The Cloud Security Alliance (CSA) recently issued its latest survey report, State of Financial Services in Cloud. The survey found that while the use of cloud services is increasing, the pace of adoption depends on the speed at which cloud service providers (CSPs) and financial services can meet security and operational expectations as well as demonstrate adherence to regulations.
- Cloud adoption continues to increase within the financial services sector with 98% of respondents reporting that their organization is using some form of cloud computing. This is up from 91% in 2020.
- Multi-cloud is the new reality for financial services with 57% of organizations surveyed reporting they currently use multiple cloud service providers (CSPs) for their IaaS/PaaS needs.
- Zero trust was cited as the top priority by respondents, followed by cloud regulation, multi-cloud management and shared security responsibility.
- The majority of financial services use cloud computing for regulated data with 59% saying they store or process regulated banking information within cloud services, and only 25% having no future plans to do so. However, only 28% of respondents said they are using public cloud services for the majority of their regulated workloads, an 18% increase from 2020.
- 91% of respondents rated their concern about security and operational issues resulting from CSP-initiated cloud service changes as High or Medium.
- Only 9% of respondents felt they had a highly robust cloud security program.
- 65% of those surveyed use the Cloud Controls Matrix (CCM) and Continuous Assessment Initiative Questionnaire (CAIQ) to demonstrate adherence to frameworks, establish an internal cloud security controls framework, and establish an internal cloud risk management approach.
The findings of this report will be used by CSA’s soon-to-be-launched Financial Services Leadership Council. Composed of financial service representatives, CSPs, and other relevant organizations, this committee will identify priorities pertaining to research, education, analyst briefings, and assurance frameworks and programs, and use them to guide future research, standards requirements, training and education.