Related Content
- Cloud computing has reached a pivotal point and market infrastructures are evaluating opportunities to expand the use of the cloud more broadly across external services and applications where most appropriate. This is because many cloud operations have reached new levels of robustness and sophistication, which many large corporates are unable to achieve with respect to performance, security, cost and scale.
-
Cloud computing has reached a pivotal point and market infrastructures are evaluating
opportunities to expand the use of the cloud more broadly across external
services and applications where most appropriate. This is because many cloud
operations have reached new levels of robustness and sophistication, which many
large corporates are unable to achieve with respect to performance, security,
cost and scale.
For market
infrastructures, the key to a successful cloud computing strategy will be to
work in collaboration with regulators and policy makers to ensure that mandates
and compliance obligations are met. Moreover, it is essential that any cloud implementation
strategy is in line with the abundance of guidance which has been provided for
such initiatives, including best practice guidelines.
Download
DTCC’s new white paper: Moving Financial
Markets Infrastructure to the Cloud
Testament
to regulator confidence in the public cloud is that many regulatory agencies
themselves are using the cloud in the provision of their services. The SEC has
migrated a number of applications to the cloud including its response tracking
system, while FINRA has moved 75% of its operations to Amazon Web Services.
So, what are
the conditions which regulators have set for the use of the public cloud in
financial markets and in particular market infrastructure? The prerequisite for
regulators agreeing to allow market infrastructures to outsource certain
operations to a public cloud provider is that the overall responsibility for
the services and data must reside wholly with the market infrastructure. This
includes governance, such as policy definition, management (including
contracts, service levels and monitoring), Service Level Agreement (SLA)
reviews and control audits. While cloud vendors and their related software
services may have the most sophisticated security capabilities, best practice
guidelines from policy makers and regulators state that the controls,
configurations and access management should still be overseen by the market
infrastructure.
Based on
this best practice cloud computing model, there are four main areas related to
policy and regulation, as well as security, which market infrastructures should
address when devising cloud strategies.
The first
area is around the confidentiality of data - the regulated market
infrastructure's security policy for outsourcing and cloud services must
provide ample safeguards to ensure data remains secure. Regardless of the level
of the cloud provider's data security, the responsibility for data protection
and the ownership of it resides with the market infrastructure. Its cloud
policy therefore must ensure that the cloud system in place protects and/or
encrypts sensitive data and mitigates any encryption key management concerns.
The second
key area of concern is data integrity. The market infrastructure must have adequate
data controls and procedures in place to validate and verify the reliability of
its outsourced and cloud-hosted data, as well as strict policies around data
retention. In short, the market infrastructure must ensure it is able to
prevent data from being altered or destroyed under any circumstance.
Continuity
of service is the third key consideration - market infrastructures must ensure
continuous data availability. As a result, cloud vendors are required to have
adequate disaster recovery and business continuity planning, as well as to
commit to providing essential communication links.
Auditing is
the fourth area which should be addressed. Cloud vendors interested in
partnering with market infrastructures must be able to demonstrate a proven
track record of working with regulated entities and ensure that they can meet
current compliance requirements, specifically related to required reporting and
safeguarding of sensitive information. Appropriate auditing tools should be
used by the regulated market infrastructure in order to ensure that the cloud
vendor's internal controls are adequate.
These are
the primary policy and regulatory considerations which market infrastructures
must take into account when implementing a cloud strategy. Should market
infrastructures be able to comply with these best practices and standards, the
public cloud can provide greater efficiency and security than private in-house
data centers.
DTCC has
been using cloud services for more than five years and we are now evaluating
opportunities to expand the use of the cloud more broadly across external
services and applications. We believe that the benefits of using the cloud will
continue to increase as public cloud providers invest even more resources in
its development.
All that
said, to ensure and maintain a successful cloud strategy, it is essential that
market infrastructures and other financial market participants do so based on
best practice guidelines which have been provided by regulators. If this
approach is adopted, we believe that the efficiency, resiliency and security of
global financial markets will be considerably enhanced.
This article first appeared in Global
Investor/FOW on July 3, 2017.
Related Content
- Cloud computing has reached a pivotal point and market infrastructures are evaluating opportunities to expand the use of the cloud more broadly across external services and applications where most appropriate. This is because many cloud operations have reached new levels of robustness and sophistication, which many large corporates are unable to achieve with respect to performance, security, cost and scale.