Capitalizing on Cloud Infrastructure: Everything Financial Institutions Need to Know About Moving to the Cloud
As financial institutions refine their digital strategy to keep up with market and regulatory demands, cloud computing is emerging as the future of banking technology. There are a myriad of reasons institutions should capitalize on cloud computing, including enhanced scalability, efficiency, reliability, risk management and regulatory compliance. Despite these and other appealing benefits, it can be intimidating for community banks and credit unions to move to the Cloud.
In this post, we examine some of the most important issues related to moving to the Cloud to help institutions streamline the decision-making process, determine what can and should be moved to the Cloud, and examine the cost and security issues of cloud computing. Hopefully, this will shed light on how beneficial cloud-based solutions can be and provide the information IT managers need to make the best decision for their institution.
Three Questions to Ask Before Moving to the Cloud
Hosting applications and systems on a cloud network can be appealing to community banks and credit unions as it allows them to reduce servers, internal infrastructure, and applications that would typically have to be hosted inside the institution, as well as the associated support each one requires. It also offers the benefits of system standardization, centralization of information, and the simplification of IT management. However, here are three essential questions financial institutions should ask before moving to the Cloud:
- Which applications can be moved to the Cloud? Evaluating which applications can be moved to the Cloud and which vendors offer cloud-based solutions is really the first step. This will help IT managers understand issues and elements that will be solved or created by the move to the Cloud. For example, even with cloud-based solutions, they will still need to manage user workstations, security issues, connections to applications, as well as switches and routers.
- Is the institution’s internet connectivity strong enough to support cloud-based solutions? Delays in loading cloud-based applications can be frustrating as well as costly. The increased use of cloud-based computing will place added demands on internet speed and connectivity, making a strong connection critical for the success and health of the financial institution. This is a very important consideration when determining whether to move to cloud-based services. Confirming the availability of the proper connectivity—including a redundant internet connection to ensure access at all times—will help streamline this transition.
- Are there additional compliance issues to consider when selecting a cloud vendor? Moving to a cloud-based application will mean giving up some controls to a cloud vendor. When selecting a vendor, institutions must evaluate their practices and strategies for user identity and access management, data protection, incident response, and SOC 2 Type II documentation. They should have a solid vendor management program in place to verify that their vendors are compliant and are following the service agreement.
Financial Implications of Migrating to the Cloud
Migrating to the Cloud commonly requires an organization to move from a capital expenditure (CAPEX) to an operating expenditure (OPEX) financial model. The difference in long-term costs can be difficult to measure as many of the internal costs of managing an IT network are not documented.
Most community banks and credit unions have a good understanding of their IT capital expenditures. The up-front, fixed costs, such as hardware and software, and the resulting amortized or depreciated costs over the life of the asset, are historically well tracked. Traditionally, an on-premise infrastructure is considered a capital expenditure since it includes the purchase of servers, computers, and networking hardware, as well as software licenses, maintenance, and upgrades.
What is not generally well documented are the internal costs involved with running the system, including the power, cooling, floor space, storage, physical security, and the time IT teams devote to the daily management and continual maintenance of these systems. In addition, the equipment and software will need to be upgraded or replaced periodically, making for on-going large capital costs in years to come.
The move to the Cloud means a move from a CAPEX financial model to an operating expenditure model, in which large capital outlays are replaced by monthly, quarterly, or annual fees an institution pays to operate the business. These periodic OPEX fees include license fees for software access, as well as all the infrastructure and maintenance costs associated with the technical environment. Hosting an application in the Cloud via a Software as a Service (SaaS) model can minimize required capital investments for the institution. It can enable them to be up to date with the latest technology which can lead to generating more profits and ROI. The OPEX model can also provide the IT staff more time to focus on strategic revenue-generating and customer-facing activities.
The evaluation of CAPEX and OPEX expenditures is not an apples-to-apples comparison. It is important for IT management to understand the differences between the CAPEX and OPEX models, perform an analysis, and be able to effectively communicate the pros and cons before presenting a proposal to leadership.
Four Steps for Moving Server Workloads to the Cloud
Today, banking services are increasingly being hosted in the Cloud. Cloud outsourcing often begins with specific IT functions or processes such as disaster recovery, backup, and supporting servers. However, a financial institution can be strongly in favor of cloud computing without moving 100 percent to the Cloud. For example, a bank could easily have its ancillary systems and lending in the Cloud and maintain its core in-house.
There is a great deal of infrastructure involved in managing all the applications needed to run an efficient and successful financial institution. While cloud technology has proven to be beneficial for community banks and credit unions by enabling their limited in-house personnel to focus on core strategic initiatives, there are four important factors institutions should carefully consider before moving their data to the Cloud. They are:
- Support the financial institution’s business strategy
Some organizations consider moving to the Cloud simply because they think it is the right thing to do; however, there is no set path that all financial institutions must follow.
