Hey You, Get on That Cloud

The cloud is redefining how banks engage with customers, partners, and regulators. And it fuels the very core of digital banking services, which are growing more important each day. As with any paradigm shifting technological development, however, the cloud does come with its risks.?

This article will provide an overview of the cloud and explore its many benefits before identifying potential security concerns and offering practical advice for leadership and boards looking to maximize the impact of their organization’s cloud migration.?

First, what is the cloud exactly? You can think of it as an intricate network of virtual hubs, effortlessly delivering services without the need for users to manage the underlying complexity. Distributed across various locations, the cloud streamlines operations by sharing resources and optimizing costs through a flexible pay-as-you-go model. It propels digital services—from social media to streaming to the “internet of things”—to new heights of speed and accessibility.??

CLOUD CHARACTERISTICS

According to the National Institute of Standards and Technology, cloud computing stands on four deployment models, three service models, and five core characteristics.?

Deployment models encompass the private cloud for single organizations, community cloud for shared concerns, public cloud for general use, and hybrid cloud as a blend of distinct infrastructures.?

In service models, Software as a Service (SaaS) provides accessible applications on cloud infrastructure, while Platform as a Service (PaaS) empowers user-created applications. Infrastructure as a Service (IaaS) offers essential resources for software deployment.?

The five core characteristics include on-demand self-service, ensuring swift resource provisioning; broad network access, promoting versatile platform usage; resource pooling, dynamically serving users through multi-tenancy; rapid elasticity, allowing flexible scaling; and measured service, enabling resource optimization and transparency.?

Cloud Nine??

While we’ve yet to tap the cloud’s full potential, it’s definitely not a brand-new concept. A recent KPMG survey of global technology professionals showed that on average half of enterprise workloads are already on the cloud, and 80% of organizations are satisfied with the returns of their cloud transformation. The top advantages cited were cost and efficiency.?

Getting your organization on the cloud can indeed make things easier. Cloud service providers handle everything related to the tech infrastructure: from maintaining the data centers and servers to keeping the information secure. Utilizing the cloud can help organizations focus on core businesses instead of being consumed by the challenges of maintaining their own IT framework. It allows businesses to scale IT resources based on their needs and actual usage. And it makes the backup and recovery of data easier and faster.?

Maintenance is outsourced because the data is hosted on a server maintained by a third party without the need for the user to invest in expensive data centers. The cloud’s multi-tenancy enables the sharing of resources and spreading of costs across users allowing for the centralization of the infrastructure in locations with lower costs, fluctuating load capacity demands, and the efficiency improvements for systems that are not fully utilized.?

While some may question the security of the cloud, most reputable cloud service providers follow rigid regulatory guidelines and employ sophisticated cyber security protections to ensure the secure storage and transmission of data.?

Security and Risk??

There still is risk, of course. Although cloud computing can have far reaching effects on the systems and networks of organizations, many of the features that make the cloud so compelling are at odds with traditional security models and controls. In his book “Cloud Computing: From Beginning to End,” Ray Rafaels notes that boards and leadership teams need to be sure that cloud solutions are configured, deployed, and managed to meet the security, privacy, and risk requirements of the organization and regulators. Data must be protected in a manner consistent with company policies and regulatory expectations.?

Insecure interfaces with APIs, data loss and leakage, and hardware failures are among the cloud’s top security and privacy threats. Rafaels writes that because the data from hundreds or thousands of organizations can be stored on large cloud servers, hackers could gain control of volumes of information through a single breach or incursion.?

Rafaels emphasizes that the migration to the cloud is, in many ways, an exercise in managing risk. It entails identifying and assessing the threats and taking steps to reduce them to acceptable levels. The risks that are identified need to be evaluated against the organization’s existing controls. Organizations should ensure an appropriate balance between the number and strength of controls and the risks associated with the cloud’s deployment.?

By nature, cloud computing and cybersecurity often pull in opposite directions. Cloud computing processes and stores data off-site while cybersecurity builds virtual walls internally to protect the information. The cloud relies on outsourcing, trusting in third parties to retain the organization’s data and keep transactions safe. Cybersecurity keeps the protections close, placing reliance on the organization’s people, processes, and protocols.?

To be clear, cloud data security is the organization’s responsibility. Cloud service providers handle the perimeter, while the company safeguards data. Collaborative efforts involving the organization, cloud service provider responsible for configuration, and third-party software vendors are pivotal for comprehensive cloud security.?

The Federal Financial Institutions Examination Council says organizations should not assume effective security and resilience controls exist simply because the IT systems operate in the cloud. The agreements between the organization and the service provider should define the service level expectations and control responsibilities for both the organization and third parties. It may be determined that there is a need for controls in addition to those the cloud service provider contractually provides to maintain consistency with the organization’s standards and policies.?

Advice for Bank Leaders?

A 2021 Accenture survey of around 4,000 global business and IT leaders showed that by 2026 more than two-thirds of organizations plan to migrate the majority of their workloads to the cloud. But while a move to the cloud is intended to make things easier, the migration itself can sometimes be painstakingly slow. Finding the right level of security to match the organization’s operating environment and getting IT and the business in alignment is a complex task. Misalignment can create a disjointed implementation. Business units have their own distinct priorities. As a result, their cloud approaches can become siloed and disconnected from the work of other areas.?

McKinsey suggests board members and management evaluate the following when considering a cloud migration:?

