Two new studies show the cloud is steadily creeping its way into financial services — a reflection of economic necessity, the growing proliferation of cloud technologies and the changing nature of IT management.

Yet as bank technology executives make decisions about what types of work they are willing to run in the cloud — in other words, in a third-party's servers connected through the Internet — their outlooks still range from warm embrace to full-on paranoia.

One study of 20 large financial firms, conducted by Skyhigh Networks, found that their use of cloud computing increased 11% between the third and fourth quarters of 2014 and 28% between 2013 and 2014.

To David Levin, director of information security at Western Union, the shift should be happening even quicker.

"We continue to go cloud-first," he said. "Obviously it starts with cost and time to deliver. Why build it when you can get it right away?"

For instance, Western Union uses some cloud-based human resources systems. "Cloud computing use continues to grow because it's easier, it's better and it requires a lot less heavy lifting," he said.

A second study outlined the industry's cautious transition and the concerns of the reluctant.

Cloud Security Alliance's review of 102 financial institutions around the world found that 7% had a strict no-cloud policy, 32% had a cloud usage policy, and 61% were working on developing a cloud policy.

Among those with the no-cloud stance, 86% said this was due to security concerns, and the same percentage also cited compliance concerns. Privacy was an issue for 79%, data retention and destruction for 79%, and data residency for 57%.

"We see across all industries pretty aggressive adoption of cloud computing," said Jim Reavis, the alliance's co-founder and chief executive as well as president of Reavis Consulting Group. "Financial services companies are more careful and likely do a better job on average than other enterprises."

LINE IN THE CLOUD

If you were to draw a bright line between the things banks find acceptable to do in the cloud and those they do not, core-account processing would be out of bounds, Reavis said. Ancillary software — for use in loan origination, wealth management and other tasks — are considered safer and cloud-ready.

"We see a lot of cloud services in the mortgage industry, where banks end up being a participant," Reavis said. "More and more account information does end up in cloud services that are complementary or adjacent to the core back end."

Some community bankers, however, want to be able to go down the hall, visit their own servers and know their data is safely tucked inside.

"The highest priority for me is knowing where our data is, knowing I can go put my hand on the data vault," said Johnny Cox, IT manager at 1st Franklin Financial in Toccoa, Ga. "I don't just say, 'Hey, it's on somebody's Internet server somewhere.' "

This attitude is understandable, especially given bank regulators' recent focus on vendor risk management and cloud security.

Yet Adrian Sanabria, senior security analyst at 451 Group, takes issue with the perception that the cloud is less secure than internal IT.

"The feeling that you can walk down the hall and lay hands on your servers doesn't tell you who's accessing those servers," he said. "If anybody says their data center is more secure than SoftLayer's or Amazon's or Microsoft's, I'd really doubt that kind of statement. It's [the cloud providers'] job to run data centers; that's all they do. So they probably do a better job of it than you do in your own data centers, with a few exceptions."

Resistance to the cloud is largely cultural, he said. "How you run things in the cloud is so different that we need different tools to do it, a different mindset and different approaches as well," Sanabria said. "There are a lot of hurdles there. Part of it is getting used to it and part of it is having the supporting tools and skill-sets necessary to make such a big leap."

And cloud services can actually make monitoring and auditing easier, Sanabria asserted. "If you look at [document-storage provider] Box, I think that's an excellent example where companies are actually directing employees to store their files on the cloud because the company has so much better visibility of what data is in those files and who they're sharing those files with, where those files are being copied or moved. All that capability they wouldn't have if it was sitting on a traditional file server in the company's data center."

LINGERING SECURITY WORRIES

Acutely conscious of bankers' qualms, cloud providers have been stepping up their use of encryption and their security certifications.

"The top-tier cloud providers provide better security than anybody else," Reavis said. "Below that there are different grades. Some have been upgrading their capabilities. I think the cloud is being held to a higher standard of security than people's own internal IT systems. ... When I hear stories of what even large companies are doing in their own internal IT systems, I really cringe. I don't hear as many of those horror stories among cloud providers. They have to have good security or they go out of business."

Some security experts argue that the never-ending onslaught of cyberattacks and fraud episodes have changed the game to make cloud-specific security concerns irrelevant.

Chief information security officers "will admit that they are already infected," said Rajiv Gupta, co-founder and CEO of Skyhigh Networks. "They all have malware and infections inside their organization. This notion of keeping the barbarians at the gate is a fallacy. Now the question is, can we detect when the barbarians might take stuff out?"

Levin doesn't quite agree that anybody can walk in the door of the typical company's networks. "But if you just stop at the gate, then you're not really doing a good job," he said. Many companies are turning to behavior analytics to catch errant data use — for instance, an employee who normally might download 10 account records suddenly obtaining 500.

"As big data continues to grow, security companies are looking at not only the threats but the individuals themselves — are their patterns changing?" Sanabria noted. "Do they typically log in from a different location? Why are they accessing files that maybe their profile never touched?"

The cloud is changing IT irrevocably, Levin said. "I'm a big believer in the [chief information officer] being an enabler of IT," he said. "If a cloud service is going to be the better fit for the business and you're going to be able to move faster and be nimble, then absolutely it's a good choice, as long as you do it with the right people involved, with the proper certification and the ability to exert the same controls that you have internally."