Mitigating Risk With a Cloud Governance Strategy

Post on 14-Aug-2020


Table of contents

Summary

Research and insights

Limitations with existing systems

Architecture requirements

Solution

Summary

Governance is one of the top concerns for financial services firms in America. As software starts to eat the world, and financial firms transform into technology businesses, cloud governance is a challenge that could cause havoc if it’s ignored.

As cloud adoption soars to 96 percent in 2018, IT needs to take a greater governance role in advising on which apps move to cloud, managing costs, policy-setting, and brokering cloud services.

In this whitepaper, you’ll learn about three big challenges impacting the financial services industry, and how limitations with existing systems, processes and permissions are putting many firms at risk.

But it’s not all doom and gloom. By following a cloud governance strategy you can mitigate your firm’s risk. This whitepaper will review the architectural requirements and processes you need to follow to ensure you’re compliant. Learn from a real-world case study that highlights how a Fortune 500 financial firm implemented their cloud governance strategy.

Research and insights

Start-ups and competitors from inside and outside the financial services industry are using digital technologies to offer customers personalized products at lower cost. Burdened by legacy systems and outmoded operating models, traditional financial services firms run the risk of being bypassed by faster, more agile competitors.

Research by Accenture found that financial services firms are using cloud to attain three specific objectives:

1. Bypass legacy systems or develop new products.

2. Transform into a digital business.

3. Strengthen enterprise security and compliance.

The focus of this whitepaper is cloud governance. Learn how to identify ways you can innovate faster and transform into a digital business while not putting your firm at risk of a security or compliance breach.

Overcoming challenges

Financial services firms need to address regulatory and security issues related to full cloud adoption. They need to develop an architecture and approach to cloud that meets all requirements, sets appropriate policies, formalizes governance structures and processes, and creates an architecture to support these initiatives.

Firms that take a comprehensive, enterprise-wide approach to cloud governance can mitigate their risk and position themselves to take full advantage of the cloud.

Limitations with existing systems

Due to ever-increasing concerns regarding security and government regulatory compliance, it is no longer a viable option to let disparate teams provision and define infrastructure outside of central governance. The risk is too high and the complexity of audits is too time-consuming. In today’s business environment, it has become imperative that all IT governance concerns flow through a central gateway.

To improve your cloud governance strategy, there are three challenges with existing systems you’ll need to overcome:

1. Corporate structure: The IT chain of command and workflow. It is not possible to have a central gateway without gatekeepers.

2. Technical implementation: Infrastructure, testing, and workflow tools will likely need to be overhauled in order to make the transition successful and sustainable.

3. Human audits: Once a process and rule set have been formally defined, they should be automated. This way the gatekeepers concern themselves with defining proper regulations, and the system automatically enforces them. In an ideal setup, non-compliant environments cannot be published due to automated enforcement and workflows.

Architecture requirements

Implementing proper governance requires three main capabilities:

Documentation

Documentation should be readily available and easily convertible into code and configuration. The security aspect of this documentation is often referred to as a STIG (Security Technical Implementation Guide). This describes the technical requirements for a system to be considered compliant. STIGs will act as the single source of truth for system compliance. If a system is not in alignment with its STIG, it may not be released.

Automation

Automation programmatically defines the requirements from a STIG. Because STIGs can be pretty extensive in their content, and company policies usually dictate a multitude of STIGs ranging from software to storage to networking, etc., it is not feasible to manually adhere to all requirements. Automation should be used to create the baseline templates or images for any IT system within the organization, and additionally will be used for any subsequent modifications to said systems. All systems should be procured via this process to ensure compliance.

Testing

Testing helps to prevent STIGs and automation from being circumvented. This is why maintaining an inventory of all systems, and ensuring that they routinely run automated tests, is probably the most important requirement. This ensures that if a system becomes non-compliant, IT will be notified on the next test run. The benefit of this is twofold. First, the sooner a vulnerable system can be restored to a compliant state, the less likely it is that any unintended consequences will occur. This reduces liability to the company. Second, by regularly testing, over time, patterns can be uncovered. This allows for the iterative improvement of IT processes as the patterns are analyzed and remediated.
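An added illustration (not from the whitepaper or from Shadow-Soft) of the document, automate and test loop described above: requirements written as data, a release gate, and a scheduled inventory scan whose failures are counted across runs. The rule IDs, setting names and inventory are constructed placeholders, not entries from any published STIG.

```python
from collections import Counter

# Constructed requirements in the spirit of a STIG; IDs and setting names are
# hypothetical placeholders, not taken from any published STIG.
RULES = {
    "EX-001": ("ssh_permit_root_login", lambda v: v == "no"),
    "EX-002": ("password_min_length", lambda v: isinstance(v, int) and v >= 15),
    "EX-003": ("disk_encryption", lambda v: v is True),
    "EX-004": ("open_ports", lambda v: v is not None and set(v) <= {22, 443}),
}

def failed_rules(config):
    """Return sorted IDs of rules the config violates; a missing setting fails."""
    return sorted(rid for rid, (key, ok) in RULES.items() if not ok(config.get(key)))

def may_release(config):
    """Release gate: a system not aligned with its rule set is not published."""
    return not failed_rules(config)

def scan_inventory(inventory):
    """One scheduled test run: map each non-compliant system to its failures."""
    report = {}
    for name, config in inventory.items():
        failures = failed_rules(config)
        if failures:
            report[name] = failures
    return report

def failure_patterns(runs):
    """Count how often each rule fails across runs to expose recurring drift."""
    return Counter(rid for run in runs for fails in run.values() for rid in fails)

# Constructed inventory: web-01 compliant, db-01 drifted, batch-01 lacks a setting.
BASELINE = {"ssh_permit_root_login": "no", "password_min_length": 15,
            "disk_encryption": True, "open_ports": [22, 443]}
INVENTORY = {
    "web-01": dict(BASELINE),
    "db-01": dict(BASELINE, ssh_permit_root_login="yes", open_ports=[22, 443, 5432]),
    "batch-01": {k: v for k, v in BASELINE.items() if k != "disk_encryption"},
}

if __name__ == "__main__":
    run = scan_inventory(INVENTORY)
    for system, failures in run.items():
        print(f"NON-COMPLIANT {system}: {', '.join(failures)}")
    print("recurring:", failure_patterns([run, run]).most_common(2))
```

A setting that is absent from a system's configuration counts as a failure, so a host that was never provisioned through the baseline cannot pass the gate by omission.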

Solution

Financial services firms need a way to mitigate risk and gain shareholder confidence. Maintaining compliance and security means developing a cloud governance strategy.

Shadow-Soft can assist in the development of a cloud governance strategy. Here’s a solution Shadow-Soft implemented for a Fortune 1000 financial services firm in Atlanta.

Consultants first assessed the overall state of the customer’s IT department by conducting in-depth interviews with each team. This allowed them to gather a more accurate view of current practices across the organization. After seeing that the organization was having critical problems with their security practice, further analysis was done to come up with a game plan.

Architectural review of existing cloud and hosted infrastructure to determine key areas in need of improvement, specifically with regard to security and access control.

Since there was no formal policy in place to document organizational security practices and workflows, consultants suggested a baseline, and then worked with stakeholders to fine-tune it to their specific business use case without compromising on the essentials. The end result was a security policy that not only would keep the company safe from exploits, but also keep them in compliance with regulatory agencies.

Define security requirements and practices to get a handle on overall level of risk exposure and keep up with the state of the regulatory landscape.

After the security policies were documented and agreed upon, they were codified into the company’s automation workflow. The provisioning of cloud infrastructure was automated, and automated compliance testing was added to the provisioning process. In addition, compliance testing was added as a regularly scheduled task to prevent configuration drift of company infrastructure. Security testing was also added to run against application code during the automated build process.

Design deployment and release workflow as a touch-point to enforce quality assurance and compliance.

The company was also having difficulties with orchestration. So, assistance was provided in setting up clustered containers.

Set up a clustered container provider to lower the overhead of scaling out new servers and keeping up with demand.

Atlanta, GA | www.shadow-soft.com | 770-546-0077

Since 2008, Shadow-Soft has been evangelizing and deploying open source software and open standards to help customers “take the power back” from their technology vendors. Shadow-Soft provides consulting and managed services across three specialties: DevOps, Application Infrastructure, and Cloud.

Call our consultants and discover the right solution for your business:

770-546-0077

shadow-soft.com or email [email protected]