Blog article
See all stories »

Compliance in the Cloud?

There is always a trade-off

If you ask a cyber security expert to secure your enterprise environment, they may not allow anyone to login or even access email remotely and would request that you use passwords such as s23r8@#$23nr2345$% and also request that you change them to something just as confusing every 7 days. This quickly gets in the way of people doing their job. There has to be trade-off. But is this really a risk vs reward scenario or can there be a happy (and secure) medium?

We see something similar with software solutions that are hosted onsite (your IT manages it) vs cloud solutions (the vendor manages it). The latter is often referred to as SaaS (Software as a Service). Normally to get new software installed, which in turn provides a service to the business, there are a number of hurdles to get over. Those hurdles predominantly involve time and money when the outcome you want is really the service the software provides. In the argument of software onsite vs cloud services, what are you really risking? With the recent proliferation of FinTech and RegTech (Regulatory Technology) and it's tendency's to lean towards the cloud for faster deployments and scalability, we look at the questions that vendors and their customers are facing.


"Financial services software either makes you money, saves you money or reduces your risk. Some do all 3"


Your data, at someone else’s house

As the world of technology moves away from high upfront software and hardware costs towards subscription based services or cloud offerings, the questions heard from the market and businesses looking to make this move are:


"Is all my data secure?"

"Is my client’s personal and/or company data secure?"


These questions are valid and businesses should definitely be asking them. The reality is, SaaS or cloud providers have the exact same concerns. Their businesses depend on their client’s and the data they hold for them. They are responsible for their client’s data and need to make every effort to ensure it’s security. The cornerstone of any SaaS or cloud provider’s business is data security. If they were to be hacked and have data leaked, this could be potentially very damaging to their business, and for some companies this would put them out of business entirely.


"Is cybersecurity and its effects on compliance something you discuss at management meetings?"


Strap in

The move to the cloud is happening fast and it’s no longer a matter of if or when. If you look at the largest cloud provider on the planet, Amazon Web Services (AWS), you’ll see they are growing at a rapid rate. Many companies are not buying servers anymore and hosting themselves, they are leveraging the power and scale of cloud providers. Oracle and Microsoft have effectively become cloud companies and are actively promoting this.

Microsoft Office 365 Cloud now hosts all email data for insurance giant Metlife, with 64,000+ staff on their platform. Monthly active users of Office 365 commercial now number over 85 million, up more than 37% year over year. The SaaS CRM leader, Salesforce, now has a market cap of US$61.32B(at time of writing) and is a 100% cloud company. You cannot install their software onsite.

Salesforce now boasts such clients as Barclays, American Express, GE, Unilever and more. These companies all trust their data with a cloud software provider. Not just any data; but sensitive data such as their client lists, prospects, partners etc. All on Salesforce cloud. Even UBS has moved compliance functions to Microsoft Azure cloud and DTCC are moving to the cloud “to reduce risk and cost and improve the resiliency and security of DTCC’s systems”. Reduce risk?

These vendors, large or small, are all too aware of the kind of scrutiny placed on cloud or SaaS providers. To do business with big companies, you need to pass through vetting processes and lengthy due diligence questionnaires. Ever seen these kind of questions below asked of your business?


"Who in the organization is the owner for the Information Security program?"

"Does the organization encrypt data at-rest?"

"Does the organization multi-tenant data or processing on the same system? If so, how is confidential client data kept secure?"


100% cloud is not always the only option

Before SaaS or cloud vendors make any changes to their offerings, they think of data and application security. The cost of getting this wrong far outweighs the efforts involved in getting it right. Some companies will offer a number of ways to deploy their software, including: Public Cloud, Private Cloud and onsite/Hybrid solutions.

It’s by far easier to manage a shared service/public cloud offering as they only need to manage a group of scalable servers that they have control over. If deploying their offering onsite, they need to engage with IT teams, security teams, operational infrastructure teams etc. This presents some challenges and certainly adds to the hurdles.

Decision makers are often caught in a tough position when exploring cloud or SaaS as a viable alternative to traditional infrastructure and application service methods. Fear of data leak and location is the primary concern. But does the cost savings outweigh the perceived risk?

The financial argument

From a purely financial standpoint, many decision makers are not entirely aware of the true cost of operating their environments. Expenses relating to a facility and infrastructure often are hidden in other budgets. So their view of operational cost is limited to staff, hardware purchases, maintenance agreements and software licensing. Overlooked expenses often include the impact of business damaging downtime and the cost of capital that could be more efficiently used in generating income. On the whole, the SaaS or cloud initial outlay and ongoing costs have proven to be more cost effective than going with onsite. However not everyone is ready for the cloud.

Evaluating business needs

Research shows that cost is seldom the primary driver toward cloud services. Instead, improved service levels, infrastructure agility and increased security ranks as the top three drivers. Overburdened infrastructure or small IT teams often cannot cope with the rate of change and demand, and desperately need to empower business units to provision services that add value, fast.

If the goal of a business is to move more quickly than their competition, the platforms on which they innovate and operate must keep up with these requirements. If they cannot, then irrespective of the cost of a cloud solution, they are simply not performing a business enablement role.

So where are we now?

The question of whether cloud is a viable alternative to the existing methods of deployment is not a comparison of apples to apples. An organisation needs to determine accurately what it’s objectives and goals are at a business level, understand whether they can afford to divert much-needed capital into a non-core activity such as operating IT infrastructure and then consider whether a scalable, flexible and cost-efficient solution will serve their original goals more effectively. And most importantly, securely. Make sure you do your research and due diligence on any vendor holding sensitive data.

For many providers, time will tell and the market will drive them in the direction it sees fit. At this point, there is a definite increased interest in cloud and SaaS but some companies are reluctant the be the first movers, but don’t the first movers often get the advantage?

Comments welcome below. 

Originally posted in our blog series here


Comments: (1)

A Finextra member
A Finextra member 29 August, 2017, 04:08Be the first to give this comment the thumbs up 0 likes

Find us at 

Member since




More from member

This post is from a series of posts in the group:

Asia Financial Services

Covering all aspects of financial services in Asia from banking in China to algo trading in Japan.

See all

Now hiring