Executive roundtable III: Security and the rapidly changing cloud environment

Businesses are accelerating the adoption of hybrid cloud and AI to achieve digital transformation. But increasing cyber threats and dynamic regulations are forcing enterprises to rethink their approach to managing security and compliance. In this session, hear about the experiences financial institutions and partners have had mitigating risk and managing compliance across their multi-hybrid-cloud environments: defining prescriptive policies and controls, implementing data-centric protection and privacy with zero trust, and achieving continuous compliance.

Transcript:

Nataraj Nagaratnam (00:08):

Excellent. Good afternoon. Good afternoon. Thank you. Thank you for coming to sunny Florida. Typically in the past, security sessions have been at the end, and this is one of those times where you start with security, which is literally such a key topic, and I look forward to this conference as well. Given what's going on in the financial services industry, and with many banks, fintechs, financial institutions that we have been working with globally, we have been noticing a significant trend around threat and risk that you need to mitigate, as well as the regulations and the regulatory compliance aspect that keep coming up. And more and more, the regulatory focus has increased, given various dimensions here. So this kind of informal session was supposed to be a round table; it became round tables. So the idea is to have an interactive session. I'll share what we have been observing, working with numerous clients over the last few years in the context of hybrid cloud, and share our thinking, and more importantly what we have done with our clients, financial services clients across the world, and give some examples and walk through it. But feel free to ask questions. Let's keep it going from that perspective. And we've got about half an hour, until 12:50, so that you can get ready for your next session as you go in. I'm Nataraj Nagaratnam, I'm CTO for cloud security here at IBM, and we have been focused on building an industry cloud from a cloud perspective. When we started building our cloud and evolving it, not only was being a hyperscaler important; we saw the need, given our expertise, our focus in terms of working with financial services over decades, from their on-prem implementation, transactions that run on our mainframes, and the consulting that we have been doing with them in modernization. We started to observe a few core things in terms of what's happening and the need for building an industry cloud, and that's what we have done.
So much of our experience and the stories that we will share are from that. If I can, if it's okay, if I can get a sense of which team you are from. Typically, if you think of within your organization, either you focus on security and compliance and risk, or, excellent, very good. Are you focused on IT? CIO, building things, or line of business building capabilities? Okay, that's a mix of all of you, because this is exactly at the intersection of various things that are happening. Because at the speed at which financial services, the banks, and many of the banks that you represent want to go, what we have observed is you're trying to innovate at speed. FinTech, SaaS, adoption of those become a key part of your acceleration in terms of your digital transformation. At the same time, you need to balance risk and compliance. Not our study that we did, a McKinsey study. Let's take a guess. So if you think of front office workloads, like productivity workloads, right? You do mobile banking or your office collaboration tools and so on and so forth. If that's your front office, then much of your lending, your processing, all the way to core banking, that could be mid office and back office. What percentage of the real core workloads, like mid office and back office, if you kind of think about percentages, do you think have moved to cloud, ballpark range? You want to take a guess? The critical workloads that require resilience, performance, security, compliance. I guess there's no right or wrong answer, or you can think about your own company and see what percentage have moved to the cloud, right? It's about 5%. Only 5% have moved to the cloud. So there's a huge opportunity in terms of digital transformation, because it's just not lift and shift of workloads. And the primary reason, when we look into why only 5% have moved, predominantly it comes down to the resiliency requirements and performance on one side.
But more importantly, security and compliance is at the core of that discussion, because from a regulator perspective, from a risk perspective, you're trying to protect your data. So that's at the center of these discussions as we see it. And more and more, when it comes to digital innovation and disruption, the Zelle, the Paymo, Venmo, or the kind of micro economy and the transactions that even happen on WhatsApp and so on. When I go to India, much of it is WhatsApp, which is a digital, completely cashless society. Now when I carry cash there, I'm one of those loners who actually carries cash around, or a credit card for that matter. It's all QR code and UPI payments and so on, completely digital. So that's what we see in the economies, be it from a bank perspective on how they need to reach new markets or the communities they serve and the consumers they serve. This is significantly disrupting. But at the same time, when you look at how, it's not like when you have all your core workloads, you've been working with third parties in terms of providing core banking applications maybe, or you have your own core banking systems that run on mainframe that you have built over the decades, and it is running there. Either way, as you look at digital transformation, the ability to reach new channels, new modes of payment and interaction, when you look at that holistically, using either fintechs, third parties, consuming SaaS, or building these services that run in a hybrid cloud environment, it becomes a core part of your discussion. How many of you are looking at or working on your applications as part of moving to cloud? It could be a hybrid deployment model. Okay, very good. Are you thinking about it? But you are stuck with thinking, hey, is it safe? Can I mitigate my risk and compliance? You're still hesitant. What part of your journey are you in? You can have the cake and eat it too.
You can eat and then chime in with your comments as you see fit. But yeah, so when we look at that, one of the key things, as it looks from a risk and compliance perspective: if you look at risk, cyber risk comes up all the time, because of all the data breaches that you see, the ransomware. Our expert study shows, in terms of IBM Security, which has our security threat intel unit; we look at what's going on in the internet, what attacks we see, and the companies that we consult with or where we go for recovery and response when a ransomware attack happens, as an example. From all those learnings, we definitely see a significant focus in terms of risk. And risk has multiple facets to it. It's not only cyber. When we look at it, cyber is definitely part of it, because you're worried about attacks, you're worried about consumer data, customer data that may fall into the wrong hands, but there is also third party risk. How many of you, even with the recent federal regulation that came out and the guidance that came out two weeks back, have all the banks starting to focus even more stringently on third party risk? It's not like, hey, it's their problem. When you think about a cloud responsibility model, more and more the regulators are emphasizing that the financial services institutions are responsible and accountable even when they use third parties. So how many of you are concerned about third party risk? And when those third parties run on a cloud and you consume it as SaaS, it's hard to do, right? It's hard to figure out what they do other than looking at whatever they tell you. That's one of the things that we have observed when we talk to clients. I can quote for you a pattern that we have observed consistently: it takes anywhere between 18 to 24 months for one of the larger banks, typically, to onboard a third party, an ISV, a FinTech, through the security and compliance process.
Does that 18 to 24 months sound about right? Because we see that pattern, and that's long. So one of the customers, for example, here in North America, over the last three years, they had 50 FinTechs that their incubation, their innovation team have been working with. Functionally, it all works well. Guess how many of them have gone into production?

