Bank of England CIO: ‘think twice about cost, security, data sovereignty in the cloud’
Firms looking to adopt cloud-based services should consider the security and data privacy implications associated with moving critical systems into the cloud, and not let vendors drive their technology strategies for them, according to Bank of England CIO John Finch.
Finch, who was speaking at the Cloud World Forum in London on Wednesday, told an audience of enterprise IT professionals and technology vendors that businesses should consider the data sovereignty implications when moving into the cloud.
“If you go to a partner to host your data, you need to ask questions. Do you know where the boxes it runs on are and do you know the legislation that covers those boxes?” he said. “One well-known provider promises your data will stay in Europe. But with this provider the boxes sit in the Nordic region somewhere. Who here knows Nordic law?”
He said that businesses should exercise caution when it comes to assessing cloud service providers’ approach to security, a huge area of concern for the Bank and the rest of the financial services community among others.
“Remember, when you go to a third-party provider you are placing some of your security posture in their hands. That may be a good thing if they have the expertise, but remember you are leasing part of their perimeter,” he said.
While stressing the challenges associated with bringing more cloud services into organisations more broadly, he did say that he didn’t want to seem like a “cloud denier,” acknowledging the many benefits his organisation, among others, has realised as a result of using these platforms (he said he couldn’t discuss specific systems for security reasons) – agility, reduced cost, and faster time to market, for instance.
But Finch also suggested that cloud vendors have had a tendency to over-promise and under-deliver, particularly on the cost of cloud services, and that businesses should resist letting vendors set their technology strategy for them.
“All the vendors will be telling you ‘you don’t need IT teams, they’ll do the heavy lifting for you.’ That is sometimes true, and there are cases where cloud can be a real enabler, but that doesn’t mean it’s always right,” he said.
“The vendors will also tell you there is a financial upside but my answer is, don’t let their bean counters tell you how to count your beans, go and see an external accountant.”
The Bank of England is among a number of financial services companies stressing caution when it comes to cloud adoption, in large part because of the often significant cost implications of a security breach, but also because of data sovereignty restrictions within some contexts.