In early June, Europe’s financial markets watchdog issued draft guidelines for those outsourcing part of their technology infrastructure to cloud service providers. While acknowledging the benefits of cloud computing – “reduced costs and enhanced operational efficiency and flexibility” – the European Securities and Market Authority cautioned against over reliance.
According to the report, cloud “raises challenges in terms of data protection and information security. Concentration risk can also arise, as a result of many firms using the same large cloud service providers, with potential negative outcomes for financial stability.” Not just a concentration risk, the report explicitly called out the “lock-in risk”.
Banks, insurance firms and other financial services organizations, take note.
Compliance and risk management have never been more complex. Not only are regulators more activist in nature, the regulations introduced in the last few years are making new demands of financial services. For example, the 2018 EU General Data Protection Regulation (GDPR) didn’t simply seek greater protection for personally identifiable information, it mandated the transfer and removal of data on request. This in turn required a degree of agility that many organizations found challenging. Similarly, the second Payment Services Directive (PSDII) necessitated data portability at a scale that would pave the way to open banking.
For banks habituated to taking ultimate control over their data – think the non-returnable disk – these changes have been game changing; not just a case of adapting to new technology solutions and business processes but invoking a new organizational culture, too.
There is another reason for added complexity and that’s the increasingly diverse make-up of most organizations’ IT estate. Today, cloud is just one part of a hybrid infrastructure.
None of this is insurmountable. Nor should it deter firms from adopting cloud. It does, however, require a fresh look at the people, processes and technology fuelling access, management, and control of the data you hold. To that end, it is worth looking at compliance and risk management through the following three dimensions:
- Flexibility and agility. How easy is it to move data, workloads, and applications between different parts of your estate?
- Compliance in the cloud. To what extent does the oversight of data sets held in – or passing through – the cloud meet regulatory demands and your own business continuity needs?
- Protection and encryption. What systems do you have in place to ensure sensitive data is safeguarded?
Let’s explore each in turn.
Flexibility and agility
From a compliance point of view, the cloud is just another data centre. Regardless of platform, regulators are looking for demonstrations of transparency and resilience. They want to know that you have an exit strategy, that you are able to move data seamlessly from one hyperscaler to another, and between on-premise and cloud. To this end, organizations need a framework that simplifies and integrates data management. That’s why at NetApp, we are champions of data fabric, an architecture and set of data services that provide consistent capabilities across a choice of endpoints. Paradoxically, data fabric is both flexible and rigid. Like an electricity network which ingests energy from a variety of sources but delivers power uniformly, a data fabric properly implemented supports a variety of technologies and platforms but administers data uniformly. The result? Seamless data management and portability. An exit strategy, in other words.
Compliance in the cloud
Beyond demonstrating flexibility and agility, regulators want to know that you are in control of data usage, such that it applies to relevant privacy, retention, and sovereignty directives.
Applying a policy-based compliance layer on top of the data so that when someone tries to access or extract data, they are bound by the rules applied to the particular data set, workload, or user-based permissions is the approach we have implemented at NetApp with our Cloud Compliance Module/ Engine
Protection and encryption
Finally, regulators are looking for best endeavours when it comes to protecting the data you hold. Organizations need to demonstrate that the data they manage cannot easily be accessed by bad actors or disgruntled employees, and if it is accessed that it can’t be tampered with or otherwise manipulated.
This means protecting the integrity of data through devices such as write-once, read-many (WORM) file locking, creating non-rewritable, non-erasable data on hard disk drives and flash media. It’s no coincidence that our own SnapLock solution was born out of engagement with financial services.
The second piece of the data integrity puzzle is encryption, not just encoding data sets but providing the keys that allow the right people, at the right time, to unlock the data.
The introduction of cloud-based computing has increased the surface area for banks and other financial services. At a stroke this has increased the potential responsiveness of IT infrastructure while adding management complexity and amplifying the attention of the regulator. Only those that implement consistency and control to their data management will prosper.