The financial sector focuses on information security and regulation in cloud migrations

The adoption and utilisation of cloud services across various sectors has progressed rapidly in recent years. Even traditional and highly regulated industries are moving their operations to the cloud. For the financial sector – with companies like banks, financial companies, and insurance providers – information security and regulatory requirements play a particularly critical role. Sulava has aided several companies on their journey towards secure cloud environments that are compliant with audit and banking regulations. This is done by leveraging Microsoft’s versatile cloud services.

For financial sector operators, information security and regulatory issues represent key considerations in any cloud migration, as the data they process is often subject to stringent banking and financial legislation. For example, where and how data is stored and moved is very precisely regulated. Microsoft’s cloud services are widely utilised, for example, at the federal level of the United States, so the built-in security features of Microsoft’s products are at the top of their field, which makes them a great fit for the Finnish financial sector.

Information security and regulation play an extremely central role in this field. In this article, we will highlight the journey of one of Sulava’s long-term financial sector customers as they migrated to Microsoft’s cloud services. We hope that this article can provide useful tips to other organisations in regulated sectors on how they can handle their own cloud migrations.

notes consultant Oliver Lahti from Sulava.

“This customer had previously operated a fully on-premises environment. We began in 2018 with a Microsoft 365 pre-study and a cloud technology security assessment. After many phases, we were able to deploy their systems in 2020, and the coronavirus pandemic certainly accelerated their cloud migration schedule,” Lahti continues.

It began with an extensive pre-study

In an information security-first model, everything typically starts with an extensive pre-study. The customer’s pre-study was reviewed with the help of a very comprehensive set of reporting material. At first, a fundamental decision was made on the technology package, after which each small component was evaluated separately in order to understand its individual effects on, for example, regulatory requirements. All of these activities were based on an initial “nothing can be done from the outside” philosophy, and on that basis it was planned how things could be done with an identity protection-focused approach. As a whole, the customer’s environment was very closed, meaning that rights management played a key role in the cloud migration process.

Even at the earliest stages of the project, both parties agreed that it would be essential to create a future-proof view that would allow the customer to react quickly and efficiently to all types of situations. All decisions in the project were made with information security and risk management at the center, and this approach led to the creation of a functional Microsoft 365 environment and an efficient governance model for the customer’s future Azure environment.

When it comes to information security, an environment’s governance model plays a key role in managing the environment itself, providing instructions to those who work with the environment, such as partners, and in the deployment of new services. From the very beginning, the process involved a great deal of training related to the functionality of the entire system, as the customer’s ultimate goal was to create a self-sufficient operating model.

Deploying an Azure environment creates new opportunities for businesses. This deployment project utilised Microsoft’s CAF (Cloud Adoption Framework) model, as it provided a solid foundation for best practices and for evaluating how each piece would best fit the entire system. Our goal was to build a multipurpose and secure Azure environment for our customer’s business needs, and we succeeded in this.

says consultant Petri Hooli from Sulava.

Adapting to the “new normal”

At the start of the project, the customer utilised a completely on-premises environment, with all work being carried out locally in an office. From a business perspective, the key goals of the project included enabling a more rapid approach to introducing new services and keeping them up to date, the adoption of modern work methods and tools, enabling remote connections from outside the office, and permitting the more efficient allocation of technical resources due to the reduced need for maintenance when using cloud services. Information security and regulatory response served as the natural starting points for every goal.

“After the onset of the coronavirus pandemic in early 2020, our customer was soon faced with a very urgent and unexpected need for modern work methods and safe remote connections. The second phase of the project, which focused on identity and access management, endpoint protection, and continuously monitoring the environment, was rapidly accelerated by these external factors. We had already made and approved all technology-related decisions and governance models at an earlier stage, so we were able to proceed efficiently and set up the necessary remote work connections quickly. We also finalised our information security and monitoring practices at this stage,” Oliver Lahti notes.

New tools, new ways to work

The introduction of modern tools is rarely just a technical process, as any change in work methods can also require many changes in one’s work culture. While the financial sector customer highlighted in this article has gotten off to a good start in changing its work culture, the company remains acutely aware of the time that it can take to truly instill any cultural changes. New approaches can be nurtured through long-term communication, training events, and, for example, by clearly advertising new features.

Issues related to changes in work methods were highlighted throughout the project’s implementation process. Sulava provided the customer with, for example, training on Microsoft Teams as well as many other training sessions and exercises on tools, methods, and information security issues. More work method-related training events are planned for the near future.

Sulava as a cloud services expert

From the very beginning of the project, the customer’s goal was to ensure that its own IT department could independently handle as many facets of the service as possible after the cloud migration process. To reach this goal, the customer received a great deal of information from Sulava, which served as the project’s cloud services architect and expert.

The managers and heads of the customer’s various business units were deeply involved in the project. This commitment from the customer’s upper management ensured that all information related to the service was spread as extensively as possible throughout the organisation. From Sulava, the project involved several experts from many different areas, such as cloud service architecture, information security, and work culture change management.

In the future, the customer aims to further increase the agility of its own work processes with the help of new and modern tools and work methods. Developing a hybrid work model will require further training and adoption of new approaches. Thanks to the solid foundation created in the project, the customer’s business operations and employees can now make the most of their modern environment.


Writer: Juhani Lassila

Published: June 2022

Quick facts
  • For financial sector operators, information security and regulatory issues represent key considerations in cloud migration
  • At the start of the project, the customer utilised a completely on-premises environment
  • From a business perspective, the key goals of a cloud migration project include e.g. enabling a more rapid approach to introducing new services and keeping them up to date, the adoption of modern work methods and tools, enabling remote connections, and permitting the more efficient allocation of technical resources
  • All decisions in the project were made with information security and risk management at the center, and this approach led to the creation of a functional Microsoft 365 environment and an efficient governance model for the customer’s future Azure environment.
  • The Azure environment implementation project utilised the CAF model, which provided a solid foundation for best practices and for evaluating how each piece would best fit the entire system