DTCC has highlighted the challenges and opportunities of its cloud adoption journey in a white paper published today and designed to help financial institutions take best practice approaches to cloud implementation.
The paper, Cloud Technology: Powerful and Evolving, is authored by the company and recognises financial firms’ ongoing move to the cloud in search of efficiencies and business benefits. Its timing reflects an acceleration to cloud computing as a result of the coronavirus pandemic, although it also notes a change in the cloud proposition stating: “Initial enthusiasm for large scale transitions of entire application portfolios to the public cloud has subsided to a more practical pace amid deeper consideration of the specific requirements for individual business solutions.”
Business and regulatory issues to consider before embarking on a cloud adoption journey include:
- State and cost of an existing solution
- Appropriateness of cloud technology for business purposes
- Ongoing support for data security and privacy
- Ability of cloud technology to meet clients’ resiliency and performance demands
From a data and data management perspective, governance is key. Robert Palatnick, managing director and global head of technology research and innovation at DTCC, says: “At DTCC, any move to the cloud starts with governance processes. These are a key enabler to the cloud journey.” He notes that governance is not usually an IT responsibility, and is more likely to be the remit of control roles in areas such as risk, audit, compliance and legal.
Talking about the DTCC’s cloud adoption, Palatnick says: “We evaluated every app and associated data for cloud worthiness and whether cloud technology could support our data ratings and tier ratings for apps.”
The company’s data rating puts personal data and immediate trading data in the top tier of ‘red data’, above other ratings such as internal memos and, finally, public data. Palatnick says: “There are shades of red depending on how old data is, whether it is used in an app or archived, and how it is encrypted. This is all part of data governance.”
Classification of apps is made on the basis of how critical they are, recovery time and recovery objectives, issues that are often both business and regulatory requirements. The top tier of apps are those requiring the shortest time to recovery with as little data loss as possible. In lower tiers are processes and development environments with a longer time to recovery, but no impact on customers.
“We assess data and apps very carefully, and have moved app by app,” says Palatnick. “We have not yet moved our most critical processing, real-time clearing and settlement, to the cloud, but we are making progress.” Lessons learnt from DTCC’s cloud journey include the importance of governance and the need to engineer security as cloud vendors offer security capabilities but they must be customised to meet specific requirements.
Summing up elements of best practice, the DTCC report lists:
- Regulated entity obligations: cloud strategy, cloud governance, proactive security controls oversight, exit strategy
- Foundational technology capabilities: architecture, automation, on-premises cloud options, lift and shift vs. design for cloud
- Resilience and resilience verification capabilities: failover and disaster recovery, resilience, and chaos engineering
- Cloud vendor obligations: contractual agreement considerations, security considerations, evidence of available capacity, data localisation and privacy
As DTCC continues its cloud journey, further consideration will be given to developing applications using only cloud-ready technologies and approaches, and automation and layering of technologies to leverage cloud-hosted applications. Alerting and monitoring will continue to be core elements of resilient and secure operations, while the establishment of a principles-based, harmonised regulatory framework should better support further adoption of cloud services. Finally, the report parallels industry interest in a common lexicon of cloud terminology that could foster effective, cross-sector communication and increased understanding of regulatory requirements.