The Biggest Myth About the Public Cloud for Financial Services

It’s human nature to protect our most valuable assets. Knowing they’re secure typically isn’t enough – we also want to feel they’re firmly within our control. It takes considerable time for us to relinquish control even to the most secure environments. For instance, the majority of people feel safer driving to work than flying on a commercial airline, even though driving is empirically more dangerous. Our lack of visibility into who’s piloting the plane and the automated systems controlling the aircraft often has us feeling insecure about the safety of our most important asset: our lives.

This is exactly why financial organizations have been hesitant about adopting the public cloud. They wrongly believe the public cloud isn’t suitable for our most sensitive data assets, especially personally identifiable information (PII). This myth persists not because the public cloud is less secure than traditional IT; in fact, it offers financial organizations the opportunity to improve their security posture. Rather, the requirement to give up infrastructural control creates an illusion of insecurity, one that shouldn’t thwart cloud transformation ambitions.

The public cloud security myth prevalent across the financial services sector is primarily fed by this psychological phenomenon, but there’s something else at play. In fact, many financial organizations found themselves less secure after embarking on their cloud journeys. But the cloud wasn’t to blame. The culprit was gaps in their incumbent security posture, which were exposed following their migration to the cloud. Naturally, it’s far easier to blame the new platform than the decisions made during implementation. We’ve seen many organizations underinvest in the technology groups needed to ensure a secure and successful outcome, and they often fail to activate modern capabilities.

When that happens, it’s hard not to wonder if a company is committed to cloud transformation in the first place. Sometimes the security question manifests itself as a symptom as opposed to the root cause of the inertia. Those that truly want to activate cloud transformation will mobilize sufficient resources, communicate a strong value proposition, and empower teams to operationalize their strategy. The fact is, if a company begins its cloud journey without deploying more advanced security capabilities, significant gaps will be exposed in its security posture. And retrofitting software-defined security—policy as code (PAC)—in an already established cloud architecture is incredibly costly. So basically, if your company doesn’t have a strong case for change, it’s important to consider that cloud transformation may not be a good fit.

At Maven Wave, we recommend selecting a small but integrated application or data warehouse to refactor as an initial end-to-end cloud workload. We call this a “vertical slice” because it cuts through all of the organization’s operational units while focusing on the use case at hand. Doing this allows you to deliver immediate value to your business by comprehensively refactoring a part of your company without exposing vulnerabilities or having to undergo a cost-prohibitive overhaul of your aggregate IT environment if you don’t have the organizational buy-in or resources.

The resulting architecture (at least temporarily) can be thought of as hybrid cloud, since it would be dependent on applications or data running in traditional execution venues, while benefiting from modernization. When facilitating this approach for customers, we form multi-disciplinary teams that implement software-defined technology across all layers of the slice: cloud orchestration, network, application, data storage, monitoring, and most importantly, security. Next, we model out DevSecOps and Site Reliability Engineering (SRE) capabilities to establish a modern framework for technology delivery and technical operations. Leveraging this approach, we have been able to activate cloud-ready capabilities across the operating model and dispel friction associated with change.

When they reach the other side of a cloud transformation, our clients have deployed sophisticated penetration tests and subscribed to rigorous compliance audits. The conclusion is always the same: with proper platform selection and technical security implementation methods, the company’s security posture in the public cloud is improved compared to the former state.


About the Author

Andrew Dunmore
With over 15 years of solution delivery experience, Andrew Dunmore leads the financial services consulting practice at Maven Wave. Mr. Dunmore is one of Maven Wave’s thought leaders in capital markets innovation and delivery excellence. Prior to Maven Wave, Mr. Dunmore served as a Vice President at Bank of America in their global private equity investment office and an Assistant Vice President at LaSalle Bank in their credit derivatives servicing division.
August 21st, 2019