
State of Financial Services in Cloud
The permanent and official location for the Financial Services Industry Working Group is
https://cloudsecurityalliance.org/research/working-groups/financial-services/

© 2023 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational, non-
commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.

© Copyright 2023, Cloud Security Alliance. All rights reserved. 2


Acknowledgments
Authors
Hillary Baron
Troy Leach
John Yeoh

Contributors
Josh Buker
Daniele Catteddu
Ryan Gifford
Jez Goldstone
Sean Heide
Erik Johnson
Alex Kaluza
Stephen Lumpe (graphic design)
Vinay Patel



Preface
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to widely promote
best practices for ensuring cybersecurity in cloud computing and IT technologies. CSA also educates
various stakeholders within these industries about security concerns in all other forms of computing.
CSA’s membership is a broad coalition of industry practitioners, corporations, and professional
associations. One of CSA’s primary goals is to conduct surveys that assess information security
trends. These surveys provide information on organizations’ current maturity, opinions, interests,
and intentions regarding information security and technology.

CSA’s Financial Services community brings together contributors from global banks, fintech,
payment processors, financial advisory, insurance, financial supervisory authorities, data protection
authorities, and other national regulatory bodies. As adoption of cloud in the finance industry
continues to grow, the challenges and concerns change accordingly. For the past several years the
CSA has conducted surveys in order to better understand the adoption and challenges of cloud
computing technology in the finance industry. The goals of this year’s study were to:

• Analyze the level of adoption of cloud solutions and requirements from financial institutions’
perspectives compared to prior surveys conducted in 2019-2020.
• Identify the current challenges facing the financial services industry and its engagement with
cloud service providers.
• Identify opportunities to create guidance on protecting financial data and related assets
within secure cloud services.



Table of Contents
Acknowledgments .... 3
Preface .... 4
Executive Summary .... 7
Survey Methodology .... 8
Survey Results .... 9
  Cloud Adoption Continues to Increase .... 9
  Multi-Cloud is Reality for Financial Services .... 11
  Zero Trust Adds Integrity to Access Within Financial Cloud .... 12
  Managing Data Improves in the Cloud .... 13
  Business Continuity Crucial for Operations in the Cloud .... 13
Meeting Regulatory Requirements in the Cloud .... 15
  Data Privacy, Sovereignty, and Localization .... 16
  Regulator Understanding of Auditing Practices for Cloud Services .... 17
  CCM Harmonizes Security Approach to Cloud .... 18
  Cloud HSMs and Confidential Computing Enhance Key Management .... 19
Skills Gap Still Exists in Cloud Security .... 20
  Check out Key Management activities from CSA .... 20
    Cloud Key Management Working Group .... 20
    Confidential Computing Working Group .... 20
    Cloud Infrastructure Security Training .... 20
Opportunities in Financial Services and Cloud .... 22
  Keeping up with New Technologies and CSP Features .... 22
  Demonstrating Adequate Assurance Cloud Security for FSI .... 24
    People: Maintain relevant knowledge (e.g. platform-specific training, micro trainings) .... 24
      Training .... 24
    Process: Mappings to FSI Frameworks, Validating to STAR .... 25
      CCM and Industry Standards .... 25
    Technology: CSPs Supporting FSI with Advancements in Security Technologies .... 25
      New Features, Artificial Intelligence Integrations .... 25
  Enterprise and Cloud Risk Management .... 26
  Threat Intelligence and Context Still Needed in the Cloud .... 27
CSA Financial Services Initiatives .... 28
  Education .... 28
  Research .... 28
  Industry Briefings .... 28
  Assurance Framework and Programs .... 29
Conclusion .... 30
Demographics .... 31



Executive Summary
Financial Services Industry (FSI) adoption of cloud services has grown extensively in recent years
and is expected to increase further as cloud service provider (CSP) functions replace the traditional
technology used for banking, commerce, and other ways of performing financial transactions and
exchanging financial data.

The intention of this report was to evaluate the current state of adoption, compared to the industry’s
readiness just three years ago when CSA conducted a similar survey, and to identify the current issues
and opportunities that FSI leaders are addressing as they move toward further use of cloud services.

In interviews associated with this report, CISOs and cloud architects for fintech said that harnessing
the scalability and quick-to-market capabilities of cloud to bring innovation to market was a much
more cost-effective approach than some of their prior practices. Additionally, banking professionals,
in part because of the COVID pandemic, said that leveraging cloud for remote workers and the ability
to deploy new software services more quickly with dynamic updates were primary reasons, along with
the ability to harmonize security policies for consistent deployments that met regulation.

Regulation was one of the greatest influencing factors in the report. Despite the increase in use of
cloud computing to host regulated data, concerns remained about how cloud service providers could
understand and demonstrate compliance with global legislation.

Still, new approaches create new types of risk, and respondents said that while use of cloud services
is increasing, the pace of adoption will need to match the speed at which CSPs and financial services
can both demonstrate the capabilities to show adherence to regulation and overall data protection,
and at which staff are comfortable managing them.

Other themes beyond regulation identified in the report include the importance of data management,
integrity of access, threat intelligence, and good enterprise risk management.

