By Dhirendra Tiwari, Director in PriceWaterhouseCoopers
In my previous article, I talked about the four key maturing trends – Mobile, Cloud, Delivery Optimization and Process Digitization – that are changing the status quo in the people, process and technology areas of Enterprise Integration.
Although this article focuses on the impact of ‘Cloud’ on Enterprise Integration, to get up to speed on the maturing trends and to learn more about the impact of Mobile, please click here.
Banks have Traditionally Employed an On-Prem Caged Approach
Banks are in the business of managing money. Beyond the fiduciary nature of the business, regulatory and compliance requirements mandated that banks build up an iron-cage environment shrouded in hawkish security policies and fed on an insomniac paranoia that outsiders – systems, devices, infrastructure – can’t be trusted. As a result, banks spent millions of dollars installing systems in their infrastructure and then fortifying their environments, and most certainly securing critical financial, core and other enterprise systems within it.
The Business to Consumer (B to C) operating model is at the center of banking, and there will always be a need for consumers to walk in through digital channels to create and manage their accounts. Thus, DMZs (demilitarized zones) were stood up to manage that risk. The DMZ concept and name are inspired by a real-world origin: a buffer zone between North Korea and South Korea where negotiations/vetting occur before either party is allowed to go further. In computing, it is the part of the enterprise network that interfaces with the external world and can also house systems that have an external-facing consumer base (such as the Application Entry component of an Origination System).
Case for Optimization
While securing the systems, data and integration points is table stakes, the new-age banking operating model itself is changing. Banks are no longer a brick-and-mortar business; a large part of transactions, customer acquisition and customer servicing happens over digital channels.
Within digital channels, the concept of a marketplace – where offerings are shared or combined across different platforms or vendors – is gaining momentum. These changes, coupled with innovation in the enterprise systems that banks leverage to operate, are creating a need to modernize the core guiding principles of enterprise integration by adding the middle name “Cloud” to it.
Let’s look at some of the driving factors forcing a re-look at Enterprise Integration vis-à-vis Cloud:
Enterprise Systems: Influx of Cloud-based Enterprise Systems
Buying COTS (commercial off-the-shelf) products, then hosting and connecting them to hundreds of other systems, has been the primary focus of a bank’s IT department. At times, these projects run over several years and come at a very steep cost. Things are changing though: Workday for HR, Salesforce for CRM, and the list goes on and on. Within the banking core systems space, new cloud-based systems are set to alter the significant servicing and origination value chains. The implementation timeframe for these cloud-based systems is less than two-thirds of that of a comparable on-prem system, and the upkeep isn’t too shabby either.
Emerging Role: Emergence of Bank’s Role as a Service and Data Provider
While some banks continue to operate as a traditional bank, others are evolving into a Bank + Technology shop. They have expanded their portfolio to provide B2B services to other banks and to consumers. Live Oak Bank, as an example, started nCino, a commercial loan origination system; and Europe has proposed rules that will mandate a bank to share customer data with a third party, based on the customer’s request.
Consumer: Evolving Definition of a “Consumer”
The definition of a consumer, especially in terms of enterprise integration, is fast expanding. The consumer is no longer just a human or another server accessing systems or data; devices are being included in the mix as well. Location-aware technologies will make a device equally – if not more – important than the customer itself. For example, customer authentication can be tied to the device for purposes such as fraud monitoring; and we are not too far away from other “futuristic” use-cases such as automatic collateral value adjustment based on a real-time reporting event of a car crash, by the car!
Real-time marketplace: Need for Real-time Integration to Marketplace
The new age of customers and their aggressive shopping habits are forcing banks to apply the “real-time” lens. For example, a batch-based integration to BankRate may no longer cut it for the consumer who is looking for personalized real-time rate information. Online car buying experience providers such as TrueCar provide an avenue for banks to lock in their prospects on that platform and during the same process.
So with multiple factors forcing a look at Cloud-based systems integration, how does a bank protect itself while also ensuring that it is not losing out on integration to newer systems and potentially new channels of revenue?
The Impact of Cloud on ‘Enterprise Integration’ Approach
Before we get to the impact of Cloud on Enterprise Integration, let’s level set on the definition and different flavors of Cloud.
In banking, Cloud is nothing new, but to connect the dots let’s talk about the SaaS (Software-as-a-Service) model first. For years, top banking solution providers such as Fiserv & FIS (“Vendor”) have offered their core systems and dozens of other systems – such as Online Banking and Mobile Banking – in a SaaS model. In this model, the bank does not host the application in its data center; instead, the vendor hosts the application and lets the bank configure and use it. So, in this scenario the Vendor is the SaaS provider and the applications are essentially hosted in a Cloud; a Cloud that is managed by the Vendor and is only open to its subscriber banks. This type of Cloud is also called a Private Cloud; think of it as a members-only club.
There is another type of Cloud called Public Cloud which, as the name suggests, is open to businesses and individuals. So if I, John Doe, want to build an application and host it, I could do that. Some examples of Public Cloud are AWS, Salesforce Cloud, etc.
You get the idea of different flavors of cloud and I don’t think there is a need to explain all the others such as Government Cloud, Monsoon Cloud (this one is a joke!).
Now, before we gauge the impact of Cloud on Enterprise Integration, the first question that an organization must answer is: What should be the focus: Public Cloud, Private Cloud, or both?
The answer to this is both, but the timeline of impact depends upon many factors. For example, for a small bank or a credit union, chances are high that it is already integrated with a Private Cloud and is looking for opportunities to integrate with Public Cloud-based systems to gain a competitive edge, provide a superior customer experience and to reduce their bottom line. A big bank that has only dabbled with Private Cloud for its online banking and mobile channels must re-look at its architecture and costs to determine an opportune time to pilot Public Cloud integrations.
Once an organization is directionally aligned on the type of cloud, then comes the question: which use-cases (functional and non-functional) do I need to keep on-prem vs. in the cloud?
This is the most complex question to answer, and often requires a foundational Enterprise Integration approach that can then be enhanced in alignment with the business capabilities that a bank seeks to develop or enhance. One of the possible foundational approaches here can be a Hybrid Integration approach. In a Hybrid Integration approach, cloud-based integrations and their supporting processes (such as security) are managed by a cloud-based Integration platform, whereas on-prem integrations are managed by an on-prem Integration platform. Both are connected via a Security Gateway.
While the on-prem Integration platform is essentially a traditional ESB, one of the primary purposes of the Cloud-based Integration platform is to connect to other Cloud-based systems and devices.
For example: A bank wants to develop a business capability to leverage an add-on feature in an existing ATM device to monitor traffic. This data will then be used for analytics purposes to inform branch efficiencies.
In this case, since it doesn’t involve PII (Personally Identifiable Information) data, and the analytics of the data can be housed in the Cloud as well, it may make sense to host this API on the Cloud platform. Did you notice the implicit driver for the enterprise data strategy here?
Having identified a set of use-cases to take along on the initial expedition into the cloud, an organization must now answer to the paranoia of security, which may very well end up defining the “new” in the enterprise integration approach. Some of the tough questions an organization must develop a strategy for are:
How to secure authentication and authorization of the consumer?
For existing consumers (i.e. customers, B2B servers, etc.) this area essentially remains the same. The SAML or OAuth 2.0 protocol can continue to provide authentication and authorization services for B2B transactions. However, for devices, a holistic device security lifecycle and governance must be built in and integrated into the existing IAM solution or supplemented with a new one.
How to secure connectivity/transportation of data?
Whether it is a Private Cloud or a Public Cloud, the data transfer must happen over the wire.
With Private Cloud, the most secure way is to establish a dedicated connection between the bank’s and the vendor’s data centers. There is also an option to establish a VPN connection to secure connectivity between the two data centers. The detailed pros and cons of these two approaches are beyond the scope of this discussion; suffice it to say that banks have been dealing with Private Clouds for a while and there is a wealth of common practices and processes around it.
With Public Cloud, however, one must look at the message confidentiality aspects more closely. HTTPS along with selective message-level encryption such as tokenization can be implemented to minimize risks.
How to secure processing of the data?
This often requires specialized processing rules based on the data domain. For example, a bank may decide that any mediation that requires PII data should be sealed in a bullet-proof vest when passing through the Cloud-based Integration platform; instead, a Security Gateway in the bank’s infrastructure would continue to be the gatekeeper and mediator of such validations. For unencrypted CHD (Cardholder Data), a more stringent PCI infrastructure may be leveraged in conjunction with tokenization to encrypt transportation of the data.
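To make the data-domain rule above concrete, here is an added sketch (written for this page, not taken from the author or any vendor product) of a Security Gateway that keeps mediation on-prem when it must read PII or CHD, and otherwise tokenizes those fields before the message crosses to the Cloud-based Integration platform. The field names, the domain map, the class name and the route labels are all assumptions.

```python
import secrets

# Assumed field-to-domain map (hypothetical schema, not from the article).
FIELD_DOMAIN = {
    "ssn": "PII", "customer_name": "PII",
    "pan": "CHD",
    "atm_id": "PUBLIC", "foot_traffic": "PUBLIC", "loan_amount": "PUBLIC",
}
SENSITIVE = {"PII", "CHD"}


def domain_of(field):
    # Fail closed: a field nobody has classified is handled as PII.
    return FIELD_DOMAIN.get(field, "PII")


class SecurityGateway:
    """On-prem gatekeeper. The token vault never leaves the bank."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, value):
        # Random token, not derived from the value, so it reveals nothing.
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = value
        return token

    def detokenize(self, token):
        return self._vault[token]

    def prepare(self, message, mediation_reads):
        """Decide where mediation runs; return (route, outbound message)."""
        if any(domain_of(f) in SENSITIVE for f in mediation_reads):
            # The mediation must see clear PII/CHD: keep it on-prem.
            return "on-prem", dict(message)
        # Cloud mediation only reads public fields: tokenize everything else.
        outbound = {
            f: self.tokenize(v) if domain_of(f) in SENSITIVE else v
            for f, v in message.items()
        }
        return "cloud", outbound


if __name__ == "__main__":
    gw = SecurityGateway()
    loan = {"customer_name": "Jane Roe", "ssn": "000-00-0000",
            "loan_amount": 25000}  # constructed sample values
    print(gw.prepare(loan, mediation_reads=["loan_amount"]))
```

The ATM traffic use-case from earlier would pass through `prepare` unchanged on the cloud route, since none of its fields fall in a sensitive domain.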
While all four maturing digital trends – Mobile, Cloud, Delivery Optimization, Process Digitization – are interconnected, Cloud appears to be the one to make the technology C-suite (CISO, CTO and CDO) most nervous. But the potential upside of Cloud adoption brings tremendous synergy in operating costs and also helps propel innovation.
Furthermore, with cross-sector competition on a swift rise in an already competitive marketplace, the adoption of Cloud is no longer a roadmap item. A carefully thought-out Hybrid Integration approach that is driven by the business capabilities will equip a bank to stay competitive while bringing great synergies among the strategic plans around their Security, Data, Business and Integration initiatives.
Stay tuned! In separate papers, I will also discuss the impact of ‘Process Digitization’ and ‘Delivery Optimization’ on Enterprise Integration approach for banking.
Dhirendra has over 14 years of experience executing large-scale complex initiatives in Financial Services and currently works for PriceWaterhouseCoopers. He is a TOGAF 9® certified enterprise architect and is also a Certified Scrum Product Owner. He has successfully demonstrated his leadership skills and technology expertise in architecting and implementing complex enterprise systems, designing and implementing DevOps capabilities, implementing Mobile technology & managing SDLC projects. When not making the world a digital place, Dhirendra is busy plotting commercial-fiction novels.
Dhirendra can be reached at Dhirendra.firstname.lastname@example.org