Outsourcing IT infrastructure to public cloud is on the rise for Financial Service Institutions (FSI) and in most cases, enterprises will work with the Cloud Service Provider (CSP) of their choice to plan and manage workloads and software services. A lot of the early cloud strategy and decision-making can be influenced by what that initial CSP prescribes. Similarly, the CSP can dictate what products customers can consume within an established scope.
FSIs are relying more heavily on CSPs. The role the CSP plays in supporting their operations has increased certain risks while also creating new ones. Although CSPs have a “Shared Responsibility” model related to security and data protection, FSI regulators including the Federal Financial Institutions Examination Council in the United States, Financial Conduct Authority, European Banking Authority in the European Union, and Monetary Authority of Singapore have all issued guidance for firms outsourcing to cloud services.
FSIs will not only need to understand and comply with different global regulations but should also expect to be examined for compliance as regulators have a heightened expectation for increased risk management compliance and enhanced cloud controls. Ultimately, responsibility lies with the FSI to safeguard customer data.
Regulators have also begun to look to FSIs for a multi-cloud strategy including cloud exit planning to safeguard against catastrophic cloud failures and prolonged outages.
With increased global regulatory attention and oversight of cloud computing, regulators are now observing how FSIs review their risk management and operational resilience practices relating to usage of the cloud in the areas of:
Below, we highlight five key areas of risk considerations recognized by regulators as examples that are important to cloud adoption. FSI risk management framework should encompass these as a minimum.
|Risk Management Considerations
|– Establish a cross-functional group with representation from technology, risk management, and compliance to provide the required subject-matter-expertise to develop the appropriate structure and approach tailored to the organization’s use of cloud computing
|Cloud Security Management
||– Complete due diligence with CSPs to provide evidence of controls and compliance prior to engaging in a relationship
– Develop responsibility matrices formalizing expectations and responsibilities that are not clearly outlined in the contract
– Utilize assurance reports or require the “right to audit” as a part of the contracts and Service Level Agreements (SLAs)
| Change Management
|– Consider dedicated cloud-specific testing resources with knowledge of cloud computing, risk, and security requirements
– Provide specific reference to the use of micro-services architecture and the implementation of which least exposes firms to surface area attacks
|Resilience and Recovery
|– Include various “stress test” scenarios in business continuity plans which may impact the CSPs’ ability to continue operations or its speed in recovering, including pandemic forcing operations to be performed remotely
|Audit and Controls
|– Conduct recurring background checks on CSP employees who support critical FSI cloud-based processes
– Highlight specific CSP-related regulations and requirements with which the FSI must comply and request additional evidence of compliance from the CSP
– Adopt a controls framework to incorporate specific requirements of cloud services, including cyber resilience, data management, and any additional monitoring technology that is needed to support
Most FSIs will have adequate risk management framework specific to their organization. Some FSIs are rely too heavily on CSPs for risk management and data protection. They believe the CSPs will do everything for them, including compliance with regulatory bodies including FIPS, HIPAA, Feds, PCI, etc.
It is also recommended that FSIs establish an approach to proactively monitor and oversee the CSPs’ performance in executing on their responsibilities and ability to successfully manage risk.
Secure Multi-Cloud Networking
Focusing solely on secure cloud networking, native constructs, and capabilities of public cloud and/or container environments may fall short in providing advanced security for production workload segmentation, data path encryption, and traffic inspection. Unfortunately, these gaps are not always addressed by CSPs.
These gaps have allowed for “born in the cloud” multi-cloud network companies to emerge with advanced capabilities and APIs that integrate seamlessly with the CSP native constructs. FSIs and other enterprises have the optionality to benefit from advanced security and networking services, helping to manage their cloud networking and security risks while reducing overhead.
For more information check out these resources: