Cloud and the right to audit
Until recently a majority of cloud solutions have tended to fit neatly into the widely accepted categories of public and private cloud defined by NIST (the U.S. National Institute of Standards and Technology). The ability to use these two technologies side by side in a single effective solution is only now becoming a reality, creating what NIST defines as hybrid cloud.
The driver, of course, has been cost. Large hyper-scale public environments like Azure and AWS offer price points and scalability that can't be matched by smaller midmarket provider environments with finite resources. It's not hard to see why it's attractive to find a way to take advantage of this lower-cost technology.
But what happens when you need to fulfil obligations to give regulators access to your environment? This type of requirement has historically made engagement with outsourced cloud functions difficult. The security guidance on cloud outsourcing released by the FCA earlier this year has gone a long way towards clarifying how to engage. It clearly demonstrates that the right to audit remains a critical requirement, and this alone presents some challenges for engaging with hyper-scale public cloud.
With the use of large-scale public platforms come generalisation, a lack of customisation and, critically, the lack of any right to physically audit the provider. This goes beyond audit for supply chain management. Regulated firms are required to have contractual support for auditing the contents and location of their business-critical outsourced services, and for service providers this critically includes any supporting systems and processes. The physical audit requirement represents an operational risk for service providers simply in resourcing such audits, but this is what differentiates service providers like Pulsant from the hyper-scale platforms, where physical access is just not an option.
I have to commend the FCA for its specific and strong steer that industry-specific external validation should be used to support due diligence when selecting and auditing cloud service providers. At Pulsant we invest heavily in the development, maintenance and improvement of the management system that defines our day-to-day activities. Through external validation of these systems, our certifications provide a strong level of assurance over our business activities. Importantly, this investment reduces the need for customer audits and saves time and money for both parties.
Indeed, there is money to be saved by using a service provider that has invested in a high-quality programme of external audits, and this saving can be used to support a business case for outsourcing. But that only works for the smaller, high-performance cloud offerings of service providers like Pulsant, where the scope of the external audit can be directly shown to cover a customer's environment. So how can a regulated firm take advantage of public cloud?
The answer can be a bespoke hybrid solution customised to address the risks of a regulated business. By combining the flexibility of a well-certified enterprise cloud service provider with the right public cloud integration technology, cloud solutions can be created that maintain the right level of control over critical business assets and activities whilst using public cloud capabilities as a commoditised part of the solution. This opens up the use of cheaper resources where business risk assessment and risk mitigation allow, whilst maintaining the level of audit access and contractual control that the FCA requires around a private cloud resource.
Pulsant has developed public cloud integration technology under our Customer Connect product set that allows customers to do just this. The advantages of FCA-compliant private cloud practices, supported by the best in external cloud security validation, are thus available alongside the option of low-cost commodity cloud services from the hyper-scale platforms where possible, within a specific firm's risk appetite.
Ultimately, by outsourcing your cloud solution to a cloud service provider with a capable and customisable private platform, solid external validation credentials and the right public cloud integration technology, you can engage with public cloud and have confidence in meeting FCA or similar regulatory compliance requirements such as the right to audit.