Cloud migration: What is the best and most secure route to take?

Madhvi Mavadiya

Head of Content, Finextra

Now that the financial services industry acknowledges that cloud migration is crucial to the success of innovative initiatives, industry voices share the view that clarity around the best and most secure route to take needs to be provided.

While a phased approach where tests are conducted and security settings are validated is one route to reaping the rewards of cloud migration, organisations can also learn from approaches taken by their peers - whether they have fully migrated or are in the final stages of the process.

It cannot be pinpointed where and when reluctance towards cloud migration waned. However, it is evident that there was a concerted effort between financial institutions and cloud service providers to ensure security and compliance best practices were part of the design principles for new products.

Finextra spoke to Eyal Worthalter, vice president - global solutions sales, MYHSM; Ronit Ghose, global head, banking, fintech and digital assets - Citi Global Insights; and Ian Haynes, head of global cloud services at HSBC about how the infrastructure around cloud security has matured and progressed over time as well as ensuring resilience, scalability, and agility.

Was success inevitable for early adopters of the cloud?

Is there such a thing as first mover advantage when it comes to cloud? Worthalter highlighted that while success was not inevitable, many early adopters of cloud did so to reduce costs by outsourcing management of an operating storage or compute infrastructure.

“It was not until very recently adopters rapidly realised that the cloud provided the flexibility and the agility to develop and bring new programmes, products, applications and services into the market.”

Considering the market, he also added that “emerging challenger banks that are cloud-native were able to capture customers all over the world because they were faster to provision a mobile application or improve on an existing service.”

Worthalter added that although there are “horror stories” of banks moving applications to data centres on cloud, this is because of “poor planning around legacy applications that were not designed to be moved to the cloud.”

Ghose opined that while cloud has been around for many years, banks are in fact relatively late movers. “Banks are generally a little conservative when it comes to adopting new technology, including the cloud. And there’s this push and pull between banks at a very senior level, where they want to be digitally native and digitally competitive.”

Ghose added that this inherent conservatism has emerged from regulators being cautious about moving to new technology and secondly, simply because of the complexity of the journey. He continued to say that while it may be easy to set up a new, cloud-native, digital bank, cloud migration is a cumbersome process.

“With huge amounts of interconnections between data and applications moving to the cloud, if one of these interconnections break, it can have a significant waterfall impact on applications further down.”

Haynes echoed this sentiment and said: “As public cloud services have become more robust, more secure and more functionally advanced, it has become more and more difficult for even large companies to maintain the investment required to keep up with the demands of the market and our customers. At HSBC, we use cloud to give us speed, scale, and agility that we couldn’t achieve alone.

“Cloud providers also have more experience working with banks now, and more understanding of the unique regulatory and security environment in which we must operate. Regulators too are becoming more mature in their relationship with cloud, something which HSBC has been pro-active in evolving in parallel,” Haynes added.

How have cloud providers built up security over time?

Given perceived risks, as Haynes believes, the security benefits of moving to a cloud-based system were often overlooked, with some organisations believing that cloud deployments will result in more overall risk than traditional systems. It's also important to understand that these benefits won't be fully realised if organisations adopt a ‘lift and shift’ approach; migration will need to be configured to take advantage of the benefits that a cloud-first approach can bring.

The more a bank takes the time to understand the cloud services available, the bigger the benefits will be. Today, when selecting a cloud service, banks must ensure it meets needs and secures data. The cloud is inherently secure; if a financial institution chooses a good cloud service, in line with cloud security standards, it is probably more secure than whatever it has replaced.

Worthalter highlighted that one of the most valuable actions public cloud vendors took was to have security and privacy as part of their design principles. While security must never be an afterthought, Worthalter stated that cloud providers were able to consider the trade-off between security and convenience and strike the right balance.

One example that Worthalter pointed out was the role of cloud security in identity and access management. By implementing an IAM system, a bank can guarantee the security of identities and attributes of cloud users by ensuring that the right persons are allowed in the cloud systems. IAM systems also help to manage access rights by checking the right person with the right privileges is accessing information that is stored in cloud systems.

Can legacy applications benefit from the scalability of the cloud?

For Worthalter, the answer is yes. “Absolutely. The main value gained from flexibility and scalability of the cloud is time to market. Whenever there is a new trend, a new requirement, or a feature enhancement that customers want, with secure cloud, financial institutions are able to adapt faster.”

He added: “From an infrastructure point of view, if there is an unexpected change in the market or in a customer base that requires firepower – the transaction rates or processing power – banks are able to scale up and down much faster than if the application was on-premises.” Although based on assumptions, provisioning for unexpected events is possible with the cloud and provides companies that are struggling to keep pace with a boost regarding redundancy performance purity.

When shifting from on-premises to the cloud, banks also need to consider changing the way in which tools and training are offered to their developers. Instead of educating developers at the end of the migration project, Worthalter advised learning in parallel, which in turn creates an agile culture. For HSBC, there will always be a need for on-premises services, and Haynes highlights that developers should only move services to the cloud “where it makes financial and commercial sense to do so.”

“Migration to cloud is not about shrinking our data centre footprint, rather it’s about allowing an expansion of services in the most secure, resilient, sustainable and cost-effective manner possible. In parallel with our cloud expansion, we also see it as crucial to invest in maintaining our data centres to the best-in-class standards that our business demands.”

What are the benefits of colocation and renting power?

Colocation - a hosting option where businesses can obtain features of a large IT department without the capital investment and expand infrastructure capacity without undertaking costly construction – has a multitude of advantages for banks.

Colocation provides:

  • Increased connectivity
  • Improved network security
  • Redundant power supply
  • Bursting capability
  • Room to expand

Worthalter explored how renting space and power from third parties is becoming more and more common and, depending on the colo provider, can deliver additional benefits. “Colo vendors are not only experts at building world-class data centres; they have also been on a path to deliver more value-added services that differentiate them from just ‘space and power’ hosting providers.

“On the networking and connectivity side, colo vendors offer near-cloud or direct-cloud connections by having their data centre close to the hyperscalers’ point-of-presence (sometimes in the same building) and by being able to offer low latency connections for banks and the ecosystem players.

“On the infrastructure side, colo vendors are trying to differentiate themselves by adding capabilities like bare-metal as-a-service (BMaaS). All of this means that any banking and financial services organisation, small and large, can find value in the colo providers’ offering whenever they are reluctant to move to the public cloud. So, in general, colo is a great option for continuing the journey to cloud in a hybrid approach.”

The advantages of operating cloud infrastructure on the bank’s behalf

Migrating from on-premises to cloud has a number of benefits. In conclusion, Ghose said that the catalyst for adopting the technology was the need to be competitive. “Being on the cloud enhances your competitiveness and it does so by making product development and delivery faster, agile, cost-efficient and scalable.”

Worthalter summarised: “Think and plan for cloud migration. And whenever you stumble upon a particular application because of security or compliance requirements and it is difficult to migrate to the cloud, consider the possibility of outsourcing to a specialised provider. Only then can you continue to focus on your core business and deliver value to your customers.”

Comments: (1)

Andrew Smith - RTGS & ClearBank - London 08 October, 2021, 16:29

The immediate success story is identification of smaller aspects of your business that can be re-built from the ground up. Effectively built as cloud-native. That way you get to learn about the cloud, cloud architecture, the benefits it can bring and you have a product that you can move forward with great pace and be agile enough to move with customer demands.

Many though go for identification of lift and shift, and while this makes sense, it more than likely results in doubling of infrastructure costs - expensive consultants and the end result doesn't do much, it doesn't open the way to new ways of working because essentially, you now have a non cloud-native solution, it just lives in the cloud....