(09:53)

Zero. Because they're worried about third party risk. They're worried about how do I assess the posture, because it's no longer my application, right? It's no longer my team working on it. It's no longer my infrastructure. So when you look at the who, the variants, and who's handling the data, all these concerns come up. So third and fourth party risk has been a core part of that discussion, and more and more, with some of the outages that we have seen in CSPs, concentration risk: more and more, cloud becomes critical infrastructure. You cannot afford for it to be down, especially for a critical application and workload, down for even five minutes, let alone a few hours or days. So concentration risk has been another key theme in terms of risk that has been coming out very consistently. So that's when we look at risk. Then when we look at compliance, one can always think about, I'm a security guy, completely, in my career, and I will admit, right? 25 years I've been focused on security, from web to mobile to cloud. Many a time I think about security: how do you mitigate risk? Compliance in those days used to be a checklist: oh, do you say what policy and controls you have, and do you follow them? But now that's completely changed, because regulators and the compliance requirements are becoming stringent. Not only do you need to show what controls you have, you need to demonstrate them. Even if it's a different cloud provider, you are required to technically demonstrate that you're meeting those controls. You are required to continuously monitor. The recent regulation that came up as well, or a requirement, a guidance that has come up in terms of what you need to do: you're required to continuously monitor your workloads, your data, as well as third parties. If not, you get into large fines that many of you would have seen or heard of. We don't want to be in that space, right?
So when it comes to compliance, be it as part of audit, they find matters requiring attention, or a technical control that you need to demonstrate, and the requirement that you need to continuously monitor. So compliance is no longer a checklist. It's no longer about, hey, every six months or 12 months somebody will do an audit. It is rapidly moving to a space that requires you to be continuously compliant. The unfortunate situation, Capital One, almost 10 years back, if you think of that on Amazon, what happened? Object store open to the internet and the ability to get to the data. All of us in the industry learned from it. But when you think about it, you have a control for protecting your sensitive data, be it an object store or a database, and you define them to say, hey, it should not be on the internet. It should only be on private endpoints. It always needs to be encrypted. You need to control the keys. When you have these control requirements, all it takes is five minutes, one hour, I mean a few minutes actually, right? For it to be open for someone to have access to it. Is that considered security, or could it be considered compliance, because you've defined the control that it needs to be only on private endpoints?

