Over the last few years, Cloud Infrastructure-as-a-Service (IaaS) solutions have become a highly popular approach for IT outsourcing in many industries. The advantages of IaaS are obvious: flexibility, speed and no capital expenditures.
Banks have slowly started to use public cloud services, in particular for those parts of their business that depend on speed and flexibility. However, while many industries can easily transfer workloads into the cloud, the financial services industry faces special challenges when it comes to compliance. Banks are confronted with very demanding regulatory requirements related to security and data confidentiality, in particular when CID (client identifying data) is involved. Financial regulators will always hold a bank responsible for the compliance of its IT infrastructure and IT operations, even when these have been outsourced: accountability cannot be outsourced along with the workload. Hence, banks need cloud providers who understand these requirements and can build, and help operate, banking IT workloads in a regulatory compliant cloud environment. As a new breed of specialised Cloud IaaS providers emerges, banks can now count on compliant cloud infrastructures as well as services delivered by cloud professionals who have experience with the strict regulatory environment under which banks operate.
The bank and the cloud provider have to ensure compliance at three separate levels.
The first level covers the legal framework of the country in which the data is stored, together with the physical security of the data centres. Adequate data privacy can only be ensured when that country’s legal framework offers sufficient data protection. In addition, the data centres in which the cloud provider operates its cloud have to comply with the stringent physical security policies that are required for bank outsourcing.
The second level covers the compliance of the cloud provider and its cloud infrastructure. This includes the cloud provider’s processes as well as its contractual framework, i.e. customer and employee contracts. The cloud provider must be able to provide proof of the relevant certifications and compliance audit confirmations, such as compliance with ISO 27018 – “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”. The cloud infrastructure must be corporate grade, meaning it must be able to reproduce the typical IT architectures of banks. These architectures regularly include several distinct security zones, separated by layered security controls such as multiple routers and firewalls deployed in sequence, so that traffic must pass each layer in turn. Such designs enable the bank to differentiate between zones with maximum protection, accessible only to a restricted group of persons, and other zones with less restrictive access rules. The cloud provider must understand how banks use these designs to operate their specific IT workloads and must be able to provide the corresponding technical security features (network segmentation, per-zone firewalling and access control). Another corporate grade element is redundancy at multiple levels, allowing e.g. for disaster recovery setups across geographically separate data centre locations.
The third level covers the ability of the cloud provider to support the bank with the relevant know-how to set up and operate compliant IT workloads in a cloud environment. It is not sufficient for the cloud provider to be compliant in its own infrastructure, governance and processes; the entire outsourced bank IT workload needs to be compliant too. This includes the initial architecture and its security design elements as well as the governance and processes under which bank employees and/or employees of the cloud provider access and operate this workload. The cloud provider has to understand the implications of such setups, and its employees have to be trained accordingly.
Where cloud providers typically help banks on their way into the cloud
To make a bank’s cloud project a success, it is vital that the cloud provider supports the bank from the moment it first considers transferring an IT workload into the cloud. This starts with gaining a thorough understanding of the bank’s workload. Typically, banks want to test certain aspects of their workload before starting an implementation project; performance testing is just one example.
Once the cloud provider has a full understanding of the bank’s IT workload, it will be able to deliver a sound quote that realistically reflects the workload’s initial cost implications. Cloud IaaS offers typically follow some form of pay-as-you-go model, so a common understanding of the initial resource requirements is crucial to get this figure right.
As a next step, the cloud provider will support the bank with architectural design options in the cloud. The cloud provider can further support the bank when it pursues due diligence activities, a regular requirement in particular when the business relationship is new. A cloud provider’s expertise and experience in such processes can significantly speed them up. Such activities can comprise detailed questionnaires, additional performance tests and on-site visits to the cloud provider’s data centres. The same goes for the availability of corporate grade contracts and SLAs, which have to be in line with the requirements of banking organisations.
If all these steps are successfully completed, the IT environment can be set up in the cloud. Testing of individual modules can already begin while the infrastructure setup is being finalised, and continues until service readiness is fully achieved. This means that the testing phase has been successfully completed and the bank gives its approval to start using the cloud environment productively.
Having the right partner is key
For banks and other financial services companies it is essential to fully understand how compliance can be achieved when outsourcing certain workloads into the cloud. Having the right partner, one who understands a bank’s compliance requirements in the cloud, is key. For the cloud provider, it is not sufficient to just provide the plain cloud infrastructure. The cloud provider’s organisation has to fulfil strict compliance standards, and its employees need the know-how to support the implementation and operation of such workloads in the cloud. This enables the bank to achieve significant gains from higher flexibility and lower costs while still remaining compliant with the regulatory framework it operates in.
Once banks and other financial services firms have overcome these hurdles, the rate of adoption of cloud solutions by them will significantly increase.
By David Mote, COO of Safe Swiss Cloud.