Most evident from the report is that cloud services are becoming well-rooted in all aspects of financial
services and are expected to be used for a very long time. The question is no longer whether cloud
will be adopted but how: how to adopt cloud-native security, how to apply Zero Trust methodologies,
and how to educate all relevant stakeholders from staff to regulators to cloud partners.

The information shared with CSA in this report has helped identify future research, standards
requirements, training, and education that the CSA community may have interest in developing.
At the end of the report, we share some of these suggestions, which will be socialized with our FS
Leadership Council for consideration.

Survey Methodology
This report compares FSI adoption of and readiness for cloud services against the survey results from
the 2020 Cloud Usage in the Financial Services Sector report. Many of the questions were the same as
those originally developed by the CSA Financial Services Working Group, to allow a fair comparison.

Several other questions were also included to understand the current state of awareness of the
Cloud Controls Matrix and STAR program, along with other topics identified by the FSI Leadership
Working Group, CSA analysts, and other industry experts.

Additionally, dozens of interviews were conducted with Chief Information Security Officers, Chief
Risk Officers, and other leaders responsible for cloud architecture as well as data governance within
Financial Services.



Survey Results
Cloud Adoption Continues to Increase
The adoption of cloud services by financial services has grown since the pandemic to represent
nearly all organizations. 98% of respondents cited that their organization is using some form of
cloud computing, up from 91% in 2020. Many respondents discussed the acceleration, in part,
required by the new working environment that the pandemic presented, and developing new
approaches to accommodate remote working and required accessibility of customers to their
accounts.

Confidence in using cloud computing workloads for business critical functions has seen a tremendous
increase. When asked about the percentage of workloads designated as “business critical” in
production with service providers, the 2020 survey results showed that 66% either had no business
critical workloads in the cloud (20%) or less than ten percent (46%). Those numbers dropped
significantly (to 43%) in the 2023 results, while the number of organizations with a majority of
business critical workloads in the cloud nearly doubled, from 17% to 32%.

Figure: What percentage of workloads or services designated by your organization as "business
critical" do you have in production at cloud providers?

        0%     1-10%   11-50%   51-75%   76-100%
2020    20%    46%     17%      2%       15%
2023    13%    30%     27%      16%      16%

Use of regulated workloads in public cloud has also increased since our former survey, with 84% of
respondents saying that at least some of their regulated data is in public cloud, up from 73%. It was
also noted that many financial service entities are balancing a hybrid approach of both private and
public cloud as well as continuing on-premise operations. However, there was recognition that many
service providers have also migrated to cloud offerings for their software services, which has
influenced broader adoption of cloud. Still, only 28% of respondents said that a majority (50% or
more of workloads) of their regulated data was in public cloud, a slight increase from 24% in 2020.

Figure: What percentage of regulated workloads are in public cloud services?

        0%     1-10%   11-50%   51-75%   76-100%
2020    27%    34%     15%      12%      12%
2023    16%    30%     27%      14%      14%



Interestingly, when asked about what is holding organizations back from further adoption of
sensitive workloads, the top “blockers” all increased in difficulty. Regulation and compliance
functions, especially in privacy, along with technical staffing issues remain the greatest challenges.

Figure: How challenging do you find each of the "blockers" that are holding back your organisation
from deploying more sensitive workloads? (2020 vs 2023, rated from 1 Not Challenging to 4 Very
Challenging.) Blockers rated:

• Data privacy rules
• Requirements from your compliance function
• Technical security control gaps
• Assurance concerns with CSP's control implementations
• Meeting regulatory requirement
• Contractual issues with CSPs related to security, risk, or liability
• Skill gaps for staff to manage cloud services



Multi-Cloud is Reality for Financial Services

A common concern for organizations is whether they depend on a single CSP or whether multiple
providers are approved for use. The intent to move into multi-cloud environments suggests that many
organizations recognize the benefits of diversifying their cloud providers, such as reducing the
risk of vendor lock-in and ensuring greater flexibility and resilience in their cloud environment. By
using multiple CSPs, organizations can also take advantage of each provider’s unique features and
best-of-breed functions while avoiding single vendor lock-in, optimizing their cloud strategy, and
maximizing the value of their investment.

According to survey respondents, 57% of organizations currently use multiple CSPs for their IaaS/
PaaS needs.

Figure: Do you currently depend on a single cloud service provider for IaaS/PaaS or are multiple
providers approved for use?

                  2020    2023
Single CSP only   35%     43%
Multiple CSPs     65%     57%

Despite requests by government regulators to support multiple cloud service providers for business
resilience purposes, a number of the CISOs interviewed discussed the current challenges of trying to
develop multi-cloud cohesion. This is indicated by a slight increase in the number of respondents that
primarily use a single CSP for IaaS/PaaS. Complexity with interoperability, ease of portability,
visibility, data governance, security policies, and more across third-party cloud services has led to
the challenges of adopting multi-cloud environments.

With third-party management across the cloud stack becoming increasingly important for multi-cloud
deployments, visibility remains a concern. The comparison of visibility with the previous report
reveals an unexpected increase in the number of responses that perceive they have no visibility
across the cloud stack, particularly with IaaS and PaaS. Overall, respondents showed an increase in
good to excellent visibility for SaaS and PaaS but a decrease for IaaS environments.