Each community bank or credit union has a unique strategy driven by its market situation, whether that includes business expansion, rapid disaster recovery, or replacing existing servers or hardware. An institution’s decisions about cloud computing ultimately must align with its business goals, strategies, and objectives.
- Identify the application opportunities
Not all business processes and applications are suitable for the Cloud. Before moving to the Cloud, the IT team must understand the requirements of their business applications. They should evaluate the data footprint, transaction types, and frequency, as well as the IT infrastructure that is being used to host each application in order to determine which applications need to remain on-premise and which can be moved to the Cloud.
- Determine the best path to the Cloud
Once the institution’s cloud and business strategies have been aligned, and its applications have been identified, it is ready to migrate supporting servers, applications and other assets to the Cloud.
There are several approaches that institutions can use to facilitate their migration to the Cloud. They can simply move the physical servers they already have to a co-location facility or data center. This can be an attractive option since it does not require extensive configuration changes to applications and servers but moves these critical assets out of their building to a highly available data center.
Or a financial institution can adopt an Infrastructure as a Service (IaaS) model. This means that instead of physically moving the servers it owns, a bank or credit union can lease the server capacity that it needs from a third-party provider. The institution can then access the servers remotely to install, run, and maintain its applications.
As a third option, financial institutions can implement the Software as a Service (SaaS) model. With this licensing fee and delivery model, software is licensed on a subscription basis and is centrally hosted by the application software provider. This approach enables community banks and credit unions to run their applications from a browser that is supported by the developer, so there is no additional infrastructure to maintain.
- Develop a Phased Approach
Long term, financial institutions should consider using a graduated approach to moving their applications to the Cloud. The migration should be completed in multiple phases to enable a smoother transition. However, the applications that are not technically ready should not be moved as this can cause unnecessary complications and technical issues.
Misconceptions About Cloud Security
Many community banks and credit unions struggle with truly understanding the security differences of housing their sensitive data in the Cloud vs. keeping it housed on servers and hardware solutions that are located on-premise.
Having sensitive data housed in a cloud-based data center is uniquely different from maintaining on-premise resources for data storage. So, it makes sense that security-related issues and concerns would need to be addressed and considered prior to cloud migration. Understandably, some institutions might have lingering doubts about whether they can truly trust a cloud-based data center that they can’t physically see or control.
Let’s take a look at some of the common issues and misconceptions organizations have about cloud security:
- Misconception #1: The Cloud is not secure
To the contrary, the Cloud can enable financial institutions to experience as much as or more security than with an on-premise environment—and without the hassle and expense of maintaining physical servers and storage devices. Major cloud service providers have the technical expertise and strict internal processes to physically secure their IT hardware against unauthorized access, theft, fires, flooding and other potential hazards. For example, Microsoft® employs thousands of cybersecurity experts and cutting-edge technology such as artificial intelligence to detect, respond to and thwart security threats.
In addition, cloud providers often give their customers access to extra security programs and resources. This can make it easier for organizations to more effectively combat threats like data loss, leaks, and hacking. Of course, no security model—even one that uses a multi-layered approach—is perfect, but a cloud solution protected by substantial security measures can ultimately enhance a financial institution’s security posture.
- Misconception #2: The provider is responsible for keeping data secure in the Cloud
A common concern for many financial institutions who are considering moving to the Cloud is determining who is responsible for data security moving forward—the cloud services provider or the customer? The short answer is both parties. Data security is typically a shared responsibility and requires banks and credit unions to continue monitoring the security of their solutions to ensure the data is secure and meets all regulatory requirements.
- Misconception #3: Data can be easily lost in the Cloud
Information resiliency is a key differentiator for cloud-based services. These solutions help reduce the likelihood of data loss if key security features and backups are enabled and used appropriately.
In addition, cloud services can help financial institutions recover quickly from business disruptions like equipment failure, power outages, and natural disasters. This provides financial institutions with continuous access to data and other critical applications, enabling business operations to run smoothly.
- Misconception #4: Anyone can access data in the Cloud
The Cloud actually prevents unauthorized individuals from accessing data on the network because cloud providers use a variety of security processes to control points of access. Most cloud providers use data encryption to protect data while it’s being stored and during transmission as well as multi-factor authentication to require two or more forms of verification to access the system.
Moreover, cloud services providers maintain detailed activity logs that show who accessed, created and modified data. Having this type of intelligence allows cloud vendors to better understand unusual activities, detect potential threats and more effectively protect the client’s data.
Building a strategy for cloud computing can be intimidating. All community banks and credit unions have a unique business strategy that will guide how they migrate to the Cloud, what type of cloud solution is best for their environment, and what specific technology assets should be moved to the Cloud.
Working with an experienced service provider such as Safe Systems can simplify the process. Safe Systems helps institutions design and install cloud solutions while also ensuring their systems are compliant and meet examiner expectations.