Balancing innovation and risk as the cloud reshapes banking modernisation
Cloud infrastructure has evolved at a rapid rate over recent years to keep up with the financial industry’s growing desires for digital transformation and unprecedented speed and agility.
Risks to cloud security have given rise to mainframe dependency
The increasing ascent of the cloud has cemented technology-born innovation at the heart of banking modernisation.
From lending and card programmes to data capture and real-time reliability, the promise of the public cloud has shone with the potential for simplified development, faster release cycles and the requirement for less human capital, all tied together with outsourced platform services for a hearty dollop of portfolio diversification.
However, ever-increasing cybersecurity threats and all-too-recent examples of global service outages are causing banks to revaluate their relationship with the cloud, carving out a new path for hybrid operating models.
Head in the clouds
With the rising threat of cybersecurity attacks and the potential for service outages, regulators globally are responding.
In Europe for instance, the realisation of the European Commission’s Digital Operational Resilience Act (DORA), which is set to enter into force on 17 January next year, has sought to bring cloud providers closer to the same regulatory frameworks as the banks they serve.
The message of operational resilience promoted at the heart of the regulation was brought alarmingly into focus in July this year, when a coding flaw in a software update involving security vendor CrowdStrike brought about one of the largest IT outages in recent memory.
With banks fully aware of the potential reputational and financial damage posed by an inability to operate key and essential services, over the last few years, many have been starting to designate outsourced services with greater caution in some instances.
Data published by Omdia, an independent analyst and consultancy firm headquartered in the UK, provides a snapshot of how banks are currently progressing with implementing cloud technology.
Omdia’s Retail Banking Technology Spending Through 2028: Source Segmentation data reveals an ongoing tendency among banks globally to favour the on-premises functioning of both banking infrastructure and banking applications, which together account for more than 73% of source segmentation technology spending in 2024.
Meanwhile, deployments of cloud-based applications specifically appear to be strong. In 2023, total Software-as-a-Service (SaaS) deployments accounted for 32% of all contracts, compared to 21% the year prior, according to Omdia’s Banking Software Contracts Analytics Tool.
Source: Omdia
However, the IT Enterprise Insights: IT Drivers and Technology Priorities – 2024 survey by Omdia shows that only 29% of banks operating in the realms of retail have made “significant progress” towards adopting cloud services.
Fit for purpose
Financial institutions crave certainty, which could offer an explanation as to why banks continue to lean into their mainframes despite the advantages of cloud adoption.
Explaining this trend, John Duigenan, general manager of global financial services industry at IBM Technology, tells FinTech Futures of how 45 of the top 50 banks in the world still depend on mainframes to execute core functions, including transaction processing, recordkeeping and ledgers, and that as a result, “many of them are making 10 to 15-year plans for the mainframe, for how the mainframe continues to be a central part of their IT architecture, their technology architecture and their technology infrastructure”.
He cites the growing desire for operational resilience, security and privacy as the primary drivers of these preparations, designating the mainframe as “unparalleled in terms of being a massively scalable platform for the most complex transaction processing, and a reliably secure platform where the concerns around data privacy are baked in inherently to the platform, one of the most secure platforms any technology user could consume”.
Duigenan says the risks that this approach hopes to mitigate “have been ignored on an expedient path to just rushing towards technologies” and places the cause of cloud-born data breaches on “the use of stupid passwords” in cloud data warehouses, as an example.
“It could be any SaaS that experiences those issues, and yet, banks and financial institutions are inherently consuming those services. And now we, the consumers, and they, the organisations, are taking on massive risk because of those decisions.”
IBM, headquartered in New York, is one of the leading providers of hybrid cloud environments, which combine elements of public, private and on-premises technologies and, according to Duigenan, who has worked at the firm since 1998, places a strong emphasis on “fit for purpose architecture and fit for purpose design”.
“Fit for purpose design says put workloads where they should be based upon functional and non-functional requirements,” he continues. “What we find is that core transaction processing as well as a substantial portion of analytical and AI functions, are best suited for the mainframe because of their specific needs.
“We totally embrace the idea of hybrid cloud architecture which dictates that functions should run where it makes the most sense from a reliability, security and efficiency standpoint. There are a whole bunch of reasons why public cloud, hybrid cloud and edge technologies should put the customer experience closer to the customer.
“We believe there will be an enduring necessity for financial institutions to keep their most critical workloads and most sensitive data on premises. Because of this, we are making a significant investment in our mainframe platform by enhancing it with the Telum II processor enabling clients to take advantage of the productivity and insight advantages of generative AI in close proximity to the core of their business, making it the sweet spot of innovation.”
The balance of applicability
With the industry’s sentiment towards security, privacy and reliability continuing on an upward trajectory, banks are urged to now consider both the functional and non-functional requirements of their services, as well as the remit of the applications they engage when designating functions to the cloud.
Recognition of the sequence of transactions and their supporting services must sit front and centre of banks’ technology allocations in order to enable appropriate responses to the various cybersecurity threats facing the industry.
In practice, Duigenan concludes that these decisions will entail “keeping the most relied upon workloads on a most reliable platform”, stating “and that’s not on public cloud”.
“Public cloud services offer many advantages, it’s just that banks and other financial institutions especially are getting nervous about the span of control risks and data breach issues.”
