De-risking Cloud Consumption: IBM Cloud for Financial Services
By Charles King, Pund-IT®
noun: a situation involving exposure to danger
verb: to expose (someone or something valued) to danger, harm, or loss.
One of the odder points about cloud computing is the ongoing contentiousness over technical infrastructure. Debating the quality and benefits of various system designs, silicon developments and aaS models has its place but is analogous to arguing over who builds the best turbines for hydroelectric plants. More important concerns include how electrical services are being put to use and how well vendors are addressing customers’ business-critical requirements.
In the case of cloud, that is especially important when it comes to organizations that require far more than support for simple business processes or general-purpose compute, such as those in heavily regulated industries like banks, insurers and other financial institutions. IBM Cloud for Financial Services offers a good example of how an innovative vendor can blend deep technical expertise, decades of industry experience and valuable strategic partnerships into compelling new services and solutions.
Risky business: Financial services and real-world threats
It’s an urban myth that legendary bank robber Willie Sutton said he targeted financial institutions “Because that’s where the money is,” but the truth in that statement remains: Whether it involves gaming ATMs or credit card terminals, engaging credulous consumers in online phishing expeditions or targeting banks and credit unions with ransomware attacks, financial institutions and their clients are increasingly being placed at risk by sophisticated cybercriminals.
Just as importantly, the evolution of financial services has tended to increase risk exposure rather than curtail it. Financial organizations are among the most proactive adopters of new technologies, partly because they are sensitive to their businesses being disrupted by emerging offerings. As a result, computing innovations have massively improved financial processes, especially in mid-office and back-office processes, substantially growing business and commercial opportunities. However, digitized processes have also vastly expanded targets and attack surfaces for fraudulent activities.
Not surprisingly, like other enterprises, those in financial services are considering how cloud can help them transform into ever more modern businesses. But security issues, which have long been a deterrent for public cloud adoption, leave many financial organizations concerned and uncertain.
What applications and workloads are well-suited for cloud deployments? Which public clouds deliver the best support for risk-averse businesses? What do myriad regulators, including those in the dozens of global markets where financial services companies do business, make of banking in the cloud?
IBM’s history in financial services
IBM’s efforts in this area began before November 2019, when it announced the world’s first financial services-ready public cloud, which had been designed specifically to address key risk issues, and that Bank of America was its first committed collaborator and customer. The following May, IBM revealed that Howard Boville, whose 25 years of financial services experience included eight years as Bank of America’s CTO, had been named as SVP of IBM Cloud. In April 2021, the company announced the general availability of IBM Cloud for Financial Services, including support for Red Hat OpenShift and other cloud-native technologies.
These are all key points in IBM’s evolution of its financial services solutions, but where do they fit into IBM’s broader efforts in financial services? Consider that this new portfolio (built on IBM Cloud) is just the latest offering in the company’s decades of serving and collaborating with financial services customers.
IBM has been a central strategic partner and supplier for banks and financial organizations since the days when its “business machines” referred to sophisticated mechanical calculators, and through decades of mainframe transaction processing development. Today, IBM Z is the only platform offering Hyper Protect Data Controller, which supports end-to-end, data-centric encryption and privacy, securing data wherever it resides, and “keep your own key” (KYOK) encryption capabilities based on FIPS 140-2 Level 4 certification, the highest level of data security, including detecting and responding to unauthorized attempts at physical access. This provides customers with exclusive control over their data. Not even IBM can access it.
In other words, IBM maximally secures business data and applications against external and internal attacks. Is it any wonder IBM Z is the platform of choice for 44 of the world’s top 50 banks and that 86% of all credit card transactions run through IBM Z systems? Also, is there a better or more experienced vendor than IBM for delivering mid- and back-office solutions that address the key challenges facing cloud-bound financial services companies?
The compliance equation
However, foundational IBM hardware technologies and related software, middleware, consulting services and research investments from the company and its strategic partners are simply pieces of the much larger and wider effort that resulted in the IBM Cloud for Financial Services. For IBM, the ultimate goal was to fundamentally “de-risk” cloud services, so they meet customers’ essential security and privacy needs, as well as the robust compliance requirements of global financial industry and government regulators.
How did IBM approach this complex task? By systematically solving what might be called the “compliance equation” through three essential steps:
- Collaboration/Consensus—IBM contacted key financial customers and partners, including Bank of America and BNP Paribas, both among the Top 10 largest banks in the world by total assets, to discuss their approach to and frameworks for ensuring digital security and regulatory compliance. The company also reached out to strategic ISV, SaaS and developer partners focused on financial services, as well as industry and global regulatory authorities. Working together, IBM and its customers and partners reached a consensus on what was needed to effectively reduce risk in cloud-based services and transactions.
