By 
The working group, which includes cloud and technology providers, will tackle security and classification issues first
Banks, technology companies and cloud providers are working together to define best practices for how financial institutions move their data to the cloud and keep it safe from hackers.
Morgan Stanley and financial-data company Refinitiv Holdings Ltd. are co-chairing a working group that includes Citigroup Inc., Deutsche Bank AG , Standard Chartered PLC, Toronto-Dominion Bank Group, Lloyds Banking Group PLC and Société Générale SA, among others.
“Cloud technology has outstanding potential, but we must ensure that the right data controls and infrastructure are in place,” said Richard Perris, an executive director at Morgan Stanley.
To date, individual cloud customers are largely on their own to handle these activities. The banks say there are methods that can be standardized and even automated, such as ensuring compliance with regulatory requirements and encrypting data.
Developing a set of standards that companies can use to measure their progress and ensure security will allow them to move to the cloud faster, without being bogged down by the need to develop features themselves, Mr. Perris said.
The initial focus of the group will be to assess and classify what data is stored on cloud services and to protect it appropriately, said Oli Bage, global head of business and data architecture at Refinitiv, which provides data and technology to banks.
“Regardless of the size of your cloud platform, you need to know what data you’re putting onto it and how sensitive that data is to protect it properly,” he said.
Leading cloud providers, including Amazon.com Inc.’s AWS, Alphabet Inc.’s Google Cloud Platform, Microsoft Corp. and International Business Machines Corp., are participating in the project, and plan to integrate the working group’s standards within their cloud services. The Capital Markets Co., a London-based consulting firm, will provide project management services.
The cloud companies hope that a standardized approach to these problems will lead to the adoption of further cloud technologies, said Evren Eryurek, director of product management at Google Cloud.
“It’s unusual to get them all to agree to be in a room together collaborating, but from a small start, they’ve grown to sending a large number of their engineering teams to participate in the discussions,” Mr. Bage said. He added that the group will publish work as it is completed.
The group plans to deliver the first set of best practices around these areas in August, he said. Elements of the best practices can quickly be added to the cloud platforms by the providers.
The working group is the latest move by companies to assert control over how their data is used and stored in cloud environments, partly motivated by a series of cybersecurity incidents across industries that have stemmed from poorly secured or open data stores on cloud services.
The Open Networking User Group, which includes representatives from FedEx Corp. and Cigna Corp., for instance, said in May that it would press cloud providers to standardize how they disseminate security information to clients.
While the Morgan Stanley-led group has started with financial services firms, technology providers and consultancies, Mr. Perris said that the framework, which will be available free online, can apply to other industries.
The framework is based on the Data Management Capability Assessment Model, maintained by the Enterprise Data Management Council, a nonprofit trade association participating in the group.
The model allows banks, regulators and others to systematically assess how their data management practices are performing and where improvements need to be made.
Developing this framework will also assist with navigating international privacy laws, such as Europe’s General Data Protection Regulation, said John Bottega, the EDM Council’s president.
“Many of those acts require you not only to protect sensitive data but in many instances also house that data in-country,” he said. “Typically, cloud providers haven’t had to worry about that, but now it’s becoming a regulatory requirement, not just for financial, but all industries.”
He expects the first full version of the framework to be complete within nine months.
Write to James Rundle at james.rundle@wsj.com
Comments