According to Citihub’s latest white paper, How to approach Regulatory Compliance with Public Cloud Services, the financial services industry is on the cusp of a global wave of cloud adoption. However, convincing regulators that cloud adoption does not compromise financial institutions’ ability to manage information security risk is no easy task. bobsguide talks to Chris Alison, MD of Citihub in Hong Kong, about the white paper and the regulatory challenges that financial institutions face when adopting cloud technologies.
Tell me about your white paper.
How to approach Regulatory Compliance with Public Cloud Services demonstrates a proof point for the maturity of cloud delivery models in meeting financial services industry requirements. The theoretical exercise stemmed from a client roundtable of around nine banks discussing the challenges they face when adopting public cloud in Asia and their ability to adopt different services in different jurisdictions. The roundtable concluded that many of the banks are unsure what criteria regulators expect them to meet when it comes to cloud adoption, and highlighted their uncertainty about what they need to do in order to meet regulatory requirements.
It has been assumed that public cloud is not allowed in many jurisdictions; however, this attitude has recently changed in Asia. In 2013, the Monetary Authority of Singapore (MAS) told the Association of Banks in Singapore (ABS) not to assume that the answer to public cloud adoption is “no”, and said that the banks should come and ask them.
At Citihub, we wanted to conduct some research into this situation, so we decided to map MAS’s Technology Risk Management Guidelines against the capabilities of a leading public cloud provider, Amazon Web Services (AWS). We took the Technology Risk Management Guidelines line by line and looked at how AWS can meet MAS’s requirements and what kind of controls financial institutions need to overlay on top of AWS’s capabilities.
The white paper summarises our research, providing our interpretation of AWS’s current capabilities and highlighting what we think the most contentious conversations with MAS will be. We identified seven areas:
- Transparency: Do financial institutions have sufficient transparency into their cloud infrastructure? Regulators want businesses to take accountability for the technology systems that their business processes run on, and want these companies to demonstrate full visibility into how those systems are managed. This includes audit rights and knowledge of physical data centre locations.
- Data Co-Mingling: Financial institutions will have to demonstrate to MAS that sufficient isolation is achieved. MAS specifically talks about co-mingling when it mentions cloud computing. Co-mingling means that your company’s data is held in the same data centre as another company’s, or on the same hosts or storage disks. The question raised by MAS is what technology or process controls can be put in place to reduce interference by other parties. Regulators will require sensitive data (e.g. client data) in particular to feature application-level encryption.
- Portability: Regulators will want to see that financial institutions have sufficient system recovery scenarios in place when AWS services are not available.
- Governance: There are a lot of governance changes happening at board level within financial institutions, in particular concerning the protection of data in local environments. Local regulators within each jurisdiction will want to see that local boards of directors understand the risks that they are taking with the data.
- Service Management Integration and Engagement: There is a lot of work that financial institutions have to do with regard to extending their processes into the cloud. MAS will want to see whether financial institutions have effective operating models in place to deal with the unique properties of a cloud model.
- Rapid Application Development: The cloud model lends itself to rapid prototyping, which is the agile development team’s dream: a faster time to market and, inevitably, a faster time to risk. MAS will be keen to see that effective controls are placed around developers and DevOps groups operating in the cloud model.
- Concentration Risk: We live in a world where Amazon is the clear leader at the public cloud level. However, if banks were to suddenly flood into Amazon and start running critical systems there, there would be concerns about concentration risk and security threats. In the cloud there are extra measures that financial institutions have to take.
Citihub believes that AWS’s risk and security posture, combined with the right IT governance and controls within a financial institution, can help to eliminate regulatory concerns relating to adoption of cloud.
What are the biggest challenges for banks?
The challenge for international banks is that they usually have global systems, and if part of a global system is moved to a public cloud provider then it becomes a multi-jurisdictional issue rather than a single-regulator issue. Banks require all regulators to agree; otherwise they cannot move their systems to the cloud. This is going to be a journey for banks and isn’t something that will happen overnight.
Where are banks leading the way?
A few large Australian banks have been very vocal in their support for cloud and I think banks in this region are feeling the pressure to change their systems.
Where do you see the future of cloud adoption?
The financial services industry is on the cusp of cloud adoption. Over the next 24 months I think there will be a lot more cloud-based activity, which will help banks get their operations sound and get used to running their operations in a cloud model. The next big step that banks have to take involves critical systems and sensitive data, but I don’t think this will be done in the short term.
By Nicole Miskelly, bobsguide Lead Journalist