(13:16)

So this is where risk and compliance and the compliance controls are becoming much more of a security posture than just a compliance report. So moving from reporting to monitoring is a significant shift that is happening, and you need to be on top of it. And this we see across the industry in North America, in every state, be it US or Canada, as well as in other countries, including of course Europe when it comes to DORA, regulations of that sort, or cloud. So more and more stringent regulations are coming up. So when we think about that in terms of innovation, managing risk and compliance: adopting cloud does not mean it needs to be a public cloud either. Fundamentally, from an IBM perspective, we bet on hybrid cloud. We talked about hybrid cloud before the industry talked about it. They all said, hey, public cloud, everything will be only moving to public cloud. We said, no, no. That's why having a consistent architecture, why we acquired Red Hat, OpenShift as that hybrid cloud platform. This way you can innovate on a platform that can be deployed on a public cloud or a private cloud. We support hybrid multi-cloud. Of course we have our IBM Cloud for Financial Services, but we do support, we extend our capabilities, be it on Amazon, Azure, or on premise, for you to leverage, right? Because that hybrid cloud model gives you the flexibility to say what kind of workload, criticality of workload, what kind of data, where does it need to move. Before I go further, a question: where are you in your journey in terms of your application modernization or your adoption patterns? Any question, any comment from your perspective? In terms of Ali Faruki, our chief risk officer, who manages and owns our control framework, working with industry and standard bodies?

Audience Member 1 (15:40):

To supply chain ecosystem and really oversight directly understand from perspective program starting to pay more attention to your projects, which your ecosystem and partners.

Nataraj Nagaratnam (16:20):

Yeah, so Ali is talking about, for those of you who can't hear from the back, your involvement as you do third parties, FinTechs, ISVs that you procure and work with: what are you seeing in terms of requirements, and especially the recent guidance that has come out from FBA, right? Federal Banking, FBA, yeah, Federal Banking Agency, in terms of the guidelines around third party risk management. Have you looked at that? Are you familiar with that? Are you starting to? Any comments that you want to share? If you don't mind putting me on the... Yes.

Audience Member 2 (16:56):

Well, specifically I'm focused on the compliance aspects and how you ensure that the laws and standards that the bank is responsible for adhering to, you're able to apply those to specific third party engagements, and that's a very specific focus in my current role. Prior, of course, more broad. I think you were just talking, I was talking about certain third parties that we deal with that don't really have a solid understanding of what all the expectations are that the banks need to adhere to, and how that then impacts how the banks work with third parties, and what the third parties need to be prepared to do to ensure that they're helping the banks. I think, I don't think the new guidance that came out is a huge change. More specific in some areas, but I mean it's been a continuation for

Nataraj Nagaratnam (17:50):

Yeah. So third parties' understanding of what banks need and what the regulators are asking them to do is an inhibitor, in terms of that gap. Do you agree? Or some of you are their vendors, right, in terms of FinTechs, SaaS providers. Do you see that in your interaction with the banks? Where do you think your knowledge and understanding of their controls, their risk, and how long does it take? Any of you want to comment on that?

Audience Member 1 (18:24):

Also look for some security. Security. So we always follow rules.

Nataraj Nagaratnam (18:35):

Yeah.

Audience Member 1 (18:37):

So we go through the software compliance, definitely all the regulations, and we want to demonstrate that having data in the hybrid cloud is safe for you guys. I think it's a certification process. Take them, but everyone asks how that.

Nataraj Nagaratnam (18:57):

Yeah.

Audience Member 1 (18:57):

So we go through process S, and I agree with you, we can't be stuck with only a cloud solution without a flexible onsite hybrid cloud solution, and I think that sentiment still exists.

