In November of 2019, in a pre-pandemic world that seems an age ago, I wrote the first article about the collaboration between IBM and Bank of America to develop a financial services-ready public cloud. In May of 2020, I previewed an update announcing the first round of Independent Software Vendors (ISVs) and Software-as-a-Service (SaaS) partners who announced intent to onboard to IBM’s financial services-ready cloud. In July 2020, I chronicled significant progress in the project as BNP Paribas announced it would be the first anchor customer in Europe.
Yesterday, IBM announced the latest chapter in the IBM Cloud for Financial Services, a public cloud capable of overcoming the stringent cybersecurity and regulatory challenges for a bank.
Addressing a market need
IBM is increasing the level of transparency and control for a financial institution within the public cloud. Most financial institutions would agree that the public cloud can enable transformation around new revenue opportunities and new customer experiences, but security and compliance remain barriers to adoption. The IBM Cloud for Financial Services platform addresses cybersecurity, compliance, and inherent risk in the public cloud. The program has three goals. It will enable banks and financial institutions to run workloads into the public cloud and consume IBM services. Second, enabling the digital supply chain of ISVs, SaaS providers, and FinTechs. Third, a set of IBM middleware, applications, and SaaS to be used in banking solutions. IBM Cloud for Financial Services runs on the IBM Cloud, with everything operated through the IBM Cloud Framework for Financial Services described in more detail below.
What IBM is creating is more than a platform, but rather an entire ecosystem for all financial businesses to serve its IT needs. I believe this is more powerful than just a “cloud” for the financial services industry.
A framework to instill confidence
The IBM Cloud Framework for Financial Services is the core compliance and control set and the program’s basis. It is contributed to and overseen by a set of global financial institutions and Promontory Financial Group, a company IBM acquired in 2017, that constantly monitors regulatory changes in jurisdictions worldwide. It is a framework that covers from the ground up the capabilities, the cloud itself, the foundational services such as containers and VM workloads. Hardened services ensure consistency in managing risk and compliance both on-premises and with the public cloud. ISV and SaaS providers that run on the cloud must also conform to the framework.
Everyone has to be compliant with this framework. Tooling from the Security and Compliance Center, a cloud security compliance management environment enables continuous compliance monitoring of environments, all the way out to document generation for regulatory purposes.
The bank is in control
One of the significant challenges, especially the last year, is that everyone has wanted to move faster to transform digitally. For banks and financial institutions, the public cloud’s use involves a great degree of caution because of the regulatory obligations. Critically important is safeguarding data using hyper-secure crypto capabilities. IBM leverages confidential computing technology such that not even IBM’s public cloud operators can have access to the keys that protect the data. Control of workloads to remain in the bank’s hands is critical to assure visibility at all times.
Onboarding partners faster
IBM has taken a set of technologies, brought them together in a coordinated structure referred to as the cloud framework, and then applied technologies like continuous security compliance posture management to the cloud services to enable a bank to adopt the cloud much more quickly. Typically cloud adoption can be a very long journey of assessments and risk evaluations with all ISV and SaaS provers.
The framework is the means of vetting the ISV and SaaS providers that come on to the environment. Those ecosystem partners are committed to proceeding through assessment and validation against the framework. A bank will have the same information about security and risk and compliance for workloads and the ISVs and SaaS providers, reducing risk in the digital supply chain.
Banks having outsourced to SaaS providers continue to have overall responsibility for ensuring the data is protected. The program achieves compliance faster and ensures that compliance is maintained.
IBM works with each ISV, SaaS provider, or FinTech in the program by enlisting experts within IBM Security Services and the IBM cloud client success team to assess the partners’ architecture. IBM will also assess controls relative to the control objectives in the framework. Any shortcomings within the software or operations must be before validation.
Validation in the program goes a long way towards the onboarding process with a program’s financial institution because of the common controls and criteria. The provider can then address multiple banks in the program with the next iterative step that may be bank-specific controls related to onboarding and consumption of a partner.
Participants in this program agree to maintain compliance with the framework, with IBM providing the tooling and other operations to enable them and the financial institution partners to ensure compliance.
What’s new in this announcement
Added into the IBM Catalog are two more foundational runtime environments, Red Hat OpenShift and IBM Cloud Virtual Server for Virtual Private Cloud, in addition to already announced support for VMware regulated workloads. All these services include built-in security and compliance controls for both cloud-native and VMware workloads.
The second part of this announcement is the expansion of the ecosystem of partners from 30 to 90. Noteworthy is the fact that SAP has agreed to join the IBM Cloud for Financial Services Program.
It has been a long journey for IBM to get to this point, understandable because the regulatory burden is not trivial. IBM has built a cloud that monitors and ensures continuous compliance with all regulatory obligations for the big banks and companies that sell them software and services.
The state of financial services in the cloud is evolving quickly. The cloud, with its elasticity, can help enable everything from risk modeling to analytics. Additionally, several emerging companies, such as Temenos, specialize in core banking which is the next wave of cloud adoption for financial services. Banks are looking to move core banking to the cloud, and IBM Cloud for Financial Services gives them a competitive advantage. I believe this is an area IBM can win in and that’s a big deal.
I look forward to the next chapter in this journey.
Note: Moor Insights & Strategy writers and editors may have contributed to this article.
Moor Insights & Strategy, like all research and analyst firms, provides or has provided paid research, analysis, advising, or consulting to many high-tech companies in the industry, including 8×8, Advanced Micro Devices, Amazon, Applied Micro, ARM, Aruba Networks, AT&T, AWS, A-10 Strategies, Bitfusion, Blaize, Box, Broadcom, Calix, Cisco Systems, Clear Software, Cloudera, Clumio, Cognitive Systems, CompuCom, Dell, Dell EMC, Dell Technologies, Diablo Technologies, Digital Optics, Dreamchain, Echelon, Ericsson, Extreme Networks, Flex, Foxconn, Frame (now VMware), Fujitsu, Gen Z Consortium, Glue Networks, GlobalFoundries, Google (Nest-Revolve), Google Cloud, HP Inc., Hewlett Packard Enterprise, Honeywell, Huawei Technologies, IBM, Ion VR, Inseego, Infosys, Intel, Interdigital, Jabil Circuit, Konica Minolta, Lattice Semiconductor, Lenovo, Linux Foundation, MapBox, Marvell, Mavenir, Marseille Inc, Mayfair Equity, Meraki (Cisco), Mesophere, Microsoft, Mojo Networks, National Instruments, NetApp, Nightwatch, NOKIA (Alcatel-Lucent), Nortek, Novumind, NVIDIA, Nuvia, ON Semiconductor, ONUG, OpenStack Foundation, Oracle, Poly, Panasas, Peraso, Pexip, Pixelworks, Plume Design, Poly, Portworx, Pure Storage, Qualcomm, Rackspace, Rambus, Rayvolt E-Bikes, Red Hat, Residio, Samsung Electronics, SAP, SAS, Scale Computing, Schneider Electric, Silver Peak, SONY, Springpath, Spirent, Splunk, Sprint, Stratus Technologies, Symantec, Synaptics, Syniverse, Synopsys, Tanium, TE Connectivity, TensTorrent, Tobii Technology, T-Mobile, Twitter, Unity Technologies, UiPath, Verizon Communications, Vidyo, VMware, Wave Computing, Wellsmith, Xilinx, Zebra, Zededa, and Zoho which may be cited in blogs and research.