IBM Cloud Metrics Model

December 08, 2021

By: David Kliemann, Cloud Risk and Controls Leader and Aly Farooqui, Chief Risk Officer, Cloud for Financial Services | 3 minute read

An industry standard for assessing and reporting on cloud risk for financial institutions.

Cloud-based technology is transforming the financial sector at a rapid pace. As financial institutions continue to prioritize digital transformation, there are several hurdles that inhibit organizations from fully realizing the benefits of moving critical workloads to cloud. One major hurdle is a lack of a commonly integrated, industry-recognized method to measure and report the risk level of hybrid multicloud operations.

Assessing cloud risk is essential to the health of financial institutions

It is well known that security and risk management are critical components for financial institutions to host mission-critical workloads in the cloud and transact with confidence. There is a gap, however — many organizations that move workloads to cloud find that they can’t easily articulate, measure and report risks in relation to their cloud environments. Organizations can find it overwhelming to translate the wide array of potential metrics to stakeholders and regulators, potentially resulting in misalignment of resources. This situation is further amplified with hybrid multicloud deployments that many financial institutions are adopting.

Without a holistic cloud metrics model, financial institutions often struggle to track and articulate key considerations:

• Are risks being recognized, managed and reported properly? To the right audience? In a timely manner?
• Can organizations demonstrate strong governance and compliance in their cloud environments?
• Is the business meeting organizational goals?

With a variety in approaches, it can be difficult for organizations to align with existing risk management programs and determine if they are meeting business goals, while continuously demonstrating governance and compliance requirements.

Financial sector cloud metrics model: The IBM Cloud for Financial Services approach

To directly tackle these challenges, IBM Cloud has collaborated with many organizations within the IBM Financial Services Cloud Council (Council) to develop a Financial Services Cloud Framework. The Council consists of CIOs, CTOs, CISOs and Risk Leaders from global and regional financial institutions who collectively work to de-risk cloud for the industry. More recently, the over 20 financial institution members of the Council worked together to create an industry-centric cloud metrics model to address hybrid-multi cloud governance and reporting.

Based on the NIST Cybersecurity Framework (CSF), the most widely recognized and accepted risk management framework, our industry cloud metrics model compounds upon this tried-and-true foundation to provide organizations with more flexibility. After reviewing with various financial institutions, IBM has added additional functions and components to account for operational and compliance needs that may not be explicit in NIST CSF. Considering how many financial institutions are still early in their cloud journeys, this is an important area to address.

IBM recognizes that organizations across the financial sector have different risk appetite and tolerance levels. As such, the model must be able to be tailored towards each organization’s unique requirements. Instead of being rigid and prescriptive, our model provides a menu of metrics that can be geared towards different organizational levels — what the management team needs will be different from C-level or board-level requirements.

To help build a holistic picture for leadership to understand overall risk, IBM has worked with the Council to identify several cloud metric “domains” that can be used to bucket various metrics and demonstrate risk levels:

• Cloud adoption: Implementing governance and achieving the potential of cloud benefits (e.g., agility, scalability, risk mitigation).
• Risk and compliance: Meeting enterprise risk-management and regulatory requirements.
• Cloud infrastructure security: Facets of security below the application layer (e.g., infrastructure, platform, networking).
• Technology operations: Tools and processes to keep applications/workloads resilient and functioning.
• Workload and data security: Facets of security at the application layer, along with data and application governance and security.

These domains include 50+ individual metrics, including insights for the following:

• Workload inventory and mapping to enable management to know the placement of their workloads.
• Workloads in each CSP to understand concentration risk and dependencies.
• Infrastructure with unremedied vulnerabilities to allow for immediate focus to protect workloads.
• Misconfigured workloads/applications detected to drive corrective actions.

Integrating these cloud domains with the CSF functional areas and providing a metric dashboard for reporting enables financial institutions to thoroughly assess their cloud risk.

Moving toward a new era of trust and transparency for financial institutions

With this cloud metrics model in hand, IBM is continuing to receive input from global FIs, industry regulators and expert analysts to further refine its metrics and examine organizational needs from all angles. IBM Cloud for Financial Services continues to advance the cloud space for the financial services industry — IBM's proposed cloud metrics model is another key puzzle piece in the breadth of technology and expertise they provide to banking leaders looking toward the cloud. Stay tuned for more details.