The notion that ‘freedom lies on the other side of fear’ holds true not only in human psychology but also in the context of financial business. In the FinTech world, cloud technology is freeing banks and financial institutions into greater flexibility, resilience and, prudently done, profitability. To achieve this, they have to conquer fears about security and regulatory compliance.
Barriers to migration
Not too long ago it was considered a highly risky proposition to store, manage and process sensitive financial and customer data in the cloud. In addition, the onus for compliance rested squarely on banks’ shoulders. Relinquishing control of their environment while remaining responsible for their own security policies and procedures felt like too much of a risk.
Nevertheless, to have any competitive relevance, banks and other financial institutions must be able to innovate, streamline their operation, scale up or down, and ensure the highest levels of quality, performance, and customer service, all with the greatest agility and adaptability, and without compromising security.
In recognition of this, specialist financial infrastructure providers are dedicating themselves to facilitating not only operational efficiency but also secure and compliant governance up and down the supply chain.
Oscar Neill, Chief Information and Security Officer for Beeks Group comments: “A dedicated financial services cloud provider understands the needs and pain-points of its client’s business as well as the controls, frameworks and compliance demands incumbent upon it. It keeps abreast of new regulations, forges security-focused partnerships, and ensures its own security accreditations and quality standards are as current, auditable and dynamic as possible.”
Consequently, the willingness of Managed Service Providers (MSPs) to shoulder much of the compliance burden on behalf of their customers is helping to build banks’ comfort with, and trust in, cloud migration.
Here are a few key examples of how financial MSPs are doing this:
Integrated pillars of security
Describing how cloud security capabilities are key pillars of his company’s flexible architecture, Neill says: “Our capital-markets-dedicated private and hybrid Infrastructure as a Service (IaaS) solutions have integrated market-leading malware protection and vulnerability scanning capabilities to ensure secure configurations for our customers’ infrastructure. Zero Trust access management, firewalling, intrusion detection and prevention, and Security Information and Event Management (SIEM) are all baked into our solutions from day one. Unlike public cloud infrastructure sharing, Beeks’ private cloud provision puts us in complete control of our clients’ environment security, giving us the confidence that there is end-to-end protection.”
ISO 27001 and SOC 2 are important complementary frameworks for cloud service providers to follow.
ISO 27001 is the international standard for information security management, governing how overall security is defined, implemented, operated, controlled, and improved within an organisation. It is an ISO certification that is audited annually and recertified every three years.
SOC 2 defines criteria for managing customer data based on five ‘Trust Service Principles’ (TSC): Security, Availability, Processing Integrity, Confidentiality and Privacy. It differs from ISO 27001 in that it evaluates the effectiveness of an organisation’s security controls and processes over a specific period of time. Commenting on Beeks’ accreditation status, Neill says: “Beeks achieved ISO accreditation in 2020 and is aiming to receive our first SOC 2 report in February 2024.
SOC 2’s transparent and independent audit process gives clients and prospects compelling evidence about how our security controls actually work and operate. This gives clients more dynamic, detailed, and timely operational information to review for their own compliance,” he explains.
Defence in Depth
Highlighting Beeks’ trusted partnerships and multi-layered approach to security controls, Neill explains: “We’ve partnered with US-based Managed Detection and Response (MDR) specialist BlueVoyant to complement our threat-detection capabilities. Their team of security analysts each has at least 10 years’ experience in security operations for government and private sector environments, and they were named Global Microsoft MSSP Partner of the Year in 2023.”
Offering rapid threat detection and response for incidents involving credential theft, anomalous behaviours, and malware propagation, BlueVoyant gives Beeks a head start in threat intelligence sharing, which is of increasing importance in ensuring robust and resilient infrastructures across supply chains.
Early adoption of the Digital Operational Resilience Act (DORA)
DORA is an EU financial regulation which comes into full force in January 2025. According to the wording of the Act itself, it will define rules on five key pillars: financial ICT risk management, incident reporting, operational resilience testing, ICT third-party risk monitoring, and information and intelligence sharing, in order to safeguard the soundness of the entire financial system.
“DORA will put further pressure on providers and suppliers to align their products and services with the necessary controls to comply with the regulation,” says Neill. “Beeks is already getting ahead on this by aligning our solutions to ease the sales journey and reassure banks’ procurement teams. We’re already doing much of the incident reporting, business continuity and operational resilience testing. Our most recent large-scale Exchange Cloud implementation for the Johannesburg Stock Exchange is a good security case study to highlight these capabilities. However, we are not resting on our laurels and have engaged an independent audit firm to conduct gap analyses to assess our DORA readiness.”
Dedicated services vs Public Cloud
“Of course, public cloud hyperscalers will also offer highly accredited solutions to tier 1 participants,” comments Neill, “but not necessarily with the correct scope of understanding of secure and resilient ultra-low latency and high-performance environments. For example, AWS might advertise fully redundant availability zones, but if their customers are not deploying across multiple availability zones, they will not have access to the redundancy. Dedicated MSPs can guide banks away from these misleading risks, and actually stipulate redundant architectures.”
Neill concludes: “We are arriving in an age where banks are realising that not only can cloud technology provide them with a level of flexibility, security, and resilience difficult to achieve with legacy on-premises solutions, but that generic cloud tech doesn’t go the extra mile that their infrastructure needs. Beeks is ready to fill that gap.”