Financial institutions have the opportunity to enhance traditional governance processes by building a well-structured cloud service assessment from the ground up, to help demonstrate regulatory compliance when moving to the cloud.
Optimising the structure and processes for cloud governance offers the advantage of increased automation and controls codification. These tools help financial institutions better understand enterprise risk and determine if control coverage is aligned with the organisation’s risk appetite, ultimately enabling or accelerating cloud migration.
Finextra Research spoke to Jennifer Code, principal technical program manager at Amazon Web Services, about why financial institutions must evolve their governance processes to incorporate the best elements of the traditional three lines of defence (3LoD) model, leveraging industry frameworks and self-assessment processes, while taking advantage of the possibilities in the cloud.
The processes and technology underpinning the traditional 3LoD model have been continuously refined and adapted for financial services over the years, but have fallen short in supporting the control assessment and governance of new technologies.
In order to realise the benefits of effective cloud governance, Code encourages firms to formalise cloud accountability, prioritise the assessment and development of platform controls, and build in continuous improvement mechanisms from the start. Combined, these three components support the governance maturity that cloud migration requires.
What are key principles of effective cloud governance?
As cloud migration continues its upward trend in financial services, governance has become a focus area due to the levels of security, data privacy, and network resiliency necessary in a highly regulated industry.
Given the significant cultural and technological shifts associated with cloud migration, processes that anchor and support cloud governance are key. “The most successful financial institutions I’ve worked with approach their cloud migration with focus on both the human and technical challenges that accompany significant change, and create a diverse, cross-functional team to manage through them.”
Code suggests three key characteristics of an effective cloud service assessment and governance framework:
- Formalised Governance Accountability: Assigning a C-level executive to take end-to-end accountability for cloud governance and control is critical. It not only sets the ‘tone from the top’ for the cultural change introduced by cloud migration, but also provides oversight of the processes that enable that change. In support, the involvement of cross-functional participants, including members of the internal audit, operational risk, and compliance teams and first-line technologists, ensures a robust risk and control perspective.
- Emphasis on Platform Controls: When shaping cloud assessment processes, it is important to distinguish between cloud platform functionality and business application functionality, both in assessment prioritisation and in control requirements.
- Built-In Continuous Improvement: Knowledge sharing and continuous improvement must be a stated priority from day one. The expectation for proactive transparency builds trust across all three lines of defence as controls are developed, assessed, and operationalised.
How should firms prioritise platform controls?
Code recommends making a distinction between cloud platform and business application functionality in the assessment prioritisation and control requirements. Under the Shared Responsibility Model of cloud infrastructure, customers can have confidence in a solid foundation for the security and resiliency of the cloud environment.
Upon this foundation, financial institutions will further define platform-level controls for the applications they plan to deploy in the cloud, for example, access management to achieve least privilege, encryption management for data protection, and network security and controls for environment segregation. From there, customers can further tailor assessments based on application functionality, having the confidence of the inherited infrastructure and platform controls.
What does built-in continuous improvement look like?
Establishing robust cloud governance means embracing continuous improvement. “Well-controlled innovation is the end goal. What I have seen work best are financial institutions with defined business outcomes and an adaptive control framework where, once the foundation is set, additional controls are added based on factors such as data sensitivity, the environment, and business criticality,” says Code.
“Starting with a well-controlled foundation and continuing to refine it as the organisation becomes more experienced will allow the team to learn and mature their processes and controls over time.” If organisations can trust that the foundation is in place and that the level of control is accurately monitored, business units across the firm will be empowered to innovate and experiment within their development environment.
What are some practical steps to continually improve all aspects of cloud governance?
Proactive information sharing, frequent and critical assessment of controls, and swift root cause analysis for incidents and anomalies can promote trust across the organisation. “Continuous collaboration means constructive dialogue continues in such a way that the improvement process becomes ingrained within the organisation’s governance structure. Trust encourages agility in governance, development, and operations.”
With frequent cross-functional collaboration, Code suggests that financial institutions can:
- Integrate risk controls into the development pipeline: Colloquially known as shifting left, this will enable engineers to address potential control issues during development, as well as ensure security and compliance validation prior to production deployment.
- Increase automation in production operations: Introducing enhanced monitoring capabilities and more frequent resiliency and disaster recovery testing will offer confidence in the ability to withstand unanticipated production issues.
- Actively engage with internal risk and audit functions for proactive review and assessment of the control environment, covering both the design of the controls and their operating effectiveness.
In conclusion, Code emphasises the value of strong governance in accelerating cloud migrations. With dedicated leadership and active engagement among risk, control, and audit functions, financial institutions can capitalise on the agility, scalability, and security of cloud infrastructure.