To continue the case study of 123 Bank Corp introduced in a previous blog post, the global financial services organization sought the right cloud applications (SaaS) and cloud infrastructure to modernize their computing workloads. 123 Bank Corp chose to utilize this 5-step checklist for selecting cloud services:
- Identify security, privacy, and compliance requirements for these specific solutions
- Define features and functional requirements, including resilience
- Generate “short list” of suppliers offering relevant cloud solutions
- Research “short list” of cloud provider companies: financials, global cloud data centers, support
- Evaluate cloud services against detailed requirements for each cloud service
Step 1: Identify Security, Privacy and Compliance Requirements
123 Bank Corp approached defining their security, privacy and compliance objectives through a formal process that involved diverse stakeholders. They nominated an Executive Sponsor and program manager to lead the strategic initiative. Leaders engaged the relevant stakeholders across their organization to collectively define their requirements from a variety of perspectives. Given their interest in Financials and Human Resources applications in addition to cloud infrastructure, discussion participants included CISO/Security, Compliance, Operations, Finance, Human Resources, IT, Supplier Management and Legal teams.
Through a series of conversations, each stakeholder contributed to refining a collective set of security, privacy and compliance objectives. They leveraged a previous post for some guidance on identifying these objectives: “Compliance Considerations for Cloud Services.”
The bank looked at its organization’s operating environment from multiple perspectives, then consolidated these insights to capture the full set of corporate requirements. Here are some of the questions that helped 123 Bank Corp both comply with internal policies and identify stakeholders’ needs:
- What data is to be processed and where?
- What are the requirements in applicable regulations based on the type of data processed, geographies of operations and customers?
- How do our organizational policies for supplier risk management guide the evaluation and procurement process?
- What security controls must be possible to implement, to comply with our security policies and internal technical standards?
- What commitments have we made to customers, partners and other third parties regarding our security and privacy controls?
- How do we expect our customer commitments and organizational strategy to change these requirements in the foreseeable future?
123 Bank Corp’s Compliance team analyzed all security and privacy requirements collected from the key stakeholders. For areas where the cloud provider has sole or shared responsibility, they then mapped their requirements to a small set of security and privacy compliance frameworks after researching the relative benefits of the different framework types. 123 Bank Corp decided to request the audit-based certifications and attestation reports for these frameworks for each relevant cloud service, giving them confidence that an accredited third-party auditor had validated the required controls: ISO 27001, System and Organization Controls (SOC) 2, the European Union Cloud Code of Conduct (EU CoC), and the Payment Card Industry Data Security Standard (PCI DSS). Because such reports cover only the services, regions and control objectives listed in their scope, the team also planned to confirm that each cloud service the bank would actually use appeared in the scope of the corresponding report.
They carefully considered the compliance implications of operating in the cloud vs. on-premises and noted the on-premises software, IaaS, SaaS and ‘cloud at customer’ deployment scenarios available to them. The Compliance team educated colleagues about their compliance responsibilities when using IaaS services to host their customer banking portal, AI-based chatbot and other systems. While the IaaS services need the cloud provider’s compliance certifications as a foundation, 123 Bank Corp understood that under the shared responsibility model it remained fully responsible for the security of what it builds, configures and uses on those IaaS services. Technical training and general education were provided to the bank’s IT staff to help them effectively shift from operating on-premises to operating in the cloud.
Step 2: Define Features and Functional Requirements
123 Bank Corp knew it needed to identify the core business-critical features for the intended cloud services, as no cloud service was likely to meet all of the bank’s requirements initially. The bank gathered functional and feature requirements both from the business teams who would use the technology and from the IT staff who would manage, configure, monitor and forecast costs for the cloud services. One of the challenges in this area was to prioritize the requirements internally so the bank could score each supplier’s offerings consistently. These are some of the “conversation starter” questions used to discover their functional requirements:
| Focus Area | Example Question |
| --- | --- |
| Process | What business processes are being replaced or automated? Which systems are being replaced and what do we do in those systems now? What processes would benefit from machine learning or generative artificial intelligence (AI)? |
| People | Who will use these systems, what do they need to achieve and what are their skills? |
| Access | What are the different user groups and what capabilities are needed by each role? |
| Data | What data should the systems take as input and provide as output? What reports or analytics are needed and by whom? |
| Tasks | What tasks must be possible in the user interface and APIs? |
| Locations | Where should the primary and disaster recovery data centers be located, considering regulations and performance (low latency)? |
| Monitoring | How do business and IT teams need to configure and monitor their cloud tenancies? What cloud usage and application auditing will we need to perform? |
| Programming Languages | Are the programming languages requested by the developers supported for the IaaS API, SaaS API and artificial intelligence platforms? |
To be continued! Future posts of this series will cover checklist steps 3 through 5.
This blog entry is part of a 4-blog series: