
Securely Moving Financial Services to the Cloud

Financial services organizations migrating applications to the cloud need to think about cloud governance, applying appropriate policies and oversight, and compliance and regulatory requirements.

David Stone, Solutions Consultant, Cloud CISO, Google Cloud

October 10, 2023


When it comes to financial services moving securely to the cloud, there are several important considerations. Secure cloud usage starts with how the financial services industry itself uses the cloud, including secure configurations, resiliency, and pipelines that ensure consistent guardrails for developers, infrastructure teams, and security teams. This is layered on top of a secure foundation from cloud service providers. Additionally, there are compliance and regulatory requirements that must be met in order to demonstrate the effectiveness of the security measures in place.

Key areas to consider:

  • Business objectives and risk appetite

  • Oversight and governance of the cloud program

  • Threat and compliance-driven security controls

  • Continuous monitoring and drift detection

  • Talent

  • Culture

When migrating to the cloud, every organization must think about how they'll govern the process. This includes applying appropriate policies and oversight, as well as implementing technical controls. It is crucial to approach this from a threat-driven perspective, considering the various threat actors that may try to compromise security practices and policies.

Cloud Governance is Key

For financial services, cloud governance is essential. Cloud governance is a set of policies and procedures that help organizations manage their cloud computing resources effectively. It is important to establish a clear cloud governance structure before moving to the cloud, as it helps ensure that cloud resources are used securely and efficiently. This requires an organizational, operational, and technological approach to assist financial services in leveraging the cloud.

There are three lines of governance that are important for cloud governance:

  • First line of governance: This is responsible for the day-to-day management of cloud resources. It typically includes IT teams, development teams, cybersecurity, and DevOps teams.

  • Second line of governance: This is responsible for overseeing the first line of governance and ensuring that cloud resources are being managed in accordance with organizational policies and procedures. It typically includes audit and risk teams.

  • Third line of governance: This is responsible for providing independent assurance that cloud governance is effective. It typically includes an audit that reports to the board's audit committee.

When implementing an organizational, operational, and technological approach to cloud governance, you should consider the following:

  • Infrastructure pipelines: These are automated pipelines that can be used to deploy and manage cloud infrastructure via Terraform.

  • Application pipelines: These are automated pipelines that can be used to deploy and manage cloud applications with embedded security controls and checkers.

  • Data pipelines: These are automated pipelines that can be used to move and manage data in the cloud using tools like data classification, data tokenization/encryption, and data loss prevention tooling.

  • Change management: An integrated process for managing changes to cloud resources that enforces good governance around change.

  • Policy revisions: This is the process of reviewing and updating cloud governance policies and procedures with stakeholders.

  • Monitoring: This is the process of logging and tracking changes to cloud resources, as well as monitoring the environment for security. This includes application, infrastructure, and security monitoring.

  • Asset inventories: This is a process for identifying and tracking cloud resources and what is running at any given time.

What to Consider With Cloud Adoption

As you move to adopt the above, it’s important to take an “everything as code” approach in order to scale operations and ensure repeatability in deploying and recovering applications and in ensuring controls are working effectively.

Financial services is a highly regulated industry, and cloud adoption brings increased scrutiny from regulatory and compliance partners. To address this, a cloud-native approach should be taken to mitigate risk and alleviate concerns. This requires collaboration among different teams, including frontline, technology, business, security, tech controls, operational risk management, and audit teams. By working together, a secure and compliant framework can be established.

Trusted third parties may also be involved in the implementation process. It is important to consider how their work will be verified and how their expertise can support the project. This may involve testing and verification of audit and compliance solutions.

From an executive perspective, it is crucial to communicate the cloud strategy and its benefits to the business. This includes demonstrating how security and compliance controls are continuously monitored and maintained. The cloud offers opportunities to showcase compliance and risk through data analysis. Gradual improvements should be made to the control environment over time, fostering a culture of quick learning and adaptation.

In summary, financial services moving to the cloud must address security, compliance, and governance considerations. Collaboration among various teams is essential, as is the involvement of trusted third parties. Executives should effectively communicate the cloud strategy and ensure continuous compliance and risk monitoring. As with all organizational change management, culture is an important aspect of keeping the team motivated and able to fail fast. This culture has to be demonstrated by leadership and by all teams working collaboratively to achieve the mission.


About the Author(s)

David Stone

Solutions Consultant, Cloud CISO, Google Cloud

David has been a leader in cyber security across multiple industries, including his last position serving as the CISO for Wholesale and Enterprise Technology, where he protected trillions in annual payments and billions in assets under management. He has decades of experience across multiple verticals, including as Global Director of Security Architecture at Lenovo, State and Local government, and the National Security Agency. He currently serves on the advisory board of EC-Council Certified CISO and previously on the Federal Reserve Secure Payment task force.

David is now part of the Office of the CISO at Google Cloud, where he uses that expertise to advise other companies and security teams in order to protect the world in Google’s “shared-fate” model as they digitally transform.
