Leveraging best practice to maximise the benefits of cloud technology
Large financial institutions have leveraged private data centres to host and operate core platforms and systems for decades.
But now, enterprises across the globe – from new fintech start-ups to established regulated market participants, and infrastructure entities to government agencies and regulatory authorities — are increasingly outsourcing corporate and business applications to a public cloud service provider (CSP) using a shared, multi-tenant hosting infrastructure.
However, moving to the cloud requires careful consideration across a number of areas. A primary area of focus must be on the shared responsibility model with CSPs.
While the CSP provides the hosting services in the form of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) along with infrastructure security capabilities, it is the responsibility of the financial institution using the CSP to implement and monitor those capabilities and ensure regulatory compliance.
As a result, to promote the safe adoption of the cloud, financial institutions should undertake a robust risk assessment while considering audit functions, management processes and accountability within all levels of an organisation.
The use of cloud in the financial services industry has exploded over the last few years as firms seek to take advantage of its benefits.
For fintechs, the cloud removed a significant barrier to entry. For established financial institutions, the scale and processing power offered by CSPs cannot be matched, even by the largest enterprise data centres.
In addition, cloud services are increasingly being used by regulators and government agencies, including the policymaking community. At the same time, regulators across jurisdictions continue to assess the impact of cloud adoption across the industry as the use of cloud services expands.
Best practice starts with these four themes
Through this continued adoption, firms have learned from hands-on experience, and a number of best practices have been established in order to realise the full value of cloud technology while ensuring the proper controls and management capabilities are in place to mitigate risks.
These practices can be categorised into four broad themes:
Meeting regulatory obligations
First, firms must ensure they continue to meet their regulatory obligations. Although outsourcing any operational or technology function may relocate the activity to third-party providers, a regulated entity cannot outsource its regulatory responsibilities.
As a result, the entity should put the appropriate policies, governance structures and control regimes in place prior to outsourcing any regulated function.
The regulated entity also has an obligation to its stakeholders to confirm that the technology used for any business process is appropriate for the regulatory and functional requirements of that process.
In addition, partnership across key teams, including IT, Compliance, Legal and Risk groups, is essential to ensuring successful adoption of cloud and on-going oversight of CSPs.
Second, firms should ensure that the chosen cloud application programming interface (API) has sufficient foundational technology capabilities in terms of architecture, automation, on-premise capabilities and the ability to “lift and shift” all or parts of workloads to the cloud.
Before cloud technology, deploying a new application required a lengthy physical infrastructure acquisition process. Cloud technology changed that model overnight and provisioning infrastructure resources is now just an API call away.
This provides tremendous power to application developers, but also creates risks that cloud resources could be created without adhering to a firm’s required policies and requirements.
Cloud APIs should be included in approved architectures and enabled through standard designs and tools to ensure they are used according to a firm’s policies.
Third, it is critical that firms place a continued emphasis on the further expansion of resilience capabilities, even as more workloads are shifted to cloud hosting.
The past few years have placed a heightened focus on building and enhancing the resiliency of the financial markets due to the increased interconnectedness of the financial ecosystem and the evolution of the cybersecurity threat landscape including increasingly sophisticated attacks.
Financial institutions have business continuity requirements that must be maintained regardless of whether services are provided in-house or outsourced, and must therefore work with CSPs to ensure that the necessary resiliency measures and disaster recovery are in place.
Managing and monitoring contractor obligations
Finally, firms must ensure that CSP vendor contracts include obligations in a number of key areas including security considerations, evidence of available capacity and data localisation and privacy.
Vendor risk is a critical consideration. Proper governance of third-party vendors, and particularly CSPs, is becoming increasingly important as more capabilities are moved out of traditional data centres to cloud providers.
By leveraging cloud services and engaging with CSPs, industry participants can benefit from a more flexible environment, efficiently scaling technology to respond to fluctuating business volumes and demands at a compelling cost.
However, in doing so, firms must continue to assess and refine their cloud adoption strategy to ensure regulatory compliance, carefully adopt APIs, propel resiliency and effectively manage third-party vendor risk.
This will allow firms to take full advantage of the benefits of cloud technology while meeting the highest levels of resiliency and security as well as meeting compliance obligations.
About the author
David Chayer is managing director, cloud, IT product management and infrastructure delivery at The Depository Trust and Clearing Corporation (DTCC).
He also serves as the co-chair of the IT Innovation Council and was previously executive director of IT, enterprise infrastructure and operations at Omgeo.