Clearing the Haze Around Financial Services Cloud Computing
Cloud computing in its various iterations of SaaS, PaaS, IaaS and others creates new and exciting opportunities for companies in a wide range of industries. These include achieving significant cost savings, improving operational efficiencies, offering ready access to systems, applications and data, enabling better back up and facilitating system upgrades.
Klaus Brandstaetter, HOB
As a result of this functionality, demand for cloud computing has increased dramatically. Several IT industry reports note the likelihood of a continued migration away from traditional computing platforms and infrastructure and move to Internet-based services as a solution for hardware, software and infrastructure needs.
Financial service firms, including banks, brokerages, securities firms and others, are among the types of organizations that can benefit from cloud computing architecture. Many have made the move to cloud solutions and many others are examining such a move. However, for highly regulated firms, such as banks, investment banks and money managers, there are significant legal and regulatory challenges that IT teams must navigate before moving to a cloud architecture. These teams must determine whether cloud computing has matured to the point that they can successfully and cost effectively overcome these challenges.
Public, Private Or Hybrid?
Cloud computing covers several business and IT processes. The issues financial firms may encounter will be affected by the nature and scope of cloud computing activities under consideration. With a cloud architecture, financial institutions can effectively outsource all or part of their IT architecture, operating systems and platforms, and/or software applications. They may choose from multiple methods in which to have these services delivered, such as the public cloud, where IT services are delivered using non-customized processes; private clouds, where services are highly customized for one or a small number of customers; and hybrids, which include a combination of public and private clouds.
Because there are so many "flavors" of cloud computing, the challenges and solutions financial institutions encounter will vary tremendously. A small U.S. community bank eager to outsource its IT infrastructure, systems and applications to a third-party web services host will face challenges that can in many significant ways be quite different than those faced by a global financial firm that is considering loading core customer or financial management systems into a private cloud.
Among the key concerns financial institutions face are those related to data privacy, data and systems security, business continuity and disaster recovery, and liability/risk management concerns. Indeed, regulatory requirements can be so pervasive that many IT teams have complained they focus much more on regulatory compliance than they do achieving cloud computing best practices.
Federal regulatory bodies, such as the Office of the Comptroller of the Currency (OCC); the Federal Reserve Board (The Fed); and the FDIC (Federal Deposit Insurance Corp.) have been clear about requirements when a financial services organization decides to outsource technology services to a third party. These regulations focus on a few key areas:
- Effective oversight and risk management of outsourced IT functions -- Regulators expect financial institutions to establish and comply with risk-based policies that govern the IT outsourcing process. These must be robust enough to cover all types of significant transactions and communications made by the institution.
- Risk assessment and requirements -- Regulators will require financial institutions to assess the risks of outsourcing, organize written policies and use these policies to manage the outsourcing process.
- Service provider selection -- Financial institutions must implement appropriate due diligence when interviewing and selecting outsourcing service providers.
- Contract issues -- Financial institutions must sign written agreements that define the institution and service provider's responsibilities, identify appropriate service levels in an SLA or similar document, is properly priced and is reviewed by legal counsel.
- Ongoing monitoring -- Regulators will require financial institutions to monitor the performance of the service provider, taking into account changing needs of the institution over time.
To move forward with a cloud computing engagement, financial institutions should consider the following as they move forward.
It is important to understand the information risks of moving to a cloud-based environment. These include, but are certainly not limited to, privacy of financial institution communications, privacy of customer data, security of cloud-based data, business continuity and disaster recovery. These are similar concerns when creating any IT network for a financial institution. However, since cloud computing is a different architecture, it's important for IT teams to understand the specific technical features, advantages and drawbacks of cloud-based technology platforms and the risks associated with these services.
What has most likely slowed the implementation of cloud computing at financial institutions are concerns about regulatory compliance regarding the protection of customer information.
It is also important for the financial institution to understand and strategically select the type of cloud infrastructure it will use. A public (multi-tenant) cloud service has advantages in terms of cost and resources, but may lack the flexibility and security needs of the institution.
Regulators will want to examine and audit the financial institution's network and cloud architecture. This is mandated by FINRA (Financial Industry Regulatory Authority) and other regulations.
IT teams should test and test again their systems to ensure any cloud systems that touch customer or critical institution information both meets the performance needs of the institution, is 100 percent protected against cyber threats, and meets all regulatory requirements.
Security Begins with Remote Access
A critical component of any cloud solution is a sophisticated, secure and easy-to-use remote access solution. The remote access solution should be software based and therefore able to be deployed on any server. It should support all operating systems and not require installation or administrator rights on the user side. Reliable SSL-encryption ensures a high level of security and supports numerous authentication mechanisms as well as Kerberos Single Sign-On.
The remote access solution should also provide extra features tailored for the unique needs of each institution. For example, for institutions concerned about load balancing, the remote access solution should ensure optimal availability. If the network includes UNIX/Linux servers, the remote access solution should facilitate connectivity to these. And, if the network includes Windows Server with Remote Desktop Services (RDS), the remote access solution should connect to these as well.
The popularity of cloud services continues to grow, as companies in most industries recognize the cost and performance benefits. Financial institutions stand to gain from the adoption of cloud services as well, but face a significantly higher bar in terms of performance and security needs, dictated by multiple regulatory bodies. To achieve both regulatory compliance and cloud architecture best practices, financial institution IT teams must identify and work with vendors and service providers that offer high-quality, flexible solutions that can meet both today's needs as well as anticipate future performance and regulatory requirements.
About The Author:
Klaus Brandstaetter, CEO of HOB
Klaus Brandstaetter studied electrical engineering at the Friedrich-Alexander University of Erlangen - Nuremberg in Germany. His studies were focused on IT, software and programming. With this knowledge, Mr. Brandstaetter set up the IT department at the company Geobra during his studies. He utilized Nixdorf Computers and IBM.