How the Cloud Can Be Efficient and Safer for Regulated Industries

IBM's architect of vertical hybrid clouds, Howard Boville, talks about their impact — and their future.

The most disruptive trend in IT over the past decade has arguably been the public cloud. Many of the world’s biggest companies — and many more that aren’t so big — have moved some or all of their IT infrastructure and apps to cloud giants, such as IBM.

As these platforms displaced on-site servers and became more secure and stable, taking advantage of their size and flexibility while reducing in-house costs became a no-brainer for companies looking to offload many internal IT operations and to scale their software development efforts.

But for companies in regulated industries, that narrative has its limits. Howard Boville, senior vice president of IBM’s hybrid cloud, has seen this from both sides. Before joining Big Blue in May 2020, Boville served as CTO for Bank of America. There, he led a massive digital transformation, moving the company’s networks and apps from 67 private data centers, packed with 200,000 servers, to 23 far more efficient and cost-effective cloud-based facilities.

Today, Boville is helping IBM bring a hybrid cloud model to the rest of the financial industry with IBM Cloud for Financial Services. Boville, who regularly posts updates about the latest hybrid cloud advancements on LinkedIn and Twitter, recently took time to explain the work to Endpoint.

Why did BofA set out to create a specialized hybrid cloud for the financial services industry?

Bank of America started the process in 2012 to improve the quality of consumers’ digital experience, and looked at both private cloud and public cloud technologies. The ability to sustainably consume cloud services — whether infrastructure-as-a-service, platform-as-a-service or software-as-a-service — was reduced by the need to build the control frameworks.

Wouldn’t that benefit BofA’s competitors?

The financial services system is an ecosystem that makes world economies work. De-risking was an important and noble pursuit. Adoption of IBM Cloud for Financial Services is not meant to be a competitive differentiator for just one bank. It’s designed to transform the industry.

That must have involved getting a lot of collaboration with competitors.

Yes, it did. Creating a set of standards — say, for how to encrypt data, or how to protect clients’ personal data — that all financial institutions would adopt and that global regulators would recognize was a long process. But the first step was to get one or more service providers to start building these capabilities into their platforms. IBM was the only company that stepped up.

Why do you think it was IBM that stepped up?

The reason is simple. IBM’s heritage is delivering mission-critical workloads in a controlled fashion. That’s what it’s done for its entire 100-plus-years history. The other companies in the cloud space come from a different heritage — not a bad heritage, but a different heritage.

IBM is creating an industry-specialized approach. It’s applying its industry expertise, along with leading security capabilities and an ecosystem of more than 50 technology partners, to create the world’s first financial-services-ready cloud. And that in turn is helping financial service institutions address regulatory compliance and security.

We also launched the IBM Financial Services Cloud Advisory Council. It includes some of the world’s top banks, and is meant to bring them together to help drive the strategic evolution of cloud security in this highly regulated sector.

How will regulated companies benefit from a hybrid cloud, versus public clouds?

The first advantage is pace. There’s not a single financial institution in the world that has moved more than 5 percent of its workloads to the cloud. And those are nonessential workloads. It’s because they can’t move the rest of it without a control framework to address industry security and compliance regulations. So, for financial services institutions, the ability to digitally transform can become faster with an approach like IBM’s that includes a streamlined compliance controls framework specifically for the industry.

This vision requires technology vendors, particularly the software-as-a-service providers, to embrace this framework as well. How is that going?

IBM is aiming to establish a trusted environment for all parties — including independent software vendors and SaaS providers. Regulators are very concerned when companies consume SaaS services that sit on cloud platforms and that don’t have controls built in. So this approach is good for the financial institutions and the regulators. But it’s also good for the SaaS providers because they don’t have to build in those controls themselves, which can take 12 months to two years to do.

In addition, this framework allows banks to work with smaller SaaS providers far more quickly. Without it, it can take a bank 18 months to onboard a smaller vendor and to ensure it complies with the control framework, by which time the innovation opportunity may have passed.

Will IBM create similar hybrid clouds for other regulated industries?

Yes. We just recently announced a hybrid cloud architecture designed specifically for the telco industry.

You said financial services companies have moved less than 5 percent of workloads to the cloud. As companies adopt a hybrid cloud strategy, how will that percentage change?

I would say 50 to 60 percent of workloads will move to specialized clouds as the industry adopts hybrid cloud strategies. But it will be based upon the industry. This push by other cloud service providers to move everything to the public cloud is incredibly naïve. We believe vendor lock-in goes against the spirit of true hybrid cloud, which should be open but also provide the security and control that businesses — especially those in regulated industries such as financial services — need.

With most of us working from home, companies are having to deal with far more endpoints than in the past. Are companies paying enough attention to endpoint management, even now?

Endpoint security is absolutely essential at any point, but even more so when our workforces are working from home. Many of the tools that were built to operate within the enterprise and over enterprise networks don’t work over Wi-Fi networks.

And endpoint security is massively important because fraud has increased by 4,000% since February, as cybercriminals look to take advantage of the fact that so many people are accessing corporate networks from insecure connections. So endpoint security was super important prior to the pandemic and is super important now, and it will be in the future, too, because people’s working behavior has changed.

Peter Burrows
Peter Burrows is a long-time technology journalist and author who has written for Business Week, Bloomberg News, MIT Tech Review and other publications.