Figure: Rate your organization's visibility into the following environments:

              No visibility   Okay visibility   Good visibility   Excellent visibility
IaaS  2020    3%              21%               51%               24%
      2023    17%             20%               52%               11%
PaaS  2020    5%              36%               52%               8%
      2023    20%             22%               48%               48% (as printed)
SaaS  2020    14%             46%               32%               8%
      2023    16%             22%               40%               22%

Further evaluation from CISO interviews revealed that it wasn’t just visibility but a lack of context
or disclosure with notifications and changes in those environments. This leaves the door open for
major IaaS providers to add additional layers of visibility, control, and context at the operational
and activity levels. Improvements with solutions such as Cloud Native Application Protection
Platforms (CNAPPs) and change notification standards will play a role in leading these efforts.

This lack of visibility can lead to unknown security and compliance risks such as lack of assurance
and the inability to demonstrate adherence to industry regulation. Organizations should consider the
implementation of robust SaaS management strategies to gain better visibility and control over their
cloud environment.

Zero Trust Adds Integrity to Access Within Financial Cloud

Financial organizations have several expectations for the integrity of who has access to view or
manipulate financial records. Several factors contribute to this, including the aforementioned data
management aspects of maintaining confidentiality and preventing data loss or corruption, such as
money laundering or theft resulting from inadequate protection of data integrity. This is one
possible reason why Zero Trust was noted as the top priority in the survey.

A Zero Trust methodology requires the continuous verification of access to sensitive data and assets
while minimizing the impact when a compromise has occurred. In a cloud environment, inherited
security controls for any third-party access should be tested regularly to verify that the privileges
remain relevant. This approach has the potential to achieve business and technical goals for
protection of financial assets while demonstrating adherence to various industry mandates.

Figure: Which of the following topics are you most interested in regarding the financial services
industry?

Zero Trust                                 72%
Cloud Regulations                          67%
Multi-cloud management                     45%
Financial shared responsibility model      44%
Confidential computing                     42%
Key management for virtual HSM             38%
Use cases for managing data localization   30%
Blockchain and cryptocurrency              28%



Managing Data Improves in the Cloud

Confidentiality of data and having transparency of where and how that data is routed is critical for the
financial services industry. Data must remain protected while stored, in transit, and when possible
in use for the ability to confirm the legitimacy of the corporation’s monetary accounting as well as
the protection for all consumers that trust the company with their funds. Additionally, there is the
need for data traceability and clear audit trails for how data moves and is being protected at all times.
The scalability of logging financial data in the cloud, according to several interviews, is superior to
many of the on-premise approaches and builds confidence in migration to cloud computing but must
remain reliable and consistent.

Still, concerns by respondents over data exposure lead to a cautious migration when placing sensitive
workloads into public cloud services. Measuring the security of data management in cloud with a
Zero Trust maturity model, such as the CISA Zero Trust Maturity Model v2, while applying the shared
security responsibility model (SSRM) and cloud-specific controls like those found in the CSA Cloud
Controls Matrix (CCM), can help establish requirements for transparency related to data exfiltration,
confidentiality, and misconfigurations.

Sidebar: SSRM delineates control implementation responsibility for CSPs & CSCs. Table: Typical
Control Applicability and Ownership (CSP-Owned, CSC-Owned, Shared) by service model (IaaS, PaaS,
SaaS); recovered row: CSC-Owned, CSC-Owned, CSC-Owned.

Business Continuity Crucial for Operations in the Cloud

Availability concerns are a critical aspect of maintaining business continuity and ensuring the smooth
operation of organizations. The subject of financial institution resiliency and the ability to support
multiple CSPs has been highlighted in the recent U.S. Department of Treasury report. The European
Union (EU) is considering cyber resilience requirements within the European Cybersecurity Act
(EU-CSA) and the EU Network and Information Security Directive (NIS2 Directive) 2022/2555.

Cloud computing ensures business continuity for financial services by securely storing critical data
and applications in third-party services and infrastructure to reduce the risk of data loss and on-site
infrastructure failures. At the same time, these services must continue to be designed to meet
changing financial service industry security standards and requirements. Financial regulators,
auditors, and examiners have been asking questions such as “what if the CSP goes fully down?”. This
highlights the likely need for a robust multi-cloud management strategy that includes backup and
disaster recovery solutions, but it can come at an efficiency and operational cost in the cloud.
Interestingly, the report showed a slight decrease in the readiness of a backout plan for current
service providers compared to respondents of our 2020 survey.

Figure: Do you have a backout plan to change cloud providers?

                               2020    2023
Yes, documented but untested   35%     28%
Yes, documented and tested     30%     20%
No                             35%     52%

Discussions with CISOs have unveiled uneven ingress and egress data costs in the cloud. The cost to
move data out far exceeds the costs to migrate into a public cloud environment.

The concern over availability is further compounded by the rise in attacks such as Distributed Denial
of Service (DDoS) and ransomware, particularly in the financial services industry. According to
Cloudflare, financial services accounted for 45% of DDoS attacks in June ‘22. The Verizon Data Breach
Investigations Report (DBIR) continuously lists financial services among the top industries impacted
by data breaches. Earlier CSA survey reports showed DDoS and ransomware as top security concerns,
alongside data exfiltration, loss of system access, system sabotage, persistent adversarial access,
account takeover, and fraud. It’s not a surprise that DDoS and ransomware, which can lock down an
organization’s critical data and bring operations to a standstill, are heavily covered in the latest
CSA Top Threats to Cloud Computing: Pandemic Eleven report.

