Originally published in .
Gartner forecasts end-user spending on public cloud services to reach $396 billion in 2021 and grow 21.7% to reach $482 billion in 2022. Additionally, by 2026, Gartner predicts public cloud spending will exceed 45% of all enterprise IT spending, up from less than 17% in 2021. The report focuses on building trusted cloud capabilities as a competitive advantage.
However, cloud platforms in the banking sector are special for a few reasons:
1. The platform is predominantly built on hybrid multi-clouds, as I explained in a recent article.
2. The finance fabric, where business applications run and where data analytics happen, is the layer on which cost-effective security implementation depends.
3. Security in the banking cloud goes far beyond data protection and privacy: it must enforce security controls across hardware, networking, data storage and edge computing.
In the banking industry, cloud computing is taking center stage as open banking gains traction and businesses migrate applications, data and analytics onto cloud platforms. Cloud security, however, is a major concern due to risks and regulatory challenges as well as the cost and complexity of implementation.
Here are the two fundamental questions banks need to answer:
1. Can the cloud journey sustain and accelerate growth with the proper security controls?
2. How can banks minimize cost, maximize operational resilience and increase the bottom line?
To solve these challenges, my organization generally recommends the “TOTAL” security strategy:
• Trust: Build trust with all stakeholders.
• Orchestrated: Banks must take ownership of and manage all aspects of security.
• Tools, Automated, Locking: Build up the cloud technology stack with an optimized security RACI matrix, in which vendors and partners implement and operate (“lock”) the controls while the bank holds the keys.
The TOTAL Security Strategy for Banking Cloud
Embracing AI, machine learning and robotics is a rapidly growing trend. For banks, however, all algorithm-based computing must be explainable, auditable, trustworthy and unbiased.
While “zero trust” is a popular and useful cybersecurity strategy these days, banks must also think about how to build trust when it comes to cybersecurity in the cloud. Banks must comply with regulatory requirements and operate the entire customer-centric business to compete and grow. When trust — internally or externally — is broken, risks will surge.
The TOTAL security strategy helps develop a road map that aligns enterprise strategies and achieves buy-in from all parties, helping to build trust. All parties work together, but the banks must themselves orchestrate everything and assume total ownership.
Beyond the shared responsibility model, the TOTAL security strategy recognizes that security issues can arise from seemingly insignificant yet highly vulnerable points.
When they do, it will not matter who was responsible for implementation or operation. Banks will ultimately be the ones who suffer the loss of trust and the regulatory consequences. Financial penalties and negative PR may follow. Banking executives and key players in programs that caused security problems can face professional disciplinary action and sometimes even prison terms. The gravity of that accountability demands that banks orchestrate all parties who share responsibility for the security transformation in order to build trust.
Building trust in the banking cloud is not an abstract concept but a comprehensive engineering practice. The Matrix Security Model is at the heart of the TOTAL security strategy. In a nutshell, the model is a table of roles and responsibilities:
1. Security domains – The column headings of the table, for example data protection, identity and access management, and encryption of sensitive information in the cloud.
2. Technology and tools – The rows: the layers of the cloud technology stack, for example the layers of the OSI model.
3. “Keys to locking” – The content of each cell, or intersection. Vendors or partners are responsible for the “locking”: implementing and operating the enforcement of the security controls. The bank holds the “keys”: it orchestrates, builds trust, takes ownership and is ultimately accountable.
With the TOTAL security strategy, banks do not rely solely on technology. They must implement guidelines, policies and security controls through training and cultural change, starting with a security-by-design approach.
The TOTAL Security Road Map
An evidence-based, step-by-step approach is critical for successful implementation of the TOTAL security road map. In broad terms, banks must first comply with all relevant security laws and regulations. Next, they should take the following steps to develop the road map:
1. Evaluate and rationalize the current security matrix and identify existing security domains.
2. Add required security domains and propose a future security matrix when building the technology stack.
3. Develop security-by-design, cloud-native architecture for applications, data, analytics and AI.
4. Build security business architecture to enforce roles, responsibility, policy and guidelines.
5. Implement and operationalize security controls across all delivery pipelines and business processes.
Finally, treat the risk-based approach as a comprehensive transformation toward TOTAL security rather than a checklist exercise.
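As an added illustration, not taken from the original article or its author, the following Python sketch represents the Matrix Security Model as a table keyed by (security domain, stack layer) and runs the gap analysis behind road map steps 1 and 2: every cell must name who does the “locking” and must leave the “keys” with the bank, and the domains required in the future matrix are compared with the current ones. The layer names, domain names, vendor names and controls are constructed sample data, not a recommended taxonomy.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BANK = "bank"  # the party that must hold the "keys" (accountability) in every cell

# Vertical axis: layers of the cloud technology stack. The article offers the OSI
# model as one possible layering; the coarser, cloud-oriented set below is assumed.
LAYERS = ("hardware", "network", "data storage", "compute/edge", "application")

# Horizontal axis: security domains. Both tuples are constructed for this example.
CURRENT_DOMAINS = ("data protection", "identity & access management", "encryption")
REQUIRED_DOMAINS = CURRENT_DOMAINS + ("logging & monitoring", "key management")


@dataclass
class Cell:
    """One intersection of a security domain (column) and a stack layer (row)."""
    lock_owner: str                         # vendor/partner doing the "locking"
    key_holder: str = BANK                  # party holding the "keys"; must be the bank
    controls: List[str] = field(default_factory=list)


Matrix = Dict[Tuple[str, str], Cell]       # keyed by (domain, layer)


def build_sample_matrix() -> Matrix:
    """A deliberately incomplete current-state matrix (constructed sample data)."""
    m: Matrix = {}
    for layer in LAYERS:
        m[("data protection", layer)] = Cell("cloud provider", controls=["at-rest encryption"])
        m[("identity & access management", layer)] = Cell("bank IAM team", controls=["SSO", "MFA"])
    # The encryption domain covers only two layers, and nobody owns one of them.
    m[("encryption", "data storage")] = Cell("HSM vendor", controls=["HSM-backed keys"])
    m[("encryption", "network")] = Cell("", controls=["TLS 1.2+"])
    # Accountability for one cell has drifted to the vendor: the bank no longer holds the key.
    m[("data protection", "compute/edge")].key_holder = "cloud provider"
    return m


def audit_matrix(matrix: Matrix, domains, layers, required_domains) -> dict:
    """Road-map steps 1 and 2: gaps in the current matrix, plus domains still to add.

    A gap is any (domain, layer) cell that is undefined, has no lock owner, or whose
    key holder is not the bank. Each is exactly the "seemingly insignificant" point
    where responsibility is unclear and the bank would still bear the consequences.
    """
    missing_cells, no_lock_owner, key_not_with_bank = [], [], []
    for domain in domains:
        for layer in layers:
            cell = matrix.get((domain, layer))
            if cell is None:
                missing_cells.append((domain, layer))
                continue
            if not cell.lock_owner.strip():
                no_lock_owner.append((domain, layer))
            if cell.key_holder != BANK:
                key_not_with_bank.append((domain, layer))
    return {
        "cells_expected": len(domains) * len(layers),
        "cells_defined": len(domains) * len(layers) - len(missing_cells),
        "missing_cells": missing_cells,
        "no_lock_owner": no_lock_owner,
        "key_not_with_bank": key_not_with_bank,
        "missing_domains": [d for d in required_domains if d not in domains],
    }


if __name__ == "__main__":
    report = audit_matrix(build_sample_matrix(), CURRENT_DOMAINS, LAYERS, REQUIRED_DOMAINS)
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Running the audit on the sample matrix lists three undefined encryption cells, one cell with no implementer, one cell whose accountability has left the bank, and the two domains that the future matrix still has to add; those lists are the input to steps 3 to 5 of the road map.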
Indicators Of Successful Security Management
To supplement the strategy, a tools-based security heatmap can help monitor areas of security concern. It should have a real-time dashboard that streams collected data on security risks, issues, actions and status, which together reflect the overall security posture both qualitatively and quantitatively:
• Qualitative measures include compliance with the new cloud security architecture patterns, governance frameworks and operational models.
• Quantitative indicators include cost per incident, mean time to detect, mean time from alarm to triage, mean time to investigate and mean time to resolve.
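The quantitative indicators are only comparable across teams and quarters if their endpoints are fixed. The following Python example, added here and not part of the original article, computes them from a set of constructed incident records. The milestone definitions (time to detect measured from when the activity started, time to resolve measured from detection), the five milestone names and the cost field are assumptions; the article names the indicators but not how they are measured. Incidents that have not yet reached a milestone are excluded from that metric rather than counted as zero, and records whose milestones are out of order are rejected rather than silently averaged in.

```python
from datetime import datetime
from statistics import mean
from typing import Optional

# Milestones in the order an incident passes through them. A later milestone
# may not be set while an earlier one is missing, and may not precede it.
MILESTONES = ("started", "detected", "triaged", "investigated", "resolved")

# Constructed sample records (not real incidents). ISO 8601 timestamps, UTC.
#   started      - when the malicious or faulty activity began (from forensics)
#   detected     - when the first alarm fired
#   triaged      - when an analyst classified the alarm
#   investigated - when scope and root cause were established
#   resolved     - when the incident was closed (None = still open)
#   cost_usd     - direct cost booked to the incident (assumed field)
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "started": "2022-03-01T08:00:00", "detected": "2022-03-01T10:00:00",
     "triaged": "2022-03-01T10:30:00", "investigated": "2022-03-01T14:30:00",
     "resolved": "2022-03-02T10:00:00", "cost_usd": 12000},
    {"id": "INC-2", "started": "2022-03-05T00:00:00", "detected": "2022-03-05T06:00:00",
     "triaged": "2022-03-05T07:30:00", "investigated": "2022-03-05T13:30:00",
     "resolved": "2022-03-07T06:00:00", "cost_usd": 30000},
    # still open: detected and triaged, investigation not finished
    {"id": "INC-3", "started": "2022-03-10T11:00:00", "detected": "2022-03-10T12:00:00",
     "triaged": "2022-03-10T13:00:00", "investigated": None, "resolved": None, "cost_usd": None},
]


def _parse(ts: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(ts) if ts else None


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def _validate(rec: dict) -> dict:
    """Parse one record and reject out-of-order or gapped milestone chains."""
    parsed = {m: _parse(rec.get(m)) for m in MILESTONES}
    if parsed["started"] is None or parsed["detected"] is None:
        raise ValueError(f"{rec['id']}: 'started' and 'detected' are mandatory")
    previous, gap_seen = None, False
    for m in MILESTONES:
        t = parsed[m]
        if t is None:
            gap_seen = True
            continue
        if gap_seen:
            raise ValueError(f"{rec['id']}: '{m}' is set but an earlier milestone is missing")
        if previous is not None and t < previous:
            raise ValueError(f"{rec['id']}: '{m}' precedes the previous milestone")
        previous = t
    parsed["id"], parsed["cost_usd"] = rec["id"], rec.get("cost_usd")
    return parsed


def _mean_hours(values) -> Optional[float]:
    return round(mean(values), 2) if values else None


def compute_indicators(records) -> dict:
    """Heatmap indicators in hours (cost in USD) from a list of incident records.

    Assumed endpoints (the article names the indicators, not how they are measured):
      mttd                = mean(detected - started)
      alarm_to_triage     = mean(triaged - detected)
      mtti                = mean(investigated - triaged)
      mttr                = mean(resolved - detected)
      cost_per_incident   = total booked cost / number of resolved incidents
    An incident that has not reached a milestone is excluded from that metric
    instead of being counted as zero, and is reported under 'open'.
    """
    incs = [_validate(r) for r in records]
    resolved = [i for i in incs if i["resolved"] is not None]
    costs = [i["cost_usd"] for i in resolved if i["cost_usd"] is not None]
    return {
        "incidents": len(incs),
        "open": len(incs) - len(resolved),
        "mttd_hours": _mean_hours([_hours(i["started"], i["detected"]) for i in incs]),
        "alarm_to_triage_hours": _mean_hours(
            [_hours(i["detected"], i["triaged"]) for i in incs if i["triaged"] is not None]),
        "mtti_hours": _mean_hours(
            [_hours(i["triaged"], i["investigated"]) for i in incs if i["investigated"] is not None]),
        "mttr_hours": _mean_hours([_hours(i["detected"], i["resolved"]) for i in resolved]),
        "cost_per_incident_usd": round(sum(costs) / len(resolved), 2) if resolved else None,
    }


if __name__ == "__main__":
    for name, value in compute_indicators(SAMPLE_INCIDENTS).items():
        print(f"{name:24} {value}")
```

On the three sample records the dashboard would show a mean time to detect of 3 hours, 1 hour from alarm to triage, 5 hours to investigate and 36 hours to resolve, with one incident still open and excluded from the investigation, resolution and cost figures. Feeding the same function a stream of records from the ticketing system is what turns the indicators into the real-time view the heatmap calls for.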
Conclusion
The TOTAL security strategy has been developed in consultation with our clients, mostly banks, specifically for cloud transformation. By emphasizing trust, it makes banks accountable for evaluating their current state and developing a road map toward a future cloud-native open banking ecosystem in which many parties collaborate.
With this strategy, banks assume total ownership and embrace intelligent automation to orchestrate multiple parties with shared responsibility.