Overcoming the cloudy concerns: Recommendations for banks
In my previous blog, I had posited that banks should not let their concerns deter them from leveraging and reaping cloud computing's immense benefits. That said, banks need to adopt a structured approach towards their cloud implementation. In my view, there are four essential ingredients of a well thought-out cloud adoption approach:
1. Choose the cloud model judiciously: No single cloud model (public, private) can meet all of a bank's requirements. Hence, while choosing the cloud models, banks should consider the regulatory, security, cost efficiency, operational agility, and scalability aspects of the model. In the initial implementation stages, banks can plan to have a federated ecosystem comprising a mix of cloud-based and on-premise applications. Such a federated ecosystem will allow banks to implement multiple cloud models (private, public and hybrid) and retain flexible capacity for incremental adoption.
Depending upon their business needs, banks can opt for a large-scale hybrid cloud model, which combines public and private cloud features. In this model, the computing resources and capabilities are owned by both the bank and the cloud service provider. It allows banks to reap the benefits of optimization offered by cloud, and also ensures a high level of data confidentiality and security. Public cloud capabilities of the hybrid model could be used for general computing, while sensitive data and functions could be enabled in the private cloud. Similarly, for core banking aspects, and also for cases where regulations prohibit processing and storing customer data outside the country, private cloud could be leveraged. An example of private cloud adoption is Westpac New Zealand, which recently opted for IBM's private cloud technology to become the country's leading digital bank. The bank will migrate some of its business-critical applications to IBM's Auckland-based datacentre.
2. Avoid the big-bang approach: Banks should develop a business case for their cloud adoption and take an evolutionary adoption approach. A mid- to long-term roadmap for cloud migration is crucial. Starting with small and less mission-critical legacy applications that have already been architected for meeting external integration and security challenges is the way to go. Also, the relative importance of the data vis-a-vis the regulatory requirements of data privacy and residency should govern the adoption prioritization. The cloud migration strategy should take into consideration the systems' integration (batch, real-time, etc.) and performance requirements. By business domain, lower-risk projects such as ECM, CRM, collaboration and workspace are good candidates to begin with. Payments and corporate banking functions such as credit risk simulations, payment settlement, corporate actions, etc. are also well suited for the cloud. In collaboration and workspace, cloud (public or hybrid) can be leveraged for back-office and horizontal processes such as email, internal collaboration, knowledge sharing, etc. UBS has leveraged Oracle's cloud-based Fusion HCM to support its HR function. Similarly, BBVA's entire workforce is enabled through the cloud email and collaboration suite (Google Apps). In content management, Barclays' private cloud-based service named "Cloud It" provides a cloud-based document management system for customers to store their personal documents.
3. Focus on security: Banks should clearly understand and comply with cloud-related data confidentiality and regulatory requirements. For instance, regulators such as FINRA may want to audit the bank's cloud architecture. Depending upon the local regulatory needs, many banks may have to keep sensitive data (e.g., customer details) within firewalls and in a private cloud. Amazon Web Services has launched AWS GovCloud to allow U.S. government agencies and contractors to move their sensitive workloads into the cloud by taking care of their specific compliance and regulatory requirements. IT teams should thoroughly test all systems to be enabled on cloud for strong data and application security, performance, regulatory, business continuity, disaster recovery and risk management aspects. Cloud security should integrate well with the bank's existing security processes and platforms. A secure, sophisticated and easy-to-use remote access management solution for cloud which can support all operating systems is desirable.
4. Engage in partnership: Banks should engage a leading cloud solution provider to gain expertise and ensure compliance. Cloud service providers can also be engaged to educate regulators on cloud capabilities concerning data security, residency and privacy. Chosen cloud service providers should have a clearly defined strategy, demonstrable ROI and proven capabilities. Banks should get all key information from the providers upfront, including the costs and other implications of migrating the existing infrastructure and applications to the cloud. Banks should also examine the service providers' external security and audit certifications before engaging them. Service providers' performance vis-à-vis transaction volumes, reliability, availability and quality of the services should be scrutinized closely. Stringent SLAs with guarantees and remedies / penalties should be enforced. Banks should have the service provider work with their risk, security, and legal teams and aid in developing the cloud migration plan. Where multiple providers are engaged, it is important to ensure that the applications and data can be moved across the cloud environments, as appropriate. A good example of a third-party cloud solution is Infosys' Cloud Ecosystem Hub. It is a first-of-its-kind solution helping enterprises build and manage a unified hybrid cloud environment. The solution helps to rapidly create, adopt, and govern the cloud services across the clients' ecosystem.
In your view, what are the other key aspects banks should consider during their cloud deployment? I am interested in knowing your views.