These attacks can cause significant disruptions to operations and lead to reputational damage,
making it essential for financial service organizations to have effective Business Continuity Planning
(BCP) and Incident Response Planning (IRP) strategies in place. Organizations need to invest in
robust cybersecurity measures and regularly test their backup and recovery plans to mitigate the risk
of downtime and ensure their systems are always available. With proactive security measures and a
focus on continuous improvement, the financial service industry can confidently navigate the cloud
landscape and protect their critical data and operations.



Meeting Regulatory Requirements in the Cloud

Financial service entities are governed by local and federal laws in all jurisdictions within which
they operate or conduct international business. In recent years, survey respondents indicated a
heightened review of third parties, especially cloud service providers, to document and demonstrate
compliance with various standards frameworks, citing regulators’ attention to third parties as a
means of influencing security. Respondents referenced high-profile data breaches of financial data
and the introduction of new legislation as a catalyst for some of this attention.

Still, the majority of Financial Services use cloud computing for regulated data, with 59% saying
they store or process regulated banking information within cloud services, and only 25% having no
future plans to do so.

Figure: Do you store or process regulated banking data in cloud services?

Yes                             59%
Plan to in the next 12 months   13%
Plan to in the next 1-3 years   3%
No plans                        25%

Participation in the survey included global representation from APAC (20% of respondents), EMEA
(28%), and the Americas (52%), which indicates there is worldwide attention to how to address
regulation in cloud environments.

While cloud services are being widely deployed by most financial service organizations, only 28% of
respondents said they are using public cloud services for the majority of their regulated workloads.
In interviews, this was attributed to the lack of transparency with cloud service providers, the
inability to demonstrate compliance to auditors, or concerns over having enough cybersecurity
resources to confidently manage them as primary reasons for not using public cloud services further
for regulated data.

Figure: What percentage of regulated workloads are in public cloud services? (2023)

        0%     1-10%   11-50%   51-75%   76-100%
2023    16%    30%     27%      14%      14%



The number of organizations that have a majority of business critical workloads in the cloud (50%
or more) has nearly doubled in only three years. 87% of financial organizations have moved business
critical workloads to the cloud, and the share moving more than half of their business critical
workloads to the cloud rose by 15 points (from 17% to 32%).

Figure: What percentage of workloads or services designated by your organization as "business
critical" do you have in production at cloud providers?

        0%     1-10%   11-50%   51-75%   76-100%
2020    20%    46%     17%      2%       15%
2023    13%    30%     27%      16%      16%

Additionally, with 72% expecting to transfer or store regulated banking data in the cloud within the
next twelve months (up from 63% in 2020), the report shows that future trust in and reliance on cloud
for the financial services industry has increased.

Data Privacy, Sovereignty, and Localization

In recent years, governments around the world have either established or considered legislation
regarding data sovereignty and data localization that may restrict the transfer of personal financial
or other personal data that financial service entities may be in possession of. These regulations may
impact both the financial service entities and their customers. Additionally, this could impact the
cloud service providers that may host or have operations in these countries.

Certain data localization laws require either personal information that is collected be first stored
within the country before transferring beyond national jurisdiction while other regulations may
be even stricter preventing foreign systems from storing any data associated with citizens of that
nation. During interviews, CISOs recommended internal legal counsel regularly monitor for these
particular changes and risk professionals develop ways to be alerted of impending adjustments that
may be necessary to demonstrate adherence.

Understanding the laws by both the financial service entities and cloud service providers is growing
in complexity which has led to some hesitancy for further adoption of cloud services according to
some interviewed for this report. Some examples commonly cited included the EU CSA and GDPR.

When compared with the 2020 survey results, a notable trend emerged: there is an overall increase in
the percentage of regulated workloads from FSIs in public cloud services. In particular, those
reporting between 11-50% increased from 15% to 27%, and those at 0% decreased from 27% to 16%.

Figure: What percentage of regulated workloads are in public cloud services?

        0%     1-10%   11-50%   51-75%   76-100%
2020    27%    34%     15%      12%      12%
2023    16%    30%     27%      14%      14%



There was little discernment between all the categories of identified privacy and regulatory blockers
from respondents. All “blockers” were considered moderately or very challenging at preventing
deployment of more sensitive workloads. The categories included:

• Data privacy rules;
• Requirements from your compliance function;
• Technical security control gaps;
• Meeting regulatory requirement;
• Assurance concerns with CSP’s control implementations;
• Contractual issues with CSPs related to security, risk, or liability;
• Skill gaps for staff to manage cloud services.

Regulator Understanding of Auditing Practices for Cloud Services

A common point made during interviews and the survey was the need for broader awareness by
regulators and auditors of approaches to auditing cloud services. Several themes from respondents
included better understanding by regulators of differences between cloud platforms, such as:

• Unique security traits and nomenclature for each CSP
• Inefficiencies of requiring multi-cloud environments for resiliency or to scale quickly
• Additional cost and resourcing associated with managing different CSP environments
• Staff training and coordination required to manage different CSP environments
• The ability to address multi-regulation validation with one-time assessments

This is consistent with the majority of respondents mentioning that they must coordinate multiple
audit requests with their CSPs.

