Stung by high-profile data breaches and heightened scrutiny from regulators, banks and other financial services companies are making major investments in sophisticated cloud security infrastructure. The move allows them to operate in cloud environments and assure customers and enterprises that sensitive financial data can be stored and managed securely.
Companies that have sensitive financial data have spent billions to get out of legacy data centers turning to cloud technology, citing the need for agility, flexibility and to better adapt to rapidly changing threats.
Equifax, one of the nation's leading credit services firms, spent more than $1.5 billion — the largest investment in its history — to convert its systems to the cloud in an effort to ensure that data security was embedded into its systems, not just bolted on, according to Jamil Farshchi, CISO of Equifax.
Changes have been underway for several years, as financial institutions faced sophisticated attacks from ransomware, supply chain attacks and other sophisticated nation-state activity. Equifax said it worked to overhaul its technology stack following the high-profile breach disclosed in 2017, which resulted in a leadership shakeup and regulator scrutiny.
"The cloud provides our company and customers with unmatched security layers and controls, greater than anything an on-premises infrastructure can offer," Farshchi said.
Equifax now has full visibility into the operating effectiveness of it's cloud security environment and can view 200 controls in real time, which is something it could not do with an on-premises system.
The company also has the ability to make universal changes to its security policies without having to make disparate configuration changes.
Security concerns are driving financial services companies toward a hybrid cloud model with increased investments in private cloud, according to a study by Nutanix released earlier this week. The study is based on a survey of 3,400 IT decision makers around the world by U.K.-based researcher Vanson Bourne.
The company's third-annual Enterprise Cloud Index Report shows 43% of financial services companies expect to boost spending in private cloud over the next year, while hybrid cloud is expected to grow by 39% over a five year period.
"The challenge for legacy-based institutions lies in balancing the need for multi-market expansion at speed and scale, whilst overcoming the reliance on traditional IT systems," said Tapan Mehta, director, industries solution marketing at Nutanix.
Financial institutions have traditionally favored on premises infrastructure, hosted IT or private cloud over public cloud and cloud services providers due to compliance and regulatory requirements, Mehta said. While many organizations continue to invest in public cloud, a large number of financial services organizations are taking a hybrid cloud approach to balance security and manage costs.
The ability to capture, store, secure and analyze this data in real time is critical for financial institutions as this capability is necessary to combat financial crime, remain competitive and drive innovation, according to Mehta.
"By being able to crunch down granular data ranging from call center notes, criminal records, credit ratings, past claim records and transactional patterns, you will be far better equipped to accurately and effectively transact business," Mehta said.
Financial services firms have remained wary of public cloud-based workloads after Capital One's data breach, disclosed in 2019, exposed the records of 106 million customers in the U.S. and Canada.
"Security is number one in terms of things that need to be done by a significant margin in terms of things that need to be done, but we're starting to see a lot more concerns around complexity," Jason Malo, a research director at Gartner.
Financial services providers can effectively deploy using hybrid or private cloud when initial security concerns are addressed with an accurate threat model during design and deployment, as opposed to waiting after the cloud has been rolled out, according to Alex Heid, chief research and development officer at SecurityScorecard.
"A secure development/deployment lifecycle process that ensures proper configurations, combined with continuous external perimeter monitoring of both infrastructure and applications will go a long way to identify vulnerabilities before they become exploited incidents." Heid said.