Amazon, Google, Microsoft, IBM create cloud data controls

The financial industry has long been interested in the potential benefits of cloud computing, such as lower costs, greater flexibility and simpler information technology management, but has been hung up on issues around security, privacy, compliance and overall control of sensitive data stored in a public cloud. These concerns were reignited by the Amazon Web Services/Capital One data breach of the summer of 2019.

cloud computing
A group that includes the four largest cloud computing providers has created a set of best practices for managing data in the cloud.
Adobe stock

On Tuesday, Amazon, Microsoft, IBM, Google and an industry data management group called the EDM Council announced an attempt to address this. The tech giants have created a framework that financial firms, cloud providers and other companies can use to establish discipline in the way they store, use and manage data in public clouds. Perhaps more significantly, the group is also setting up assessment and certification for cloud providers, so that bank clients can be assured their vendors are in compliance with the framework.

The Cloud Data Management Capabilities framework was developed over the last 18 months by an EDM Council workgroup that included participants from financial industry firms and consulting and technology companies, including the four largest public cloud providers. It is chaired by executives from Morgan Stanley and the London Stock Exchange Group, with project management provided by Capco. The EDM Council was originally a data management group for the financial industry, but recently it has broadened to include members from other industries such as automotive.

The framework has 14 sets of controls that demand strong governance of data. For instance, one control requires that the ownership field be filled out for every set of sensitive data. In other words, someone has to have accountability for sensitive data and making sure it is fit for purpose, timely, complete, uncorrupted, cannot be leaked and doesn’t violate any rules around data sharing and retention.

Another control requires the data owner to understand the jurisdictional implications of cross-border data movement and any region-specific storage and usage rules for a particular data set. This is the kind of in-the-weeds work that has to be done not only to keep data safe in the cloud, but to meet varying regulations around the world surrounding the movement, sharing, storage and use of data.

“It's not just about security and privacy in the cloud,” said Soren Mortensen, global director of financial markets at IBM, who helped lead this initiative. “It covers many other complex areas of how to manage data clouds, such as cataloging the data, classifying the data, looking at governance and data accountability, looking at how you can track the usage of data in the cloud.”

The project started with Morgan Stanley donating its initial data framework, Mortensen said. This was a set of best practices the New York bank established for its own management and exchange of data. Several working groups developed that framework into something any bank or other company could use.

The EDM Council plans to present the new framework to regulators around the world with the support of IBM Promontory, IBM’s risk and compliance consulting arm.

The group will appoint a set of partners that will certify cloud providers and other tech companies that adhere to the framework’s principles. IBM will be one of those partners.

For reprint and licensing requests for this article, click here.
Cloud computing
MORE FROM AMERICAN BANKER