In September, data management trade association EDM Council launched Cloud Data Management Capabilities (CDMC), an assessment and certification framework that aims to develop and implement standards and best practices for handling sensitive data within cloud environments.
Developed by the EDM Council and partners such as Amazon Web Services, Google Cloud, IBM, and Microsoft, the framework has roped in other big names to the effort.
The Fintech Open Source Foundation, a Linux Foundation nonprofit that seeks to institute open standards in finance, partnered with the EDM Council in November in a bid to automate financial cloud compliance by implementing the CDMC framework via an end-to-end open-source testing and infrastructure-as-code suite. Data warehouse Snowflake announced that its Financial Services Data Cloud was the first cloud platform to be independently assessed by KPMG, an authorized CDMC partner, against the framework’s key controls.
Mike Meriton, EDM Council’s chief operating officer and co-founder, says he expects CDMC to garner full market adoption in the next three years—about half the time it took for the trade body’s Data Management Capability Assessment Model (Dcam), a framework for guiding industry participants’ data management and analytics projects, to reach industry-standard status.
A recent survey by IT management solutions company Flexera found that migrating more workloads to cloud is the top priority among financial services organizations compared to other industries, with 62% of firms surveyed indicating plans to move more workloads to the cloud in 2022. Additionally, one-third of respondents anticipate they would use a mix of on-premise, Software-as-a-Service, and cloud solutions for both consumer data and corporate financial data.
Despite that ambition, the path to full cloud adoption in finance has been murky.
Cost and security concerns have dampened some banks’ appetites for multi-cloud infrastructures, and new regulations in the UK place a heavy burden on firms who, under the new rules, will become auditors of their vendors and third parties, including cloud service providers. And in the US, banks asked regulators for greater clarity on cloud risk after the Federal Reserve, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation issued guidance making it clear that banks are ultimately responsible for the risks of operations that are outsourced to third-party providers.
Nevertheless, firms are faced with an exponentially increasing amount of data and are running out of physical places to store it.
Wes Anderson, vice president and head of enterprise data management for project contributor TD Bank, says the cloud gives banks an unlimited storage capability. “There are physical limitations we deal with when we are the owner of the data center and the on-premise solutions,” he says. “The amount of time it takes a company to expand on-premise is significant.”
In the making
EDM Council’s previous work on Dcam provided a unique starting point for the organization to form the CDMC working group in March 2020. Morgan Stanley, a member of the trade body’s board of directors, had developed on its own a list of starting principles for cloud data management and protecting sensitive data. The bank had also been in conversation with a few cloud providers and had asked how data risk controls could be managed in a multi-cloud environment.
Morgan Stanley then approached the EDM Council on the issue so that cloud providers weren’t faced with the challenge of navigating firms’ different priorities. The Council needed at least 10 companies to form a working group. By May 2020, they had nearly 100.
“This many firms involved in something is notable,” Meriton says. “All the top cloud companies that are normally arch competitors sitting at the same table—that’s highly unusual as well.” Each cloud provider sent engineers weekly to work on the initiative.
Morgan Stanley donated their starting principles focused on cataloging, accessibility, and usage, which helped jump-start the original group meetings.
IBM had 18 individuals, including regulatory consultants from IBM subsidiary Promontory, working on behalf of the company during the working group’s duration. Soren Mortenson, director of global financial markets at IBM, sees the working group as a cross-industry collaboration toward a common goal—something good for everyone. “This is about the classification, control, procedures and security,” he says.
In the end, the working group, chaired by Morgan Stanley and the London Stock Exchange Group, spent a year and a half building the framework through debates and conversation. A total of 750 meetings and 45,000 person hours derived from 300 participants became 164 pages of guidance.
Today the framework includes six core components—governance and accountability; cataloging and classification; accessibility and usage; protection and privacy; data lifecycle; and data and technical architecture—along with 37 capabilities and 14 key controls for managing sensitive data in the cloud.
“At the heart of everything is governance and accountability which means that everything inside of the cloud needs to be cataloged and classified,” Meriton says.
The 14 key controls correlate to the pre-defined components, establishing processes and methods for the handling of sensitive data. The fourth key control, concerning data sovereignty and cross-border movement, was added at the suggestion of a regulator. It states that the data sovereignty and cross-border movement of sensitive data must be recorded, auditable, and controlled according to defined policy.
Other key controls stipulate that classification and cataloging must be automated for all data at the point of creation or ingestion and must always be on. In addition, entitlements and access for sensitive data must be defaulted to the creator or owner and all access of it must be tracked.
Structural issues
A May 2021 report from Firebrand Research highlighted the increasing number of partnerships between banks and major cloud providers. HSBC and Standard Chartered have partnered with AWS; Société Générale, Bank of America, and TD Bank have gone with Microsoft Azure; Deutsche Bank and Commerzbank have chosen Google Cloud; and BNP Paribas tapped IBM Cloud. Bank of America, BNY Mellon, and Standard Chartered also have multi-cloud strategies.
But for all the new partnerships inked and all the new technology capabilities that come along with them, firms’ data management proficiency is not equal across the board, particularly when it comes to unstructured data.
Sanjay Saxena, chief data and digital officer at Celebrity Financial, says it’s invaluable to have a framework that speaks to both structured and unstructured data. Saxena, who was previously senior vice president of enterprise data services at Northern Trust, says organizations typically have no control over their unstructured data.
“The first job is always to solve the problems surrounding the structured data. It might take years before you even get to the unstructured data,” he says. “But the reality is that firms never end up addressing the issues with unstructured data, and that’s why these problems continue to exist all around the industry.”
However, financial firms don’t have the years required to sift through all the data in their systems and rectify issues, particularly those that operate in regions with advanced privacy regulations, such as the EU and California, which are under the General Data Protection Regulation and the California Consumer Privacy Act of 2018, respectively.
Mark Davies, a partner at London-based data and analytics firm Element22, which also contributed to CDMC, says the amount of data and information that financial institutions have is staggering.
“Most financial institutions have got reams and reams, terabytes of data and obligations to maintain and store that information for a long time,” he says. “A lot of it is structured data, and a lot of it is unstructured data like signed contracts and documents, emails, voice and video, all part of the same records that need to be kept.”
He says pinpointing the location of sensitive data can be nearly impossible, particularly if it’s unstructured, like a security video. The classification and security controls outlined in the CDMC framework help remedy that problem so that whether the data in question is structured or unstructured, it’s protected at its start.
Achieving success with CDMC can be simple for firms, Meriton says. First, firms need to be ready, willing, and able to conduct informal checks on themselves, and then act on any deficiencies found. To achieve certification, a firm that is confident in its capabilities should bring in an auditor or compliance firm to independently assess the cloud environment.
The framework is available to download for free on the EDM Council’s website. Since the roll-out in September, the Council has embarked on the CDMC Authorized Partner Program, for which it is seeking companies who want to conduct independent assessments of their own capabilities against CDMC.
Copyright Infopro Digital Limited. All rights reserved.