Financial Institutions and the complexity of Public Cloud Done-Right

FIs inhabit a state of natural (enforced) cautiousness. It is essential that regulators such as De Nederlandse Bank (DNB), the European Banking Authority (EBA) or the British Financial Conduct Authority (FCA) can see that they are acting in compliance and that the rules that the FIs are tested against are enforced with rigour.

The fact is, that many FIs have the impression, perhaps rightly, that many problems are being dumped on them. Privacy, security, anti-money laundering (AML), anti-terrorism and customer identification (KYC) have expanded and have become tasks that have equal importance, and are perhaps even more expensive to maintain, than the traditional banking work of monitoring of balance sheets and the stability of the payment system. FIs therefore have many more complex and unique requirements for CSPs than many other businesses. These requirements are not always coherently described and FIs struggle to find the services that they need at broad-based CSPs such as AWS and Microsoft Azure. This is because even though FIs are big and powerful, for Cloud Service Providers they are just one of the many parties they serve.

To facilitate shaping a joint position that embraces their needs as a highly regulated industry with the need for extensive cloud space, European FIs have jointly established the 'ECUC': the European Cloud User Coalition. The ECUC is an interest group of FIs because future cloud use is almost inevitable and after all, a collective voice carries more weight. And when compared to the cloud giants or the EU 'regulatory entities', even the biggest banks are small. In the Benelux, large FIs such as ING and KBC Bank are affiliated with the ECUC. The coalition works on best practices within the applicable standards, but also consciously 'takes a position' by means of a 'position paper'.

In May 2021 the ECUC published version 1.0 of their position paper. Along with establishing positions on new legislation such as the European DORA (Digital Operations Resilience Act, a proposal on regulation for FIs), the ECUC also takes a position vis-à-vis the Cloud Solution Providers (CSPs) that speaks to Microsoft, Amazon, Google, and players such as Digital Ocean. Standardisation is essential to make running on Public Cloud infrastructure manageable for FIs, and CSPs have to provide essential functional frameworks in their cloud environments. The ECUC brings FIs together in collaboration, to ensure that there is much more of a direct connection between what FIs want, and how the CSPs can (and will) offer that. It is the FIs' aim to be able to influence the cloud giants’ sympathies towards the highly regulated context in which they operate.

The Morgan Lewis blog, an industry-leading opinion platform, summarised the core of the ECUC Position Paper effectively in three points, the "main challenges" for cloud use by Financial Institutions:

1. Overall Public Cloud adoption for financial services institutions is challenging due to the specifics of cloud computing being regarded as outsourcing.

2. Legislation such as the proposed EU Digital Operational Resilience Act (DORA) and rulings such as Schrems II currently make it difficult for financial services institutions to adopt Public Cloud services.

3. When FIs engage CSPs individually it inevitably leads to additional administrative labour and takes time which is an unwelcome misdirection of priorities.

As a partner of many FIs in the development of platforms, apps, and online services, iO aspires to take care of as many of these concerns as we can. Many FIs only have time to focus on their core business with their own IT development teams. They want to outsource the design, development, hosting & cloud infrastructure for other projects to specialists like iO.

This means that indirectly, the ECUC Position Paper is also important to iO, because the solutions we design for FIs usually find their home in the Public Cloud of AWS or Microsoft Azure. We are happy to adopt the standards and guidelines that are mentioned in the ECUC Position Paper in order to retain clarity in the total 'landscape' of 'controls' on the software we develop for FIs.

This empowers the Chief Information Security Officers (CISOs) and Cloud Operations Teams of the Financial Institutions we serve, who are weathering a constant storm of audits and other regulatory burdens from the regulators. If our connection to and engagement with the ECUC guidelines makes life easier in those departments, that is a substantial gain.

We predict that in the future we will not just be asked the following questions:

• Is your software safe?

• Do you work according to OWASP?

• Can you provide an ISO27001 certificate?

• What is your SSDLC and how do you deal with Dependencies?

