by Thomas Muth

Banks Can Have Confidence in Secure IT Modernization Strategies

There seems little doubt that most bankers and technologists now accept the need to modernize often archaic IT infrastructure (or core systems) to deliver the latest technologies that customers today expect. And although there remain concerns over both the potential disruption these projects can create and the security of the required cloud platforms and open architecture, there are signs that many are now much more confident these risks can be managed.

Last week I had the pleasure to talk to senior bankers in the UAE, along with Sebastien Linsolas from our partner AWS, about the modernization of banking and insurance systems in the region, and the responses revealed that a healthy and constructive debate on the subject is taking place.

The challenge for FSI incumbents, in the UAE as elsewhere, to renew their banking systems down to the core is not a new one. But it was surprising to discover from those conversations that many of the obstacles from the past are already being addressed in the region.

First up, there was a common understanding that digital transformation is imperative to remain successful in the future and that the worriers, or people who explain to you why something is NOT possible, have become a minority in most organizations.

New capabilities

The main motivation for a commitment to modernize IT systems is to be able to deliver the new capabilities that are not only expected by customers but will also produce the greater efficiency and agility that underpins future profitability. But the ability to embrace technologies like AI and ML to support these new customer interfaces and services without creating further technical debt will only happen once core infrastructure is upgraded.

But it seems that a growing number of bankers have now come to terms with the fact that too many silos within a bank reduce the effectiveness and ownership within their organizations and limit the use of data that is critical for new services. Therefore, the demand for change is being recognized to the point that some banks in the region are now starting to fully embrace an agile work environment based on the so-called “Spotify approach,” including the necessary training which has generated the required buy-in from the workforce.

Even the principal-agent problem of investment and break-even horizons being beyond C-level vision seems to have been addressed – meaning there is sufficient management attention and will to invest even when the tangible returns of this investment are not immediately visible.

But all the above does not mean that modernization strategies, especially for incumbents and their core systems, are plain sailing for banks or other financial service providers. Concerns around security, sustainability, and data privacy, among many other issues, still need to be addressed. However, there does seem to be a recognition that there are not too many strategic options when looking at reforming the core systems. In fact, realistically, there are only three. These are:

The “strategic core” approach is where the bank chooses a strategic partnership with its core banking vendor that ideally fulfills most of the bank’s requirements. If external integrations are necessary, the bank would typically rely on its strategic vendor.

The “composable banking” approach, sometimes also called a “modular approach,” is where the bank chooses a combination of best-of-breed solutions from different suppliers within the framework of an orchestration layer.

The “front-to-back” approach focuses on the customer-facing systems to make them as independent from the core as possible by leveraging a form of integration platform.

Indeed, in my conversations, it became clear that – independent from the strategic approach – the integration layer (or orchestration layer) is seen as one of the main challenges to ensure flexibility within the bank’s architecture. This means having the flexibility to add external third-party services and products and being able to properly connect internal systems. It also enables a tighter grip on a bank’s own IT systems with respect to key metrics or identifying bottlenecks and opening the possibility to monetize existing or new services.

Data security

Of course, all the above strategic options can be operated on-prem, privately hosted, or in the cloud (hybrid or public). Further options in this regard have been unlocked after AWS recently opened a new data center in the region, which opened the door for more practical discussions around the following main themes with respect to cloud modernization in MEA.

As in many other parts of the world, keeping customer data in the country is a regulatory obligation, as is protecting this data from unauthorized external access.

One obvious solution here could be greater encryption. However, if encryption were added as a proprietary layer on top of cloud-based applications, performance could deteriorate.

Therefore, to compensate for this, AWS (and other vendors) now offer encryption functionality that is natively built into their cloud services, with a key management service that allows clients to stay in sole control of their encryption keys. However, one by-product is that, because this encryption is built deeply into the cloud architecture, we see third-party auditors assessing the security and compliance of the cloud service providers, including audits of specific services and against compliance programs. It is imperative for all cloud vendors to be able to provide such independent audit reports to prove that the mechanisms they have implemented are not only safe, but that clients can trust their end-customer data is also secured.

Cloud conundrums and vendor challenges

Although a complex project, a potential cloud migration can start with a simple lift-and-shift of existing systems into the cloud. On this side of the spectrum, the biggest opportunities that can be leveraged are from the infrastructural advantages of the cloud vendor, which deliver some basic cost benefits, and only a weak vendor lock-in, as these services are pretty much standard in the cloud landscape.

On the other side is the cloud-native solution, which leverages a cloud-first approach and takes as many services as possible from the vendor’s cloud infrastructure. This might include API management, encryption, specific CI/CD functions, and many more.

A cloud-native solution should deliver higher cost advantages, but with the potential downside of a much stronger vendor lock-in due to the proprietary way cloud vendors have designed their architecture and services. Therefore, depending on the strategy, a financial service provider needs to understand these dependencies and trade-offs to be able to make the best-informed decision as to how far they want to go and how quickly.

But there are other ways to approach this. To circumvent a full vendor lock-in or to meet specific requirements, some players are embracing a multi- or hybrid cloud strategy, that is, the simultaneous use of public cloud vendors as well as private clouds.

However, apart from some obvious advantages for price negotiations and hedging against obsolescence, the multi-cloud approach can be more challenging from a security and governance perspective, while also presenting some latency challenges. Of course, the holy grail of vendor independence is a cloud-agnostic system, which would include all the cloud-native advantages but remain vendor independent. However, creating such an agnostic system can take some significant investment.

To sum up, our discussions in the UAE demonstrated that there is a healthy appetite for banking modernization and an acknowledgement of the benefits that such a digital transformation can deliver. But this was balanced by a recognition of security and vendor lock-in concerns and some of the challenges thrown up by parallel cloud migration strategies, which are an important component of delivering the agility and flexibility and therefore competitive benefits that drive these changes.

As the points I have highlighted show, there is no easy answer or one-size-fits-all solution. But it was clear that bankers in the UAE region were keen to discuss possible pathways with ourselves and AWS, who between us have already been able to help so many financial institutions to start these journeys. These can then translate into having the confidence to adopt the customized approaches that reflect both where they are starting from, where they want to get to and when.

For those who would like more detail about how our partnership with AWS helps deliver better outcomes for our clients, enabling their teams to spend more time on developing new features and capabilities, read this blog from our AWS Ambassador Jaroslaw Grzabel, published recently on the AWS website: “Best Practices from SoftServe for Using Kubernetes on AWS in Enterprise IT”, AWS Partner Network (APN) Blog (amazon.com).
