
Banking in the Cloud: Key Considerations for IT Leaders

It seems like a lot of organizations are sprinting to get their data and services into ‘the cloud,’ but for financial institutions, there are specific challenges to consider. This article lays out those obstacles and some considerations for overcoming them.

According to the Boston Consulting Group (BCG), it is estimated that two-thirds of companies are already utilizing cloud environments, with the expectation that more than 30% of core business applications will run on public cloud services by 2025 [1].

The big exception – financial institutions. While other companies are quickly moving their workloads and applications to services like Amazon Web Services (AWS) or Azure, financial institutions have more obstacles and challenges that slow their adoption of cloud solutions.

So, why are financial institutions falling behind?

Internal Challenges – Risk and Cost

There are two major internal challenges identified by BCG that are halting financial institutions’ adoption of the cloud – risk and cost.


Risk

Unless a consumer stores their money under a mattress, banks are an integral part of their livelihood. From paying rent to getting a loan for a new car, banks are trusted to securely store money for when consumers need it most.

If any core banking systems are misconfigured during the transition, or disrupted once in the cloud, the ripple effects could be severe. A consumer might not be able to pay their water bill that month or buy groceries for their family that week. The damage to the bank’s reputation and brand may be unrecoverable, costing the bank customer trust and valuable business. For many banks, those risks might not be worth the reward.


Cost

Cloud services are often a cost-saving solution for organizations. But for financial institutions, moving custom applications, systems, and back-office data into the cloud might be too costly and complex.

This complexity is due in part to the many customizations of their systems and applications, which are designed to support pre-existing best practices. This challenge directly affects medium-sized financial institutions. Larger banks have more resources and manpower to overcome those challenges, while smaller banks may not.

Technical Challenges

In addition to the internal challenges, there are also many technical challenges involved in transitioning financial institutions over to cloud solutions. Three of these challenges include legacy systems, custom applications, and security.

Legacy Systems

Many financial institutions still rely heavily on legacy systems. This includes mainframes and the applications running on them. In many cases, these systems are still viable and resilient solutions, which means there’s no urgent need for banks to transition to the cloud.

It is worth noting, however, that many of the professionals who have spent decades working on mainframes and building the custom applications on them have since retired or are likely approaching retirement.

In addition, there is a lack of understanding and education around these legacy systems amongst younger professionals in or entering the workforce. This lack of understanding might just be the push some banks need to move into the cloud. Up until this point, it was okay to have the mentality, “If it ain’t broke, don’t fix it.” However, this may not be a valid argument moving forward.

Custom Applications

Custom applications are another barrier to entry, since many banks have spent years – or even decades – building their own software and applications to best serve their customers. Because of these customizations, cloud environments like AWS or Azure might not be able to support all the pre-existing functionality of those custom apps.

Security

In addition to providing services to their customers, another priority of any financial institution is to make sure their customer and proprietary data is secure. But just because the data sits on some server somewhere in ‘the cloud’ doesn’t mean it’s inherently secure. When cloud customers store their data in a datacenter that is separate from their own, they lose visibility into how secure it is.

Addressing the Challenges

Many banks are wondering if moving custom applications and data to cloud solutions, such as AWS or Azure, is the right decision for them and their consumers. Here are some things to think about.

Consider a Multi-Cloud Strategy

One solution to address some of the challenges outlined above is the multi-cloud strategy, which is the implementation of multiple cloud solutions.

According to a Google Cloud survey, 90% of financial service provider respondents deemed a multi-cloud strategy to be of interest [2]. This strategy reduces the likelihood of disruption due to outages, ensuring that consumers are able to access their banking services whenever they have a need.

A multi-cloud strategy would also address the challenges of customization needs due to in-house applications, unique regulations, and security controls. Since many banking institutions have application customizations that would require support from their cloud provider, using more than one cloud solution will allow banks to support much more of their applications’ functionality and criteria. This is because different cloud solutions offer different functionality, allowing financial institutions to choose the solutions whose services and controls best fit their needs.

Understand the Shared Responsibility Model

The shared responsibility model of your specific cloud provider(s) is extremely important to understand.

This model means that the cloud provider secures the physical infrastructure while the cloud customer secures the data on those devices. While the shared responsibility model reduces some of the security team’s duties, the division of responsibilities between the cloud provider and cloud customer isn’t as clear as it appears.

The details of the shared responsibility model differ from one cloud provider to the next. Understanding the fine line between the cloud provider’s responsibilities and your own will be the first step to understanding what security gaps exist in your environment.

Take Some Security Steps

If you currently use or plan to use AWS, here are some easy action items to lock down your environment:

  • Create a Security Account
  • Turn on CloudTrail, GuardDuty, and Access Analyzer for all accounts and send those logs to the Security Account
  • Turn on S3 Block Public Access

By setting up a designated Security Account and sending logs to it, your organization will have increased visibility and a forensic trail if and when an incident occurs.

By blocking public access on any S3 bucket that does not need it, the organization will limit the access to, and potential misuse of, data that resides within those buckets.
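The action items above, written out as AWS CLI calls for one member account. This is an added example, not code from the original article; the account ID, the trail and analyzer names, and the log bucket (assumed to sit in the Security Account with a bucket policy that lets CloudTrail write to it) are placeholders.

```shell
#!/usr/bin/env bash
# Added example: per-account AWS baseline for the action items in the article.
# Placeholders (assumptions, not from the article): account ID, trail name,
# analyzer name, and a log bucket owned by the Security Account.
# Default is a dry run that prints each command; set APPLY=1 to execute.

run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# usage: baseline <member-account-id> <log-bucket-in-security-account>
baseline() {
  account_id=$1
  log_bucket=$2

  # CloudTrail: one multi-region trail with log file integrity validation,
  # delivered to the bucket in the Security Account.
  run aws cloudtrail create-trail --name org-baseline-trail \
    --s3-bucket-name "$log_bucket" \
    --is-multi-region-trail --enable-log-file-validation
  run aws cloudtrail start-logging --name org-baseline-trail

  # GuardDuty: detectors are regional; this enables the current region.
  run aws guardduty create-detector --enable

  # IAM Access Analyzer: reports resources shared outside the account.
  run aws accessanalyzer create-analyzer \
    --analyzer-name baseline-analyzer --type ACCOUNT

  # S3 Block Public Access at account level: all four settings on, so a
  # single bucket policy or ACL cannot expose data publicly.
  run aws s3control put-public-access-block --account-id "$account_id" \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
}

# Run only when called with both arguments, e.g.
#   ./baseline.sh 111122223333 example-security-logs
if [ "$#" -eq 2 ]; then
  baseline "$1" "$2"
fi
```

GuardDuty and Access Analyzer are regional, so the calls need repeating per region in use; aggregating their findings in the Security Account is configured separately through AWS Organizations delegated administration.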

Security can be a daunting task, but your posture can be greatly improved with a few simple steps and by understanding your responsibilities.

Performing a Cost-Benefit Analysis

Deciding if and when to move your environment to the cloud isn’t a one-size-fits-all decision. As a team, perform a cost-benefit analysis to determine if moving your financial institution to the cloud is the right decision for you and your consumers.

During this exercise, consider the following:

  • Direct & indirect costs (ex. labor, inventory, materials)
  • Cost of potential risks (ex. regulatory risks)
  • Intangible costs (ex. customer and employee impact)

And through the process, keep your consumers top of mind. They are at the core of any business, but this is especially true for financial institutions.