We expect that we will also have to provide answers to these questions:

• Does your proposal follow the requirements of the ECUC for Public Clouds?

• Can you provide a setup like the ECUC outlines for my API or app project?

Only then will a carefree deployment of a project to AWS or Microsoft Azure be able to pass the 'checks and controls' in the future.

At Money2020 Europe, in September 2021, we listened carefully to the ECUC Position Paper. The most important aspects of this ECUS Position Paper are already influencing the market. Many guidelines of the ECUC are still provisional and the DORA regulations have not yet been carved in stone, but the contours are already emerging. It’s important to know, what does version 1.0 (May 2021) of the ECUC Position Paper contain? And how can we best support these positions as a digital partner for FIs?

The ECUC Position Paper describes expectations on five topics: privacy, security, governance & regulation, standard contractual clauses, and operational resilience.

Within these requirements, sub-areas have been defined, some of which are quite concrete. Other sub-areas focus more on laying down an abstract control framework. On topics such as the precise contract between an FI and a CSP, the FI's legal and procurement team usually has to work alone. Other sub-areas can easily be tackled in collaboration with a digital partner. Below we are highlighting some of the requirements of these sub-areas, which we think typically belong in the support that a digital partner like iO provides to an FI in a cloud project.

Governance & regulation

'Exit Strategy requirements' states that careful consideration must be given to how a solution can be removed from a Cloud Solution Provider. A possible answer to this is the use of cloud agnostic infrastructure-as-code frameworks. We think of Terraform for IaaS (Infra-as-a-Service) and The Serverless Framework for (i)PaaS and FaaS (integration platforms & functions-as-a-service). In the meantime, iO is constantly gathering valuable experience with such tooling for digital FI projects that are constantly developing, and we are already familiar with what an 'exit strategy' should look like in practice.

Security

'Encryption at rest' states that only certain HSM (Hardware Security Module)-based forms of key management, for example by means of 'Supply Your Own Key', are acceptable for ECUC members. This requires the necessary expertise with cryptography and the precise operation of cloud services such as the AWS Key Management Service or Azure Key Vault. The CSPs usually offer the right tooling, but the precise deployment and management around it should not be considered trivial.

Logging and monitoring

'Standardised monitoring interface' requires robust and complete audit logging, for both the CSP and the customer (FIs or the digital partner). This is a requirement for which the ECUC has ongoing discussions with the major cloud providers, because without their input it is difficult to determine exactly how a CSP provider logs. On the customer side, cloud-agnostic logging or an abstraction layer between the application and cloud platform can be implemented. At iO we support FIs in this area with a demonstrably complete setup of logging on both AWS and Microsoft Azure. Immutability (protection against changes) and the demonstrably secure storage of certain logs is usually essential.

Backup functionality

'High Availability and Disaster Recovery' discusses the desired functionality and minimum requirements for a CSP in this area. The major cloud providers have all this in order in terms of features. Here, too, it is mainly a matter of properly arranging and overseeing the total landscape that CSPs offer. Making the right choices is often complex, but once the design is in place, the total 'resilience' is usually excellent.

All in all, clearly the ECUC Position Paper mainly focuses on the relationship between FIs, like banks, with CSPs such as AWS and Azure. The topics described in the Position Paper and the way in which a CSP has a possible solution for an FI in every area is comprehensive, with a complex (technical) design as a result.

As digital partner to many FIs, at iO we believe it is essential to monitor and really understand developments, such as ECUC's Position Paper and legislation such as DORA. In that respect, it is comparable to a framework like PCI-DSS in the card payment industry. Because in the flexible space between the Financial Institutions, their own product teams, busy IT teams and the CSP, there is a lot of space to work for specialists like us. Work that is necessary for a project to land safely, reliably, but above all be fully 'compliant' on the Public Cloud.

We monitor all updates to the ECUC Position Paper, and other relevant communications and celebrate this incredible contribution to the future ironing out of the final issues before FIs can truly commit to being all-out cloud.