Cloud computing in the financial sector
- 28.10.2022
- 7 min
The migration of companies and institutions to the cloud is in full swing, with over 64% of Polish enterprises already using this type of solution and a further 26% planning to do so in the near future. Meanwhile, although not new, cloud computing in the financial sector is still not used to its full potential. Why is this the case?
What exactly is a Cloud?
According to NIST (the US National Institute of Standards and Technology), cloud computing is "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.". For financial institutions, subject to various restrictions and regulations, both internationally and nationally, cloud adoption has not been easy so far.
According to the 'Digital Transformation of Companies 2020' study, conducted by EY Poland, most Polish companies are already using cloud solutions to varying degrees. The most frequently quoted advantages are the desire to improve communication and team collaboration (54%), reduce costs (34%) or increase data security (29%). At the same time, a survey conducted by PWC among companies in the financial industry shows that as many as 65% of companies in this sector assess the cloud maturity of their institution as low.
Meanwhile, the cloud can mean tangible benefits for financial institutions. It is not only the increased security of resources (those which regulations allow being placed in the cloud) and their increased availability, e.g. for field staff, or the reduction of costs thanks to automation. It is also an increase in predictability and resilience to unpredictable events (such as natural or construction disasters) and, perhaps most importantly, from a financial perspective, the ability to significantly expand the field of operations and easily build an entire ecosystem of partners through Embedded Finance solutions as well.
At the same time, it is worth to mention that this industry is one of the most vulnerable to cyber-attacks. According to the report by the Union of Polish Banks (ZBP) on the impact of the COVID-19 pandemic on banking in Poland in Q2 2020, the number of users actively using electronic banking exceeded 19 million in total. A sector with such developed online channels for customers, which are simultaneously so highly vulnerable, can be a tasty morsel for cybercriminals. Appropriate requirements and guidance from regulators are therefore needed and expected. Below, we will briefly discuss how the situation is currently shaping up, using the example of solutions in Poland.
Cloud computing regulation in the financial sector on the example of Poland
The rules, concerning the cloud, are set at the European Union level and by national regulators. One such authority is the Financial Supervisory Commission (KNF), which oversees the banking sector, insurance, capital and investment markets; it is also responsible for regulating markets related to electronic payments, electronic money institutions or cooperative credit unions.
This wide range of areas under the control of the KNF has clearly defined rules of operation – from the business layer, operational risks, as well as those relating to IT systems, project implementation and the security of these systems. As part of its mandate, the regulator makes a number of recommendations to help ensure the secure use of the cloud by the sector.
This type of document is the so-called Recommendation D, concerning the "management of information technology and security areas of the information and communication environment in banks". It consists of two main parts: a list of recommendations and chapters describing in detail the implementation recommendations from the list presented. The document is intended to indicate supervisory expectations, i.e. it conveys the good practices expected by the authority supervising financial institutions.
The main assumptions from the recommendations are that each of the banking systems and each of the institutions in the sector should have formalised procedures for the management of IT systems, cooperation with suppliers, implementation of IT projects or a detailed and documented architecture of the systems. The recommendations also indicate that system security principles should be described, systems classified according to risk, and information security activity should be related to threat identification, control, counteraction, monitoring and risk reporting.
The entire list of recommendations is completed by the latest Recommendation 22, which indicates that the area of information technology and security of the ICT environment should be subject to independent, systematic audits - which in practice can be understood as outsourcing such audits to external companies specialising in this area. Banks and financial institutions should therefore have their own security policies and checklists for their IT implementations and projects.
Reference model for cloud implementation in finance
The recommendations and guidelines provided by the KNF allow both the financial industry and solution providers for this service sector to carry out a risk assessment and classification of the use and processing of information in a structured manner. Although Recommendation D itself was issued in 2013, its recommendations have been re-examined and, in early 2020, the KNF published a specific communication regarding the processing of information by supervised entities in public or hybrid cloud computing. In it, the FSC distinguishes five core areas of the reference model, specifying:
- application guidelines,
- guidelines for the classification and evaluation of information,
- guidelines for risk assessment,
- minimum requirements for information processing in cloud computing,
- rules for informing KNF of the intention to process or handle information in cloud computing.
The chapter describing the application guidelines thus clearly defines the necessity of using the reference model; from the preparation stage through implementation to the end of information processing in cloud computing.
This is extremely important for financial institutions. The guidance enforces that the appropriate steps must be taken, including the time before the project itself begins. The requirements must be met even before cloud computing starts in a production environment. Please note, however, that it does not apply to test and development environments. It is also worth reading about the requirements, depending on the type of cloud computing used. The different types defined by the KNF, can be found in the document. In general it can be stated that according to it:
- a public cloud is an environment owned or directly managed by a cloud computing provider,
- a private cloud is owned or directly managed by a supervised entity (i.e. a financial institution),
- a hybrid cloud is an environment consisting of different types of cloud computing that, using appropriate technologies, remain jointly integrated and information processing activities occur between them.
The direct regulations only apply to public and hybrid (part public) cloud environments. The above requirement clearly indicates, in case of a hybrid cloud development, the need to develop clear separation of the stored data and the way it is processed already at the first stage of the project.
Advantages of implementing cloud computing in the finance sector
Implementing a cloud computing solution allows:
- easier scalability of the solution – the cloud allows the solution to be scaled horizontally and vertically on demand without expanding its own infrastructure,
- faster deployment of solutions – thanks to the availability of multiple solutions in platform (Paas), infrastructure (IaaS) or software-as-a-service (SaaS) models, it is possible to integrate multiple elements into a single working ecosystem quickly - thus allowing rapid deployment of the solution,
- savings associated with maintaining own infrastructure – by using the cloud, an organisation does not incur additional costs associated with maintaining its own infrastructure, dedicated teams to monitor and manage it, replacing hardware or servicing it,
- flexible billing models – cloud solutions allow the solution to be billed according to usage, the use of the system, so the organisation can pay for the solution according to actual usage,
- data security – cloud solutions provide high-end tools to ensure the security of stored data, from encryption and API keys, to ready-made SIEM class solutions (combined information and event security solutions), allowing accurate monitoring of incidents occurring in the system that are potential security risks.
Fintin's readiness for cloud computing
Fintin is designed to be deployed in any environment of choice, both on-premise, and hybrid or cloud-based models. Thanks to a flexible architecture prepared to meet the regulatory requirements and the experience of the implementation team, the solution is ready to be implemented in accordance with the requirements of the KNF, meeting the highest security standards.