Figure: What is the number of regulatory audit requests your organization must coordinate with your
CSPs to satisfy all governance assessments?

None   1-5   6-15   16-25   25+   Unsure
7%     35%   35%    4%      11%   9%



CCM Harmonizes Security Approach to Cloud

Another discovery of the survey is that the majority of respondents use the CSA Cloud Controls
Matrix (CCM) or the Consensus Assessment Initiative Questionnaire (CAIQ). With the diversity of
cloud offerings and various needs for assurance, the CCM and CAIQ provide organizations with a
set of vendor-neutral controls to help mitigate these concerns. CCM requirements address various
areas of concern, such as availability, key management, and third-party management. 65% of the
organizations surveyed use the CCM and CAIQ to demonstrate adherence to frameworks, establish an
internal cloud security controls framework, and establish an internal cloud risk management
approach. However, only 33% of organizations have fully integrated cloud services risk assessments
into their overall company risk assessment methodology. Identity and Access Management (IAM) and
Zero Trust are emerging research areas that can help the financial services industry eliminate some
concerns around cloud security. By adopting these best practices, organizations can stay ahead of
evolving threats and ensure their cloud environments remain secure and compliant.

How do you use the CSA Cloud Controls Matrix (CCM) or the Consensus
Assessment Initiative Questionnaire (CAIQ)?

65% 65% 59% 22% 14%

Demonstrate adherence Establish internal cloud Establish an internal cloud Support cloud Support cloud
to frameworks security controls risk management procurement process procurement process
framework approach

The most common frameworks referenced were the NIST Cybersecurity Framework (NIST CSF), Payment
Card Industry Data Security Standard (PCI DSS), ISO 27001, General Data Protection Regulation (GDPR),
Monetary Authority of Singapore (MAS), Federal Financial Institutions Examination Council (FFIEC) and
SOC 2, while other responses indicated use of unnamed frameworks/requirements along with regional laws.

CSA STAR was identified as an opportunity to evaluate cloud service providers more transparently
and consistently. The use of STAR was cited as a potential practice to be included within
procurement activities as it demonstrates proper due diligence of third-party suppliers. The majority
of financial service organizations (80% of survey respondents) said they were using the CCM and STAR
program in some capacity.

Do you currently use or plan to use the STAR Registry to do the following?

Evaluate Cloud Service Providers: 45% / 20% / 27% / 8%
Demonstrate security practice for the adoption of cloud-based financial service: 38% / 19% / 32% / 11%

(values in legend order: No, not planning or using / No, but planning to use /
Yes, but only for some cloud services / Yes, all cloud services)



Cloud HSMs and Confidential Computing Enhance Key Management

Key management is a critical aspect of maintaining data security and integrity, especially in the
financial services industry. Regulated and critical data sets have strict key management policies to
assure financial data remains confidential, with a high level of assurance that the encryption used
can be trusted.

The latest survey shows only 2% of financial service organizations have undefined or unpublished
internal key management policies, down from 12% in 2020. Additionally, key management policies were
established for all critical data, which was not the case in 2020. There is a clear rise in key
management policy establishment for critical, regulated, public, and non-sensitive data.

What is your organisation's policy position on key management for different
classes of data? Who "holds the keys"?

Columns (left to right): A = No defined/published internal policy; C = "On premise": our
organisation must "hold" the master keys; E = "Cloud HSM": master keys stored in an HSM, CSP cannot
access the keys. Columns B and D are "Subject to obligations agreed or accepted with 3rd parties
(regulators, clients, suppliers)" and "Bring your own key" in a non-HSM service; the source chart
does not make clear which is which.

                       A     B     C     D     E
Non-sensitive  2020   17%   36%   19%    7%   21%
               2023   24%   29%   18%   10%   18%
Public         2020   16%   33%   20%   10%   21%
               2023    8%   23%   27%   10%   31%
Regulated      2020   10%   14%   33%   16%   27%
               2023    8%   35%    8%   48%   (only four values appear in the source)
Critical       2020   12%    9%   43%    9%   27%
               2023    2%    6%   38%    2%   52%

When it comes to policy positions on key management, 52% of organizations place critical
information within cloud-based Hardware Security Modules (HSMs), with master keys stored in the
HSM and no access granted to the cloud service provider, an increase of 25% from 2020. On the
other hand, 38% use an on-premise solution where the organization must hold the keys, down 5%
from 2020.

Other data collected was around the use of additional key management or encryption services
for protecting regulated and non-regulated workloads. HSM-as-a-Service, security enclaves, and
confidential computing were all mentioned as being applied to protect both.

In addition to the technical solutions for data encryption, the respondents also called for FSI-
focused research, training, and education in CCM domains (specifically Cryptography, Encryption,
and Key Management (CEK) and Data Security and Privacy Lifecycle Management (DSP)) and in HSM-as-
a-Service for regulators, enterprises, and CSPs.

These statistics emphasize the growing importance of key management and data encryption
solutions and the shift towards cloud-based services to enhance data security and compliance in the
financial services industry.



