Cross-cloud and cross-border business revolution
National data protection
With the latest announcement from China requiring high-tech companies to store data within its borders, global businesses have more rules to observe. Data protection requirements increase when financial services companies expand operations to support regions outside of their traditional strongholds. Serving customers across the globe while adhering to national data protection rules is a job tailor-made for a sovereign financial services cloud.[1]
Aren’t all banks doing that already?
Unfortunately, not all banks are utilizing the sovereign cloud. While the FinServ industry has been a leader in digital technology adoption, it lags in public cloud adoption. Nearly 43% of FinServ companies plan to run more applications in private clouds than other industries. On the positive side, FinServ organizations plan to increase their hybrid cloud use to 54%, up from 15% today.[2] The apparent disconnect between FinServ leading investments in technology and security and the state of public cloud adoption makes good sense for many reasons:
- Heavy regulatory compliance: The financial sector is heavily regulated and must meet countless global, regional, local, and industry requirements and associated audits. Listing the various compliance requirements is beyond the scope of this article, but one could find a good listing here.
- The need for airtight security: FinServ’s needs go beyond what other businesses require. The FinServ industry is the top target of cyberattacks that expose more sensitive files than in any other industry. Nearly 26% of surveyed FinServ institutions admitted suffering a destructive cyberattack.[3]
- The maturing public clouds: The public cloud offers excellent benefits to most businesses, including FinServ companies. Many provide a well-formed model of shared responsibility to help define how and where security controls start and stop. However, the sector continues to look for a hardened version of the major public clouds serving numerous companies in the industry in many capacities.
What is a sovereign cloud?
In the context of this article, a sovereign cloud is a public cloud built to serve the needs of a specific industry and enable companies to conduct business across clouds and national borders safely. The primary value of a sovereign cloud is that it ensures appropriate data residency and sovereignty—as the name implies—across geographies and clouds.
Data residency is the geographic location where customers’ data is stored and processed. Data sovereignty, on the other hand, refers to the privacy laws and governance structure of the nation where the data is collected, processed, stored, and served. The number of countries requiring information about their citizens to be held within their borders is rising.
Financial services operations and transactions are global and traverse networks that span many national borders. Growing the business entails meeting requirements for both data residency and data sovereignty. Sovereign clouds dedicated to financial services and offering multi-cloud instances enable FinServ organizations to conduct business with reliable protection and continuous, auditable compliance. When they meet both residency and sovereignty requirements, these clouds provide companies with valuable benefits:
- Security, trust, and compliance with privacy laws governing data storage and handling. For example, a bank can use a financial services cloud to observe relevant rules and regulations.
- Business growth with confidence within and across countries and clouds. As data moves across borders, sovereign clouds ensure that data movement is consistent with applicable rules and regulations.
- Faster time to market with agility to innovate faster and deploy cloud instances without worrying about the underlying infrastructure and operations.
Making of a FinServ sovereign cloud
To attract FinServ organizations, sovereign clouds must be hardened to meet the industry’s stringent requirements. On the compliance side, the cloud must support relevant global, regional, local, and industry compliance requirements. The controls and compliance support need to be continuous and auditable, with appropriate reporting. Risk management and compliance must satisfy the needs of all stakeholders.
On the protection side, the cloud must offer a complete security posture covering protection of the cloud and in the cloud. A comprehensive security posture will also provide robust access management tools and mechanisms, in addition to protecting data throughout its lifecycle: when stored at rest, when traversing the network, and when in use by apps. Furthermore, the security posture must provide complete visibility of the environment for better monitoring, threat detection, rapid recovery, and thorough response. As it is no longer possible to effectively identify severe threats using only human resources, organizations must consider using artificial intelligence (AI) and machine learning (ML) to provide in-depth insights.
Another critical area that warrants further exploration is encryption. Encrypting data is easy, but managing and securing the encryption keys is another story. All cloud service providers provide a multi-tenant encryption model known as Bring Your Own Keys (BYOK). However, the FinServ industry needs a single-tenant Keep Your Own Keys (KYOK) encryption model, which means that you are the only party controlling your data. With KYOK, neither the cloud service provider nor bad actors can see your data. Offering KYOK requires a dedicated Hardware Security Module (HSM) per tenant.
While the security and compliance areas require the most attention, the essential elements of a sovereign cloud must also be supported, including data sovereignty, operational sovereignty, and workload sovereignty. Together, these three elements protect data, keep operators away from your workloads, and let you run those workloads wherever you need, free from vendor lock-in.
What is next?
When considering the merits of a sovereign cloud, start by examining the capabilities of your public cloud provider, then contrast them with what a FinServ sovereign cloud can offer. Always ensure that your current business requirements and growth needs are satisfied without compromising any critical aspects of your operations.
1. TWSJ, June 12, 2021. “China’s New Power Play: More Control of Tech Companies’ Troves of Data.”
2. Nutanix, 2020. “Third Annual Nutanix Enterprise Cloud Index, How the Financial Services Sector Compares.”
3. VMware, 2020. “VMware Releases Cybersecurity Threat Survey Report.”