Financial Services – Regulation & Risk Management for Cloud Services
Target audience: FSI business decision makers, CIOs, CTOs and cloud architects responsible for driving strategy
As the former Global Head of Network Engineering at one of the top five global financial institutions, I regularly worked with financial services regulators in different countries to ensure that infrastructure was architected properly and that customer data was safeguarded in compliance with local and global regulations.
I was also part of the move to public cloud and would like to share learnings from both the customer and the vendor view, including learnings from many FSI discussions at Aviatrix.
Cloud Journey Starts with the CSP
Outsourcing to public cloud is on the rise, and in the majority of cases an enterprise will work with a Cloud Service Provider (CSP) of its choice to plan and manage its workloads as well as its software services.
If the enterprise is new to cloud, most of the early strategy and decision making will be influenced by what the CSP prescribes. Similarly, the CSP dictates what products customers can consume within an established scope.
Financial services institutions (FSIs) are also now relying more on CSPs. The role the CSP plays in supporting their operations has increased certain existing risks and created new risks across people, processes and, of course, technology.
This article seeks to provide a brief overview to help guide FSI adopters of cloud services to apply a robust risk-based framework as recognised by global financial regulators.
Compliance with FSI Regulations
Although CSPs operate a “Shared Responsibility” model, FSI regulators, including but not limited to the Federal Financial Institutions Examination Council in the United States, the UK Financial Conduct Authority, the European Banking Authority in the European Union and the Monetary Authority of Singapore, have all issued guidance for firms outsourcing to cloud services.
FSIs not only need to understand and comply with different global regulations, including the EU General Data Protection Regulation (GDPR), but should also expect to be examined for compliance, as regulators have a heightened expectation of stronger risk management and enhanced cloud controls.
Ultimately, responsibility lies with the FSI, particularly for safeguarding its customer information in the countries and/or regions in which it operates.
Regulators are also now looking to FSIs for a multi-cloud strategy, including cloud exit planning, to safeguard against catastrophic cloud failures and/or prolonged outages.
Risk Management & Operational Resilience Practice
With increased global regulatory attention and oversight of cloud computing, regulators are now examining how FSIs review their risk management and operational resilience practices as they relate to usage of the cloud, particularly in the areas of:
- Information Security
- Business Continuity Planning
- Third Party Risk Management
- Privacy & Data Protection
- Record Retention Practice
Areas of Consideration
The five key areas of risk consideration below are recognised by banking regulators as examples they believe are important to cloud adoption. FSIs should have a risk management framework that encompasses these considerations as a minimum.
Most FSIs will have an adequate risk management framework specific to their organisation. Some FSIs, however, still rely too much on CSPs for their risk management and data protection. They believe the CSPs will do everything for them, including compliance with requirements such as, but not limited to, FIPS, HIPAA, PCI DSS and federal regulation.
It is also highly recommended that FSIs establish an approach to proactively monitor and oversee the CSP’s performance in executing its responsibilities and its ability to manage risk successfully.
FSIs and enterprises could benefit from using modern cloud technologies with automated controls. Engaging with specialist partners may also help FSIs to simplify and manage cloud risks and reduce overhead. As an example:
Cloud Native Shortfalls
Focusing on cloud native networking, particularly for FSIs, the native networking capabilities of public cloud providers and/or container environments are insufficient for some production enterprise workloads in key areas such as feature depth, scalability, visibility and operations/management.
For data protection there is also a distinct lack of advanced capabilities for production workload segmentation, advanced network routing, data path encryption, data inspection, anomaly detection and much more.
Unfortunately, these shortfalls are not always addressed by the CSPs, and cloud native networking vendors such as Aviatrix have therefore emerged with advanced solutions to address the CSP capability gaps.
Cloud Native + Aviatrix Enhancements for FSIs
Aviatrix has deep in-cloud networking and security knowledge. The Aviatrix Multi Cloud Network Architecture (MCNA) has a track record amongst FSIs and enterprises of greatly improving customer risk posture, helping FSIs to align and comply with global regulations and customer data protection requirements.
MCNA provides consistent and advanced networking functionality and management (including APIs) across the different CSP environments. This simplifies onboarding of workloads into multiple public clouds whilst using that consistency to help scale and secure cloud deployments beyond simple usage scenarios.
Architecturally, the solution can either orchestrate the underlying cloud provider’s native capabilities or replace them. Integration with Terraform and the native provider’s automation capability (e.g., AWS CloudFormation) is strongly recommended.
Because Aviatrix understands the cloud networking API constructs, it leverages them whenever required in order to steer traffic towards the Aviatrix data plane. This data plane (an overlay) offers many advanced networking and security services, and the experience is common and unified across all the CSPs because it abstracts away the native constructs.
Apart from connectivity, Aviatrix protects customer data and workloads by applying consistent security policies across multiple CSP cloud environments. This is also evidenced by MCNA solution artifacts, which can be used as evidential data for regulatory compliance, helping FSIs to demonstrate safe and sound operation whilst remaining in full control.
Aviatrix Solution Mapping
The list above is not exhaustive and there are many more services built into the MCNA platform which are of value to the FSI/enterprises.
Other Important Considerations
Please also use the links below to see how Aviatrix can help you align with the five key areas of risk considerations recognised by the global banking regulators:
Cloud Security Management - https://community.aviatrix.com/t/m1hf2ak/aviatrix-platform-for-anti-ransomware
Change Management - https://community.aviatrix.com/t/x2hlqwq/
Resilience & Recovery - https://community.aviatrix.com/t/m1hz7cj
Audit & Controls - https://aviatrix.com/cloud-network-platform/#operational-visibilit
FSIs are moving to cloud; they tend to start off in a single CSP before going multi-cloud, but even then there are blind spots and capability gaps. More and more consumer data protection regulation is being introduced, and it is becoming more complicated and more specific to individual countries’ requirements.
I have tried to provide high-level insight into FSI regulatory best practices for risk management considerations and frameworks, and into how intelligent use of technology and specialist vendors can help to address the blind spots.
Specifically, how the Aviatrix platform can be used to help FSIs manage and mitigate some of the inherent risks and regulatory concerns.
Please reach out to me, or if you have had a similar experience, I would welcome a conversation on my podcast.
About the author