Mitigating Risk With a Cloud Governance Strategy
Table of contents
Summary
Research and insights
Limitations with existing systems
Architecture requirements
Solution
3Mitigating Risk with a Cloud Governance Strategy
Summary
Governance is one of the top concerns for financial services firms in America. As software starts to eat the
world, and financial firms transform into technology businesses, cloud governance is a challenge that could
cause havoc if it’s ignored.
As cloud adoption soars to 96 percent in 2018, IT needs to take a greater governance role in advising on
which apps move to the cloud, managing costs, setting policy, and brokering cloud services.
In this whitepaper, you’ll learn about three big challenges impacting the financial services industry, and
how limitations with existing systems, processes and permissions are putting many firms at risk.
But it’s not all doom and gloom. By following a cloud governance strategy you can mitigate your firm’s risk.
This whitepaper will review the architectural requirements and processes you need to follow to ensure you’re
compliant. Learn from a real-world case study that highlights how a Fortune 500 financial firm implemented
its cloud governance strategy.
Research and insights
Start-ups and competitors from inside and outside the financial services industry
are using digital technologies to offer customers personalized products at lower
cost. Burdened by legacy systems and outmoded operating models, traditional
financial services firms run the risk of being bypassed by faster, more agile
competitors.
Research by Accenture found that financial services firms are using cloud to attain
three specific objectives:
1. Bypass legacy systems or develop new products.
2. Transform into a digital business.
3. Strengthen enterprise security and compliance.
The focus of this whitepaper is cloud governance. Learn how to identify ways you
can innovate faster and transform into a digital business while not putting your
firm at risk of a security or compliance breach.
Overcoming challenges
Financial services firms need to address regulatory and security issues related to
full cloud adoption. They need to develop an architecture and approach to cloud
that meets all requirements, sets appropriate policies, formalizes governance
structures and processes, and creates an architecture to support these initiatives.
Firms that take a comprehensive, enterprise-wide approach to cloud governance
can mitigate their risk and position themselves to take full advantage of the cloud.
Limitations with existing systems
Due to ever-increasing concerns regarding security and government regulatory compliance, it is no longer a
viable option to let disparate teams provision and define infrastructure outside of central governance. The
risk is too high and the complexity of audits is too time consuming. In today’s business environment, it has
become imperative that all IT governance concerns flow through a central gateway.
To improve your cloud governance strategy, there are three challenges with existing systems you’ll need to
overcome:
1. Corporate structure: The IT chain of command and workflow. It is not possible to have a
central gateway without gatekeepers.
2. Technical implementation: Infrastructure, testing, and workflow tools will likely need to be
overhauled in order to make the transition successful and sustainable.
3. Human audits: Once a process and rule set have been formally defined, they should be
automated. This way the gatekeepers concern themselves with defining proper regulations,
and the system automatically enforces them. In an ideal setup, non-compliant environments
cannot be published, because automated enforcement and workflows block them.
Architecture requirements
Implementing proper governance requires three main capabilities: documentation, automation, and testing.
Documentation
Documentation should be readily available and easily convertible into code and
configuration. The security aspect of this documentation is often referred to as
a STIG (Security Technical Implementation Guide). This describes the technical
requirements for a system to be considered compliant. STIGs will act as the
single source of truth for system compliance. If a system is not in alignment with
its STIG, it may not be released.
Automation
Automation programmatically defines the requirements from a STIG. Because
STIGs can be extensive in their content, and company policies usually
dictate a multitude of STIGs ranging from software to storage to networking etc.,
it is not feasible to manually adhere to all requirements. Automation should be
used to create the baseline templates or images for any IT system within the
organization, and additionally will be used for any subsequent modifications
to said systems. All systems should be procured via this process to ensure
compliance.
Testing
Testing helps to prevent STIGs and automation from being circumvented. This
is why probably the most important requirement is maintaining an inventory of
all systems and ensuring that they routinely run automated tests. This ensures
that if a system becomes non-compliant, IT will be notified on the next test run. The
benefit of this is twofold. First, the sooner a vulnerable system can be restored to
a compliant state, the less likely it is that any unintended consequences will occur.
This reduces liability to the company. Second, by regularly testing, over time,
patterns can be uncovered. This allows for the iterative improvement of IT processes
as the patterns are analyzed and remediated.
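The three capabilities above fit together as one loop: the STIG is the single source of truth, automation derives the baseline from it, and the same rules drive the release gate and the scheduled drift check. The following is an added illustration, not Shadow-Soft's tooling or any real STIG; the rule IDs, settings and inventory are constructed for the example.

```python
"""Compliance-as-code sketch: STIG-style rules as data, a release gate and a drift check.
Added example; rule IDs, setting names and the inventory below are constructed, not a real STIG."""

# Constructed rule set standing in for a STIG: rule id -> (setting, required value).
STIG = {
    "SSH-01": ("ssh.password_auth", False),
    "SSH-02": ("ssh.root_login", False),
    "LOG-01": ("audit.enabled", True),
    "CRY-01": ("tls.min_version", "1.2"),
}

def baseline():
    """Automation step: derive the compliant baseline config directly from the STIG,
    so the template and the test can never disagree about what compliant means."""
    return {setting: value for setting, value in STIG.values()}

def audit(config):
    """Test step: return {rule_id: (expected, actual)} for every rule the config fails.
    A setting that is missing entirely counts as a failure (actual is None)."""
    return {rid: (expected, config.get(setting))
            for rid, (setting, expected) in STIG.items()
            if config.get(setting) != expected}

def may_release(config):
    """Gate: a system that is not aligned with its STIG may not be published."""
    return not audit(config)

def drift(inventory, previous_findings):
    """Scheduled run: systems that passed the previous run but fail now.
    inventory maps system name -> current config; previous_findings maps name -> last audit()."""
    current = {name: audit(cfg) for name, cfg in inventory.items()}
    return {name: findings for name, findings in current.items()
            if findings and not previous_findings.get(name)}

if __name__ == "__main__":
    # Constructed inventory: one host provisioned from the baseline, one hand-edited since.
    inventory = {
        "web-01": baseline(),
        "web-02": {**baseline(), "ssh.root_login": True, "tls.min_version": "1.0"},
    }
    last_run = {"web-01": {}, "web-02": {}}  # both passed the previous scheduled test
    print("web-01 releasable:", may_release(inventory["web-01"]))
    print("web-02 releasable:", may_release(inventory["web-02"]))
    print("drifted since last run:", drift(inventory, last_run))
```

Because `baseline()` and `audit()` read the same `STIG` table, a rule change propagates to provisioning, the release gate and the scheduled test in one edit, which is the single-source-of-truth property the Documentation section asks for.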
Solution
Financial services firms need a way to mitigate risk and gain shareholder confidence. Maintaining
compliance and security means developing a cloud governance strategy.
Shadow-Soft can assist in the development of a cloud governance strategy. Here’s a solution Shadow-Soft
implemented for a Fortune 1000 financial services firm in Atlanta.
Consultants first assessed the overall state of the customer’s IT department by conducting in-depth
interviews with each team. This allowed them to gather a more accurate view of current practices across
the organization. After seeing that the organization was having critical problems with its security practice,
further analysis was done to come up with a game plan.
Architectural review of existing cloud and hosted infrastructure to determine key areas in need of
improvement, specifically with regard to security and access control.
Since there was no formal policy in place to document organizational security practices and workflows,
consultants suggested a baseline, and then worked with stakeholders to fine-tune it to their specific
business use case without compromising on the essentials. The end result was a security policy that
would not only keep the company safe from exploits, but also keep it in compliance with regulatory
agencies.
Define security requirements and practices to get a handle on the overall level of risk exposure and keep up with
the state of the regulatory landscape.
After the security policies were documented and agreed upon, they were codified into the company’s
automation workflow. The provisioning of cloud infrastructure was automated, and automated compliance
testing was added to the provisioning process. In addition, compliance testing was added as a regularly
scheduled task to prevent configuration drift of company infrastructure. Security testing was also added to
run against application code during the automated build process.
Design the deployment and release workflow as a touch-point to enforce quality assurance and
compliance.
The company was also having difficulties with orchestration, so assistance was provided in setting up
clustered containers.
Set up a clustered container provider to lower the overhead of scaling out new servers and keeping
up with demand.
Atlanta, GA | www.shadow-soft.com | 770-546-0077
Since 2008, Shadow-Soft has been evangelizing and deploying open source software and open standards
to help customers “take the power back” from their technology vendors. Shadow-Soft provides consulting
and managed services across three specialties: DevOps, Application Infrastructure, and Cloud.
Call our consultants and discover the right solution for your business:
770-546-0077
shadow-soft.com or email [email protected]