Politics and the cloud: Who do you trust most to keep your data secure?

Rushing into a cloud migration to keep up with where you perceive your peers to be is a risky business, says Virginie O’Shea, founder of Firebrand Research, who urges financial institutions to carefully evaluate how and what we move, and when.

The last 12 months have been dominated by industry discussion about cloud. Regulators, politicians, bank CEOs and CTOs – they’ve all been in the headlines on the subject. Whether it’s a bank announcing a strategic partnership with one or other of the cloud providers, or political discussion about developing a European alternative to those providers (step forward Gaia-X), the refrain has been the same. The cloud is the future of the industry and we need to get there faster than we have been.

I wrote a report a couple of years ago that highlighted how slowly the industry has been moving to a cloud-hosted environment overall. Yes, there are exceptions to that—just look at hedge funds that set up with all their operations up in the cloud—but for large financial institutions the move has been slow and cautious. Unsurprisingly, securities services has been one of the slowest sectors of the industry to move.

The COVID-19 crisis has taught us the benefits of cloud-native technologies that easily enable remote access and can scale up and down as required without major redundancy. The benefits have been well discussed over the last couple of decades and those seem to have intensified as large banks try to prove to the market they are digitally transforming at scale. After all, cloud environments are the perfect DevOps location.

But has this cautious approach been warranted? Are we missing a trick here? Regulators seem to be obsessed with the notion of concentration risk at the moment – especially in light of incoming global regulation on operational resilience. If banks move all of their operations to one cloud provider, what does that mean for their operational risk? How much influence can they realistically exert on a large technology company? How can they prevent anticompetitive pricing in the future?

There is also a huge political element to these discussions. I’ve already spoken about why Gaia-X is such a priority for the European Union (see my earlier comments here: https://www.globalcustodian.com/blog/is-that-a-pie-or-a-cloud-in-the-european-sky/). Even if it’s something of a pipe dream, it’s a pillar of the Capital Markets Union and numerous other EU-level initiatives. The power of the bigtechs is seen as a direct threat to the power of the politicians and regulators in Europe, the US and many other parts of the world. That’s why we’ve seen discussions about monitoring and even limiting the influence of these players within various sectors. Data privacy laws reflect these concerns—after all, in a global and connected market, why should we be concerned about the location of data?

Importantly, outside of politics, cloud also isn’t always the cheaper option and we need to keep that in mind when assessing the future of our technology stacks. Firms have gone into cloud transformation programs expecting immediate or short-term savings and instead been faced with much higher costs and a shortage of qualified staff to help them with their migrations. All of this isn’t to say that cloud adoption is a bad thing; we just need to evaluate how and what we move and when.

Rushing into a cloud migration to keep up with where you perceive your peers to be is a risky business. Cybersecurity should be front and centre of your project, and every application programming interface (API) that you build and every solution you design should factor this into the equation.

I had an interesting conversation with a contact about cloud the other day that made me think about how we perceive cloud providers. He championed the future of governmental clouds (including Gaia-X) as a more secure alternative to the likes of AWS, Google, etc. His proposition was that if national security agencies feel these clouds to be secure, then they should be equally secure for banks and other large financial institutions. My thought, however, is this: do you trust that the government is better placed to keep ahead of cybercriminals, or is it the technology companies themselves that have the most firepower?

After all, it all comes down to trust and control.