Check out key management activities from CSA:

• Cloud Key Management Working Group

• Confidential Computing Working Group

• Cloud Infrastructure Security Training

Skills Gap Still Exists in Cloud Security

One common challenge still faced by financial services organizations is the cloud security skills
gap, which refers to the shortage of professionals with the necessary expertise to manage and secure
cloud environments effectively. To address this issue, organizations are scrambling to train and hire
cloud security professionals to bridge the gap and improve their cloud security posture.

50% of organizations are using third-party consultants, 57% are hiring more internal cloud security
professionals, and 52% are relying on automation to address these issues. Compared to 2020, more
organizations today are directly bringing in cloud security professionals (57% from 40%) while
continuing, at a somewhat lower rate, to develop their existing internal staff (70% from 78%). Use of
automation technology (52% from 33%) has increased, indicating the growing maturity and availability
of automation tools to deploy, integrate, and implement.

How are you addressing the cloud security skills gap within your organisation?

                                                 2020   2023
Internal - developing my existing staff           78%    70%
Internal - hiring cloud security professionals    40%    57%
3rd party consultants                             58%    50%
Technology - automation                           33%    52%
No skills gap issues                               3%     7%



The 2023 survey explored the level of expertise in cloud security and compliance within cloud
environments. A few organizations showed low levels of knowledge on their teams (16% cloud security,
13% compliance in cloud), and a slightly larger share showed high levels of expertise (23% cloud
security, 29% compliance in cloud).

How knowledgeable is your organization’s staff regarding the following:

                                                    Low   Medium   High
Cloud Security                                      16%    61%     23%
Compliance requirements within cloud environments   13%    58%     29%

Cloud-specific training is being offered by 68% of organizations, with CSP-specific training being
the most common. The survey shows that while 68% of organizations have cloud-specific training for
tech professionals, only 9% of organizations offer a robust cloud-specific training curriculum, and
32% of organizations do not offer cloud-specific training.

Do you currently have cloud-specific training for your technology professionals?

Yes, a robust training curriculum: 9%
Yes, but limited scope: 59%
No, but encourage self-learning: 28%
None that I’m aware of: 4%

Among the cloud security training offered, CSP-specific training is the most common (54%),
followed by CCSP (41%), CCSK (27%), Other (20%), and CCAK (17%).

Which specific types of cloud security training does your organization provide for your staff?

CSP-specific training: 54%
CCSP: 41%
CCSK: 27%
Other Cloud Security Training: 20%
CCAK: 17%



Opportunities in Financial Services and Cloud

Keeping up with New Technologies and CSP Features

The financial services industry faces a multitude of challenges as it embraces new technologies to
innovate and enhance business applications. The expansion of cloud into the Internet of Things (IoT)
and edge computing offers increased connectivity, data collection, and interaction to conduct
commerce, but it amplifies the complexity of security and privacy, requiring robust safeguards.

Blockchain and Confidential Computing technologies address the need to protect sensitive data,
secure transactions, and meet regulatory compliance, but scalability and integration challenges exist.

The rise and advancement of artificial intelligence and large language models (such as ChatGPT/GPT,
Bard/LaMDA) offer enhanced efficiency, insights, and capabilities to the industry but also demand the
careful handling of customer data, transparency, and ethical considerations.

Quantum computing adds to the urgency of preparing for future computing threats while benefiting
from the technological advantages. As mentioned previously, the current reliance on cryptography to
keep financial information confidential could be immediately challenged and require sweeping changes
to how financial services are offered digitally.

Financial services organizations must navigate these challenges prudently, striking a balance
between innovation and risk management to harness the full potential of these technologies while
safeguarding customer trust and data security.



Additional advanced security techniques could involve further use of DevSecOps in the financial
services industry. Use of DevSecOps methods actually decreased slightly from the 2020 survey results.
Further CSA analysis considers that the ability to incorporate complex DevOps practices with security
integrations and automations has impacted the adoption of DevSecOps for some organizations. The
importance of training developer and security teams on these methods needs to be emphasized in the
financial services industry. CSP solutions must also focus on simple and less disruptive integrations
of security and DevOps for these teams.

Are you leveraging Dev(Sec)Ops methodologies and tools for your cloud workloads?

                                       2020   2023
For all workloads under our control     18%     9%
A significant amount                    35%    42%
A minor amount                          45%    36%
Not at all                               3%    13%

Other legacy IT service management processes, such as release and change management, are also
significantly challenged by the modern technology and third-party aspects inherent in cloud service
utilization, and particularly by the intricacies of the cloud shared security responsibility model.
CSP functions and technologies often advance faster than financial services customers adopt them.
Improvements in the notification and management of changes that can impact CSP customer
applications, environments, and actions are still needed.

Rate your level of concern with security and operational issues resulting
from the high volume of CSP-initiated cloud service changes.

Low: 9%   Medium: 37%   High: 54%



Demonstrating Adequate Assurance of Cloud Security for FSI

People: Maintain relevant knowledge (e.g. platform-specific training, micro trainings)

Training

There is recognition of the importance of training, with industry certifications such as CCSP or
CSP-specific training of greatest interest, as well as use cases that use FSI examples. Further
analysis may be warranted by CSA to see whether FSI-centric cloud security training for specific
cloud platforms would be of interest to stakeholders.

