Cloudy days ahead
Financial services are all about risk management, regulatory compliance and cyber security – and none of it is easy. Just when companies thought they might have the hang of this, the cloud darkened the sky.
Cloud services are rapidly dominating the IT infrastructure, changing the way we work and interact with each other. The cloud gives us scalability, flexibility and accessibility like never before imagined. IT departments are relieved of the maintenance burden, yet an entirely new migraine comes along with it, namely risk.
Companies large and small are jumping onto the cloud. While some still have a hybrid ecosystem consisting of both on-premise (mostly legacy at this point) and cloud, cloud applications dominate. They’re just so darned easy to obtain, use and manage, right?
Not so fast. For every cloud application giant like Workday, Salesforce, and Office 365 that may be under somewhat tighter control, there are dozens of smaller, lesser-known SaaS apps many IT departments may or may not know anything about. Even worse, there is typically duplication. Marketing may use Basecamp for project collaboration among team members while IT may use Projectplace for the same purpose.
Before you know it, your highly regulated financial services company is out of control with a double barrel of risk and costs pointed squarely at its head. License optimization, security control and regulatory compliance is vital, but how does a financial company plan for ‘what’s next?’
Three things financial service companies must have for SaaS management
Financial institutions are no different from any other company serving the public in that they both must know what’s going on within their respective organizations and then be proactive in governing some sort of protective protocol. Perhaps the differentiator here is that financial services companies must deal with never-ending regulations and fines that can drown them if they are negligent.
Cyber security and data breaches from the outside may keep execs up at night, but there’s a more a more sinister threat looming from within. It’s more persistent and prevalent than the data breaches we all fear and it’s all because of a lack of three things:
1. Transparency
Cloud applications have their charm, but they come with plenty of risks that can spoil the mood. The fact that they are so easy to obtain and so difficult to monitor make them a perfect breeding ground for corruption. Employees may inadvertently or willingly put sensitive customer or company data into the hands (or eyes) of the wrong person. Former employees may have an axe to grind.
Less nefarious may be employees who circumvent the approval process to subscribe to a SaaS app they personally enjoy using, encouraging others in their departments to do the same. They may download the mobile app onto their personal devices and think nothing of the risk and cost they pose to their organizations.
Every new SaaS application means new challenges for IT and the financial institution. Without transparency into exactly what apps are not only being used but those that are underutilized – along with who is using them, they are completely blind to the risk they face. Not a good place to be when it comes to security and compliance.
So how do you get the transparency you need? Read on.
2. Accurate data
Financial companies get data. They live and breathe data. It’s at the core of everything they do – except when it comes to SaaS management, in many cases. In order to gain visibility into the who, when, what and where’s of cloud applications, one must have data.
The problem with data, however, is that is often siloed across the enterprise. It’s rarely in one place. This makes it rather challenging to get a comprehensive view of the organization. Some cloud services companies provide utilization reports, but they require someone to collate the individual reports from each vendor into a single spreadsheet. Even then, it’s common to miss multiple cloud applications.
SaaS management also requires real-time data. Employees come and go, moving positions, departments and companies at a moment’s notice. IT is often the last to know. What are they taking with them? What SaaS apps did they download on their phone? When they leave, are those apps still being used and paid for? Do you have access to this data when an auditor asks or are you scrambling to put it all together? So many questions.
Using a purposely-built SaaS management platform that puts cloud vendor data, contract details, user information, utilization records, license statuses, etc. in one place, in real time is not only helpful, it’s genius. Financial companies should stop chasing their tail and use the right technology to make this whole SaaS management thing a heck of a lot easier with much better results.
3. Governance
Ah, governance. Financial services companies love that word, don’t they? It’s easy to put governance policies in place, yet not always so easy to enforce them. But, they are meant to protect companies from risk and we all know, risk is a more despised four-letter word.
Governance policies around cloud applications may differ from company to company, but they should all include protocol as to how approved apps can be purchased. The right technology will present data that reveals which apps already exist in the company and if those apps have open licenses that can be leveraged before a new subscription is purchased. Policies should be in place as to how cloud subscriptions are negotiated and by whom. Authorizations should be clear – who is allowed to purchase what. Most certainly, policies must be well-communicated as to where the cloud applications can reside. Are personal mobile devices okay? What technology is in place to track it all?
Governance shouldn’t end with the employee. How will IT, purchasing and finance work together to develop and enforce the governance? What policies can be put in place to ensure all stakeholders have access to the same data so silos never rear their ugly heads?
Governance is a big job but worth every drop of sweat. Establish the right protocols now and be ready to enforce them. You can bet your auditors will be hot on your heels. The more your organization gets into cloud apps, the more you have to cover your SaaS.
Financial companies need transparency to answer the tough questions auditors are going to ask. They need access to consolidated, real-time data so they can get an accurate view of the entire SaaS environment. They must have enforced governance that insists employees comply. Only then can they minimize the risk that so plagues their industry.