November 30, 2021 By David Kliemann
Aly Farooqui
3 min read

An industry standard for assessing and reporting on cloud risk for financial institutions.

Cloud-based technology is transforming the financial sector at a rapid pace. As financial institutions continue to prioritize digital transformation, there are several hurdles that inhibit organizations from fully realizing the benefits of moving critical workloads to cloud. One major hurdle is a lack of a commonly integrated, industry-recognized method to measure and report the risk level of hybrid multicloud operations.

Assessing cloud risk is essential to the health of financial institutions

It is well known that security and risk management are critical components for financial institutions to host mission-critical workloads in the cloud and transact with confidence. There is a gap, however — many organizations that move workloads to cloud find that they can’t easily articulate, measure and report risks in relation to their cloud environments. Organizations can find it overwhelming to translate the wide array of potential metrics to stakeholders and regulators, potentially resulting in misalignment of resources. This situation is further amplified with hybrid multicloud deployments that many financial institutions are adopting.

Without a holistic cloud metrics model, financial institutions often struggle to track and articulate key considerations:

  • Are risks being recognized, managed and reported properly? To the right audience? In a timely manner?
  • Can organizations demonstrate strong governance and compliance in their cloud environments?
  • Is the business meeting organizational goals?

With a variety in approaches, it can be difficult for organizations to align with existing risk management programs and determine if they are meeting business goals, while continuously demonstrating governance and compliance requirements.

Financial sector cloud metrics model: The IBM Cloud for Financial Services approach

To directly tackle these challenges, IBM Cloud has collaborated with many organizations within the IBM Financial Services Cloud Council (Council) to develop a Financial Services Cloud Framework. The Council consists of CIOs, CTOs, CISOs and Risk Leaders from global and regional financial institutions who collectively work to de-risk cloud for the industry. More recently, the over 20 financial institution members of the Council worked together to create an industry-centric cloud metrics model to address hybrid-multi cloud governance and reporting.

Based on the NIST Cybersecurity Framework (CSF), the most widely recognized and accepted risk management framework, our industry cloud metrics model compounds upon this tried-and-true foundation to provide organizations with more flexibility. After reviewing with various financial institutions, we have added additional functions and components to account for operational and compliance needs that may not be explicit in NIST CSF. Considering how many financial institutions are still early in their cloud journeys, this is an important area to address.

We recognize that organizations across the financial sector have different risk appetite and tolerance levels. As such, the model must be able to be tailored towards each organization’s unique requirements. Instead of being rigid and prescriptive, our model provides a menu of metrics that can be geared towards different organizational levels — what the management team needs will be different from C-level or board-level requirements.

To help build a holistic picture for leadership to understand overall risk, we have worked with the Council to identify several cloud metric “domains” that can be used to bucket various metrics and demonstrate risk levels:

  • Cloud adoption: Implementing governance and achieving the potential of cloud benefits (e.g., agility, scalability, risk mitigation).
  • Risk and compliance: Meeting enterprise risk-management and regulatory requirements.
  • Cloud infrastructure security: Facets of security below the application layer (e.g., infrastructure, platform, networking).
  • Technology operations: Tools and processes to keep applications/workloads resilient and functioning.
  • Workload and data security: Facets of security at the application layer, along with data and application governance and security.

These domains include 50+ individual metrics, including insights for the following:

  • Workload inventory and mapping to enable management to know the placement of their workloads.
  • Workloads in each CSP to understand concentration risk and dependencies.
  • Infrastructure with unremedied vulnerabilities to allow for immediate focus to protect workloads.
  • Misconfigured workloads/applications detected to drive corrective actions.

Integrating these cloud domains with the CSF functional areas and providing a metric dashboard for reporting enables financial institutions to thoroughly assess their cloud risk.

Moving toward a new era of trust and transparency for financial institutions

With this cloud metrics model in hand, we are continuing to receive input from global FIs, industry regulators and expert analysts to further refine our metrics and examine organizational needs from all angles. IBM Cloud for Financial Services continues to advance the cloud space for the financial services industry — our proposed cloud metrics model is another key puzzle piece in the breadth of technology and expertise we provide to banking leaders looking toward the cloud. Stay tuned for more details.

To learn more about how IBM is creating a new standard for secure and compliance-centric cloud computing, please visit IBM Cloud for Financial Services.

Was this article helpful?

More from Cloud

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters