Making Cloud SLAs readily usable in the EU private sector

Spotlight: Finance

Recommendations for the use of cloud services by the finance sector

A report published in December 2015 by the European Union Agency for Network and Information Security (ENISA) (Secure Use of Cloud Computing in the Finance Sector Good practices and recommendations) provides a set of recommendations for financial institutions, industry regulators and cloud service providers (or their brokers) to overcome the barriers to cloud service adoption within the sector. The recommendations cover four key areas: co-operation, risk-based approach, transparency and assurance, and information campaigns.
 
A key finding of the report is that the adoption of cloud services within the financial sector is slow, with most of the institutions still relying on in-house infrastructures. There are several reasons for this, ranging from the risk of losing control over information assets, caution on the part of regulatory authorities and a general lack of awareness and guidance on the security benefits of the cloud. Where adoption is taking place, it is most often a hybrid of public and private cloud, with test environments and email management among the top uses.
 
The report identifies 7 challenges, perceived or real, which cloud service providers will need to address:
 
1. Managing governance and compliance risk. 
2. Defining better tools for contract/SLA negotiation, especially for small financial institutions.
3. Increasing the level of transparency of cloud service providers.
4. Increasing the understanding of cloud security within the sector.
5. Clarifying the differences between outsourcing and cloud computing. 
6. Encouraging NFSAs to provide more guidance on cloud adoption. 
7. Improving the security and privacy certification schemes currently available. 
 
Recommendations
 
Greater co-operation
The cloud market will evolve more rapidly wherever there is close co-operation between financial institutions, regulators (National Financial Supervisory Authorities) and cloud service providers and/or their brokers. The key message is: making the rules of the game clear, will encourage more players to participate. 
As industry regulators, national financial supervisory authorities (NFSAs) are called upon to define national good practices and (de facto) standards on cloud governance and risk management to enable the adoption of cloud services in the finance sector. 
NSFAs are also called upon to define good practices and de facto standards for incident information sharing. Co-operation between national regulators, financial institutions and cloud service providers should focus on mechanisms to increase the level of trust between the members of the financial services information sharing and analysis centre (FS-ISAC), and consequently increase the amount of detail of the incident information. 
ENISA recommends that the NSFAs, the European Commission and the European banking authority (EBA) work at European and global levels, to define a common set of good practices for cloud security and privacy.
 
Risk-based approach is best
Financial institutions (FI) should develop a cloud computing strategy in order to define their approach to cloud computing. Organisations should adopt a risk-based approach when moving to the cloud, and their strategy should be aligned with their corporate risk assessment. 
FIs should perform a corporate risk assessment on cloud computing by using their corporate risk assessment framework, and by leveraging existing cloud specific tools and methodologies. 
 
Transparency and assurance
Misconceptions about the technology have lead FIs and NFSAs to be overly cautious about the use of cloud computing. Cloud Service Providers should be more transparent and help customers and supervisory authorities understand better levels of assurance. 
 
Information campaigns
The European Commission, relevant European agencies such as ENISA and the European Banking Authority, and industry bodies should work together to create information campaigns targeting the financial objectives. These should increase the understanding of the NFSAs, financial regulators and FIs on security risks and benefits and clarify the differences between cloud based services and outsourcing, as well as trade-offs between public and private cloud.