The US Treasury Report on Cloud Adoption in Financial Services and how AWS is supporting customers
Earlier this year, the United States Department of the Treasury (UST) released a report titled “The Financial Services Sector’s Adoption of Cloud Services,” based on discussions with financial services and technology organizations, including AWS. The report discusses the ways financial institutions (FIs) and consumers can benefit when FIs use cloud services, including “reduced costs, ability to rapidly deploy new information technology (IT) assets, shorter time to develop new products and services, and enhanced capabilities for security and resilience.”
The report also calls for continued evolution on important topics in cloud adoption including operational risk, transparency, international regulatory fragmentation, and training. AWS is committed to working with the UST and financial services regulators to strengthen the security and resilience of the financial services industry. In this post we outline how AWS supports customers to build and operate on AWS in a secure, resilient, and compliant manner.
Meeting the most stringent security requirements
Security is our top priority, and AWS is vigilant about our customers’ privacy and protecting their content. We are committed to providing all customers, including governmental agencies and financial services customers who trust us with their most sensitive content, with the most extensive set of security services and features. This ensures customers retain complete control of their content, including the ability to encrypt it, protect it, move it, and delete it in alignment with their organization’s security policies.
The UST report cites enhanced security and resilience capabilities as motivations for cloud adoption among FIs and the UST alike, and AWS is architected to be the most flexible and secure cloud computing environment available today. Our core infrastructure is built to satisfy the security requirements for the military, global banks, and other high-sensitivity organizations. It is backed by a deep set of cloud security tools, with over 300 security, compliance, and governance services and features that benefit financial services customers of all sizes—from Fintech startups to the largest banks, broker-dealers, insurers, and market centers in the world.
In addition, AWS supports 143 security standards and compliance certifications, including: PCI-DSS, CSA STAR Level 2, ISO 22301, 27001, 27017, 27018, 27701, GDPR, FIPS 140-2, and NIST 800-53 and Cybersecurity Framework (CSF), helping our financial services customers satisfy compliance requirements for virtually every regulatory agency around the globe.
Architecting for resiliency
Cloud adoption reduces risks faced by the financial services industry as it modernizes and moves away from legacy technology that, in some instances, is many decades old. AWS is helping the global financial services industry improve resilience and reduce risk overall by helping individual financial services organizations decrease their operational risk.
There are differing perspectives on how best to build for resiliency. We agree with the UST report that a multi-region architecture in AWS is a far more practical approach to resilience than building for seamless portability across CSPs. Our global infrastructure, consisting of 31 Regions and 99 Availability Zones, is designed to be highly secure and reliable. We strive to minimize operational incidents, but when large scale events do occur, we deliver post-incident communications through tools including Security Bulletins and Post Event Summaries.
To provide scalable and thorough assurance to our global customers, AWS has multiple independent third-party auditors conduct extensive audits of our security controls. These auditors evaluate the breadth and depth of our secure environment to provide a high level of transparency with regard to the design and operation of our controls.
Customers can audit their own AWS environment, and AWS provides a wide range of services, including AWS CloudTrail, AWS CloudWatch, and AWS GuardDuty, that can provide customers visibility into account activity along with real-time monitoring, detection scanning, and automatic remediation of anomalies or misconfigurations. To help identify and address incidents, customers also have access to four different levels of support based on the scale of workloads they have in the cloud. Though service degradations or disruptions are rare, our AWS Health Dashboard service provides both a public and an account-specific view that helps customers monitor their environment.
We support customer due diligence requirements by making detailed controls information available publicly through our Consensus Assessment Initiative Questionnaire (CAIQ) and our System and Organization Controls (SOC) reports. We are committed to supporting customer audits when required as part of regulatory compliance, and to making the audit process more efficient for all parties involved.
International regulatory coordination
AWS engages with financial regulators and policy makers around the world on current and emerging regulatory requirements. We also help them build their mastery and understanding of AWS services and of how the cloud helps reduce certain risks within the global financial system.
We support financial services regulatory coordination and harmonization across jurisdictions in order to promote a level playing field for customers and to avoid market fragmentation. AWS responds to questions from regulators on a variety of topics, including security, resiliency, and concentration risk, through our contributions to policy discussions, industry consultation on regulatory reforms, or our regular regulatory summits. We provide insights into how financial institutions can use AWS services with confidence and in compliance with their regulatory obligations.
We also support regulatory collaboration through national and international bodies, including the Financial Stability Board (FSB), and their efforts to advance a coherent cross-border regulatory framework that will support financial services customers who want to adopt cloud. Establishing consistent regulations across global sectors and regions could reduce costs for consumers, financial institutions, CSPs, and examining authorities by avoiding overlapping and duplicative regulatory driven assessments.
Cloud skills training and enablement
AWS offers financial services customers and partners education, training, and certification resources, including hundreds of courses at no cost, through AWS Training and Certification. Our commitment to help 29 million people globally grow their technical skills with free cloud computing skills training, and to comprehensive enablement programs like AWS Skills Guild, helps customers develop the skills they need to build on AWS in a secure and resilient manner. AWS also regularly creates and publishes technical content, including our Prescriptive Guidance and AWS Security Reference Architecture, with the goal of helping customers more easily configure and use cloud services to help address their business needs and challenges.
Our Security, Compliance, and Audit teams work with our financial services customers to support the execution of operational excellence, security, reliability, and performance best practices. We also offer customers tools to support architecting highly secure and resilient workloads, including the Well-Architected Framework and a deep library of blogs, whitepapers, and sample architectures.
Additionally, we created the AWS Customer Incident Response Team (CIRT) to provide training and tools to help customers prepare for how to respond should they have an event in their environment. In December 2022, CIRT released five publicly available security event simulation workshops to help customers learn the tools and procedures that AWS CIRT uses on a daily basis to detect, investigate, and respond to security events.
Working with the United States Department of the Treasury
It’s exciting to watch our customers in the financial services industry innovate on AWS in unique ways, across all geographies and use cases. Regulations continue to evolve within the financial services sector, and we’re working hard to help customers proactively respond to new rules and guidelines.
AWS looks forward to collaborating with UST and the Cloud Executive Steering Group as they pursue the next steps outlined in the report, including conducting tabletop incident management exercises with the industry, reviewing sector-wide incident proposals, and fostering effective risk management practices in the financial services sector.
Customers interested in learning more about security, compliance, and resiliency can find additional resources here:
- AWS’ Approach to Operational Resilience in the Financial Sector and Beyond
- AWS Well Architected Framework – Financial Services Lens
- Building Mission-Critical Financial Services Applications on AWS