Cloud Security in Focus
For capital markets companies, describing data security as mission-critical may be an understatement. A failure to meet tightening compliance mandates can result in monetary fines and reputational damage; worse, a breach or hack can crater customer and counterparty confidence.
So any consideration about migrating to the cloud must begin and end with security. Agility, connectivity, efficiency, and performance are selling points, but only if the cloud environment is secure. “Security seems to be one of the biggest hurdles” in cloud adoption, said Bill Fenick, strategy and marketing director, financial services for Interxion, a provider of European colocation data-centre services. “It’s a topic that often comes up first in conversations.”
Securing data is not a DIY project.
“Financial services companies are looking for a cloud partner that can help them ensure the privacy and security of their data,” Gavan Corr, principal, financial services at Google Cloud, told Markets Media. “Many financial services companies are finding they are able to better ensure the security of their data in the cloud than on-prem, due to the resources, scale, and expertise of public cloud providers.”
One strategy that addresses security concerns while also unlocking benefits of the cloud is the hybrid cloud, in which a company works with a cloud provider to scale and deliver services to customers, while keeping sensitive data ring-fenced in on-premises IT servers.
“The hybrid cloud solution plays a nice role” in easing companies onto the cloud, Fenick said. “This can enhance security because you’re mixing the cloud, with a lot of capacity and storage there, with your on-premises IT resource. You protect the very sensitive stuff by having it stay within your control, but the non-sensitive stuff you can abstract away.”
The most direct security concern regarding the cloud is having data exposed to actor(s) with bad intentions. On a more brass-tacks level, the concern is meeting the demands of regulators, who are increasingly paying attention to the technology as it gains prevalence.
In Europe, the Markets in Financial Instruments Directive II and the General Data Protection Regulation come into force in the first half of 2018. Both rulesets will give regulators broader power to mandate reporting of data loss, as well as punish transgressions. “A lot of the main security concerns are around regulation and compliance,” Fenick said. “Companies don’t want to be ‘named and shamed’ and fined.”
For a financial firm, broad cloud-security considerations should include being data-centric, understanding how to protect data, and understanding how to protect the availability of systems to avoid business disruptions. That’s according to Jim Reavis, co-founder and chief executive officer of the Cloud Security Alliance.
Reavis noted that any concerns about a security breach should be de minimis with the top tier of cloud providers, which includes bellwether tech names such as AWS, Google, and Microsoft. “The top tier can provide superior security than almost any other type of organization,” he said. “They have the people and the processes, and with their scale, they can invest in state-of-the-art security technology.”
Corr noted Google Cloud customers benefit from the years of effort and investment Google has put into its own platform, and it offers advanced safeguards such as a private dedicated global fibre network as an end-to-end security model supported by more than 700 security engineers.
“Google Cloud encrypts customer data content at rest, encrypts remote procedure calls between data centers by default and defaults to HTTPS between the user and Google,” Corr said. “All of this is on top of a purpose-built hardware chip which establishes a root of trust for machines and peripherals which run the physical cloud infrastructure.”
Financial services customers can also take advantage of customer-supplied encryption keys, which enable full ownership of data assets; homomorphic encryption, which allows algorithms to use encrypted data values without first having to decrypt them; and an identity and access management platform that allows for role-based access control.
So once the specs of the actual security are squared away, it comes down to a compliance issue, plus just general comfort about a different and decidedly less tangible system. A financial executive might say “I understand that my information can be protected well in the cloud, probably better than I can do myself, but yet I can’t touch it and grab it like I used to,” Reavis said. “I can’t go in my own data center and see it.”
Cloud adopters need to be okay with moving from a physical security control to more of a virtual security control. “And then they need to get all the necessary compliance check-offs in what is a heavily regulated business,” Reavis said. “Showing compliance can be a problem, because the technology is new and regulatory regimes are typically behind.”
Going forward, Reavis said he expects more interest and activity in the area of cloud security, given the seemingly inevitable migration of IT to the cloud.
“Almost all organizations I talk to, including financial services, are saying cloud is the endgame. So there definitely will be more comfort,” he said. “But on the other hand, just as why you rob a bank is because that’s where the money is, we will see a proportionate rise in cyber-security incidents in cloud computing over the next several years as that becomes an area of focus.”