by James Boswell
Principal Consultant, Cloud Excellence at CMD Solutions
In 2019, leading Australian health insurer nib health funds achieved a major milestone as one of the first APRA-regulated entities to operate a system of record in “the cloud”. As a Principal Consultant at CMD Solutions, I had the privilege of leading the team of CMD Solutions and nib cloud engineers who moved this workload to AWS.
As the news about nib’s successful move of a health insurance system to AWS spread through health insurance businesses and other financial institutions, I was amused to hear all sorts of interpretations of what nib had actually done, and a broad spectrum of interpretations of APRA’s requirements of nib.
When I am explaining APRA’s role to people outside the Financial Services industry, I simply say that they exist to ensure businesses that look after other people’s money make wise decisions, especially when it comes to managing risk. While risk management in financial services covers many areas of decision making, as far as Information Technology is concerned, APRA’s focus falls on a few specific areas: Information Security, Business Continuity, Data Management, and Outsourcing.
APRA’s position on cloud computing has been refined over time, and in September 2018, it published an information paper for regulated entities providing its updated position. While it may be tempting to think APRA would be most concerned with risks related to the information security of workloads moving out of the corporate data centre, this is not the case.
APRA considers three broad categories of inherent risk when considering the use of cloud computing: low, heightened and extreme. The system of record we helped nib move falls into the extreme category, and this is why the news drew such attention.
Websites that deliver publicly available information are an example of low inherent risk. Should disruption occur, there is a negligible impact to business operations.
Heightened inherent risk applies to IT systems where a disruption would result in a significant impact to business operations, and the ability of an APRA-regulated entity to meet its obligations. It’s important to note that disruption in this context includes not only availability but also any compromise of confidentiality or integrity of systems or data. Examples of systems of heightened inherent risk might include call centre operations systems which allow staff to assist customers with policy updates or claims.
The difference between systems of heightened inherent risk and extreme inherent risk is that a disruption to the latter would have an extreme impact, either financial or reputational, and might threaten the organisation’s ability to meet its obligations.
APRA specifically calls out systems of record as examples of extreme inherent risk.
Examples of extreme inherent risk include public cloud arrangements involving systems of record which maintain information essential to determining obligations to customers and counterparties, such as current balance, benefits and transaction history.
In other words, a “system of record” is “the system that holds all the information you need to stay in business”. If nib lost access to or control of all the data about their members’ entitlements and claims it would clearly have “extreme impact”.
The APRA journey starts with your cloud strategy
From a business perspective, risk management begins with strategy. While there are many advantages to moving your IT workloads to AWS, it is not enough simply to get on the cloud bandwagon so you don’t get left behind. Nor should your company’s cloud strategy solely consider financial aspects such as cost and ROI, or technology trends such as DevOps or Kubernetes.
Your cloud strategy should contain a clear architectural roadmap defining not only a technical target state, but how your organisation will make the transition from its present position, to this new order. Any successful cloud strategy will consider how the organisation will change its operating model to exploit the advantages of cloud, while being able to govern and manage the new environment and potentially new risks. This in turn will require new roles and skill sets, and a shift to new ways of working. Such organisational change itself represents a risk that should be understood by both the C suite and the board room.
Do you know what you are outsourcing to AWS?
If you have ever heard someone say something along the lines of “there is no such thing as cloud, only someone else’s data centre”, you may have some appreciation of why one of the main lenses through which APRA views cloud computing is the risk of outsourcing.
For this reason it is essential to establish cloud governance mechanisms early on in your cloud journey, starting with procurement governance. This includes how cloud services will be selected and adopted and the risk assessments to be performed to ensure potential services comply with any regulations or obligations that you have.
The often-quoted shared responsibility model is a way of highlighting that you are handing over a portion of the plethora of tasks required to successfully operate an IT service to your cloud provider. Good business strategy often means not performing “undifferentiated” activities in-house; however, you need to ensure you do not abdicate responsibility for things you are held accountable for.
Fortunately, AWS not only has a clear shared responsibility model, but also a strong compliance programme. This provides a mechanism for assurance that AWS is meeting its responsibilities for compliance with regulations and standards your business may need or choose to align to, such as SOC, PCI, and HIPAA among others. It is then up to you to ensure that you meet your obligations, and that consuming AWS services as one part of your IT landscape is within the acceptable risk appetite of your business.
Architecture, Design and Security in AWS is different
Even though the quip above about somebody else’s data centre gets the outsourcing part right, for just about everything else it couldn’t be more wrong. The traditional assumptions that data centres have been based on over the years are no longer true. Even with virtualization, most businesses try to match their capital expenditure to demand, so they are not paying for large amounts of idle hardware. Whether they acknowledge it or not, this is based on the decades-old assumption that the underlying hardware is always there and reliable.
It is only with the sort of massive scale AWS can provide as a public cloud provider that you can truly shift the basis of your architecture to the assumption that everything fails all the time. Once you acknowledge that as foundational, you begin to exploit the real differentiator of cloud – where all hardware and infrastructure is software defined. This enables far more agile, elastic, secure, reliable and resilient architectures than traditional engineering and click-ops based support teams could ever achieve cost-effectively.
The “somebody else’s data centre” mindset is based on migrating to cloud without changing your operating model. That approach is just expensive hosting, and leaves you with at best the same risk posture that you had on premises.
On the other hand, IT transformation which exploits the advantages of cloud through infrastructure and security as code can significantly reduce operational risk, but it requires cloud engineering and security expertise. It is essential that APRA-regulated businesses consider their current capability and any skills and expertise gap they may have, and plan their IT strategy accordingly.
Building a track record in AWS
When viewing an IT strategic roadmap, it can be easy to see it as a series of projects to arrive at an eventual destination. Each project may have a scope and time frame based on what the organisation can achieve with its available resources.
Although this view of a roadmap, rate-limited by organisational capacity, is useful, it potentially neglects the more important consideration of your cloud journey – building maturity and experience with cloud architecture, design, implementation, security and operations. New technologies, skills, practices, organisational and team-based operating models and cultures all benefit from time and practice.
A successful APRA engagement for moving material business activity workloads to AWS will be able to show evidence of existing experience and capability built up over time – not just technical experience, but governance, risk management and compliance also. By beginning your cloud journey with non-material workloads, with low inherent risk, such as systems of engagement, you can start to build capacity of skilled practitioners, new organisational capabilities, and most importantly a cloud mindset.
One of the best ways to accelerate your experience and maturity is to work with an AWS Partner like CMD Solutions. We are proud to be the AWS Services Partner of the Year for the second time in three years, and have been working with Financial Services clients since our very beginning. The FSI sector forms the largest part of our client base.
We have the capability to help guide you in every aspect of your adoption of AWS, and your APRA journey. We can help integrate cloud strategy and operations into your GRC framework, train and enable technical staff in AWS services, and help you develop or evolve your cloud strategy. We also love to present to company directors at board education days, introducing cloud technology, risks for consideration, and of course benefits, to help CIOs and CEOs clearly communicate the importance and urgency of a clear cloud strategy to the board.