Financial institutions are often wary about moving sensitive data to the cloud because of compliance requirements. But that’s a common misconception, according to one expert.
“For most Canadian financial institutions, it’s not a regulatory issue,” said Dan MacKay, Financial Services Compliance Specialist with AWS, at a recent Canadian CIO virtual roundtable. “Whether or not a particular FI chooses to move sensitive data or personally identifiable information to the cloud is typically a matter of risk tolerance.”
Many financial institutions have moved production workloads with sensitive data to the cloud, said MacKay. Often organizations start with one workload that contains personal data. “What we advise our customers to do is to assess the workload against global security standards and our Well-Architected best practices to ensure the organization can demonstrate that they can achieve or exceed the same controls in the cloud as they currently have on-prem,” he said.
That was one of six key points that MacKay and Robert Cruz, VP of Information Governance at Smarsh, discussed with CIOs from the financial sector:
Cost savings is no longer the primary driver to cloud
Two years ago, the initial conversation with financial sector customers often started with costs, said MacKay. However, that thinking has changed since many FIs have had to incur transition costs to ensure they have the appropriate cloud governance and operations in place to meet regulatory expectations. Now, the primary drivers are the agility and scalability that cloud offers, he said. Cloud is about response time and speed to market, added Cruz. “Do you have systems that allow you to respond quickly? If you don’t, that is a cost.”
The participants noted that innovation is another key driver. “Cloud opens up a lot of opportunities we couldn’t imagine before,” said one CIO. Another said his company was motivated by the ability to connect third parties securely and separately from on-premises systems. “There will always be new ways that clients and employees will want to interact, and cloud enables that,” said Cruz.
The migration involves more than data
Migration strategies have evolved over time, as well, said Cruz. The focus now is on moving data selectively and in smaller components that are easier to manage.
However, it’s not just about how to move data. “It’s really a change in management processes,” he said. “You have to look at how to adjust policies and training to make stakeholders comfortable because it won’t be the same.”
Think about an iterative plan
The approach is different for everyone, but few go “all in” on cloud at the start, said MacKay. “Most start with some experimentation and progress from there.”
Coordinate with stakeholders on compliance
The IT team shouldn’t be alone in developing the cloud strategy, said Cruz. “This must be done in concert with legal, compliance and other stakeholders involved in the decision-making process.”
As well, the organization must remember that it shares responsibility for maintaining compliance with its cloud provider and its software-as-a-service provider.
The cloud provider should work as a partner
Cloud providers have significant resources, such as expertise on compliance for specific sectors. “If your provider isn’t offering those types of resources, then push them to do so,” said Cruz.
The most common pitfalls are not technology-related
Most of the challenges in cloud migrations stem from organizational issues, said MacKay. “The number one thing is that leadership has a clear strategy,” he said. “If they don’t have the will, it can be slow and painful. But if there’s a will, there’s a way.”