Source: https://disruptive.asia/fintech-players-cloud/
FinTech services are all the rage at the moment, and one reason for that is the prevalence of cloud computing platforms that enable such services. Which is ironic, given that traditional banks and financial institutions have been famously conservative about cloud adoption – even private clouds seemed risky compared to closed proprietary networks under their control. FinTech start-ups, on the other hand, have wholeheartedly embraced cloud as an enabler to break into the finance business quickly.
Dr Hing-Yan Lee, executive vice president of APAC for the Cloud Security Alliance, talks to Disruptive.Asia editor John C Tanner about the role of cloud in the FinTech explosion, and the security and compliance challenges that come with the territory.
Disruptive.Asia: What trends are you seeing in terms of cloud adoption for FinTech services?
Dr Hing-Yan Lee: Adoption of cloud services in the FinTech industry is surely increasing. Benefits for FinTech services using cloud include higher scalability, market-dependent flexibility and much faster service update cycles. Industrial leaders like HSBC already report that they are adopting cloud solutions – we expect other FinTech players to follow.
The HSBC case is interesting because traditional finance players have been wary in the past of trusting anything to a “cloud” – why are start-ups more willing to risk embracing the cloud?
Many startups find cloud solutions to be a low-cost capex investment, spending on a pay-per-use basis, as their business grows. A faster deployment cycle also enables them to change their strategy according to market needs. Traditional players are in general of a bigger size, so migration to another technology is by necessity a much longer process. However, their executives and investors are also aware of this situation, and they’re demanding much faster and agile change.
What specific security challenges are there with cloud-based FinTech services?
The major security challenges depend on the skillset of current security practitioners. Security assessment methodologies against on-premise devices are usually well-developed compared to cloud connected devices. Most traditional security assessors are competent in system admin or network configuration, but not many of them are familiar or certified with cloud-related technologies. The Cloud Security Alliance has been working towards better education for information security professionals in a cloud environment through its Certified Cloud Security Knowledge (CCSK) and Certified Cloud Security Professional (CCSP) courses and certification.
Apart from education, how else are security challenges being addressed, both by cloud providers and the FinTech companies?
Cloud service providers and FinTech companies are spending more resources to train their employees to embrace the latest cloud technologies and keep up with issues related to IoT adoption and compliance with general and sector-specific regulations – for example, data protection laws such as GDPR. Many of them are also engaging certification bodies to acquire cloud security related assurances like the STAR certification provided by CSA.
Speaking of GDPR, can you talk more about the regulatory and compliance challenges involved in terms of cross-border situations – for example, FinTech services that are available globally, not just a single market or regulatory environment?
Of course, regulatory requirements and laws differ from country to country, so any strategy for personal data protection can be determined individually, but not with a single global view. That said, the CSA has developed a Code of Practice for GDPR compliance to ensure transparency and compliance with the law. It provides cloud service providers with a tool to adhere to EU data protection compliance and demonstrate it via certification. It also provides cloud customers with a tool to evaluate the level of a cloud service provider’s data protection compliance.