4

Financial Services – Regulation & Risk Management for Cloud Services

Targeted audience for FSI business decision makers, CIO’s, CTO’s & Cloud Architects responsible for driving strategy

Introduction

As the former Global Head of Network Engineering at one of the top five global financial institutions, I regularly worked with different country Financial Service regulators to ensure infrastructure is architected properly and customer data is safeguarded and in compliance with local and global regulations.

I was also part of movement to public cloud and would like to share learnings both from a customer and vendor view including learnings with many FSI discussions at Aviatrix.

Cloud Journey Starts with the CSP

Outsourcing to public cloud is on the rise and in majority of the cases an enterprise will work with a Cloud Service Provider (CSP) of their choice to plan and manage their workloads as well as software services.

If the enterprise is new to cloud, then most of the early strategy and decision making can be influenced by what CSP prescribes. Similarly, they dictate what products customers can consume within an established scope.

Financial services institutions (FSI) are also now relying more on CSPs. The role the CSP plays in supporting their operations has increased certain risks and created new risk across people, processes and of course technology.

This article seeks to provide a brief overview to help guide FSI adopters of cloud services to apply a robust risk-based framework as recognised by global financial regulators.

Compliance with FSI Regulations

Although CSPs have a “Shared Responsibility” model, FSI regulators including but not limited to the  Federal Financial Institutions Examination Council in the United States, the UK Financial Conduct Authority, the European Banking Authority in the European Union, the Monetary Authority of Singapore, have all issued guidance for firms outsourcing to cloud services.

FSIs will not only need to understand and comply with different global regulations including the EU General Data Protection Regulation aka GDPR but should expect to be examined for compliance as regulators have a heightened expectation for increased risk management compliance and enhanced cloud controls.

Ultimately responsibility lies with the FSI, particularly to safeguard its customer information, countries and/or regions it operates in.

Regulators are also now looking to FSIs for a multi cloud strategy including cloud exit planning to safeguard against cloud catastrophic failures and/or prolonged outages.

Risk Management & Operational Resilience Practice

With an increased global regulatory attention and oversight of cloud computing, regulators are now observing how FSIs review their risk management and operational resilience practices as it relates to usage of the cloud particularly in the areas of:

-      Information Security

-      Business Continuity Planning

-      Third Party Risk Management

-      Privacy & Data Protection

-      Record Retention Practice

Areas of Considerations

The below five key areas of risk considerations are recognised by the banking regulators as examples it believes are important to cloud adoption. FSIs should have a risk management framework that encompasses these considerations as a minimum.

 

Most FSIs will have adequate risk management framework specific to their organisation. Some FSIs are yet relying too much on CSPs for their risk management and data protection. They believe the CSPs will do everything for them, including compliance with regulatory bodies such as but not limited to FIPS, HIPAA, Feds, PCI etc.

Don’t Forget
Ultimately responsibility lies with the FSI, particularly to safeguard customer information, countries and/or regions it operates in.

It is also highly recommended that FSIs establish an approach to proactively monitor and oversee the CSP’s performance in executing on their responsibilities and their ability to successfully manage risk.

FSIs and enterprises could benefit from using modern cloud technologies with automated controls. Also engaging with specialist partner/s may help FSIs to simplify and manage cloud risks and reduce overhead. As an example:

Cloud Native Shortfalls
Focusing on cloud native networking particularly for FSIs, the native networking capabilities of public cloud providers and/or container environments are insufficient in key areas for some production enterprise workloads such as feature depth, scalability, visibility and operations/management. 
For data protection there is also a distinct lack of advanced security for production workload segmentation, advanced network routing, data path encryption, data inspection, anomaly detection, and much more.

Unfortunately, these shortfalls are not always addressed by CSPs and therefore cloud native networking leaders such as Aviatrix have emerged with advanced solutions to address the CSP capabilities gaps. 

Cloud Native + Aviatrix Enhancements for FSIs

Aviatrix has deep in-cloud networking and security knowledge. Aviatrix Multi Cloud Network Architecture (MCNA) has a track record amongst FSIs and enterprises to greatly improve customer risk posture, helping FSIs to align and comply with global regulations and customer data protection.

MCNA provides consistent and advanced networking functionality and management (including APIs) for the different CSP environments. This helps to simplify onboarding of workloads into multiple public clouds whilst using 
consistency to help scale and secure cloud deployments beyond simple usage scenarios. 

Architecturally, the solution can either orchestrate the underlying
cloud provider’s native capabilities or replace them. Integration with Terraform and the native provider’s automation capability (i.e., AWS CloudFormation) is strongly recommended.

Because Aviatrix understands the cloud networking API constructs, it leverages them whenever required in order to guide the traffic towards Aviatrix data plane. This data plane (overlay) offers many advanced networking and security services. Moreover, the experience is common and unified across all the CSPs (by abstracting from the native constructs). 

Apart from connectivity, Aviatrix ensures that customer data and workloads are safe and protected using consistent security policies across multiple CSP cloud environments. This is also proven via MCNA solution artifacts and can be used as evidential data for regulatory compliance, thus helping FSIs to demonstrate a safe and sound operation whilst being in full control.

Aviatrix Solution Mapping

 

  

The list above is not exhaustive and there are many more services built into the MCNA platform which are of value to the FSI/enterprises.

Other Important Considerations

Please also use the links below to see how Aviatrix can help you align with the five key areas of risk considerations recognised by the global banking regulators:

Governance - https://aviatrix.com/ensuring-compliance-and-alignment-with-regulators-when-data-is-moved-or-consumed-in-and-out-of-public-cloud/

Cloud Security Management - https://community.aviatrix.com/t/m1hf2ak/aviatrix-platform-for-anti-ransomware

Change Management - https://community.aviatrix.com/t/x2hlqwq/

Resilience & Recovery - https://community.aviatrix.com/t/m1hz7cj

Audit & Controls - https://aviatrix.com/cloud-network-platform/#operational-visibilit

 

Conclusion

FSIs are moving to cloud, they tend to start off in single CSP before going multi cloud, but even then, there are blind spots and capability gaps. More and more regulation for consumer data protection is being introduced whilst getting more complicated and unique for individual countries requirements.

I have tried to provide high-level insight into FSI regulatory best practices for risk management considerations and framework and how intelligent use of technology and specialist vendors can help to address the blind spots.

Specifically, how the Aviatrix platform can be used to help FSIs manage and mitigate some of the inherent risks and regulatory concerns.

Please reach out to me or if you’ve had similar experience, I would welcome a conversation on my podcast.

If you would like to find out more, please visit www.aviatrix.com or contact John Gonsalves at jgonsalves@aviatrix.com

About the author

John Gonsalves

 

email: jgonsalves@aviatrix.com
https://www.linkedin.com/in/johngonsalves22/

2replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • Nicely written and thought provoking insights for decisions makers 

    Like
  • Very informative, John. This amount of relevant information only comes from the wealth of experience you have garnered in this industry. Thank you for sharing.  

    Like
Like4 Follow
  • 4 Likes
  • 2 wk agoLast active
  • 2Replies
  • 57Views
  • 3 Following