On July 22nd, 2020 IBM announced their IBM Cloud for Financial Services – what is this, why have IBM taken this step, and what does this announcement mean?
Financial Services Compliance Challenges
One recurring challenge for all organizations is complying with the ever-increasing number of laws and regulations. When IT services are delivered on-premises, organizations often believe that this gives them the oversight, control and visibility needed to ensure and prove compliance. This is not the case with cloud-delivered services, where responsibility is shared between the customer and the cloud service provider (CSP) and the customer has less visibility of the controls the CSP operates. However, digital transformation initiatives are adopting cloud services to provide speed and agility, and this is leading to tensions between the organization's functions for digital transformation and those responsible for risk and compliance. Nowhere is this more apparent than in financial services.
The hyperscale CSPs such as AWS, Azure and IBM provide easy access to the capabilities needed by development teams to accelerate the creation of critical new business applications. While the major cloud service providers go to great lengths to secure the infrastructure of their environments, it is up to the customer to secure its own use of the services (how they are configured, who can access them and how data and keys are handled) and to prove compliance. This is often outside the skills of DevOps teams or is overlooked, and can lead to critical vulnerabilities that can be exploited by cyber adversaries.
Compliance is not enough – you need to prove you are compliant
Another challenge is that even where a cloud service is well secured and is being used in a compliant manner, the customer must prove that this is the case to regulators. CSPs often approach this by publishing long lists of the laws and regulations with which their service is compliant. However, this is not sufficient to solve the customers' compliance challenges.
From the customer's perspective, there is a need to show how the controls that they have in place contribute to meeting their regulatory obligations. These obligations vary from customer to customer, as do the risks, and so each customer will have an individual mapping between risks, controls, and obligations. This mapping is complex and must include all IT services involved, irrespective of how they are delivered. This means including how the controls within the service are governed as well as how they are used, and there must be adequate proof that the controls not only exist and are effective but also how they map to obligations and risks. In effect, this is a specialized form of cloud security posture management, described in a previous blog.
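To make the mapping concrete, here is an added example (not IBM's, KuppingerCole's or any vendor's code) of how such a mapping can be evaluated mechanically. Every obligation ID, control ID, evidence record and date below is constructed sample data. It checks, for each obligation, that every required control exists in the inventory, has recent evidence, that the evidence shows the control effective, and that a control operated by the CSP is backed by an independent attestation rather than a test the customer ran itself; anything else is reported as a gap.

```python
"""Map regulatory obligations to controls and check the evidence behind them.

Added illustration, not code from IBM or the article: all obligation IDs,
control IDs, evidence records and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    operated_by: str  # "customer" or "csp" under the shared responsibility model


@dataclass(frozen=True)
class Evidence:
    control_id: str
    collected: date
    effective: bool  # did the test of the control pass?
    kind: str  # "customer_test" (run by the tenant) or "csp_attestation" (e.g. auditor report)


# Constructed mapping: which controls satisfy which obligation.
OBLIGATIONS = {
    "OBL-DATA-PROTECT": ["CTL-KEY-CUSTOMER-MANAGED", "CTL-STORAGE-ENCRYPTED"],
    "OBL-ACCESS-REVIEW": ["CTL-QUARTERLY-ACCESS-REVIEW"],
    "OBL-DC-PHYSICAL": ["CTL-DC-PHYSICAL-ACCESS"],
}

# Constructed control inventory; CTL-QUARTERLY-ACCESS-REVIEW is deliberately missing.
CONTROLS = {
    "CTL-KEY-CUSTOMER-MANAGED": Control(
        "CTL-KEY-CUSTOMER-MANAGED", "encryption keys held in a customer-controlled HSM", "customer"),
    "CTL-STORAGE-ENCRYPTED": Control(
        "CTL-STORAGE-ENCRYPTED", "all object storage buckets encrypt data at rest", "customer"),
    "CTL-DC-PHYSICAL-ACCESS": Control(
        "CTL-DC-PHYSICAL-ACCESS", "data-centre physical access control", "csp"),
}

AS_OF = date(2020, 9, 1)  # constructed assessment date

# Constructed evidence; the older failing test for the key control is superseded by a newer pass.
EVIDENCE = [
    Evidence("CTL-KEY-CUSTOMER-MANAGED", date(2020, 6, 1), False, "customer_test"),
    Evidence("CTL-KEY-CUSTOMER-MANAGED", date(2020, 8, 20), True, "customer_test"),
    Evidence("CTL-STORAGE-ENCRYPTED", date(2020, 4, 1), True, "customer_test"),
    Evidence("CTL-DC-PHYSICAL-ACCESS", date(2020, 8, 1), True, "csp_attestation"),
]


def assess(obligations, controls, evidence, as_of, max_age_days=90):
    """Return {obligation_id: (status, findings)} where status is "proven" or "gap".

    A control is proven only if it is in the inventory, its most recent evidence is no
    older than max_age_days, that evidence shows it effective, and the evidence kind fits
    who operates it: a CSP-operated control needs an independent attestation, because the
    customer cannot test it directly.
    """
    latest = {}
    for ev in evidence:
        if ev.control_id not in latest or ev.collected > latest[ev.control_id].collected:
            latest[ev.control_id] = ev

    report = {}
    for obligation, required in obligations.items():
        findings = []
        for cid in required:
            ctl = controls.get(cid)
            if ctl is None:
                findings.append(f"{cid}: control not in inventory")
                continue
            ev = latest.get(cid)
            if ev is None:
                findings.append(f"{cid}: no evidence collected")
                continue
            if (as_of - ev.collected).days > max_age_days:
                findings.append(f"{cid}: evidence stale ({ev.collected.isoformat()})")
            if not ev.effective:
                findings.append(f"{cid}: last test failed")
            if ctl.operated_by == "csp" and ev.kind != "csp_attestation":
                findings.append(f"{cid}: CSP-operated control needs independent attestation")
        report[obligation] = ("proven" if not findings else "gap", findings)
    return report


def sample_report():
    """Run the assessment over the constructed sample data."""
    return assess(OBLIGATIONS, CONTROLS, EVIDENCE, AS_OF)


if __name__ == "__main__":
    for obligation, (status, findings) in sample_report().items():
        print(f"{obligation}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script it lists each obligation with its gaps: the data-protection obligation fails only because the storage-encryption evidence is older than the 90-day window, the access-review obligation fails because no control is mapped to it at all, and the physical-security obligation is proven because the CSP-operated control is backed by a recent attestation. The "latest evidence wins" rule is the part that tends to go wrong in real GRC tooling; the sample includes an older failing test precisely to show that it does not override a newer pass.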
IBM Policy Framework for Financial Services
It is in this area that IBM has taken action for financial services.
In collaboration with Bank of America, and drawing on the regulatory expertise of IBM Promontory, IBM has created the IBM Policy Framework for Financial Services. This is intended to deliver the benefits and flexibility of a public cloud in a secure environment, to enable financial institutions, ISVs and SaaS providers to host apps and workloads in the cloud with confidence and trust.
IBM has also established an Industry Cloud Advisory Council to support the IBM Policy Framework for Financial Services and advise on its ongoing advancement. Chief Technology Officer Tony Kerrison will represent Bank of America on the Council, which will be led by Howard Boville, SVP, IBM Cloud. The Council will be focused on bringing major financial institutions together to help drive the strategic evolution of cloud security in this highly regulated sector.
The Policy Framework defines a set of controls based on financial services needs and maps them to specific controls on the IBM Cloud. For example, the obligation to protect data end to end is supported by a wide range of IBM Cloud features and controls. These include IBM Cloud™ Hyper Protect Crypto Services, a key management service backed by a cloud hardware security module (HSM), which puts control of the keys into clients' hands so that the provider itself cannot use them, helping to meet obligations for key management and data protection.
The Policy Framework is based on:
- IBM public cloud controls aligned with NIST that are relevant to financial services’ needs.
- Implementation and deployment practices to guide ISV and SaaS providers with cloud services architectures.
- Implementation and evidence guidance for ISV and SaaS providers to complete and evidence compliance to the Policy Framework.
In support of this, IBM has also announced its Financial Services Compliance Centre, which is based on its OpenPages GRC tool augmented by assets from its recent acquisition of Spanugo.
My Opinion
This is an interesting development in the cloud space. It addresses the compliance challenges that are faced by financial services organizations and which, according to IBM, are limiting their adoption of public cloud services. It illustrates the difficulties faced by all organizations where the hybrid IT delivery model driven by digital transformation has added to the complexity of matching controls to risks and demonstrating compliance in a consistent manner. This approach is likely to become important in other regulated industries.
For more information see KuppingerCole research and sign up for one of our upcoming Virtual Events.
Related research:
Advisory Note: GRC Reference Architecture
Advisory Note: Security Organization Governance and the Cloud