Five Cloud Myths about Core Banking Systems (Article 2)
Article 2: Cloud as a Cost Driver and a Gateway for Cyber Attacks?
In collaboration with Swisscom, a series of articles has been written to address common cloud myths in the banking context. Through four articles, we aim to explain and clarify these myths while providing simple and common cloud terminology to help you understand cloud technology.
In today’s article, we clarify Myth 1 and Myth 2, and in the final article, we will cover the other three myths:
- Myth 1: The Cloud always saves money
- Myth 2: The Cloud makes it easy for cybercriminals
- Myth 3: Once you choose a cloud provider, there’s no turning back
- Myth 4: Moving software to the cloud automatically makes you more innovative
- Myth 5: Cloud migration is too complex
Myth: The Cloud always saves money
Reality: Cloud is not necessarily cheaper; it must be correctly configured, optimized, and monitored to achieve lower costs.
In theory, it’s often argued that operating expenses (OpEx) are preferable to capital expenses (CapEx) and that pay-per-use models are more cost-effective than running an in-house data center. In practice, however, this assumption can be misleading. Cost reduction should not be the primary decision factor for moving to the cloud. Instead, the cloud offers technological advantages, such as faster time-to-market for financial products that can be tested on a small scale and quickly scaled if successful. Although running a data center requires significant investments in hardware, infrastructure, and personnel, companies can achieve long-term savings and customized control with careful planning. Therefore, the cloud is not automatically cheaper than an in-house data center.
Why can the cloud be more expensive? One major reason is the flexible billing models, which allow companies to pay only for the resources they actually use. This is especially beneficial when data processing demands fluctuate. However, costs can quickly escalate when processing large volumes of data with intensive I/O demands or using complex, specialized financial applications. Additionally, reliance on various external providers (cloud providers, SaaS vendors) and hidden costs can make expenses hard to calculate. The complexity arises from managing and integrating different services, making it difficult to get a clear overview of actual costs. This shows that the cloud is not automatically cost-efficient, and a thorough analysis of individual requirements and usage patterns is necessary.
Choosing the public cloud only makes sense if it leads to significantly higher business value. An important aspect here is the use of managed services and dynamic scalability, allowing companies to efficiently and flexibly respond to changes in demand. However, this alone does not always guarantee faster time-to-market (TTM); the time-to-market also depends on the company’s overall strategy and the integration of cloud technologies.
A proven framework for managing cloud costs transparently while maximizing business value is FinOps. FinOps promotes a cost-conscious culture across all areas – from development and architecture to finance and operations. The goal is to increase cost efficiency, improve system robustness, and bring products to market faster (Bill Anderson, 2024; Google, n.d.).
Myth: The Cloud makes it easy for cybercriminals
Reality: Cloud technology follows the latest security standards, technologies, and processes.
The myth that cloud technologies make it easier for cybercriminals is widespread but incorrect. While an in-house data center may initially seem to provide a sense of control and security, the reality is much more complex. In fact, major cloud providers offer extensive security measures that often exceed what many companies and banks could implement themselves.
While using cloud services means giving up some direct control, providers like AWS, Microsoft Azure, and Google Cloud invest significant resources in developing cutting-edge security protocols, processes, and technologies. Microsoft, for instance, employs thousands of security experts who monitor and counter threats 24/7. They invest over a billion US dollars annually in cybersecurity (Microsoft Corporation, n.d.-a; Microsoft Corporation, n.d.-b). These economies of scale are difficult for many organizations managing their IT internally to match. Running an in-house data center also requires highly specialized experts for regular maintenance, access controls, physical security, and hardware firewalls – all within an environment where the “war for talent” makes such specialists particularly hard to find (Wintergerst, 2024).
One major risk, however, remains in both cloud and in-house data centers: the human factor. Studies show that human error and carelessness are responsible for nearly 70% of all security incidents, regardless of where the data is hosted (Meyer et al., 2023; Verizon, 2024; Wintergerst, 2024).
Despite this, cloud technologies offer significant advantages for banks and core banking system providers, particularly concerning security mechanisms. These include advanced encryption methods, continuous monitoring, and modern security protocols that help manage security risks while also simplifying regulatory compliance. Notably, FINMA circulars (FINMA-RS), such as 2008/01 on Cyber Security and Operational Risk (OpRisk), are relevant here. They regulate the strict requirements for cybersecurity and data access management that banks must adhere to.
The Global Public Cloud (GPC) offers a wide range of integrated security solutions, including encryption, data loss prevention (DLP), intrusion detection/prevention systems (IDS/IPS), identity and access management (IAM), and more. These features provide significant advantages through their scalability and availability. However, the key point is: all of these security features must be properly configured and implemented before they can be effectively used. The “out-of-the-box” model does not always work, and specialized expertise is needed to use these built-in tools optimally and fully exploit the security potential.
Thus, cloud services alone do not automatically guarantee comprehensive cybersecurity. A continuous security approach is essential, where all available measures are correctly implemented, constantly monitored, and regularly updated to adapt to evolving threat scenarios. Principles like “Zero Trust,” 24/7 monitoring, and regular security reviews must be deeply integrated into the security strategy to ensure that potential threats are detected early and effectively countered (Microsoft Corporation, n.d.-a; Microsoft Corporation, n.d.-b).
In addition to providing security protocols, operating in a GPC ensures that protection against cyber threats remains a dynamic and ongoing process. Systems must be constantly updated and optimized to be prepared for new threats. Only through this continuous approach can a high level of security be guaranteed and the long-term resilience of systems ensured.
References
Bill Anderson. (2024, June 22). What is FinOps? Microsoft Learn. https://learn.microsoft.com/en-us/cloud-computing/finops/overview
Google. (n.d.). What is cloud FinOps? Google Cloud. https://cloud.google.com/learn/what-is-finops
Lucas Augusto Meyer, Sergio Romero, Gabriele Bertoli, Tom Burt, Alex Weinert, & Juan Lavista Ferres. (2023, May 1). How effective is multifactor authentication at deterring cyberattacks? arXiv.org. https://doi.org/10.48550/arXiv.2305.00945
Microsoft Corporation. (n.d.-a). Microsoft digital defense report 2023 (MDDR). Microsoft Security Insider. https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023
Verizon. (2024, January 5). 2024 data breach investigations report: Half of the breaches in EMEA are internal. Verizon. https://www.verizon.com/about/news/2024-data-breach-investigations-report-emea