The power of ‘cloud’ in the digital horizon
Considering the move towards a “cashless society,” Bangladesh Bank published the “Guidelines on Cloud Computing” – a first of its kind – earlier this year and said all financial institutions are to implement it by 31 December. We take a look into the guideline and its significance
Not too long ago, every organisation hosting applications and data had to rent or build data centre space for its hardware and software, allocating a big chunk of its investment to it. It was very common for an organisation and its data centres to be physically located in different jurisdictions, but this was not the ideal solution because it increases security and privacy risks for both the organisations and the regulators.
Then came a game-changing technology for hosting applications and data – Cloud Computing (CC). I remember the first time I heard, "Everything can now be stored in the Cloud!" and wondered how on earth data could be in "the Cloud".
This pervasive technology evolved from two rising technologies, namely timesharing and distributed computing. The former allows users to share the computing resources of an extensive system. The latter, in contrast, decentralises computing resources and shares the workload among many computers across a network (these could be in the same room or in completely different locations).
The implication is that a business needs to pay only for what it uses, not for an entire data centre full of underutilised computing power. In short, cloud computing leverages and pools computing resources to minimise costs and maximise computing efficiency for new, small and existing businesses.
Considering the move towards a "cashless society," in March 2023, Bangladesh Bank published the "Guidelines on Cloud Computing (Guidelines)." This guideline is the first of its kind, directing banks, Non-Bank Financial Institutions (NBFIs), Mobile Financial Service Providers (MFSPs), Payment Service Providers (PSPs), Payment System Operators (PSOs) and all financial service providers, including the upcoming Digital Banks, to ensure a safe and secure platform when using CC by the end of the year, i.e., 31 December 2023.
The Guidelines have termed all types of financial institutions together as "The Organisation" to address the approach and principles necessary to establish a minimum baseline for the management of CC. However, it does not suggest any particular platform or delivery model type.
To maintain this minimum baseline, The Organisation is responsible for conducting due diligence, complying with all security, data privacy and computing requirements, and ensuring interoperability and portability of data and services between intra-cloud environments.
To maintain a secure environment for data processing at all times, and especially during migration, clearly defined roles and responsibilities between The Organisation and the Cloud Service Provider (CSP) are necessary.
With effective CSP management, coupled with industry-standard best practices for technology usage, The Organisation is free to choose any of the five deployment models of cloud computing. These five types are (i) private cloud, (ii) public cloud, (iii) community cloud, (iv) multi-cloud and (v) hybrid cloud.
Additionally, there are three main delivery models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), all per the needs and requirements of The Organisation. Depending on their needs, an organisation can choose to deploy one, several, or all of these models.
However, many believe that a private cloud, for exclusive use by a single organisation, offers the best security compared with public and hybrid clouds, as private clouds maintain a certain degree of isolation. They are also the only viable option for a specific type of organisation that needs to maintain the separation of resources and data by law, such as those in the financial or health sectors. An organisation needs to understand the characteristics of its workload and choose the cloud deployment that best matches its requirements.
The Guideline suggests ensuring awareness of stakeholders' roles and responsibilities for protecting information in a cloud environment, which is key to ensuring business continuity, resilience and recovery capabilities. The CSP would charge only for the resources that an organisation uses, making CC platforms available on demand and on a self-service basis through an admin portal or script.
All types of financial institutions in Bangladesh, including the Digital Banks, that are now hosting applications and data, should opt for the private cloud computing model – the hardware on which the cloud runs is only for a particular organisation's use. In comparison, the public cloud computing model leverages cloud services over the open internet, using hardware and software that any other organisation can own.
Hybrid cloud computing platforms are considered the most costly, as they can provide the best of the private and public cloud deployment models, with the objective of maximising the value of leveraging cloud platforms to meet the demands of the workload.
Some organisations may not want to depend solely on a single cloud provider and opt for multi-cloud: for instance, a mix of Amazon Web Services, Azure, Google Cloud Platform or other cloud providers, as some cloud providers have benefits not offered by others, or one may be better at specific types of service.
There are also SaaS models, PaaS models and IaaS models for consideration.
With the rise of the tech industry and digital evolution, CC became an affordable and flexible solution for most organisations' challenges and risks in hosting applications and data.
Bangladesh Bank's "Guidelines on Cloud Computing" highlights that CC enables banks and other financial institutions to respond rapidly to customer demands for products and experiences without prescribing or recommending any specific service provider or deployment model.
It explained each cloud computing platform and its delivery model, giving institutions approximately nine months to ensure a robust firewall, restrict intruders in financial systems, avoid risks, and build a robust information technology infrastructure in economic sectors.
The guideline talks about the architecture and characteristics of cloud computing in an effective financial system, which is crucial for a booming, functioning digital economy where data is everything for The Organisation.
Before migrating to the cloud, every organisation must classify its data and conduct a risk assessment regularly. While security in the Cloud is typically much better than on-premise security, it takes a bit of planning and an understanding of what needs to be protected within the two domains of business security and technical security.
Based on the current and future threats or trends in complex distributed systems, cloud security is broken down into two domains: business security and technical security. It is important that both domains define the security solutions in detail, as missing something here could mean a red flag in an audit, non-compliance, or worse, suffering a cyber attack.
The Organisation's approach to acquiring and deploying cloud computing solutions must involve a comprehensive analysis and careful budgeting while forecasting future needs and ensuring that the selected cloud solution adequately addresses the potential risk factors.
Organisations should splurge on training and hiring experienced cloud professionals to transition to the cloud successfully. At the bare minimum, this should include three positions: a Cloud Architect who can design and build cloud solutions, a Cloud Developer who can build cloud applications or migrate applications, and a Cloud Security Engineer who can implement effective cloud security and data management.
As we embark on 2024, The Organisation using or planning to use cloud applications must comply with the Guidelines for the sake of their businesses. The Guidelines suggest effective management of CSP agreements, ensuring compensation for data loss or misuse by the CSP or for failing to maintain compliance with regulatory and contractual obligations.
When migrating to cloud computing platforms, it is essential for existing organisations to proactively consider security, compliance and performance issues by looking at their requirements first, and then to monitor and update any threat assessments continually.
Barrister Tasnuva Shelley is an advocate at the Supreme Court of Bangladesh.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.