Nataraj Nagaratnam (19:12):

Yeah.

Audience Member 1 (19:13):

Especially in and in US.

Nataraj Nagaratnam (19:16):

Yeah.

Audience Member 1 (19:19):

Look at, right, different policies, how you as IBM, how you guys go with policies and how you bring it to the industry.

Nataraj Nagaratnam (19:30):

Excellent. So the question is, how do we see it, given the policies and regulations vary across the geos? How do we see it actually, if we apply that, and then say the controls and the policies in every bank are different, right? The 18 to 24 months is for one bank with an ISV, let alone the time it takes for that ISV to work with every bank, because everybody has their own control framework, right? So the approach we took, and no, I did not seed the question before the session, the approach we took, instead of defining a particular control set: this problem, the banks also saw it, the Bank of Americas, the BNP Paribas of the world. They saw an opportunity. We saw an opportunity. So we formed what is called the IBM Cloud Financial Services Council. We have 80 plus member institutions with 140 plus members as part of the council. We co-created a controls framework called the IBM Cloud Framework for Financial Services. It's based on the NIST control framework. But we went further, because what was missing was standardization. Implementation guidance will say, hey, make sure you protect your data. It doesn't go into the level of what needs to be done to protect it in terms of technology, the technology controls and implementation guidance, because high-level guidance is one thing, but very specific, prescriptive implementation is another thing. That's the gap we closed, co-creating with all these banks. So that's where the prescriptive, pre-configured controls come into play. Not only did we define it; we feel it needs to be for the industry, we created it with the industry, for the industry. So we contributed it, it's available in public, it's available on our website under IBM Cloud for Financial Services.

(21:35)

Ali and the team then worked with standard bodies like Cloud Security Alliance, Cloud Risk Institute, right? CRI. We map these controls, and then we offer to clients: if you have, and I'm sure you have, a controls framework and you want to say how does it map, we do a mapping. Within two weeks we do the control mapping from the bank's controls to ours, approximately a 95% hit. And then we have to work on the gap differences between them. As a matter of fact, BNP Paribas, and they publicly stated this as well, they've adopted this. They co-created this with us and adopted it completely, where they saw that we had many more controls. When you look at them having around 250 plus controls, we have find an 85 control requirements. They said we have a lot more control requirements than they had internally, or had at least standardized on. And similarly we hear that sentiment from others, and they had a couple of controls that they wanted to include, and we did. It's evolving, and then we keep it up to date. To your point on regulation, geo regulations: in IBM, we have a unit called Promontory. They are auditors, regulators, right? They watch regulations evolving around the world, and as they change, what the differences are, we factor back into the framework. That's a commitment we have made. We have done that. That's one, the controls framework. The other part of this whole cloud for financial services is we implemented them into our cloud. Of course, in depth. That's why, similar to hybrid cloud, when nobody talked about it, we defined the industry cloud for the industry. And when we say cloud for financial services, compared to others, we have baked in the security and compliance requirements into the cloud so that it is not bolted on. We have consistently heard, hey, I put my workload on this CSP, every year we spent $3 million, but we are still not done. Whereas when they do it on our cloud, we have seen them reap benefits, like BNP as an example, or Bank of America or Citi.
These are all public references to some of the capabilities they use from our cloud, because of the criticality of the workload and the data you deal with. The other part is the ISVs, the third party risk we talked about.

(24:04)

