November 30, 2021 By David Kliemann
Aly Farooqui
3 min read

An industry standard for assessing and reporting on cloud risk for financial institutions.

Cloud-based technology is transforming the financial sector at a rapid pace. As financial institutions continue to prioritize digital transformation, several hurdles keep organizations from fully realizing the benefits of moving critical workloads to the cloud. One major hurdle is the lack of an industry-recognized, commonly integrated method for measuring and reporting the risk level of hybrid multicloud operations.

Assessing cloud risk is essential to the health of financial institutions

Security and risk management are prerequisites for financial institutions to host mission-critical workloads in the cloud and transact with confidence. There is a gap, however: many organizations that move workloads to the cloud find that they cannot easily articulate, measure and report the risks of their cloud environments. Translating the wide array of possible metrics into something stakeholders and regulators can act on is often overwhelming, and the result is misallocated resources. The problem is amplified by the hybrid multicloud deployments that many financial institutions are adopting.

Without a holistic cloud metrics model, financial institutions often struggle to track and articulate key considerations:

  • Are risks being recognized, managed and reported properly? To the right audience? In a timely manner?
  • Can organizations demonstrate strong governance and compliance in their cloud environments?
  • Is the business meeting organizational goals?

With such a variety of approaches, organizations find it difficult to align cloud reporting with their existing risk management programs, to determine whether they are meeting business goals, and to demonstrate governance and compliance on a continuous basis.

Financial sector cloud metrics model: The IBM Cloud for Financial Services approach

To tackle these challenges directly, IBM Cloud has collaborated with many organizations within the IBM Financial Services Cloud Council (Council) to develop a Financial Services Cloud Framework. The Council consists of CIOs, CTOs, CISOs and risk leaders from global and regional financial institutions who collectively work to de-risk cloud for the industry. More recently, the Council's more than 20 member institutions worked together to create an industry-centric cloud metrics model for hybrid multicloud governance and reporting.

The model is based on the NIST Cybersecurity Framework (CSF), a widely adopted risk management framework whose five functions (Identify, Protect, Detect, Respond and Recover) give it a tried-and-true foundation, and builds on that foundation to give organizations more flexibility. After reviewing it with various financial institutions, we added functions and components to account for operational and compliance needs that are not explicit in the NIST CSF. Because many financial institutions are still early in their cloud journeys, this is an important area to address.

We recognize that organizations across the financial sector have different risk appetites and tolerance levels, so the model must be tailorable to each organization's requirements. Instead of being rigid and prescriptive, our model provides a menu of metrics that can be geared towards different organizational levels: what the management team needs will differ from C-level or board-level requirements.

To help build a holistic picture for leadership to understand overall risk, we have worked with the Council to identify several cloud metric “domains” that can be used to bucket various metrics and demonstrate risk levels:

  • Cloud adoption: Implementing governance and achieving the potential of cloud benefits (e.g., agility, scalability, risk mitigation).
  • Risk and compliance: Meeting enterprise risk-management and regulatory requirements.
  • Cloud infrastructure security: Facets of security below the application layer (e.g., infrastructure, platform, networking).
  • Technology operations: Tools and processes to keep applications/workloads resilient and functioning.
  • Workload and data security: Facets of security at the application layer, along with data and application governance and security.

These domains include 50+ individual metrics, such as:

  • Workload inventory and mapping to enable management to know the placement of their workloads.
  • Workloads in each CSP to understand concentration risk and dependencies.
  • Infrastructure with unremediated vulnerabilities, so that effort can be focused immediately on protecting the affected workloads.
  • Misconfigured workloads/applications detected to drive corrective actions.
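To make the four metrics above concrete, here is an added example (not code from IBM Cloud for Financial Services or from the Council's model) that computes them from a workload inventory and tags each with a domain and a CSF function. The inventory records, the remediation SLAs, the concentration threshold and the domain-to-CSF mapping are all constructed assumptions for illustration; a real program would pull the inventory from a CMDB or CSP APIs and take the SLAs and thresholds from its own risk appetite statement.

```python
"""Cloud-risk metrics from a workload inventory (illustrative example).

All data, SLAs, thresholds and the domain/CSF-function mapping below are
assumptions made for this example, not IBM's published metrics model.
"""
from collections import Counter
from datetime import date

# Assumed remediation SLAs in days, by finding severity. A finding older than
# its SLA counts as "unremediated" for the infrastructure-security metric.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Assumed risk-appetite limit: flag any single CSP hosting more than half of
# the workloads as a concentration risk.
CONCENTRATION_LIMIT = 0.50

AS_OF = date(2021, 11, 30)  # reporting date for the example

# Constructed inventory: one record per workload. "vulns" holds
# (severity, date_found) pairs still open; "misconfigs" holds open findings
# from a configuration scanner.
WORKLOADS = [
    {"id": "payments-api", "csp": "ibm", "owner": "cards", "tier": "critical",
     "vulns": [("critical", date(2021, 11, 10))], "misconfigs": ["public-bucket"]},
    {"id": "ledger-db", "csp": "ibm", "owner": "core-banking", "tier": "critical",
     "vulns": [("high", date(2021, 11, 25))], "misconfigs": []},
    {"id": "kyc-batch", "csp": "ibm", "owner": "compliance", "tier": "important",
     "vulns": [], "misconfigs": []},
    {"id": "marketing-site", "csp": "aws", "owner": None, "tier": None,
     "vulns": [("medium", date(2021, 6, 1))], "misconfigs": ["no-mfa-on-console"]},
    {"id": "analytics-lake", "csp": "azure", "owner": "data", "tier": "important",
     "vulns": [("high", date(2021, 10, 1))], "misconfigs": []},
]


def inventory_coverage(workloads):
    """Share of workloads whose owner and criticality tier are both recorded.

    Unmapped workloads are the ones management cannot reason about, so this
    is the "workload inventory and mapping" metric.
    """
    mapped = sum(1 for w in workloads if w["owner"] and w["tier"])
    return mapped / len(workloads)


def csp_concentration(workloads):
    """Share of workloads per CSP and the CSPs above the concentration limit."""
    counts = Counter(w["csp"] for w in workloads)
    shares = {csp: n / len(workloads) for csp, n in counts.items()}
    over_limit = sorted(csp for csp, s in shares.items() if s > CONCENTRATION_LIMIT)
    return shares, over_limit


def is_past_sla(severity, found_on, as_of=AS_OF):
    """True when a finding has been open longer than its severity's SLA."""
    return (as_of - found_on).days > SLA_DAYS[severity]


def unremediated_vulns(workloads, as_of=AS_OF):
    """IDs of workloads carrying at least one finding older than its SLA."""
    return sorted(w["id"] for w in workloads
                  if any(is_past_sla(sev, d, as_of) for sev, d in w["vulns"]))


def misconfigured(workloads):
    """IDs of workloads with at least one open configuration finding."""
    return sorted(w["id"] for w in workloads if w["misconfigs"])


def scorecard(workloads, as_of=AS_OF):
    """Bucket each metric under a model domain and a CSF function.

    The domain and function assignments are this example's assumptions.
    """
    shares, over_limit = csp_concentration(workloads)
    return {
        "cloud_adoption/inventory_coverage": ("Identify", inventory_coverage(workloads)),
        "risk_and_compliance/csp_shares": ("Identify", shares),
        "risk_and_compliance/csp_over_limit": ("Identify", over_limit),
        "cloud_infrastructure_security/unremediated_vulns": ("Protect", unremediated_vulns(workloads, as_of)),
        "workload_and_data_security/misconfigured": ("Detect", misconfigured(workloads)),
    }


if __name__ == "__main__":
    for key, (function, value) in scorecard(WORKLOADS).items():
        print(f"{key:55s} [{function}] {value}")
```

Two design points are worth noting. The vulnerability metric is defined against an SLA rather than as a raw count, because a raw count of open findings rewards teams that scan less; what a board needs is how many workloads are outside the organization's own remediation tolerance. And the concentration metric returns the per-CSP shares alongside the flag, so the same function feeds both the management view (shares) and the board view (breaches of the limit) that the menu-of-metrics approach calls for.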

Integrating these cloud domains with the CSF functional areas and providing a metric dashboard for reporting enables financial institutions to thoroughly assess their cloud risk.

Moving toward a new era of trust and transparency for financial institutions

With this cloud metrics model in hand, we continue to gather input from global financial institutions (FIs), industry regulators and expert analysts to refine the metrics and examine organizational needs from all angles. IBM Cloud for Financial Services continues to advance the cloud space for the financial services industry, and the proposed cloud metrics model is one more piece of the technology and expertise we provide to banking leaders looking toward the cloud. Stay tuned for more details.

To learn more about how IBM is creating a new standard for secure and compliance-centric cloud computing, please visit IBM Cloud for Financial Services.