• A move to the cloud creates an expanded IT footprint. Risk management practices need to shift to support the organization’s faster pace and greater agility that are enabled by the cloud.?
• Regulatory requirements expand when the cloud is used across multiple jurisdictions. This often requires adjustments to continuity and compliance plans that preserve the confidentiality and integrity of sensitive data.?
• Moving to the cloud can create dependencies on other IT transformations and systems that support the business, creating additional complexities and project risk.?
• When working with cloud service providers and other third parties, each relationship needs to be separately evaluated. Third-party risk management frameworks become even more critical.?

Concentration risk—having too few providers of cloud services—is also a growing concern. In 2021, Amazon’s cloud computing unit suffered three outages in a month , spurring disruptions at many organizations and underscoring how regional infrastructure problems can have far-reaching effects. Organizations are seeking ways to build resiliency into their cloud deployment. For example, they are spreading risk by tapping multiple regions of a single cloud service provider. This approach can, however, introduce more complexity and add costs.?

For board members and management, cloud adoption should not be narrowly viewed as a pathway for revenue growth and greater efficiency. Rather, its advantages of speed, scale, innovation, and productivity are essential in the pursuit of broader digital opportunities.?

McKinsey notes the organizations that benefit most from cloud adoption generally follow three practices: they have a well-defined, value-oriented cloud-ready operating strategy; they develop first-hand experience with the cloud and adopt a technology-centric mindset; and they emphasize building and educating a cloud-literate workforce.?

A mistake that organizations sometimes make when migrating to the cloud is restricting its scope to a limited portfolio of use cases. Individually, each use case may be helpful. But collectively they can lack the scale to realize the cloud’s full potential value. McKinsey recommends organizations productively take the following steps to create a scalable plan to cloud-driven performance improvements and value creation:?

• Set an ambitious aspiration. Many in the boardroom know that the cloud can free the organization from the limitations of traditional technologies. But they remain fixated on outdated models of what is achievable. They set the organization’s aim too low. The cloud aspiration needs to be ambitious and established with a sense of urgency.?
• Create the economic rationale. The migration to the cloud needs to be grounded in the understanding of the economics across cost savings (rejuvenation) and acceleration (innovation). The plans should be adjusted for the risks and evaluated by the required resource allocations and sequencing of tasks. The value that is unlocked or accelerated by the cloud needs to be projected. The economic rationale helps to secure consensus across the organization and build momentum.?
• Adopt cloud-native ways of working. The scope of the change needed to harness the cloud’s value requires the organization to have skilled people, both in-house specialists and ecosystem partners, who are experienced in the cloud. Successful efforts are achievable only when the organization is able to transform its operations.?
• Build a standardized, automated cloud platform. Investments are required to create a standardized, automated cloud platform that improves productivity, delivers the right experiences, and helps the business both innovate and scale.?

Holistic Change?

The cloud roadmap and the technology strategy need to be aligned and inextricably linked to the organization’s plans for digital transformation.?

Directors and management must recognize that the cloud can result in value beyond efficiency and agility. Deloitte suggests that cloud computing is a force multiplier to the organization’s outcomes. Among the best practices from high-performing organizations in moving to the cloud are:

• Do not over-spend. These organizations spend only slightly more on the cloud as a normalized percentage of their revenues, validating that it is not only the amount spent but the specific actions that matter. These companies focus their investments in areas with the greatest potential to boost operating performance, drive strategic outcomes, and enable breakthrough innovations.?
• Make use of multi-cloud models. The benefits of the multi-cloud deployment model include more and better choices, application and data processing scalability, and greater flexibility and leverage of new and migrated workloads. These organizations make use of multi-cloud models by working with three or four cloud service providers as opposed to only one.???
• Embrace advanced cloud services. While data analytics, software engineering, and cloud cyber services have become tablestakes, these organizations are now deploying advanced cloud services in areas like the internet of things, AI and machine learning, augmented reality and virtual reality, and the blockchain.?
• View industry community clouds as an enabler. Industry community clouds can be a catalyst for transformation and automation of industry-specific processes.?
• Focus on the culture. High-performing organizations emphasize creating the right culture to drive problem-solving, product innovation, and continuous improvement.?

Questions Directors Should Ask?About Cloud Computing?

• What are the organization’s aspirations in the cloud? What workloads need to migrate to the cloud??
• How are peers and competitors adopting and leveraging the cloud? What strategic moves are they making??
• What are the sources of value in migrating to the cloud? What are the results of management’s “cost versus benefit” analysis????
• What are the advantages and disadvantages of using a private or public cloud model? Should a hybrid or a community configuration be considered??
• How does the cloud fit into the organization’s plans to digitally transform? In what ways does the organization’s strategy incorporate the digital goals and the role cloud computing can play??
• How can the cloud help the organization meet its optimization and simplification objectives??
• What security and privacy challenges is the organization now facing? How will the cloud change the organization’s risk profile????
• How can edge computing be used to enhance the cloud migration? What is the right combination of edge and cloud computing systems??
• How should the board incorporate the cloud continuum into the organization’s long-range planning??
• What level of disruption is expected in moving to the cloud? What change management programs are in place to facilitate the migration??
• Does the organization have the right skills to lead the migration to the cloud? What kinds of talent is required? How are gaps addressed??
• Is the board sufficiently prepared to oversee the migration to the cloud? Do directors have the right skills and experience??
• What are the organization’s opportunity costs in not migrating to the cloud??

This article is adapted from a chapter in the upcoming book by Dean Yoost, “Disruptive Technologies Require the Board’s Critical Thinking.”?

DEAN A. YOOST, is the author of five books on corporate governance. He is a board member at Pacific Life Insurance Company and an advisory committee member of American Honda Finance Corporation. Dean is a retired partner of PricewaterhouseCoopers, where he spent 33 years. He can be reached at?[email protected] .?