Moving Banking into the Cloud: Managing Risks in Tech Solutions

Elango
5 min read, Jul 23, 2019

Banks are finally moving to the cloud — a sign that the finance industry could at long last be turning the corner. The cloud corner, that is.

For years, banks and financial institutions have been nervous about working in the cloud, where they will need to move their processes, services and sensitive information from their typical onsite data centres to the omnipresent Internet. Banks would cite security concerns and risks associated with migrating from their localised data storage structure.

Today, banks no longer fear this concept of the cloud as they did in the past. A big motivation behind that is that banks, in a bid to beat disruption and launch new products, are increasingly partnering with Fintech startups, and the latter’s products and solutions are mostly hosted on the cloud.

Banks are also starting to embrace the benefits that cloud-based offerings can deliver, such as cost reduction and efficiency. As banks are increasingly forced to adopt new ways of delivering services to a generation of users that expect instant access to services online, they are beginning to grasp that they no longer can afford to resist cloud technologies like they used to.

These technologies, in brief, allow organisations to store and access data, processes, programmes and services on any device with an Internet connection. This enables greater convenience and efficiency, and the quick delivery of services and solutions both internally and externally to customers and partners.

Yet the adoption of the cloud poses a huge challenge to banks. They have, after all, spent decades relying on the same legacy systems and security methods, tried and tested to death. Given those constraints, banks could find moving to the cloud a demanding task.

How then can banks adopt cloud technology, and effectively manage the risks — which do exist — in these technology solutions? As a simple guide, here are five key areas that a bank’s chief technology officer or IT manager should look out for when selecting Fintech and cloud solutions partners.

Cloud Provider Compliance

The first is cloud infrastructure certification and compliance. Every country’s banking industry and regulators have laid out clear instructions on the reporting of associated controls and how infrastructure has to be managed. Most managed cloud providers, such as Amazon Web Services, Alibaba Cloud and Microsoft’s Azure, come with a list of infrastructure certifications corresponding to these controls. In addition, it is crucial for banks to check on the certified standards and compliance controls on the partner’s product that will be hosted on the cloud, giving them a jumpstart to any engagements. Some of the standard certifications include the SOC 1, SOC 2 and SOC 3 with country-specific certifications such as Technology Risk Management and Outsourced Service Provider’s Audit Report (OSPAR) in Singapore. Depending on the industry, banks might also have to consider activity-related compliance laws such as the Payment Card Industry Data Security Standard, an information security standard for organisations that handle branded credit cards from the major card schemes.

Impact on Software Development Lifecycle

Some of the key advantages of a cloud-based environment for the software development lifecycle are a lower cost of experimentation, smaller and more frequent release cycles, and the ease of creating sandboxes for testing. However, these advantages, which could reduce the risks and dependencies of a successful integration, typically go unnoticed at the higher project-management level. Banks should seek to understand from their Fintech partner the specific benefits they could use, such as the provision of a sandbox environment for the bank's tech team to test and understand the software.

Data-loss Prevention

Cloud infrastructures are typically shared in a multi-tenant architecture. This requires the bank to acquire a deeper understanding of the virtual layers and how they are managed and secured.

Data-loss prevention controls, which address sensitive information being compromised through theft, human error or viruses, have to be reviewed and fully understood by the bank, along with the vendor's change and incident management processes. A key approach to mitigating risk in this cloud environment is to emphasize encryption requirements for data-at-rest and data-in-motion. Security shouldn't be an afterthought confined to penetration testing and vulnerability assessments; the vendor should demonstrate controls in each and every phase of the software development lifecycle. Just last year, due to a bug, passwords to Twitter accounts were written to an internal log without encryption. Had it been exploited, this could have had devastating effects, exposing potentially 300+ million users to a security incident.
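The Twitter incident above is a logging defect rather than a cryptographic one: a debug path wrote a request body, password included, to a log store. As an added example that is not from the article or from any vendor, the following Python code shows one control that closes that gap, a logger-level redaction filter that rewrites every record before any handler sees it, plus an audit check a DLP review could run over an existing log sample. The key names, the `bank.auth` logger name and the sample log lines are constructed for illustration.

```python
import logging
import re

# Keys whose values must never reach a log store (constructed list; extend per policy).
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "api_key")

# Matches key=value and "key": "value" forms, case-insensitive; the value ends at
# whitespace, a quote, a comma, an ampersand or a closing brace.
_PATTERN = re.compile(
    r'(?P<key>' + "|".join(SENSITIVE_KEYS) + r')'
    r'(?P<sep>"?\s*[=:]\s*"?)(?P<val>[^\s,"&}]+)',
    re.IGNORECASE,
)

def redact(text: str) -> str:
    """Replace the value after any sensitive key with a fixed marker."""
    return _PATTERN.sub(lambda m: f"{m.group('key')}{m.group('sep')}[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Logger-level filter: even a debug call that dumps a whole request body
    is rewritten before handlers format and persist it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # expand %-style args first
        record.args = ()                          # args already folded into msg
        return True

def emit_through_filter(msg: str, *args) -> str:
    """Build a record the way logging does and return the text a handler would store."""
    record = logging.LogRecord("bank.auth", logging.DEBUG, "auth.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()

def find_plaintext_credentials(lines) -> list:
    """Audit check over an existing log: 1-based line numbers that still carry a
    sensitive key with an unredacted value."""
    hits = []
    for n, line in enumerate(lines, 1):
        if any(m.group("val") != "[REDACTED]" for m in _PATTERN.finditer(line)):
            hits.append(n)
    return hits

# Constructed sample log lines (not real data) for the audit check.
SAMPLE_LOG = [
    "2019-07-23T10:00:01Z INFO login ok user=alice ip=10.0.0.5",
    "2019-07-23T10:00:02Z DEBUG request body: user=bob password=hunter2",
    '2019-07-23T10:00:03Z DEBUG payload {"user": "carol", "password": "[REDACTED]"}',
    "2019-07-23T10:00:04Z INFO token refresh api_key=abc123 ok",
]
```

Attach the filter with `logging.getLogger("bank.auth").addFilter(RedactingFilter())` so it applies regardless of which handlers are configured; the audit function is the control you would ask a vendor to evidence for logs already written.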

Incident Management

The fourth area is incident management, a key aspect of all cloud services. DDoS and other cyber attacks are significantly more frequent, with an 84% increase in attacks according to Kaspersky DDoS Protection Q1 2019 statistics. This would mean an average of 18 million cyber-attacks occurring daily, something all banks have to recognize and prepare for when moving to the cloud.

Managed cloud services differ from traditional data centres in that the bank has less control of the environment, so the cloud provider must be proactive in monitoring, detecting and escalating security threats and incidents. A clear understanding of the division of responsibility between cloud vendor and solutions provider enables a swift and collaborative effort to address threats. Additionally, unlike a traditional data centre, the cloud can offer increased capacity on demand. As a result, when a DDoS (distributed denial-of-service) attack occurs, for instance, a bank can mitigate it by scaling capacity to absorb the traffic from both attackers and regular users, keeping services available while the security team responds to the threat. Because banks are regulated, it is crucial that they understand the escalation processes, support coverage and SLAs of their cloud vendors, for effective reporting to regulators.

Business Continuity and Disaster Recovery

Disaster recovery, or BCP (business continuity planning) in industry-speak, deals with incidents that are rare compared with availability and security incidents. Increased globalization and accessibility allow vendors to be physically located far from the bank. This, however, creates key BCP risks should the vendor itself be affected. Banks need to be familiar with the vendor's BCP SLA as well as the cloud provider's backup and recovery services, most of which are fully automated and accessible in a few clicks. Backups can be encrypted, stored in multiple virtual locations, or even stored periodically on-premise.

There is, therefore, no need for any physical activity, such as having a support engineer travel to a disaster recovery centre, moving disks, or running recovery procedures by hand. Cloud infrastructure dramatically cuts disaster recovery time, sometimes from as much as four hours to just a few minutes.

Clearly, the cloud can deliver a myriad of benefits to organisations. While banks and financial institutions have been late(r) to the game in adopting cloud technology, the latter is dynamically evolving. What is clear is that the potential for greater productivity and innovation in the banking industry — as powered by the cloud — is enormous and definitely one to watch.

Originally published at https://medium.com on July 23, 2019.


Elango

Elango has held several senior positions in Big Banks and Startups. He likes sharing about tech and explaining tech to people who are new to it.