Is a change of approach required to benefit from cloud services as critical infrastructure?
Financial institutions have traditionally utilised highly customised, on-premises technology and infrastructure with large data centres that are typically expensive to implement and not able to support rapid transformation and innovation. IT support and development teams get caught up working on updates and upgrades to legacy systems, and innovative new solutions and applications can take years to integrate into the existing IT infrastructure, meaning the financial services sector has in some areas struggled to keep pace with other sectors.
However, the “on-demand” nature of cloud services enables quicker adoption of applications and software critical to running the front end of a business without large upfront investment costs, giving more agility to businesses and therefore an opportunity to get ahead of their competitors.
The almost instant elasticity of cloud services ensures fluctuations in demand can be met and scalability can be achieved with ease, and businesses don’t need to endure the cost of large IT teams to manage and support an entire IT infrastructure.
Nevertheless, for financial institutions to effectively utilise cloud services as part of their critical infrastructure there must be an acceptance that it presents a different business model and with that must come a different way of operating and engaging with cloud service providers.
Financial institutions that are utilising a shared public cloud service, whether that’s through Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS), for critical infrastructure will inevitably forego some of the control they have typically had when managing their own on-premises IT environment. This might be in the way that performance issues or defects are resolved, what security features or access controls are utilised or ultimately the way that the service is delivered.
This doesn’t mean that an organisation should not retain responsibility for its own security and delivery of its own services but that its way of assessing and evaluating risk must change. Instead of dictating these granular internal requirements relating to the cloud service, it needs to focus on its internal strategy and risk analysis which leads it to outsource a function in the first place and its assessment of the supplier to which it outsources.
Instead of imposing its own access controls and detailed security requirements, the focus should be on establishing key security principles that must be met and minimum security requirements against which a financial institution evaluates a supplier’s own security.
Regulation in this area, including the EBA Guidelines, focuses on operational resilience, and key areas such as business continuity, availability, security and continued oversight of the cloud service provider are inevitably areas of focus for the regulator when assessing this. However, the focus of all parties must be on obtaining a thorough understanding of how the cloud service provider is resilient, and this is where we often see a conflict between what is requested by a financial institution and what can be achieved by a cloud service provider trying to streamline its processes and delivery across all customers to enable it to benefit from shared cloud resources.
There currently exists a fine balancing exercise between facilitating and encouraging innovation and adoption of cloud integrated services, ensuring financial institutions which underpin our economy remain accountable for overall operational resilience even when utilising outsourced providers, and adhering to the regulatory framework in this area. As cloud integrated services become more common, I believe the sector as a whole will need to reconsider how standards and minimum requirements are streamlined so cloud providers can operate effectively with shared cloud resources with certainty that they are operating within the regulatory parameters that financial institutions are required to meet.
For now, fintech providers should engage early on with key customers in their sector to ensure they have defined best security practices, business continuity and resolution processes that customers will be able to engage with and accept, while acknowledging that their customers are highly mature organisations who can help shape best practices.
Financial institutions, on the other hand, must focus on evaluating and assessing a cloud provider’s existing processes and technology and supporting them in identifying any gaps, as opposed to arbitrarily imposing their own processes and requirements on them.
Financial institutions make informed decisions to outsource critical functions and utilise cloud services where such services offer greater security and resilience than their own infrastructure might otherwise provide. Dictating the internal operations of that supplier risks undermining the benefit of utilising cloud infrastructure. Instead, both parties must focus on defining governance processes, regular communications and detailed dialogue to ensure effective oversight of the outsourced function to enable financial institutions to remain accountable and not become empty shells while giving enough flexibility to cloud providers to streamline their processes and deliver the most benefit from cloud IaaS.