We committed to the banks and said, you know what? We will help you. We'll work with these ISVs, onboard them to our cloud, assess them. So we have what is called an FS validation program. We assess them in terms of their posture. Do they meet their controls? If not, what should they do? We help the ISVs. So we have many ISVs on our cloud which are FS validated, so that they are easily and readily usable by the financial services industry and these banks, so that they don't need to be doing their own mapping, right, mapping their controls. This is an industry-based control framework, the IBM Cloud Framework for Financial Services. All these ISVs meet those controls. We can actually monitor them using what we call IBM Cloud Security and Compliance Center. So you can say, is it implemented? What's going on? For example, talking about geo, one of the key differences, I shouldn't say a difference, but the emphasis in Europe has always been data privacy. And in addition to the data focus, they're also concerned about the risk of the CSPs being in the US, and what if the feds knock on our door with a subpoena, what'll happen, right? They're worried about their data. Can a different government get access to it? So we worked with them and implemented technologies, for example, when you do encryption and key management. I always joke that encryption is for amateurs and key management is for professionals. So when it comes to key management, the ability to demonstrate that you have complete control of the key and complete control of the data is critical for their own risk purposes and regulatory purposes. So we built what is called Keep Your Own Key. From our heritage with our Z systems and mainframe, and what we had with HSMs there, the industry's highest level of certification, with a FIPS 140-2 Level 4 hardware security module, we built a single-tenant service that can be consumed as a cloud service. You can do a key ceremony over the internet using CLIs.
So if you think of that as an example, one example. And we recently launched the ability to protect PII, right? Because personal information needs to be protected. How do you encrypt at the field level? Because when I look at some of the MRAs and audit findings that our customers share with us to say, help us, these are critical ones that come up. So we solve it in that context. And so those geo regulations, like if you take DORA, or of course GDPR, but many from European banking agencies and others, when it comes up, mapping them into the controls framework is very easily done. So we are able to do it, and then we also bake it into our cloud across the world.

(27:02)

So: a controls framework, built-in technology, continuous monitoring with technology like Security and Compliance Center, our Keep Your Own Key and data security and protection capabilities, and the ISV validation program, FS validation. So we help validate and give them a badge, and we ourselves, recently we announced that not only did we build it in and say, hey, we are compliant, we actually had one of the big four audit firms audit us that we actually meet those, right? Transparency is important. So we do that as well. So the ability to provide that is what positions us in terms of financial services, and this is across a set of clients across different geographies.

(27:52)

If you think of BNP Paribas, I talked about it, or CaixaBank, they use the cloud native platform, be it with OpenShift or virtual servers and services. But also, in terms of their VMware workloads, we have the largest VMware footprint in the world from a cloud perspective, and those also have these financial services controls baked in. LBBW, if I take that example, it's an interesting example. They don't have any workload on any cloud, it's a German bank, but they use Office 365. They have hundreds of branches. You're talking about hundreds of keys. But they want to demonstrate, for Schrems II requirements, talking about the geo requirement, that they control the key. So we have multi-cloud key management. Everything that we do is not only on IBM Cloud, but there is the ability to do it in other clouds as well. So they are able to manage the keys in Azure with the key management technology on our side, right? Or others who use our payments, our confidential computing. Digital assets, crypto, is in the news. For crypto digital asset custodians, data security, the ability to protect those tokens and crypto is existential for them. If they lose it, their business is gone. That's why we embedded that and enabled that. They can actually do that with our confidential computing technologies, the ability to protect them, right? The level of technical assurance, not just operational assurance. Hey, I don't have access to the data. Hey, we do not use your data or get access to your data. So operational assurance is a cloud provider will not access your data. If you go to, like, the Amazon website, the privacy page, it'll say that, right? That's a general stance. Operational controls. What we do is technical assurance: we cannot access your data.

(30:00)

Huge difference, will not to cannot, right? That's the kind of thing, from our principles to strategy, we've implemented those things across various use cases that we will be happy to share. We are here today and tomorrow as well. But one of the key things that we have observed in this journey is the kind of balance between the IT team, who want to focus on business innovation, they're not security experts, and the security team. It comes down to: the more the security team can build prescriptive controls and say, thou shalt use this particular technology, this tool, on this cloud, the more you can automate. Not just a landing zone, hey, I want a landing zone on this cloud; it needs to be a secure landing zone, built with security and compliance controls built in. So that from the get go, when you provision, when you push code, it needs to be, and imagine that developers who are doing that code push with DevOps don't need to understand security and controls. Wouldn't that be cool? We got it. So not only can we monitor, we actually help you automate, right? So you can have these deployable architectures that bring them together. So a simple way for us to think about it is: you define your controls. Defining controls is based on the cloud framework for financial services, which could be mapped to customer control requirements or geography-based controls and policies and regulations. You implement them; you implement by saying, what is your reference architecture, how do you automate it using Terraform. We completely automate these into deployable architectures and make them policy as code, so that we keep it up to date and it's easy to implement. We used it ourselves. The ISVs that I talked about: initially, last year, it took us around eight weeks for an ISV to understand the controls, implement them, go through the vetting processes, and talk to the bank. Now it takes two days, because we have automated it, because we saw patterns.
Either a simple virtualized workload, and I'm not simplifying or minimizing the complex workloads in enterprises; those will take some time and engineering and modernization and architecture. But many of the FinTechs and ISVs that we worked with have simple application deployment models, be it container based or virtual server based. So it's easy to understand and implement, and to provide them the tools and technologies to make it happen. That time from eight weeks to two days is huge. And not only that, you can actually continuously assess them. One of the banks now asks these ISVs to say, not only do you need to show me that you're FS validated, that you meet these controls, show me using this tool, what we call SCC, Security and Compliance Center, that you actually, there should not be any red when you onboard, and keep showing, right? It's an interesting test with our council. I talked about a hundred plus members. Around 18 months back, we asked them, do you want this kind of a monitoring tool, where you want to monitor your ISVs, third parties? They said, no, no, no, no, no. It's a liability, because if something goes wrong, we are responsible to fix it. We asked them again after six months, and in the last six months they said, absolutely, yeah. The regulators are asking; we are responsible and accountable. So that is shifting. That is changing. So how do you define it? How do you implement it? How do you assess it? So how we bring them together is important, and we have built the cloud working with it. I'm not the sales guy in the room, but I'm passionate about solving customer problems. So we have solved it. We are solving it. It's an industry problem. That's why we've been working with our customers and numerous of these banks to do this right and do it together. Comments, questions, thoughts? Any particular thing that resonates with you? Or you're saying, oh, that particular thing never works. Any contradictory views? Silence.
It's okay, you're not a shy group. The conference is about to begin. Does it address your question? Yeah. Very good. Excellent. I'm mindful of your time. Yes.

Audience Member 3 (34:39):

Well, this sounds very impressive and important. A lot of times what we get asked is, show me the evidence, right? Show me how to a bank, file your cloud, bank, fourth party. Right?

Nataraj Nagaratnam (35:03):

That's a great question. So what we are seeing is two kinds of use cases. One is when you consume SaaS, a FinTech: they are your third party, because you're writing a contract with them. Then whoever they run on, like IBM Cloud, is a fourth party. So you're able to mitigate for third and fourth party risk. Whereas if you deploy your cloud workloads on cloud, any CSP, that CSP is your third party in that context. And of course any other supplier we use would be your fourth party. So that's the way we see it.

Audience Member 3 (35:31):

So you have the ability to provide evidence to the bank. Third party, essentially, transfer?

Nataraj Nagaratnam (35:40):

Exactly, yes. And given you'll have the contract, the banks will get it from the ISV, but we provide it to the ISV, and with their consent that will enable you to get it much more.

Audience Member 3 (35:55):

It's factual options you have, getting access to even the third party.

Nataraj Nagaratnam (36:28):

Yeah. I mean, this, in the industry, this is definitely a journey. We are beginning that. But there's more to solve, and we are starting to think about this as a data lake, right? Because your config, you may be using vulnerability management from somebody, management tools from someone else, SIEM tools from someone else. But ultimately when you get this data, now you need to do analytics on it, get insights from it, even before you do AI, generative AI, and rich topics like that. But there's so much opportunity right here, and solving it is key, and solving it as a community. We have regional councils as well. Ali and I will be happy to share: in addition to the main council I was talking about, we also have regional councils where in every geo a different set of banks get together and discuss and feed into this mechanism as well. So we are here, trying to solve for the industry. And the good news is, even though I'm, for example, I'm an IBMer, 25 years, Ali comes from the financial services industry. He was a controls officer at Pfizer. Our head of cloud, who runs our cloud, comes from Bank of America, right? You're talking about the minds and skills from the industry joining hands with the technology company to solve this.

(37:54)

Alright, I know we are a few minutes away from the main conference, but thanks for joining. If you haven't had your dessert, please do, and we'll be around today and tomorrow, happy to answer your questions as well. Thank you for coming.