A series of announcements Wednesday by IBM shows the technology company is making progress in getting large banks to invest in the financial services cloud it has been developing with Bank of America.
First, BNP Paribas has begun deploying IBM Cloud for Financial Services as part of the Paris bank’s effort to innovate while protecting customer data and complying with global privacy regulations.
Meanwhile, IBM is rolling out a set of compliance and security controls for its cloud service and has created a banker advisory council for the bank-specific cloud.
The following is an exploration of those developments and what they mean for the broader financial services industry, which appears to be forging ahead with cloud projects despite high-profile breaches such as the one involving Capital One Financial and Amazon Web Services a year ago that raised concerns about the vulnerability of the cloud.
BNP’s cloud journey
In an interview, BNP’s chief information officer, Bernard Gavgani, explained how the world’s ninth-biggest bank by assets plans to use its new platform.
BNP started working with IBM on cloud technology 18 months ago, he said.
The two companies collaborated to build what Gavgani calls a “dedicated public cloud in house.” (He says he is trying to come up with a better term for this.)
It’s not really a public cloud, Gavgani explained, because BNP has to ensure it can fully protect customers’ data. For one thing, the bank has to comply with Europe’s General Data Protection Regulation, which is nearly impossible to do in a public cloud. (For instance, under the data privacy rules, banks need to know physically where their customer data is being stored and used. Most public cloud providers don’t support this.)
“Eighteen months ago, when we decided to start this initiative, we were quite sure that the GDPR would be the blocking point for all the businesses in Europe” to go to the cloud, Gavgani said.
But BNP’s deployment is also not a private cloud, he said.
“When you hear about a private cloud, that means that you have your own setup and you are managing everything, including the evolution of technology, which we didn’t want to do,” Gavgani said. “Our experience in the past told us that’s not very efficient.” His technology organization has about 33,000 people.
BNP Paribas is using a public cloud built by IBM that resides in the bank’s data centers.
“We are benefiting from the best of the public cloud, but in our own environment,” Gavgani said.
One advantage to this arrangement is that the bank can make this a private cloud anytime it wants.
The ability to “reverse” a cloud computing instance and bring it in-house was the first feature that interested Gavgani in IBM’s cloud for financial services.
Innovation was a second. With its acquisition of Red Hat over a year ago, IBM obtained open source cloud container technology that Gavgani considers to be the best out there.
The third factor was cybersecurity.
“When you go to a public cloud, by default you have to build your own security environment,” Gavgani said. “You will become less energized because you will add more and more different layers of cybersecurity solutions.”
All banks have been taking cloud security more seriously than ever since the Capital One-AWS breach last summer, which compromised the personal data of 100 million people.
IBM’s cloud framework monitors the applications banks are writing for the cloud throughout the software development life cycle.
“As you are writing lines of code, you will get alerts if what you are doing is contrary to the policies being put in place by the financial services industry,” said Howard Boville, senior vice president of IBM Cloud.
“This will allow you to check that you are doing the right things, and also ensure that you don’t do inadvertently or unwittingly the wrong things,” said Boville, who was chief technology officer at Bank of America, overseeing cloud deployments, for eight years ending in May.
BNP Paribas also liked the way IBM lets it keep its own encryption keys.
“Only BNP is in charge of the encryption and the encrypted information,” said Christophe Boulangé, cloud director at BNP Paribas. The bank helped build this capability and is the first to start using it.
Boville pointed out that this addresses an important data privacy issue. Under the USA Patriot Act, any company can be subpoenaed to provide data to the U.S. government without the knowledge of the company that is using the cloud service provider.
“That’s a very big issue from a data privacy perspective and much debated,” Boville said. “You could have your applications in a cloud service provider, and you would not know that they’d been subpoenaed and data was being taken.”
IBM could be subpoenaed, but because the customer owns the encryption keys and IBM doesn’t have them, it wouldn’t be able to provide that information.
On July 1 the bank received the encryption keys to the cloud from IBM. Now it’s testing and adjusting the platform.
“Our goal is during the next six months to adjust our technology, train more of our people to use it, and find a few workloads to move to the cloud,” he said.
The bank plans to take the new cloud environment live on Jan. 2. But the work will be ongoing.
“If there’s someone that says that their journey to the cloud is finished, I don’t believe him,” Gavgani said. “This will be a journey for a long time.”
Gavgani plans to gradually move applications over to the new cloud environment, starting with workloads that need extra computing power. Some compliance applications will not go to the cloud, to insulate them from the rest of the infrastructure. Some applications with highly confidential data will also be kept separate from the cloud.
“I would say that maybe 60% of our workload will move to cloud and 40% will stay in what I call stand-alone systems,” Gavgani said.
IBM’s other financial services cloud moves
IBM also announced on Wednesday that the IBM Cloud Policy Framework for Financial Services, the fruit of the collaboration with Bank of America it unveiled in November, is now available. The framework, which complements the new cloud environment, is meant to address banks’ need for compliance controls for any data and applications they want to move to the cloud. Banks need to have about 400 controls in place to write software applications in a compliant way, according to IBM, which says its framework supports all 400.
“As a regulated industry, you have to demonstrate that you have this notion of parity of controls, not just for cybersecurity, for a raft of things,” said Boville.
There are controls for data privacy, cybersecurity, technical and operational risk, and unconscious bias creeping into artificial intelligence models, to name a few. For instance, banks have to adhere to specific requirements around access control and virtual private network tunneling.
“It’s the whole massive swath of needs,” Boville said.
IBM also announced Wednesday the formation of the Financial Services Cloud Advisory Council to help build on that set of 400 controls and keep them current as laws, rules and regulations change. BofA Chief Technology Officer Tony Kerrison will represent the bank on the council, which will be led by Boville.