How knowledgeable is your organization’s staff regarding the following:

                                                    Low   Medium   High
Cloud Security                                      16%    61%     23%
Compliance requirements within cloud environments   13%    58%     29%

Only 9% of respondents felt that they had a highly robust cloud security program:

Rate your level of concern with security and operational issues resulting
from the high volume of CSP-initiated cloud service changes.

Low: 9%   Medium: 37%   High: 54%



Process: Mappings to FSI Frameworks, Validating to STAR

CCM and Industry Standards

The majority of respondents appear to be using the CCM for multiple purposes, but deriving value from
an external assessment or using the STAR program as part of current business practices was low. This
may be due to a lack of awareness or consideration as part of their compliance practices. Discussions
with regulators and compliance officers on the potential of using the CCM framework and STAR
registry, along with awareness campaigns for the use of STAR, may influence broader adoption in the
future.

How do you use the CSA Cloud Controls Matrix (CCM) or the Consensus
Assessment Initiative Questionnaire (CAIQ)?

Demonstrate adherence to frameworks: 65%
Establish internal cloud security controls framework: 65%
Establish an internal cloud risk management approach: 59%
Support cloud procurement process: 22%
Support cloud procurement process (as labelled in the source): 14%

Technology: CSPs Supporting FSI with Advancements in Security Technologies

New Features, Artificial Intelligence Integrations

Cloud service providers are collaborating closely with their cloud customers that need to
demonstrate security assurance.

In the interviews conducted, several financial service entities referenced dedicated teams within
cloud service providers that were specifically addressing how to achieve adherence to financial
service requests to meet unique regulatory or other expectations.

Cloud service providers are also working with industry to develop approaches to confidentiality and
key management that exclude any access by the cloud service provider to regulated data. Examples of
this include security enclaves and mechanisms such as confidential computing that prevent the hosting
cloud service provider from accessing financial data in readable form. Additional examples include
the use of HSM-as-a-Service, where the “root of trust” prevents the CSP from accessing sensitive
information.



Enterprise and Cloud Risk Management

Many financial service organizations have mature enterprise risk management (ERM) programs
that address many different types of risk to the organization, including financial market, regulatory,
and information security risks. ERM programs generally include an enterprise risk assessment
methodology along with risk acceptance procedures. Third party and supply chain risks are
commonly included in these programs and procedures.

Despite an increasing utilization of cloud services for mission critical business functions and
customer engagement, formal cloud policies are still in development. The survey results from 2020
mirror the current results, with about one third still developing their cloud policies and just over
half including them in ERM programs.

Do you have a formal cloud policy or standard signed off as part of your
overall Enterprise Risk Management framework?

                 2020   2023
Yes               55%    53%
In development    33%    30%
No                13%    13%
Unsure             -      4%

The digitalization of financial services and the adoption of cloud over the last two years has
exceeded the pace at which cloud policies have been implemented into ERM. Rapid adoption and larger
digital supply chains, along with hybrid and multi-cloud environments, have added complexity to
traditional IT systems. With 90% of financial service institutions integrating cloud risk
assessments into the overall company risk assessment methodology, the balance of partial and full
integration has changed.

To what level are cloud services risk assessments integrated into the overall
company risk assessment methodology?

                       2020   2023
Fully integrated        53%    33%
Partially integrated    38%    58%
No integration          10%     9%

The reliance on cloud for financial services adds significant, highly dynamic aspects to legacy
methodologies that often necessitate cloud-specific risk assessment and management approaches.



Threat Intelligence and Context Still Needed in the Cloud

Information sharing and having a central mechanism to learn about threats to Financial Services
is a common pain point mentioned in open feedback within the survey as well as in the interviews
conducted. The greatest concern is the speed at which new vulnerabilities are discovered and the
transparency about when changes made by a cloud service provider could influence the security of,
or the auditing required by, financial entities.

As one CISO at a bank said during an interview, “There have been instances where we were given less
than a 48-hour notice of significant changes [by our cloud service provider] that would impact our
environment. While some issues may be necessary for serious zero day threats, this instance could
have been coordinated better with us to prepare our teams for the change.”

The other challenge is the collection of relevant threats to cloud environments and having broader
industry sharing. Several organizations such as the Financial Services Information Sharing & Analysis
Center (FS-ISAC) and MITRE were referenced as organizations that respondents rely upon for
vulnerability information relevant to their environments.
Several respondents suggested that an opportunity for further collaboration on cloud-centric
vulnerabilities, which are likely more significant to financial services, coming to public discussion
more quickly would be advantageous for security professionals.

Recommendations from respondents included advancement of a global security database customized to
industry-centric threats as well as use cases for how cloud vulnerabilities may be exploited.

Additionally, references back to FSI-centric frameworks that may be out of compliance if
vulnerabilities were exploited was an idea suggested in open comments. For example, if malware were
to be successfully installed that disabled logging or monitoring, which controls within the PCI DSS
requirements would no longer be in compliance?

However, there was recognition that further sharing of sensitive security issues is sometimes difficult
without the ability for anonymity. Even within our survey results, which were already anonymous,
many respondents said they were unable to share data due to company policy or other concerns
such as disclosing the number of audits the financial service entity had to complete.

Additional countermeasures that were mentioned included some form of vulnerability tagging that
would escalate the severity for certain industries, such as financial services, if recognized to be
commonly deployed for that sector.



CSA Financial Services Initiatives
Cloud Security Alliance conversations with industry stakeholders have identified future contributions
that will be considered.

To maintain a relevant perspective on changes in the industry, CSA will invite financial service
representatives, cloud service providers, and other relevant organizations to a strategic leadership
committee, which will convene to identify priorities for research, education, analyst briefings,
assurance frameworks, and programs.

Education

Education will include awareness campaigns and the development and promotion of training relevant
to FSI stakeholders.

Examples of awareness campaigns could include the relevance of HSM-as-a-Service guidance currently
under development, mapping to frameworks used within Financial Services, and how to complete the
Shared Security Responsibility Model (SSRM).

Training begins with understanding the basics of cloud fundamentals that can be applied to financial
assets. But in addition to FSI professionals studying for certificates of cloud knowledge or attending
introductory cloud courses, CSA will explore the opportunity to work with industry to develop
FS-centric training, if warranted. Examples of training may include auditing cloud environments
against financial frameworks or use cases.

Research

Financial service organizations identified that the ability to develop in SaaS environments helps to
accelerate innovation and put new technology into production faster than traditional methods. There
is also a wealth of new methodologies and security solutions being introduced that require guidance
on how best to implement them for various platforms.

Of the potential areas that CSA could support, respondents requested more guidance on financial
service practices related to integrity and trust associated with cloud HSMs and governance of
multi-cloud environments, among other ideas. CSA can potentially develop research surveys and papers
that identify the greatest areas of interest and need, with practical security suggestions.



Industry Briefings

Already a benefit for CSA members is the ability for organizations associated with CSA to request
analyst briefings on various areas of cloud computing or technologies such as Artificial Intelligence,
blockchain, and quantum computing that all leverage cloud services.

Moving forward, CSA will begin a series of regular, industry-centric briefings. This will allow FSI
peers to hear the questions being asked of a subject matter expert for their own learning and to
further the discussion that is most likely relevant to their work. Subject matter experts will attend
from a specific cloud service provider, regulator, or other relevant domain of knowledge to share the
latest approaches to meeting FSI matters in cloud computing.

Assurance Framework and Programs

The Cloud Controls Matrix (CCM) has been used globally as a reference of security best practices for
cloud services. CCM has been applied across many industry verticals looking to protect digital assets
in the cloud, and financial services is no different. Several organizations, such as the
Cybersecurity Risk Institute and IBM Financial Services, have incorporated it within their related
frameworks.

Further work has been done with several European consortia and working groups to evaluate the CCM
as part of their financial auditing practices. As such, CSA could evaluate the relevance of
additional requirements to the CCM that would be designed for FSI entities to meet specific
regulatory requirements or unique handling of financial data beyond the general construct. This
could result in an FSI addendum to the CCM or whitepapers on the applicability of the CCM for those
issues.

CSA continues to map CCM to other regulatory frameworks with mappings recently completed
comparing requirements to the Monetary Authority of Singapore’s data security standard and work
is underway to update the CCM mapping to the most recent version of Payment Card Industry Data
Security Standard (PCI DSS).

Cloud service providers and other organizations with cloud operations may choose to assess against
the CCM and be listed in the STAR program registry. Benefits identified by banking respondents for
the STAR program include third-party assurance and a potential prerequisite for onboarding new
vendors during their third-party procurement process.



Conclusion
The Financial Service industry, in many ways, observes the same benefits of cloud computing as
other industry verticals. It provides efficient ways to come to market with solutions faster and in a
manner expected by customers that have become accustomed to cloud-native applications.

Organizations can also harness greater security with the ability to roll out homogeneous workloads
hardened by administrator rules that are consistent with company policy and regulatory
requirements.

And these survey results show the growing use of cloud services to deploy business critical
applications and handle regulated financial data in both public and private cloud implementations.

The predominant concerns mostly stem from meeting a very diverse set of regulatory requirements,
resiliency to maintain the integrity and availability of financial systems so they remain accessible
to the proper individuals, assurance that security controls can be demonstrated by third-party
partners, and the ability of staff to properly configure access controls.

The cloud security community can help through further industry collaboration to develop easy-
to-understand guidance and use cases for applying controls, training that is specialized for financial
service professionals, studies on the latest approaches to protecting financial data, and frameworks
that set good security baselines, regardless of which cloud services are used, that meet the
expectations of global regulations.



Demographic
What is your primary role?

(Role labels are not recoverable from the source chart.) Responses: 28%, 20%, 13%, 11%, 20%, 2%

Which of the following best describes your organization's industry?

(Industry labels are not recoverable from the source chart.) Responses: 37%, 19%, 4%, 4%, 4%, 4%,
6%, 2%, 17%

What size is your organization?

1-50 employees: 13%
51 - 500 employees: 11%
501 - 2000 employees: 15%
2001 - 10,000 employees: 24%
10,000+ employees: 37%

What region are you located in?

Americas - North, Central, and South America: 52%
EMEA - Europe, Middle East, Africa: 28%
APAC - Asia Pacific: 20%