- Control—As a result of those discussions, the company worked with Promontory Financial Group – an IBM Consulting business unit focused on strategic risk and compliance advisory services. The result was the IBM Cloud Framework for Financial Services, a unified set of pre-configured security and compliance controls built specifically for the industry. Designed to enable real-time monitoring and continuous compliance via IBM Cloud tools and solutions, the Framework also helps customers lower the risk, cost and complexity of staying current with regulatory changes. IBM also continuously validates these controls with industry councils for global chief information security officers (CISOs), chief technology officers (CTOs) and chief information officers (CIOs) from major banks, insurance providers and regulatory agencies.
- Consistency—The IBM Cloud Framework for Financial Services does not simply aim to ensure that customers comply with industry and government regulations. It is a comprehensive control set that also spans access management, configuration management, cybersecurity and data safeguarding. IBM also provides detailed documentation and templates designed to guide customers through, and automate, reference architecture and control implementation processes. As a result, banks can ensure that cloud-based services and solutions consistently meet their security and regulatory goals while also providing a solid foundation for consistently developing and deploying secure new solutions and services.
The result? Collaboration/consensus + control + consistency = compliance.
One of the most interesting points about IBM’s Cloud for Financial Services is how the company’s collaborative strategy will also enable it to proactively evolve to address future market shifts, unexpected regulatory changes, and new business opportunities.
Central to these efforts is IBM’s Financial Services Cloud Council, a collaborative organization represented by CIOs, CTOs, CISOs and compliance and risk officers from global financial services organizations. The group focuses on bringing together major financial institutions to help guide the development of cloud services for mission critical financial workloads.
Additionally, IBM maintains open dialogues with industry regulatory authorities in North America, the United Kingdom, Europe, Asia Pacific and Australia to ensure that the IBM Cloud Framework for Financial Services enables comprehensive compliance with regional and local regulatory rules and guidelines. The company is also working closely with over 100 ISVs, SaaS providers and other vendors to validate solutions for the Cloud for Financial Services, adding an additional layer of trust for risk-averse customers.
It should be noted that like all other IBM Cloud solutions, the Cloud for Financial Services supports the open, hybrid cloud and multi-cloud deployments that enterprises overwhelmingly prefer. Along with offerings based on Red Hat OpenShift and other cloud-native technologies, IBM Cloud Satellite offers clients a secured, unifying layer supporting cloud services across environments, regardless of where their data resides. In essence, IBM Cloud customers can use Cloud Satellite to write applications once, then run them in any environment, from on-premises data centers to the edge to other public clouds, including AWS, Azure, Google Cloud and Alibaba.
The company also maps IBM Cloud for Financial Services to over 1,000 National Institute of Standards and Technology (NIST) controls for cybersecurity and other functions. NIST provides a sort of “Rosetta Stone” that enables IBM to map solutions to existing and emerging control frameworks, including ISO (International Organization for Standardization), C5 in Germany, ISMAP in Japan and others. As a result, customers utilizing IBM Cloud for Financial Services can choose and map their applications to whichever NIST standards best address their compliance and security needs.
Finally, IBM works with other financial services-focused vendors and groups with similar missions, like the Cloud Security Alliance, to achieve consistency and accord on control frameworks.
IBM is well-known and regarded for its success in helping enterprises drive and achieve technological transformations across a wide range of commercial applications and use cases. To be sure, the foundation of IBM Cloud for Financial Services is deeply embedded in core IBM Public Cloud and open technologies. In fact, while the new services can be deployed in hybrid and multi-cloud environments, customers will find their deepest functions and levels of integration on IBM Cloud due to unique solutions, like the Hyper Protect Data Controller and KYOK encryption.
However, while IBM Cloud for Financial Services clearly reflects the company’s considerable technological depth, it is simply the foundation for solutions designed to address key business challenges. This underscores the vital importance of IBM’s decades of serving financial institutions, and the insights into mid- and back-office processes that resulted from those tens of thousands of client engagements.
Beyond those points, why should financial services organizations and their customers pay attention to the considerable effort the company and its strategic partners are putting into the IBM Cloud for Financial Services? After all, IBM is hardly the only vendor developing and delivering such offerings, including cloud-based services.
In a recent briefing, IBM Cloud SVP Howard Boville said, “The reason there is such an enthusiastic uptake for IBM Cloud for Financial Services solutions with recent customers, including CaixaBank, Luminor Bank and financial institutions across Africa is the understanding that cloud is not properly managed with the right consistent set of controls. What do I mean by that? That there are mission-critical business processes that banks do—payments, capital market interactions, trade, financial transfers and so on—that the world economy runs upon. Should any IT operational, cybersecurity, or data privacy issues impact the supply chain that underpins those processes, that will introduce systemic risk into the global financial system.”
The fundamental issue is not why any banks, insurers, credit card issuers and other financial organizations should care about IBM’s efforts to de-risk cloud computing for mission-critical workloads or employ IBM Cloud for Financial Services. It is why any would not.
© 2021 Pund-IT®. All rights reserved.