several years the CSA has conducted surveys to better understand the adoption of, and challenges with, cloud computing technology in the finance industry. The goals of this year’s study were to:
• Analyze the level of adoption of cloud solutions and requirements from financial institutions’ perspectives, compared to the prior surveys conducted in 2019-2020.
• Understand the current challenges facing the financial services industry and its engagement with cloud service providers.
• Identify opportunities to create guidance on protecting financial data and related assets within secure cloud services.
The intention of this report is to evaluate the current state of adoption compared to the industry’s readiness three years ago, when CSA conducted a similar survey, and to identify the current issues and opportunities that FSI leaders are addressing as they move further into cloud services.
Most evident from the report is that cloud services are becoming well-rooted in all aspects of financial services and are expected to be used for a very long time. The question is no longer whether cloud will be adopted but how: how to adopt cloud-native security, how to apply zero trust
The information shared with CSA in this report has helped identify future research, standards
requirements, training and education that the CSA community may have interest in developing.
At the end of the report, we share some of these suggestions that will be socialized with our FS
Leadership Council for consideration.
Survey Methodology
The methodology for this report was to compare FSI adoption of, and readiness for, cloud services against the survey results from the 2020 Cloud Usage in the Financial Services Sector report. Many of the questions were the same as those originally developed by the CSA Financial Services Working Group, to allow a fair comparison.
Several other questions were included to understand the current state of awareness of the Cloud Controls Matrix and STAR program, along with other topics identified by the FSI Leadership Working Group, CSA analysts and other industry experts.
Additionally, dozens of interviews were conducted with Chief Information Security Officers, Chief Risk Officers and other leaders responsible for cloud architecture and data governance within financial services.
Confidence in using cloud computing workloads for business critical functions has increased tremendously. When asked about the percentage of workloads designated as “business critical” in production with service providers, the 2020 survey results showed that 66% either had no business critical workloads in the cloud (20%) or less than ten percent (46%). That combined figure dropped significantly to 43% in the 2023 results, while the share of organizations with a majority of their business critical workloads in the cloud nearly doubled, from 17% to 32%.

What percentage of workloads or services designated by your organization as "business critical" do you have in production at cloud providers?

        0%    1-10%   11-50%   51-75%   76-100%
2020    20%   46%     17%      2%       15%
2023    13%   30%     27%      16%      16%

(0% or 1-10% combined: 66% in 2020, 43% in 2023. 51% or more combined: 17% in 2020, 32% in 2023.)
as continuing on-premise operations. However, there was recognition that many service providers have also migrated their software offerings to the cloud, which has influenced broader adoption. Still, only 28% of respondents said that a majority (more than half of workloads) of their regulated data was in public cloud, a slight increase from 24% in 2020.
A common concern for organizations is whether they depend on a single CSP or whether multiple providers are approved for use. The intent to move into multi-cloud environments suggests that many organizations recognize the benefits of diversifying their cloud providers, such as reducing the risk of vendor lock-in and gaining flexibility and resilience. By using multiple CSPs, organizations can also take advantage of each provider’s unique, best-of-breed functions while avoiding single-vendor lock-in and maximizing the value of their investment.

Do you currently depend on a single cloud service provider for IaaS/PaaS or are multiple providers approved for use? (2020 vs. 2023; the chart values were not preserved in this copy.)

Despite requests by government regulators to support multiple cloud service providers for business resilience purposes, a number of the CISOs interviewed discussed the current challenges of developing multi-cloud cohesion. This is reflected in a slight increase in the number of respondents primarily using a single CSP for IaaS/PaaS. The complexity of interoperability, portability, visibility, data governance and security policy across third-party cloud services has made multi-cloud environments difficult to adopt.
This lack of visibility can lead to unknown security and compliance risks, such as a lack of assurance and the inability to demonstrate adherence to industry regulation. Organizations should consider implementing robust SaaS management strategies to gain better visibility and control over their cloud environment.
Financial organizations have strict expectations about who is permitted to view or manipulate financial records. Several factors contribute to this, including the data management aspects mentioned above: maintaining confidentiality and preventing data loss or corruption, such as money laundering or theft enabled by inadequate protection of data integrity. This is one possible reason why Zero Trust was the top priority in the survey.

Which of the following topics are you most interested in regarding the financial services industry?

Options (as charted): Zero Trust; Cloud Regulations; Multi-cloud management; Financial shared responsibility model; Confidential computing; Key management for virtual HSM; Use cases for managing data localization; Blockchain and cryptocurrency. The two highest responses were 72% and 67% (Zero Trust and Cloud Regulations, in chart order).

A Zero Trust methodology requires continuous verification of access to sensitive data and assets while minimizing the impact when a compromise has occurred. In a cloud environment, inherited security controls for any third-party access should be tested regularly to verify that the granted privileges are still relevant. This approach has the potential to achieve business and technical goals for protecting financial assets while demonstrating adherence to industry mandates.
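The regular re-verification of third-party privileges described above can be scripted. The following is an added example, not code from the CSA report or any provider: it reviews a constructed inventory of cloud IAM role assignments (field names such as principal_type, requires_external_id and last_used are assumptions, not any vendor’s schema) and flags third-party roles that hold wildcard or unscoped permissions, lack an external-ID condition, have gone idle, or are past their expiry while still attached.

```python
"""Periodic review of third-party access grants under a Zero Trust policy.

Added example, not code from the CSA report. INVENTORY is constructed for
illustration in the shape of cloud IAM role assignments; the field names
are assumptions rather than any provider's real schema.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: roles that external vendors can assume.
INVENTORY = json.loads("""
[
  {"name": "vendor-recon-ro", "vendor": "ReconCo", "principal_type": "third_party",
   "allowed_actions": ["storage:GetObject", "storage:ListBucket"],
   "resources": ["bucket:ledger-exports/*"], "requires_external_id": true,
   "last_used": "2023-05-28T09:15:00+00:00", "expires": "2023-12-31T00:00:00+00:00"},
  {"name": "vendor-legacy-admin", "vendor": "OldPayGateway", "principal_type": "third_party",
   "allowed_actions": ["*"], "resources": ["*"], "requires_external_id": false,
   "last_used": "2022-11-02T16:40:00+00:00", "expires": "2023-03-01T00:00:00+00:00"},
  {"name": "vendor-kyc-writer", "vendor": "KYCVerify", "principal_type": "third_party",
   "allowed_actions": ["db:PutItem", "db:*"], "resources": ["table:kyc-cases"],
   "requires_external_id": true, "last_used": null, "expires": null},
  {"name": "internal-sre", "vendor": null, "principal_type": "employee",
   "allowed_actions": ["*"], "resources": ["*"], "requires_external_id": false,
   "last_used": "2023-06-01T00:00:00+00:00", "expires": null}
]
""")


def _parse(ts):
    """ISO-8601 timestamp with offset -> aware datetime, or None if absent."""
    return datetime.fromisoformat(ts) if ts else None


def review_third_party_roles(roles, now, max_idle_days=30):
    """Return one finding per third-party role that violates the review policy.

    Checks: no wildcard actions, resources scoped, external-ID condition present,
    used within max_idle_days, and not past expiry while still attached.
    Employee roles are out of scope for this review and are skipped.
    """
    findings = []
    for role in roles:
        if role["principal_type"] != "third_party":
            continue
        reasons = []
        if any(a == "*" or a.endswith(":*") for a in role["allowed_actions"]):
            reasons.append("wildcard action")
        if role["resources"] == ["*"]:
            reasons.append("unscoped resource")
        if not role.get("requires_external_id"):
            reasons.append("no external-id condition (confused-deputy risk)")
        last_used = _parse(role.get("last_used"))
        if last_used is None:
            reasons.append("never used")
        elif now - last_used > timedelta(days=max_idle_days):
            reasons.append("idle > %d days" % max_idle_days)
        expires = _parse(role.get("expires"))
        if expires is not None and expires < now:
            reasons.append("expired but still attached")
        if reasons:
            # Unused, idle or expired grants are revoked; live but over-broad ones are tightened.
            revoke = any(r in ("never used", "expired but still attached") or r.startswith("idle")
                         for r in reasons)
            findings.append({"role": role["name"], "vendor": role["vendor"],
                             "reasons": reasons,
                             "recommended_action": "revoke" if revoke else "tighten"})
    return findings


def run_review(now_iso="2023-06-15T00:00:00+00:00"):
    """Run the review against INVENTORY as of a given (constructed) point in time."""
    return review_third_party_roles(INVENTORY, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for f in run_review():
        print("%-22s %-8s %s" % (f["role"], f["recommended_action"], ", ".join(f["reasons"])))
```

With the sample inventory, the read-only reconciliation role passes every check, the legacy admin role is flagged on all five checks and recommended for revocation, and the KYC writer is flagged for its `db:*` wildcard and for never having been used. In practice the inventory would come from the provider’s IAM and access-analyzer APIs, and the findings would feed a ticket or an automated policy change.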
Confidentiality of data, and transparency about where and how that data is routed, is critical for the financial services industry. Data must remain protected while stored, in transit and, where possible, in use, both to confirm the legitimacy of the corporation’s monetary accounting and to protect the consumers who trust the company with their funds. There is also a need for data traceability and clear audit trails showing how data moves and how it is protected at all times. According to several interviews, the scalability of logging financial data in the cloud is superior to many on-premise approaches and builds confidence in migrating to the cloud, but logging must remain reliable and consistent.
Availability is a critical aspect of maintaining business continuity and ensuring the smooth operation of organizations. Financial institution resiliency and the ability to support multiple CSPs were highlighted in the recent U.S. Department of the Treasury report. The European Union is addressing cyber resilience through the EU Cybersecurity Act (EU-CSA) and the Network and Information Security Directive (NIS2), Directive (EU) 2022/2555.
Discussions with CISOs have revealed uneven ingress and egress data costs in the cloud: the cost to move data out far exceeds the cost to migrate into a public cloud environment.
Attacks on availability can cause significant disruption to operations and lead to reputational damage, making it essential for financial service organizations to have effective Business Continuity Planning (BCP) and Incident Response Planning (IRP) strategies in place. Organizations need to invest in robust cybersecurity measures and regularly test their backup and recovery plans to mitigate the risk of downtime and keep their systems available. With proactive security measures and a focus on continuous improvement, the financial services industry can confidently navigate the cloud landscape and protect its critical data and operations.
Financial service entities are governed by local and federal laws in every jurisdiction in which they operate or conduct international business. In recent years, survey respondents indicated heightened review of third parties, especially cloud service providers, to document and demonstrate compliance with various standards and frameworks, citing regulators’ attention to the ability of third parties to influence security. Respondents referenced high-profile breaches of financial data and the introduction of new legislation as catalysts for some of this attention.

Do you store or process regulated banking data in cloud services? What percentage of regulated workloads are in public cloud services? (Buckets as in the business critical chart.)

        0%    1-10%   11-50%   51-75%   76-100%
2023    16%   30%     27%      14%      14%

While cloud services are widely deployed by most financial service organizations, only 28% of respondents said that a majority of their regulated workloads are in public cloud (14% at 51-75% and 14% at 76-100%). Additionally, with 72% expecting to transfer or store regulated banking data in the cloud within the next twelve months (up from 63% in 2020), the report shows that trust in and reliance on cloud for the financial services industry has increased.
In recent years, governments around the world have established or considered legislation on data sovereignty and data localization that may restrict the transfer of personal financial or other personal data held by financial service entities. These regulations may affect both the financial service entities and their customers, and also the cloud service providers that host data or have operations in those countries.
Certain data localization laws require that personal information collected be stored within the country before it is transferred beyond the national jurisdiction, while other regulations are stricter and prevent foreign systems from storing any data associated with citizens of that nation. During interviews, CISOs recommended that internal legal counsel regularly monitor for such changes and that risk professionals develop ways to be alerted to adjustments that may be required to demonstrate adherence.
Understanding these laws, for both financial service entities and cloud service providers, is growing in complexity, which according to some of those interviewed has led to hesitancy about further adoption of cloud services. Commonly cited examples included the EU CSA and GDPR.
A common point made during interviews and in the survey was the need for broader awareness among regulators and auditors of approaches to auditing cloud services. Several themes from respondents included a better understanding by regulators of the differences between cloud platforms, such as:
This is consistent with the majority of respondents mentioning that they had to make multiple audit requests to their CSPs.
Another finding of the survey is that the majority of respondents use the CSA Cloud Controls Matrix (CCM) or the Consensus Assessment Initiative Questionnaire (CAIQ). Given the diversity of cloud offerings and the various needs for assurance, the CCM and CAIQ provide organizations with a set of vendor-neutral controls to help address these concerns. CCM requirements cover areas such as availability, key management and third-party management. 65% of the organizations surveyed use the CCM and CAIQ to demonstrate adherence to frameworks, establish an internal cloud security controls framework, and establish an internal cloud risk management approach. However, only 33% of organizations have fully integrated cloud services risk assessments into their overall company risk assessment methodology. Identity and Access Management (IAM) and Zero Trust are emerging research areas that can help the financial services industry eliminate some concerns around cloud security. By adopting these practices, organizations can stay ahead of evolving threats and keep their cloud environments secure and compliant.

How do you use the CSA Cloud Controls Matrix (CCM) or the Consensus Assessment Initiative Questionnaire (CAIQ)?
Response options: Demonstrate adherence to frameworks; Establish internal cloud security controls framework; Establish an internal cloud risk management approach; Support cloud procurement process. (Chart values were not preserved in this copy.)
The most commonly referenced frameworks were the NIST Cybersecurity Framework (NIST CSF), the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, the General Data Protection Regulation (GDPR), Monetary Authority of Singapore (MAS) requirements, the Federal Financial Institutions Examination Council (FFIEC) and SOC 2, while other responses indicated use of unnamed frameworks or requirements along with regional laws.
CSA STAR was identified as an opportunity to evaluate cloud service providers more transparently and consistently. The use of STAR was cited as a potential practice to include in procurement activities, as it demonstrates proper due diligence of third-party suppliers. The majority of financial service organizations (80% of survey respondents) said they were using the CCM and STAR program in some capacity.

Do you currently use or plan to use the STAR Registry to do the following?

                                                  No, not      No, but     Yes, but only     Yes, all
                                                  planning     planning    for some cloud    cloud
                                                  or using     to use      services          services
Evaluate cloud service providers                  45%          20%         27%               8%
Demonstrate security practice for the adoption
of cloud-based financial services                 38%          19%         32%               11%
Key management is a critical aspect of maintaining data security and integrity, especially in the financial services industry. Regulated and critical data sets have strict key management policies to assure that financial data remains confidential, with a high level of assurance that the encryption used can be trusted.
The latest survey shows that only 2% of financial service organizations have undefined or unpublished internal key management policies, down from 12% in 2020. Additionally, key management policies were

What is your organisation’s policy position on key management for different classes of data? Who "holds the keys"?

Each data class shows two stacked bars, 2020 above 2023. The legend for the five policy positions was not preserved in this copy; the text below identifies three of them for critical data.

Non-sensitive   2020: 17%  36%  19%   7%  21%
                2023: 24%  29%  18%  10%  18%
Public          2020: 16%  33%  20%  10%  21%
                2023:  8%  23%  27%  10%  31%
Regulated       2020: 10%  14%  33%  16%  27%
                2023:  8%  35%   8%  48%  (one value not preserved)
Critical        2020: 12%   9%  43%   9%  27%
                2023: (values not preserved)

When it comes to policy positions on key management for critical information, 52% of organizations use cloud-based Hardware Security Modules (HSMs) with master keys stored in the HSM and no access granted to the cloud service provider, an increase of 25 percentage points from 2020. On the other hand, 38% use an on-premise solution where the organization holds the keys, down 5 percentage points from 2020.
Other data collected concerned the use of additional key management or encryption services for protecting regulated and non-regulated workloads. HSM-as-a-Service, security enclaves and confidential computing were all mentioned as being applied to protect both.
In addition to technical solutions for data encryption, respondents also called for FSI-focused research, training and education in CCM domains (specifically Cryptography, Encryption and Key Management (CEK) and Data Security and Privacy Lifecycle Management (DSP)) and in HSM-as-a-Service, for regulators, enterprises and CSPs.
These statistics emphasize the growing importance of key management and data encryption solutions and the shift towards cloud-based services to enhance data security and compliance in the financial services industry.
One common challenge still faced by financial services organizations is the cloud security skills gap: the shortage of professionals with the expertise needed to manage and secure cloud environments effectively. To address this, organizations are training and hiring cloud security professionals to bridge the gap, and 50% of organizations are using third-party consultants.

How are you addressing the cloud security skills gap within your organisation?

                                                 2020    2023
Internal - developing my existing staff           78%     70%
Internal - hiring cloud security professionals    40%     57%
3rd party consultants / Technology - automation: only the values 50% and 33% survived extraction; the text attributes 50% to third-party consultants.

Do you currently have cloud-specific training for your technology professionals?

Yes, a robust training curriculum     9%
Yes, but limited scope               59%
No, but encourage self-learning      28%
None that I’m aware of                4%

Cloud-specific training is offered by 68% of organizations, with CSP-specific training the most common. While 68% of organizations have cloud-specific training for technology professionals, only 9% offer a robust curriculum, and 32% do not offer cloud-specific training at all.
Among the cloud security training offered, CSP-specific training is the most common (54%), followed by CCSP (41%), CCSK (27%), Other (20%) and CCAK (17%).
Financial services organizations must navigate these challenges prudently, striking a balance between innovation and risk management to harness the full potential of these technologies while safeguarding customer trust and data security.
Training
Only 9% of respondents felt that they had a highly robust cloud security program.

Rate your level of concern with security and operational issues resulting from the high volume of CSP-initiated cloud service changes.
Responses: 9%, 37%, 54% (the legend for the three levels of concern was not preserved in this copy).
The majority of respondents appear to be using the CCM for multiple purposes, but the use of an external assessment derived from it, or of the STAR program as part of current business practice, was low. This may be due to a lack of awareness, or to STAR not being considered as part of their compliance practices. Discussions with regulators and compliance officers on the potential of using the CCM framework and STAR registry, along with awareness campaigns for the use of STAR, may influence broader adoption in the future.
Cloud service providers are collaborating closely with cloud customers that need to demonstrate security assurance.
In the interviews conducted, several financial service entities referenced dedicated teams within cloud service providers that were specifically addressing how to meet financial services requests for unique regulatory or other expectations.
Cloud service providers are also working with the industry to develop approaches to confidentiality and key management that prevent the cloud service provider from having any access to regulated data. Examples include security enclaves and mechanisms such as confidential computing that prevent the hosting cloud service provider from accessing financial data in readable form. A further example is HSM-as-a-Service, where the customer-controlled “root of trust” prevents the CSP from accessing sensitive information.
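The “customer holds the keys” position from the key management section above, and the CSP-separated root of trust just described, both come down to the same mechanism: envelope encryption where the provider stores only ciphertext and a wrapped data key, and the key-encryption key (KEK) lives in an HSM the customer controls. The following is an added example, not code from the CSA report or any provider. To stay standard-library only it replaces AES-GCM and AES key wrap with an HMAC-SHA256 counter-mode keystream plus an HMAC tag (encrypt-then-MAC); in production the same structure would use AES-GCM with the KEK resident in an on-premise HSM or an HSM-as-a-Service tenant. The sample record and all class and function names are assumptions.

```python
"""Envelope encryption where the customer, not the CSP, holds the master key.

Added example, not from the CSA report. AES-GCM / AES key wrap are stood in
for by HMAC-SHA256 counter mode plus an HMAC tag so the block runs with the
standard library alone; use a real AEAD and a real HSM in production.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for an AES keystream."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one secret.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """nonce || ciphertext || tag, with the tag covering aad, nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerHsm:
    """Models the customer-controlled root of trust (assumed name). The KEK
    never leaves this object; callers only get wrap, unwrap and rotate."""

    def __init__(self):
        self._keks = {1: os.urandom(32)}   # KEK version -> key material
        self.current = 1

    def wrap(self, dek: bytes, key_id: str):
        # Binding the wrap to key_id stops a wrapped DEK being replayed on another object.
        return self.current, aead_encrypt(self._keks[self.current], dek, aad=key_id.encode())

    def unwrap(self, version: int, wrapped: bytes, key_id: str) -> bytes:
        return aead_decrypt(self._keks[version], wrapped, aad=key_id.encode())

    def rotate(self) -> int:
        self.current += 1
        self._keks[self.current] = os.urandom(32)
        return self.current


@dataclass
class StoredObject:
    """Everything the cloud provider stores: ciphertext and a wrapped DEK only."""
    key_id: str
    kek_version: int
    wrapped_dek: bytes
    ciphertext: bytes


def encrypt_record(hsm: CustomerHsm, key_id: str, plaintext: bytes) -> StoredObject:
    dek = os.urandom(32)                           # fresh data key per object
    version, wrapped = hsm.wrap(dek, key_id)
    return StoredObject(key_id, version, wrapped, aead_encrypt(dek, plaintext, aad=key_id.encode()))


def decrypt_record(hsm: CustomerHsm, obj: StoredObject) -> bytes:
    dek = hsm.unwrap(obj.kek_version, obj.wrapped_dek, obj.key_id)
    return aead_decrypt(dek, obj.ciphertext, aad=obj.key_id.encode())


def rewrap_after_rotation(hsm: CustomerHsm, obj: StoredObject) -> StoredObject:
    """KEK rotation touches only the wrapped DEK; the bulk ciphertext is untouched."""
    dek = hsm.unwrap(obj.kek_version, obj.wrapped_dek, obj.key_id)
    version, wrapped = hsm.wrap(dek, obj.key_id)
    return StoredObject(obj.key_id, version, wrapped, obj.ciphertext)


def provider_sees_plaintext(obj: StoredObject, plaintext: bytes) -> bool:
    """Whether the plaintext appears in anything the provider stores (it should not)."""
    return plaintext in obj.ciphertext or plaintext in obj.wrapped_dek


def demo() -> dict:
    hsm = CustomerHsm()
    record = b"ACCT 4471-02 balance 1,250,000.00 EUR"   # constructed sample record
    obj = encrypt_record(hsm, "ledger/2023/q2", record)
    results = {"round_trip": decrypt_record(hsm, obj) == record,
               "provider_sees_plaintext": provider_sees_plaintext(obj, record)}
    hsm.rotate()
    new_obj = rewrap_after_rotation(hsm, obj)
    results["rotated_ciphertext_unchanged"] = new_obj.ciphertext == obj.ciphertext
    results["rotated_round_trip"] = decrypt_record(hsm, new_obj) == record
    # Flip one bit of the stored ciphertext blob: the tag check must reject it.
    damaged = new_obj.ciphertext[:-1] + bytes([new_obj.ciphertext[-1] ^ 1])
    try:
        decrypt_record(hsm, StoredObject(obj.key_id, new_obj.kek_version, new_obj.wrapped_dek, damaged))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this: the provider’s storage holds nothing that decrypts without a call into the customer’s HSM, key rotation is a rewrap of small wrapped DEKs rather than a re-encryption of the data set, and integrity failures surface as a hard error rather than silently corrupted financial records.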
Many financial service organizations have mature enterprise risk management (ERM) programs
that address many different types of risk to the organization, including financial market, regulatory,
and information security risks. ERM programs generally include an enterprise risk assessment
methodology along with risk acceptance procedures. Third party and supply chain risks are
commonly included in these programs and procedures.
Despite increasing utilization of cloud services for mission critical business functions and customer engagement, formal cloud policies are still in development. The survey results from 2020 mirror the current results, with about one third still developing their cloud policies and just over half including them in ERM programs.

Do you have a formal cloud policy or standard signed off as part of your overall Enterprise Risk Management framework?

                  2020    2023
Yes                55%     53%
In development     33%     30%
No                 13%     13%
Unsure              -       4%

The digitalization of financial services and the adoption of cloud over the last two years have exceeded the pace at which cloud policies have been implemented into ERM. Rapid adoption, larger digital supply chains, along with hybrid and multi-cloud

To what level are cloud services risk assessments integrated into the overall company risk assessment methodology?

                        2020    2023
Fully integrated         53%     33%
Partially integrated     38%     58%
The reliance on cloud for financial services adds significant, highly dynamic aspects to legacy methodologies that often necessitate cloud-specific risk assessment and management approaches.
Information sharing, and having a central mechanism to learn about threats to financial services, is a common pain point mentioned in open feedback within the survey and in the interviews. The greatest concern is the speed at which new vulnerabilities are discovered and the lack of transparency about when changes made by a cloud service provider could affect the security of, or the auditing required by, financial entities.
However, there was recognition that sharing sensitive security issues is sometimes difficult without anonymity. Even in our survey, which was already anonymous, many respondents said they were unable to share data due to company policy or other concerns, such as disclosing the number of audits the entity had to complete.
Additional countermeasures mentioned included some form of vulnerability tagging that would escalate severity for certain industries, such as financial services, when the affected component is recognized to be commonly deployed in that sector.
To maintain a relevant perspective on changes in the industry, CSA will invite financial service representatives, cloud service providers and other relevant organizations to a strategic leadership committee, which will convene to identify priorities for research, education, analyst briefings, assurance frameworks and programs.
Education
Research
CSA continues to map CCM to other regulatory frameworks with mappings recently completed
comparing requirements to the Monetary Authority of Singapore’s data security standard and work
is underway to update the CCM mapping to the most recent version of Payment Card Industry Data
Security Standard (PCI DSS).
Cloud service providers and other organizations with cloud operations may choose to assess against the CCM and be listed in the STAR program registry. Benefits identified by banking for the STAR program include third-party assurance and a potential prerequisite for onboarding new vendors during the third-party procurement process.
Organizations can also gain security by rolling out homogeneous workloads hardened by administrator-defined rules that are consistent with company policy and regulatory requirements.
These survey results show the growing use of cloud services to deploy business critical applications and handle regulated financial data in both public and private cloud implementations.
The predominant concerns mostly stem from meeting a very diverse set of regulatory requirements,
resiliency to maintain the integrity and availability of financial systems to be accessible to the proper
individuals, assurance those security controls can be demonstrated by third-party partners and the
ability for staff to properly configure access controls.
How the cloud security community can help is by further industry collaboration to develop easy-
to-understand guidance and use cases for applying controls, training that is specialized for financial
service professionals, studies on the latest approaches to protecting financial data and frameworks
that set good security baselines regardless of which cloud services are used that meet the
expectations of global regulations.
[Figure: respondent profile by role (e.g. CISO, Cloud Architect, Risk/Compliance Officer, DevOps/Engineering) and by financial services segment (e.g. Banking, Fintech, Insurance, Regulator). Only the percentages 28%, 20%, 13%, 11%, 20% and 2% survived extraction; their labels did not.]