Security and Operational Controls for a Public Cloud Service in a Financial Institution
Copyright (c) 2025 Oláh István, Magyar Sándor

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Abstract
Cloud computing services are growing rapidly today. Among the main reasons are increasing competition and innovation in the market, growing demand for resources in IT systems, and demand for more complex knowledge-based solutions. Deploying a server and performing the associated tasks on an organisation's own infrastructure can often take weeks or months, while the same process takes only a few minutes with a cloud service provider. The use of cloud services has become commonplace for anyone using mobile devices, and for financial institutions this technology is becoming inevitable in the short term. According to the criteria examined, there is no reason why a financial institution should not use public cloud services, provided that the organisation carefully selects a service provider on the basis of legal, technical and information security criteria and then monitors its operations on an ongoing basis. It is important to stress, however, that our analysis did not cover all possible risk factors.