Banks: 3 Recommendations for Secure Cloud Migration


In Switzerland, the risk of cybercrime has particularly slowed the adoption and deployment of the cloud within the financial sphere.

Martin Hess, Head of Economics and Digitalisation for the Swiss Bankers Association (or SwissBanking), is well aware of this obstacle:

« Even though the advantages of the cloud are obvious, banking secrecy and legal uncertainties have limited banks’ room for manoeuvre, as they cannot afford to let their customers’ data out of Switzerland. »

Martin Hess

For this reason, in March 2019 the SBA published a guide for banks using cloud services. Its goal: to secure and simplify the migration of banking data to the cloud.

Net4All provides its interpretation and summary of this 43-page document here.

The Advantages of the Cloud

Although there are regulatory uncertainties, banking and financial institutions are well aware of the benefits of the cloud. Indeed, the use of this technology offers many advantages in terms of:

  • innovation, through access to advanced services such as Artificial Intelligence, Machine Learning, etc.
  • agility, through the rapid implementation of labs or ‘Proof of Concept’ in order to develop new products or services based on the philosophy of ‘fail fast’.
  • access to expertise, when it comes to strengthening security or keeping environments in operational condition.

In addition to these benefits, a cloud-based approach enables costs to be optimised by implementing a tailor-made infrastructure capable of adapting to changing business conditions. Here again, access to specific skills can be very useful, even indispensable.

Cloud Support: The Choice of Partner

A secure cloud operator offers solutions and measures adapted to meet the various categories of uncertainty presented in the guide:

Management and Monitoring (Governance)

The selection of a partner is particularly crucial. Indeed, in the case of outsourcing essential functions or services, an assessment of the risks and opportunities is required. The objective is to move towards a provider that has the professional capacity, as well as the human and financial resources, to fulfil its contractual obligations.

The choice will also be based on the provider’s willingness to commit itself in an appropriate manner to the implementation of various measures to ensure compliance with customary regulations, obligations resulting from the law applicable in the context, or data protection laws.

This can be verified through the application of frameworks and good practices, through the implementation of specific procedures, or on the basis of the chosen partner’s certifications.

In addition, it is important to ensure that outsourced services are clearly identified and that their repatriation is agreed upon at the beginning of the relationship. In order to be able to guarantee the possibility of realigning its technological choices and/or partners, it is imperative to provide an exit option in the form of a reversibility clause in the contract.

Data processing

An approach to projects from a data perspective, meaning one that takes into account data sensitivity and the need for security, can prove relevant when designing an architecture that meets business challenges in terms of performance, while guaranteeing the confidentiality, integrity and availability of information.

In order to implement the technical and organisational measures that meet the specific requirements of the Data Protection Act, your secure cloud operator can offer you a Security Assurance Plan (SAP). The SAP is an appendix that defines the methods, organisation and specific safety assurance activities during the life cycle of the contract.

Its objectives are to provide a common reference for all stakeholders, to set out the rights, duties and responsibilities of each party, and to clarify the procedures to be followed, the tools to be used and the standards to be respected.

A regular review of the SAP makes it possible to check that it is being applied correctly and that it remains adequate as standards and legislation evolve.

Audit

Trust and transparency are key elements in any relationship. Even if each party retains its own scope of action, it is sometimes necessary to provide visibility, particularly when it comes to ensuring that obligations are properly met. As such, it is essential to agree on the modalities of cooperation.

The identification of the persons involved, the notice period, the required accesses, the audit plan describing the expected elements, the form of the audit report and the associated financial conditions are all elements of the process that it is advisable to evaluate.

Cloud Computing and Security, a viable duo

Each project is unique: each requirement has its own solution!

The cloud offers solutions that are difficult to match. It is therefore entirely justifiable to consider this option when defining an IT strategy.

Although the level of security can be progressive according to the maturity of the hosted platform, the very large perimeter offered by public clouds requires cross-functional integration of security to ensure minimum requirements in terms of encryption, access federation, etc. Serious experience in this type of environment means being able to provide exhaustive coverage which takes into account all of the risks involved.

Whether the support is peripheral, thanks in particular to certification, or on the technological side, through the implementation of technical layers, calling on experts able to offer support across the whole security project is essential.

Finally, a controlled transition to the cloud opens up new horizons based on technological developments. Everyone must define the extent to which cloud computing can meet their current and future needs!
