The use of Cloud Computing by Financial Institutions - TECHNICAL PAPER - 4 JUNE 2020
EBF Cloud Banking Forum, www.ebf.eu
CONTENTS

Abbreviations 3

Chapters
1 Introduction 4
2 Overview of cloud services 6
2.1 Cloud composition 6
2.2 Different cloud service models 7
2.3 Industry experience with cloud 8
3 Why European banks use cloud services 9
4 Understanding of cloud computing 13
4.1 Cloud-specific considerations under a risk-based approach 14
4.2 Categorizing the associated control demand of a cloud offering 14
4.3 Different roles of banks and Cloud Service Providers 18
4.4 Careful consideration of cloud migration 20
5 Conclusion 24
Glossary 26

Annex
Annex 1 Use case: IoT 29
Annex 2 Use case: Online Collaboration 31
Annex 3-5 Data Use cases preliminary remarks 33
Annex 3 Use case: Data Lake Processing 34
Annex 4 Use case: Data Discovery Lab 35
Annex 5 Use case: Data analysis and regulatory reporting 36
Annex 6 Use case: Transformational Technologies 37
Annex 7 Use Case: Early Warning System (EWS) 38
ABBREVIATIONS

AD: Active Directory
ADFS: Active Directory Federation Services
AI: Artificial intelligence
BARE METAL: Base IT infrastructure enabling cloud computing
CAPEX: Capital Expenditure
COBIT: Control Objectives for Information and Related Technologies (by the Information Systems Audit and Control Association)
CSC: Cloud Service Customer
CSP: Cloud Service Provider
FI: Financial Institution
GDPR: General Data Protection Regulation
IoT: Internet of Things
ITIL: Set of detailed practices for IT service management (formerly Information Technology Infrastructure Library)
ML: Machine learning
NCA: National Competent Authority
OPEX: Operational Expenditure
SDLC: Solution Delivery Lifecycle
SLA: Service Level Agreement
VSI: Virtual Server Infrastructure
CHAPTER ONE
1 Introduction

Over the recent years, cloud computing has become a significant technological enabler for innovative service development. Cloud allows industries to tap into new service models, utilising its technological advancement for new and better services to customers, improving productivity, cost-efficiency and flexibility of internal business processes. Ultimately, cloud computing can provide a foundation for the digital transformation of the industry in question.

The financial sector is in the process of adopting cloud computing to take advantage of the aforementioned benefits. New opportunities for service delivery to customers, serving their needs and expectations, are as relevant as improving security, reducing costs and improving flexibility in the conduct of business. Cloud can also open new markets and enable mature financial services institutions to find new ways of competing with FinTech market entrants.

The cloud security framework matured fast and heavily. Nowadays, cloud computing seems to be as well-placed as (if not better than) other traditional IT paradigms when it comes to safeguarding integrity and availability. Cloud services embody redundancy, high availability and resiliency thanks to their distributed nature. Public cloud gives the ability to scale at a more significant level than financial institutions would be able to achieve on their own. Resilience, speed and security are the building blocks of cloud offerings and the core business of any Cloud Service Provider (CSP). In most cases, CSPs have stronger security than most individual companies can maintain and manage on-site. Moreover, the big cloud providers have large teams of security engineers and, given that cloud is (one of) their core businesses, they are continuously investing in meeting the strictest and newest security standards that constantly adapt to managing evolving threat vectors and threat actors.

However, cloud adoption by the financial industry has to consider the highly regulated nature of the sector and pay special attention to stability and safety. European banks operate within a framework of financial rules aimed at ensuring proper governance and control of risks (internal governance guidelines), especially in those situations where third parties are involved in the operation of ICT systems1. These rules set the framework for supervisory engagement with European banks throughout the entire life of the cloud relationship in the EU's financial sector. Mindful of possible risks triggered by cloud technology, thorough assessments are conducted on the potential impact of cloud on financial institutions' operational risk, to be assessed against the operational risk posture of the current IT environment. Hence, understanding of the technology and its implications for operational processes is critical.

This paper aims to support financial institutions' and competent authorities' understanding of the advantages and particularities of cloud computing in areas such as security, risk mitigation and regulatory compliance.

Significant features of cloud technology in financial services require special attention and consideration.

Looking at the fast-evolving cloud service environment as well as the close interaction of European banks with their supervisors in different Member States, a harmonised approach to the considerations presented by national competent authorities (NCAs) will be essential. Cloud computing's potential for agility and flexibility goes beyond the framework of a single jurisdiction. A fragmented understanding of cloud by NCAs regarding key considerations can severely hamper the systematic approach of European banks to cloud, whether they rely on one or multiple providers in a multi-cloud environment. By contrast, a harmonious understanding of cloud across European borders will foster the adoption of public/hybrid cloud and multi-cloud use by European banks in a more unified way.

Ultimately, banks would be able to provide more innovative services to their customers across Europe, allowing FIs to focus on their core businesses, while leveraging the specialty of CSPs to provide secure, scalable, reliable, and fast networks and computing.

This paper aims to support the necessary understanding of cloud use by financial institutions. Mindful of the complexity of both the technology itself and banks' careful implementation of it within their business processes, not all relevant aspects of cloud can be addressed comprehensively in this single document. Instead, additional technical papers of the EBF Cloud Banking Forum will target, at a later stage, specific issues of relevance. This is the reason why issues such as cybersecurity, though highly important for the adoption of cloud technology across all industry sectors, will not be developed in detail in the following chapters.

“Cloud solutions offer banks the flexibility to tailor the scaling up of capacity to meet their activity levels”

1 EBA Guidelines on ICT and security risk management (under development): https://eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management.
CHAPTER TWO
2 Overview of cloud services

In order to gain a deeper understanding of the advantages and specifics of cloud computing, it is necessary first to take a look at existing cloud compositions and service models.

2.1 Cloud composition

Cloud computing deployment can be distinguished according to three categories:

Public Cloud is a cloud computing environment where cloud solutions are located outside the bank's perimeter. Therefore, within a public cloud setup, not all controls will be operated by the institution itself. This does not change the accountability of Cloud Service Customers (CSCs) according to the applicable legal framework. Logical access control functions are provided to the company using publicly hosted cloud services (e.g. through authentication mechanisms); any other company can subscribe to the same services, available over the internet.

Private cloud solutions are located inside the banks' own perimeter and therefore leverage all the established controls of the respective bank. Computing resources are used solely by the one single organisation, either physically in the company's on-site data centre(s) (“on-premises”) or externally with the third-party provider (“hosted private cloud”).

A hybrid cloud solution is an integrated cloud service, using both private and public clouds to perform distinct functions within the same organisation. Hybrid cloud adoption reflects a macro trend common to all financial institutions and is viewed as a key enabler for next generation technologies, free movement of data and integration into the ecosystem.

Hybrid Cloud for the purpose of this paper is defined as a cloud computing environment that uses a combination of private cloud (where most financial institutions started their cloud journey) and public cloud services that may include third party service offerings such as Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a Service (SaaS). These platforms are connected through automation and orchestration tools.
2.2 Different cloud service models

Cloud services know multiple facets of service design, each with effects on the role of CSP and CSCs. It is important to recognise that cloud's potential is not limited to the simple external data storage, but rather consists of fast-developing service models which will further evolve in the future.

When looking at these cloud solutions – especially from a risk-based approach – distinctions must be made between different models, triggered by technological differences.

TABLE 1 Cloud service models

Infrastructure as a Service (IaaS): Supplies customers with IT infrastructure, provided and managed over the internet on a pay-as-you-use basis, e.g. servers and storage. The two common models of delivery for IaaS are ‘bare metal’ and Virtual Server Infrastructure (VSI). In the case of bare metal the financial institution or their designee manages the servers, storage, virtualisation, OS, middleware, runtime, data and applications. In the VSI model the financial institution manages the OS, middleware, runtime, data and applications.

Platform as a Service (PaaS): Supplies customers with an on-demand environment for developing, testing, delivering and managing software applications over the internet. The financial institution manages its data and applications.

Container as a Service (CaaS): Offering for container-based virtualisation in which CSPs offer a complete framework to customers for deploying and managing containers, applications and clusters. CaaS offers a completely enabled container deployment service with security and governance control for IT management.

Software as a Service (SaaS): Allows customers to connect to and use a cloud-based application over the internet on a subscription basis, e.g. an online collaboration tool. The entire stack is managed by the service provider.

Within the CSP market, many engagement models deploy these services to market, for example captive models, fixed-term contracts, open models, pay per use.
Considering these different cloud service models, please take note of the following overview for IT functions in a hybrid cloud environment (example).

FIGURE 2 Hybrid Cloud (example overview of IT functions): the stack layers Application, Data, Middleware, Platform, Runtime, Operating System, Virtualization, Server, Storage and Network, mapped to SaaS, PaaS, CaaS and IaaS offerings together with an enterprise GUI and CI/CD toolchain, across Public, Hybrid and Private deployment.
2.3 Industry experience with cloud

Today, the use of cloud – though innovative and constantly evolving at a technological level – is generally known to European enterprises. SaaS models have been adopted over the recent years, familiarising enterprises with subscriptions to software hosted at CSP facilities.

According to Eurostat, cloud computing usage by EU enterprises grew rapidly over the last few years. While in 2014 it still stood at 19%, in 2016 the number increased to 21%2. In 2018, 26% of EU enterprises with at least 10 persons employed purchased cloud computing services3.

FIGURE 3 Use of cloud computing services and high level dependence on the cloud, 2018 (% of enterprises), by country (EU-28 and individual Member States, Norway, Montenegro, Serbia, Turkey, Bosnia and Herzegovina); series: use cloud computing, high level dependence.

FIGURE 4 Use of cloud computing services in enterprises, by purpose, 2014, 2016 and 2018 (% of enterprises using the cloud); purposes: e-mail, storage of files, office software, hosting the enterprise's database(s), financial or accounting software applications, CRM software applications, computing power for the enterprise's own software. Source: Eurostat (online data code: isoc_cicce_use).

2 Eurostat, https://ec.europa.eu/eurostat/documents/2995521/9447642/9-13122018-BP-EN.pdf/731844ac-86ad-4095-b188-e03f9f713235.
3 Ibid.
CHAPTER THREE
3 Why European banks use cloud services

Banks require intensive use of technology for operation. Traditionally this has been solved by on-premises systems, deployed locally on the company's own computer infrastructure. However, the progress of technology has accelerated dramatically, requiring banks to embrace this development in the financial market. They do so consciously and strategically.

Cloud has become a key technology to develop new financial services and to innovate, to collaborate with third parties and to compete in the digital context. The market dictates the speed of change. Flexibility and time to market are imperative for banks and cloud computing is the technology with the greatest potential to meet both needs. Banks need cloud technology to compete with other non-regulated players entering the marketplace on a level playing field. Innovative, fast-evolving cloud technologies allow banks to take advantage of the best-suited technology for customers and business processes at each moment. Nowadays customers demand immediacy and personalisation. This can require banks to rely on third parties that provide new – sometimes tailor-made – general-purpose services.

Cloud also creates opportunities for increasing specialisation. Banks can dedicate their top talent to business problems while leveraging CSPs for non-core capabilities like management of infrastructure.

Recent mergers and acquisitions in the market reflect strategic considerations of market players in terms of promising IT tools for future business operation. Market developments show that the majority of IT tools needed to serve customers' needs will run ‘cloud first strategies’ in the future. Consequently, slowing down a financial institution's path to cloud adoption might limit the institution's competitiveness compared to FinTechs and Big Techs in particular. Today, banks face an overall trend in the IT industry, that can be expected to further increase over time.

A driver for this trend is the opportunity to use cloud for access to transformational technologies. This possibility complements the general benefit of cloud to access vast and increasing volumes of data in a cloud-ecosystem. Transformation technologies are fundamentally and rapidly changing the way we think about business today. They are driving a shift of investment from legacy technology and business strategy to investment in more innovative business models, supported by the new innovative technologies, and they are essential to undertakings to remain competitive, viable and potentially more secure. For example, Distributed Ledger Technology promises to transform the speed, efficiency and trust of transaction processing. Analytics and “Big Data” technologies promise to provide many benefits, including advanced insights into complex data sets, driving new business opportunities, reducing fraud and significantly improving cyber security intelligence. Likewise, AI enables increasingly complex interactions between entities, e.g. helping end users with problem solving. These transformation technologies may be rapidly integrated into businesses as part of increasingly complex and dynamic ecosystems, which are often more transparent and resilient than their legacy counterparts. They support increased connectivity demands from clients and stakeholders who increasingly expect rapid access to data and services.

These cloud business relationships and operational cooperation with CSPs help to introduce innovative service solutions, providing hitherto unknown potential for banks' business processes.

One of the big challenges in banking IT is to deal with peaks in computing demand. They may be caused by the typical day cycle (day trading, night processing) or by extraordinary events (e.g. major financial market news, price changes, marketing events). Banks dedicate themselves to the provision of stable, reliable and trusted services for their customers. Financial stability is a prerogative.

The migration from on-premises IT solutions to cloud is a conscious and careful journey for banks. It starts from and evolves the existing IT structures and services of banks. Gradually, private cloud solutions can be built, transformed into cloud model combinations and finally embraced in a diverse environment. This journey is not a disruption, but an evolution:

FIGURE 5 The cloud journey in three steps, Build, Transform and Embrace, across Traditional IT, Private Cloud, Managed Cloud and Public Cloud. Managed cloud addresses the management of IT by a third party (specialist), regarding IT as a commodity rather than a business.
Cloud adoption by European banks along this journey is being driven by several factors: the need for increased agility/flexibility, reduced infrastructure, more transparent cost and security improvements.

TABLE 6 Traditional IT on-premises versus cloud-based IT
- Flexibility: traditional IT on-premises – very limited (flexible to grow, but costly and slower); cloud-based IT – very large.
- Time to market: traditional – long; cloud-based – almost instantaneous.
- Cost management: traditional – not possible once the investment is done; cloud-based – dynamic, allowing for forecasting.
- Impact on capital ratio: traditional – high; cloud-based – like any other profit & loss expense.
- Security: traditional – solutions for existing services, based on in-house resources and external support; cloud-based – dedicated CSP cloud security offerings as part of their core business, allowing for in-built service security solutions and dynamic large-scale inclusion of leading tech (e.g. artificial intelligence).

Looking at IT capabilities, guaranteeing stable operations of the financial system requires spare capacity to be available in case of need. Having this capacity available in the banks' inherited model creates a significant cost footprint and the necessity to maintain infrastructure that may (only) be needed on rare but significant occasions. Cloud computing provides for an excellent technical solution to computing demand peaks. It allows service providers to make resources available via an accessible network where multiple clients can share the same resources.

An example of improved agility can be the move of selected front-end systems, such as broker-dealer systems, by some financial institutions into the cloud. This allows them to scale up at a moment's notice, while interfacing either to their own trusted in-house back-end system or to innovative cloud-based services, e.g. using distributed ledger technology for trade settlement and accounting. In addition, non-core banking functions such as Human Resources and customer relationship management could leverage state of the art cloud service offerings. Clearly, this requires security considerations.

A major concern from a risk and compliance perspective is the network perimeter. CSPs can offer advanced capabilities to individual financial institutions in this area, considering their focus of business and experience in the market.

In a rapidly changing environment, leaner operating models and a focus on business value are crucial for financial institutions to succeed. Cloud services are not only a technological trend providing ICT solutions with a never-seen-before agility/flexibility. They can also have a significant and positive impact on the financial institutions' balance sheets. Traditional on-premises IT infrastructure and developments require an upfront Capital Expenditure (CAPEX), incurred by a business to create future benefits such as the acquisition of assets, which, necessarily, have to be designed according to the maximum workload. The system will not be available until the end of the project, and usually requires large payments in advance. In contrast, cloud-based technology allows financial institutions to add new resources or remove them instantly, as required.

This allows IT resources to scale up and down according to the business' needs and facilitates flexibility by a pay-per-use model. Therefore, IT operations can move from CAPEX to Operational Expenditure (OPEX), incurred for the day to day functioning of a business. CAPEX and OPEX are treated very differently for tax and accounting purposes. OPEX allows a formerly fixed cost to be transformed into a variable state. This helps to improve competitiveness, to increase reaction times of institutions to relevant developments and to focus on use case implementation more effectively. Ultimately, it creates business value.

More specifically, this ‘CAPEX to OPEX’ transformation provides an added value to financial institutions in terms of capital ratio. Today, the current prudential treatment of software discourages the investment that financial institutions make in software assets due to the obligation to deduct them fully from Common Equity Tier 1 capital4. There is a need to raise additional CET1 funds to offset deductions. Using cloud services provided by CSPs can ease this tension, leading thereby to a reduction of required capital when deploying new services.

TABLE 7 Traditional approach to financial services (on-premises and community) versus the target state for financial services (hybrid cloud5)

The traditional approach supports banks' need to:
- seamlessly connect with people, organisations, systems and processes across the globe.
- rapidly process, and reliably and safely store and retrieve, large and variable volumes of data.
- adapt to the changing needs of clients through offering trusted, high quality and competitive services.
- share common innovative technologies with other financial services to customers and to create new markets.

The target state supports a new generation of banking services:
- emerging ecosystems for financial services.
- reduced time to market, increased agility and scalability by enabling more rapid adjustment of IT services to support business operations.
- conversion of fixed-asset product-based overheads to variable service-based assets (CAPEX to OPEX).
- “Immersion” of banking services into client systems becomes more feasible; clients can get the business services they need on demand, triggered by the ability to simultaneously use common "services".

4 Amendments introduced in the final text of the CRD/CRR Review (published 7 June) allow to exempt certain investments in software assets from this deduction. However, this exemption only applies to those software assets that meet certain conditions (as specified by the EBA in regulatory technical standards to be developed) and only applies two years after the entry into force of the Regulation, see Article 36 (1) (b), Article 36 (4).
5 See “The NIST Definition of Cloud Computing”, Special Publication 800-145, Sep 2011: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
CHAPTER FOUR
4 Understanding of cloud computing

The views of cloud computing by regulators, technologists and service users are different. Although not conflicting, they need to be balanced to enable the most effective use of cloud technology in financial services.

To attain a higher level of maturity, a mutual understanding and agreement needs to be fostered through coordination and communication between regulators, technologists and service users. The specifics of cloud technology and its control demand need to be understood and reflected upon carefully.

Four important basics regarding data ownership and management shall be postulated upfront, unaffected by rising cloud adoption:

ONE Banks continue to own their data.
TWO Banks will choose the geographic location(s) in which to manage their data.
THREE Banks can download or delete their data whenever they need to.
FOUR Banks should consider the sensitivity of their data and decide how to protect it or make it available, i.e. by using suitable cryptographic services for encryption and authentication.

Based on these statements, this paper aims to present different cloud service models, elaborate on the necessary risk-based approach, help the categorisation of the control demands in a cloud environment, show the banks' respective awareness and highlight their careful migration to cloud.

“All cloud computing risks need to be evaluated prior to any planned cloud migration”
4.1 Cloud-specific considerations under a risk-based approach

As required by the applicable regulation, both banks and NCAs assess the cloud computing adoption – regarding a specific use case – with a risk-based approach.

However, this makes a common understanding of cloud computing risks and available controls fundamental. As any transformation of complex services may suggest, the journey to a well-controlled cloud adoption requires careful assessment and mitigation of potential risks. A common understanding enables:
- a common “language” or framework for understanding, assessing and communicating relevant and beneficial cloud computing principles and control objectives.
- a consistent means to prioritise the most significant risk management activities related to cloud adoption and use.
- a unified position between the EBA/NCAs and banks, to send clear signals to cloud service providers and technology innovators about specific financial services requirements.

Key risk areas for cloud computing must be understood in the context of cloud computing's technological features and service design. Operational risks relate both to the adoption of cloud computing and to the operation of cloud services. As in any other service relationship, all cloud computing risks need to be evaluated prior to any planned cloud migration, and managed, when performing operations in the cloud. Therefore, the already existing IT control processes of banks, based on standards such as COBIT or ITIL, need to be reviewed in light of cloud specifics.

Factors that must be taken into consideration are:
- the cloud service models (e.g. SaaS, PaaS and IaaS), aligned to traditional computing control areas, where the level of risk relates to the cloud service model selected. In these models, risk management and the operation of IT activities are shared between cloud service providers and cloud service customers. The “balance” of responsibility for IT control management shifts from cloud service provider to service user as we move from the top of the stack, e.g. SaaS, to the bottom of the stack, e.g. IaaS.
- the cloud deployment model (e.g. internal, public, and hybrid), where routine accountability remains primarily with CSCs who selected the model for their business, and where their data subject needs to be supportive and informed about data management, data location and network management.
- the specific characteristics of cloud computing (e.g. self-service, accessibility across networks, resource pooling, rapid elasticity, metered services), where governance controls are necessary to provide timely management information and escalation/response in case defined thresholds are breached.

4.2 Categorising the associated control demand of a cloud offering

The risk of the different cloud service models needs to be identified, assessed and managed by banks. This requires understanding of how risk in cloud services can be distinguished and rated, creating the respective control demand.
European banks are well aware of the attention that such control demand deserves. Operational and financial stability are core concerns prior to and during the usage of cloud services. Consequently, the selection of services and their migration to cloud are conducted consciously.

Cloud operates on the shared ‘responsibility’ model. This means that, depending on how the financial institution is consuming cloud, both the CSP and the financial institution must understand their areas of responsibility with regard to the control landscape.

This is not to be misunderstood for the concept of accountability. Accountability remains fixed with the financial institution regardless of what services are being obtained from the cloud. ‘Responsibility’ for the purpose of this paper should be understood as a term allowing for clear definitions of who is operating specific controls (the CSP or financial institution) and what level of visibility the financial institution has into how those controls work. There are several ways this can be accomplished by having a well-defined approach with the CSP.

Different from other IT paradigms, cloud computing inherits technological dimensions and features that can have a positive effect on the control demand.

In order to be fully aware of the evolving service characteristics, five major dimensions need to be considered regarding the control demand of a particular cloud offering.

The layer of abstraction sourced
e.g. the selected cloud service model and use case. In general, in IaaS the CSC is using an IT infrastructure deployed and managed by the CSP, but all processes and activities implemented on this infrastructure remain under the full control of the institution (e.g. workload distribution, Solution Delivery Lifecycle, application changes). Going up the stack, the involvement of the partner in the activity will increase. Using PaaS, workload distribution will be controlled by the partner. With SaaS, the application management, including changes (content and timing), will not be handled by the institution anymore. However, not all services are equal, and, for instance, there are IaaS services like Grid IaaS where some additional components will be managed by the CSP, while in other SaaS implementation processes, such as the identity and access control, these can remain under control of the CSC. Ultimately, a specific control assessment will be needed for each cloud service. It is important to note that IT general controls remain relevant regardless of where they are operated.

Ownership of the control framework
The framework includes relevant network perimeter control, access management and internal enforcement of rules. Using a visual: the network perimeter can be compared to a city wall. The wall itself and everything inside follows internal rules. Access is granted at the gate under control of the “city council”. This means for cloud solutions that in a bank's private cloud the network perimeter control and access management are still with the institution, whereas in a public cloud this control leverages the features implemented and offered by the bank's partner (the CSP) outside the “city wall”.

The legal and regulatory context
Depending on the jurisdiction applying to the cloud service contract, the activity supported by the cloud usage or the location of the data/compute, different levels of data access and control may be needed. Laws and regulations may specify requirements for regulatory notification and approval for the use of cloud computing for regulated activities and reporting of material incidents.
Criticality of data
Different categories of data can be drawn, according to their sensitivity and the data subject. Thus, customers' sensitive personal data requires higher protection than public data used for intra-day risk computing.

Criticality of function
This dimension outlines how dependent the day to day operation is on the function sourced through a cloud service. The criticality is affected by the impact of the function when not performed properly. For example, while an institution's business processes could run without an HR system for a short period of time, this is not true for the core banking system, which would bring the institution to a halt when failing.

To provide for a better visualisation of the risk dimensions, please consider the following rating grid. Each dimension is assigned a numerical value according to the described features:

TABLE 8 Rating grid (dimension / rating 1 to 5)

Layer: 1 – IaaS based on market standards; 2 – IaaS plus vendor specific additions; 3 – PaaS based on market standards; 4 – PaaS with vendor specific additions; 5 – SaaS.

Control framework: 1 – Private setup; 2 – Hybrid, within network perimeter, all accesses are controlled by institution; 3 – Hybrid, within network perimeter, accesses are partially controlled; 4 – Hybrid, with partial public setup outside of network perimeter control; 5 – Public setup.

Legal and regulatory context: 1 – Only an EU home country regulation applicable; 2 – Only EU country regulation applicable (but of more than one Member State); 3 – Mainly EU regulation applicable but also “recognised” third countries regulation; 4 – Mainly non-EU regulation applicable but from “recognised” third countries involved; 5 – Regulation of “non-recognised” third countries applicable.

Criticality of data: 1 – Public data; 2 – Internal “low-relevance” non-identifiable data; 3 – Internal relevant non-identifiable data; 4 – Internal relevant identifiable data; 5 – Internal relevant identifiable sensitive data.

Criticality of function: 1 – Replaceable and not relevant part of core processes; 2 – Replaceable but necessary for internal processes; 3 – Necessary for external processing; 4 – Part of core process, necessary for full function, recovery target in disaster recovery up to 48h; 5 – Unavoidable part of core process.
European banks consider these control dimensions carefully for the identification of cloud-related risks and their management. Weighing the dimensions’ interactions and connecting their numerical values, the following spider chart shall give an indication on how to support awareness visually and how to guide attention within the risk assessment by banks for individual cloud service constellations.

The higher the assigned number for each risk dimension, the more attention to control is likely to be required by the bank. Visualising the dimensions altogether, figure 9 allows for a graphical understanding of the need for attention to cloud particularities (according to the growing size of the encircled area). It can be used to trigger respective risk management attention: the bigger the area, the more attention to control should be dedicated to the service from a risk management perspective.

To provide for an example, the spider chart below contains the intra-day risk computation for a trading operation⁶. This example case is:
- running on hardware which is hosted in the bank’s home country (legal context), utilising vendor specific additions to an IaaS cloud service (layer).
- If the bank’s workload exceeds certain thresholds beyond the on-site compute capacity, additional capacity in a public cloud will be leveraged (burst to public cloud). For the purpose of this example, the trading operation in question is considered low with regard to criticality of function, using non-critical data.
- However, the public cloud is not within the bank’s network perimeter (control framework).

FIGURE 9 Spider chart of the example case (scale 0 to 5 per dimension): Layer 2, Control Framework 5, Legal Context 1, Criticality Data 1, Criticality Function 2.

Once the control demand has been understood, a balanced approach can be applied. For example: in the given case in figure 9, data is considered non-sensitive and public (transaction execution on a regulated market). As a result, no advanced controls for data protection have to be added. The extent of necessary controls will be directly driven by the risk exposure. The ability of the institution to control the risk can be directly derived from the combination of the level of control tools provided by the CSP and implemented by the bank – allowing a more accurate expression of the level of exposure due to cloud computing – and the exposure itself.

6 For more examples, please consider the Annex.
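The rating grid of Table 8 and the spider chart of Figure 9, written out as a small Python model. This is an added example and not part of the EBF paper: the Figure 9 ratings are the paper’s, while the dimension keys, the polygon-area computation and the sensitive-data variant are assumptions of the example.

```python
"""Control-demand rating grid (Table 8) and spider-chart area (Figure 9).

Added example, not part of the EBF paper: it encodes the five dimensions
with their 1 to 5 ratings and computes the area of the pentagon a radar
chart draws, so two cloud service constellations can be compared by the
"size of the encircled area" the paper uses to guide attention."""
import math

# The five dimensions of Table 8, in the paper's order. The polygon area
# depends on this order, so keep it fixed when comparing constellations.
AXES = (
    "Layer",
    "Control framework",
    "Legal and regulatory context",
    "Criticality of data",
    "Criticality of function",
)
MIN_RATING, MAX_RATING = 1, 5


def rating_errors(ratings):
    """Return a list of problems (empty if the rating set is complete and
    every value is an integer in 1..5)."""
    errors = [f"missing dimension: {a}" for a in AXES if a not in ratings]
    errors += [f"unknown dimension: {a}" for a in ratings if a not in AXES]
    for axis, value in ratings.items():
        if axis in AXES and not (isinstance(value, int) and MIN_RATING <= value <= MAX_RATING):
            errors.append(f"{axis}: {value!r} is not an integer {MIN_RATING}..{MAX_RATING}")
    return errors


def spider_area(ratings):
    """Area of the radar polygon: every axis is a spoke 360/5 degrees from the
    next, the rating is the distance from the centre, and the shoelace formula
    sums the signed area of consecutive spoke pairs."""
    errors = rating_errors(ratings)
    if errors:
        raise ValueError("; ".join(errors))
    step = 2 * math.pi / len(AXES)
    points = [(ratings[a] * math.cos(i * step), ratings[a] * math.sin(i * step))
              for i, a in enumerate(AXES)]
    area = sum(x1 * y2 - x2 * y1 for (x1, y1), (x2, y2) in zip(points, points[1:] + points[:1]))
    return abs(area) / 2


def attention_share(ratings):
    """Spider area relative to the all-5 pentagon: 1.0 is the maximum control demand."""
    return spider_area(ratings) / spider_area(dict.fromkeys(AXES, MAX_RATING))


def hotspots(ratings, threshold=4):
    """Dimensions of a complete rating set at or above the threshold, i.e. where
    attention to control is most likely required, highest rating first."""
    return sorted((a for a in AXES if ratings[a] >= threshold),
                  key=lambda a: ratings[a], reverse=True)


# The worked example of Figure 9: intra-day risk computation for a trading
# operation on home-country IaaS that bursts to a public cloud.
FIGURE_9_EXAMPLE = {
    "Layer": 2,
    "Control framework": 5,
    "Legal and regulatory context": 1,
    "Criticality of data": 1,
    "Criticality of function": 2,
}

# Constructed variant (not in the paper): the same set-up, but processing
# customers' sensitive personal data instead of public market data.
SENSITIVE_DATA_VARIANT = {**FIGURE_9_EXAMPLE, "Criticality of data": 5}

if __name__ == "__main__":
    for name, case in (("Figure 9", FIGURE_9_EXAMPLE), ("variant", SENSITIVE_DATA_VARIANT)):
        print(f"{name:9s} area {spider_area(case):6.2f} "
              f"({attention_share(case):.1%} of maximum), hotspots: {hotspots(case)}")
```

Because the area is a sum of products of neighbouring ratings, raising one dimension enlarges the polygon in proportion to its two neighbours; the variant shows the Figure 9 case growing from 17.6% to 27.2% of the maximum pentagon once data criticality moves to 5.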
4.3 Different roles of banks and Cloud Service Providers

The visual tools under 4.2 help to understand and assess the potential impact of cloud adoption on the operational risk of institutions. Central to such assessment is an understanding of what controls are in place and what party is in charge of them. It is important to recognise that cloud computing offers a more nuanced controls landscape than traditional IT services. In turn, the responsibilities within this landscape require an understanding of how CSPs and financial institutions in their role as CSCs work together.

This in no way implies that financial institutions are not living up to the responsibilities placed upon them by financial regulation as the basis of continuous financial supervision. The accountability of banks remains unquestioned⁷. European banks take risk control and financial stability very seriously, not only for reasons of regulatory compliance but to deliver the best service possible for their customers.

Nevertheless, cloud computing is shaping different roles for the parties involved. Traditionally, when third parties are involved in the provision of a service, customers specify to them their service demand, followed by the supplier building a solution to meet the customer’s requirements. Afterwards, the supplier manages and operates the solution on behalf of the customer. In the case of cloud solutions, the CSC does not always fully delegate these functions to the CSP, but the business model is based on the CSP having product offerings that the customer can use on a consumption basis. The CSC itself is responsible for building and configuring its services in the cloud as it sees fit, and the CSC remains responsible for the management and operation of the service.

Service hosting controls and service management controls are distinct from one another. Where a CSP supports hosting, and a CSC supports the management of its computer controls, this needs to be viewed as a combined responsibility. Where both hosting and management are supported by the CSP alone, this is more akin to traditional outsourcing.

IaaS and PaaS cloud computing customers are building systems on top of cloud infrastructure. Although the CSC is always accountable and required to supervise and monitor any process affecting its activities, the “low level” security and compliance responsibilities are usually divided between the CSP and financial institutions as CSCs. The latter control how they create the architecture and secure their applications and data put on the infrastructure. The CSPs on the other hand are responsible for providing services in a highly secure and controlled environment as well as providing a wide array of additional security features. A generic compliance structure for CSPs facilitates the understanding of the control environment and risk mitigation implemented by the service, supporting a high level of transparency. The level of information provided by the CSP shall be sufficient to ensure the financial institution can make informed security decisions instead of decisions based on a notional perception of security.

7 See above Chapter 4.2
Consequently, banks and CSPs operate with the help of a nuanced controls landscape, as indicated by this exemplary orientation:⁸

FIGURE 10 Customer-managed and provider-managed layers per service model
Enterprise IT (Legacy IT)*: Applications, Security, Databases, Operating System, Virtualization, Servers, Storage, Networking, Data Centers – all Customer Managed
Infrastructure (as a Service): Customer Managed: Applications, Security, Databases, Operating System; Provider Managed: Virtualization, Servers, Storage, Networking, Data Centers
Platform (as a Service): Customer Managed: Applications, Security; Provider Managed: Databases, Operating System, Virtualization, Servers, Storage, Networking, Data Centers
Software (as a Service): Applications, Security, Databases, Operating System, Virtualization, Servers, Storage, Networking, Data Centers – all Provider Managed
*If operated by the own entity

The technological nature of cloud, paired with distinct roles for both CSPs and CSCs, requires a close look at the division of controls for a cloud service in question. In order to reflect this evolving controls landscape in banking supervision, NCAs are invited to consider figure 10 carefully when assessing the management of relevant risks by banks according to applicable financial regulation. The cloud service models PaaS and SaaS show a visible difference to other IT paradigms.

To reflect the cooperative nature of the controls landscape, please consider the following controls origin:

FIGURE 11 Controls origin
Controls “inherited” from the cloud service provider – managed by CSP. E.g. physical & environmental.
Common controls – managed separately by both CSPs and CSCs. E.g. patch & config management; cyber security; employee training & awareness; employee screening.
Controls specific to cloud service customers – managed by CSCs. E.g. service & communications’ protection; sensitive data protection; data location; data deletion/porting.

8 Based on the figure at: https://mycloudblog7.wordpress.com/2013/06/19/who-manages-cloud-iaas-paas-and-saas-services .
While innovative cloud services constantly evolve, thereby preventing an exhaustive and static overview, this simplified visual will help to understand the distinction between management features according to the cloud services in question.
Projecting the understanding of the different roles in the controls landscape to the cloud service models available, please consider figure 12. CSCs remain accountable for computing, although with cloud computing they no longer operate all the IT controls in the cloud computing infrastructure themselves. The responsibility over the management and operation of IT controls may be shared with CSPs. The degree of control allocation depends largely on the cloud service model, with more controls managed and operated by CSCs in IaaS than in SaaS.

FIGURE 12 Control allocation along the service models, from IaaS to SaaS.

The environment of cloud services provided to financial institutions is continuously developing. Based on the understanding of control demand, control origin and shared responsibility, the institutions can engage with CSPs on a new operational process that may be required to manage the relationship and the shared obligations for management effectively.

4.4 Careful consideration of cloud migration

Business users of cloud services need to consider various issues before moving their own activity into cloud service productivity tools. European banks choose a strategic and carefully planned approach to using cloud computing⁹, which has a positive effect on the identification and management of risks¹⁰.

Cloud solutions provide for technological opportunities to lift an application or landscape out of its current hosting environment and shift it to another, for example lift-and-shift of on-premises hosting to the public cloud. This would include a migration of the three top layers: application, database and OS layer. Besides the speed of such migration, advantages can include cost-effectiveness, reduced disruption and quick return on investment.

However, such technical solutions for rapid migration do not automatically imply that financial institutions seek out cloud solutions in a less secure – because rapid – way. Quite the opposite, “lift-and-shift” solutions are weighed by financial institutions in the light of the responsibility and regulatory framework. While companies may choose to “lift and shift” in terms of moving applications in their current state, meaning no

9 See Chapter 3 for the banks’ journey to cloud.
10 See Chapter 4.2 for the support tool regarding risk awareness.
modernisation or other changes, they still re-evaluate the control landscape. Careful planning and agreements are necessary not only regarding controls, but the operational processes that will be required to manage effectively the relationship between the CSP and CSC. This can include organisational steps such as monthly Service Level Agreement (SLA) and risk reporting meetings, periodic reporting to executive management and/or board as well as other actions – depending on workload and data criticality. Consequently, financial institutions consider a transformative development towards cloud on the basis of a carefully established cloud migration strategy. This strategy clearly defines the business outcomes the financial institution is seeking and the timeframe to achieve predefined goals.

A careful adoption of cloud in the financial industry should consider general assumptions:
- Appropriate standardisation of technology components and services, interfaces and controls can enable universally understood, seamless and secure interconnectivity and appropriate isolation between cloud-ready networks.
- A gradual cloud adoption uses commonly understood service models and use-case scenarios, driving towards the highest possible level of abstraction from technology resources.

Figure 13 shows the typical landscape of a financial institution’s services, ranging from highly

FIGURE 13 Target Technology Framework Overview – Technology Areas
A: Internal network. B: External network.
Consumer & Client: private and business clients, internal hub, branch, employee, systems like PoS, ATM; connected by internal and external network. (1)
Security: client, data and system protection for all areas; functional federation to the areas, but central data analysis. (2)
Management & Control: service management, resource placement, utilisation, monitoring and commercial management; functional federation to the areas. (3)
Software as a Service (4): internal use cases with compliance requirements to stay internal, incl. security / access governance, commercial and technology interface; external use cases incl. security / access governance, commercial and technology interface. Start with highest level of abstraction.
Private Cloud and Private Virtual Cloud – Data (IaaS, CaaS and PaaS) (5): platform for virtualized environments, container technologies, databases as a service, etc.; hybrid.
Shared Infrastructure (6): consolidation on shared hardware where systems don’t move to platforms for technical or economical reasons; lift / shift.
Specialised Infrastructure (7): physical hardware / appliances supporting revenue generation, competitive advantage scenarios.
IaaS, CaaS, PaaS, SaaS = Infrastructure-, Container-, Platform- and Software-as-a-Service; VM = Virtual Machine; example of a common abstraction layer.
customised platforms (lower left corner) to highly generic software as a service offerings (upper right corner, box labelled No. 4).

For the banks to leverage cloud technologies, an educated decision must be taken on whether cloud service and deployment models will best suit the banking service needs according to efficiency, efforts to migrate, security, complexity and interoperability, and which models these are. This can be achieved by mapping the status quo and the future needs for the cloud service layers as part of the above mentioned cloud migration strategy:

ONE – consistent interface layer for all consumers.
TWO – federated and requirements-based implementation of security.
THREE – orchestrated monitoring and control information.
FOUR – internal and external SaaS to be considered if the function is standardised across markets.
FIVE – compatible, interoperable Hybrid Cloud Compute Platform.
SIX – use available IaaS where it is not economically viable to transform to the Hybrid Cloud.
SEVEN – use specific infrastructure only if needed, e.g. for latency aspects; keep overall footprint low.

Following these steps, banks can achieve a fit-for-purpose adoption of cloud services. Combined with the sound awareness for the controls demand¹¹, a well-controlled cloud environment for financial services can be established.

On their journey to the cloud, financial institutions can consider – within their individual cloud migration strategy – certain helpful elements for different steps of the way:

TABLE 14
Explore: Understand the Cloud; Understand Value Prop; Chart Cloud Landscape
Envision: Recognize the Case for Change; Drive Shared Vision; Analyze Cloud Opportunities; Build the Business Case
Enable: Define Adoption Approach; Select Cloud Providers; Upgrade the Organization; Revamp Tools and Processes
Execute: Rethink the Enterprise Arch; Design Solutions for the Cloud; Implement and Integrate Solutions; Operate in the Cloud
Source: ‘To the Cloud: Cloud Powering an Enterprise’¹²

11 See Chapter 4.2
12 Pankaj Arora, Raj Biyani, Salil Dave, ‘To the Cloud: Cloud Powering an Enterprise’, 2011, McGraw Hill.
Untouched by the technological development and the changes of IT architecture, European banks serve their customers with service solutions covering the full range of financial needs. However, cloud technology can assign a new dimension to the IT management that underpins financial services. Within the cloud environment, banks – utilising cloud computing for the benefit of customers and business processes – find themselves in the nexus of this modern service operation. In addition to the traditional infrastructure dimension, IT evolves into the role of ‘Service Broker’. Management skills, e.g. regarding vendor relationships, become important. European banks carefully design their journey to cloud in accordance with such an envisaged ‘Service Broker’ function. It allows business operation in a multi-cloud environment, utilising service solutions from a multitude of CSPs. While doing so, financial institutions stay alert to the consequences for operational risk and the control capacities. Ultimately, attention by institutions and NCAs – based on a risk-based approach – should focus on the successful management capabilities of banks for the indicated service brokerage. Applying the management function, European banks then use the changed IT capacities for the execution of traditional as well as innovative financial services.

FIGURE 15 IT as Service Broker: consumers (AppDev, End User, Clients) – Broker (Security, CMP) – service layers (Bare Metal, IaaS, CaaS, PaaS, SaaS) on Physical, Virtual, Private Cloud and Public Cloud.
CHAPTER FIVE
5 Conclusion

The gradual adoption of cloud computing is a macro trend common to all industries, progressing at a measured pace as the industries, including the financial sector, gain maturity in their understanding of cloud and their capabilities increase. Used wisely it can help to control cost in a more efficient way, improve the flexibility of the business model, allow operational specialisation and improve resilience. With cloud computing further evolving, more advantages are expected to become apparent in the future. As IT is the backbone for banking operations, associated efforts are a big contributor to healthy and competitive financial institutions.

Cloud computing is a key enabler for a successful data economy and service delivery, as it can seamlessly connect banks with other financial institutions, customers and FinTech innovators. The pervasive and secure use of cloud – benefitting customers and banks alike – supported and consistently governed through a risk-centric approach by banks is in alignment with the already existing risk management culture of banks.

As much as cloud computing supports financial innovation, the understanding and quantification of risks associated with new technology is often a challenge. That is why it is important that the risks perceived by banks are reconciled with those risks of greatest concern to regulators. Acknowledging the fast-developing cloud environment, European banks and CSPs aim to support this process. Based on a thorough awareness of risk dimensions, banks carefully migrate services to cloud with attention to consistency, security and corresponding risk management. The visualisation provided under Chapter 4.2, picked up further by examples in the annex, aims to support this awareness. CSPs on the other hand actively engage with their customers to provide services in a highly secure and controlled environment. Together, both parties operate in the face of cloud-specific control demand and an evolved controls landscape following the innovative technological nature of cloud.

NCAs are invited to consider the aspects presented in this paper when conducting their own assessment of institutions’ risk identification and management with regard to cloud services. This should reflect the increasing ‘service brokerage’ role of institutions for their IT capacities, based on cloud solutions in a multi-cloud environment. Resting on the EBA GL and following their own risk-based approach, NCAs find themselves in a key position to contribute to a harmonised supervisory framework for cloud adoption in Europe. Without a common understanding of cloud by regulators, European banks and CSPs, different national approaches could provide for regulatory fragmentation across Europe, ultimately hampering cloud adoption by financial institutions.

This paper aims to contribute positively to the discussion on cloud, sharing fundamental information as a basis for current and future supervisory engagement with European banks and CSPs. A harmonised regulatory approach to cloud will help to facilitate its innovative potential in finance, foster its adoption by the European banks and aid the financial sector in further endeavours of digital transformation.
GLOSSARY

Back-end systems: Systems which do backend processing of data which can be accessed e.g. by front end systems (e.g. ledgers, booking).

CaaS: Offering for container-based virtualisation in which CSPs offer a complete framework to customers for deploying and managing containers, applications and clusters. CaaS offers a completely enabled container deployment service with security and governance control for IT management.

CI/CD toolchain: Continuous integration and continuous deployment of code changes into existing instances at any time, not being restricted by predefined release cycles or change windows. To enable this, highly standardised coding and testing principles are necessary as well as highly automated test and deployment procedures to control the risk of change.

Cloud computing: An innovation in computing that allows for the use of an online network (‘cloud’) of hosting processors so as to increase the scale and flexibility of computing capacity. Cloud allows industries to tap into new service models, utilising its technological advancement for new and better services to customers, improving productivity, cost-efficiency and flexibility of internal business processes.

Cloud deployment model: Defines rules and guidance on where workloads are deployed. For example, highly critical workloads are to be deployed on a private cloud; low criticality functions can be deployed on a public cloud.

Cloud service model: Outlines the usage of cloud services with the definition of IaaS, PaaS, CaaS and SaaS.