Bill Mann is the CEO of Styra, Inc., the founders of Open Policy Agent (OPA) and leaders in cloud-native authorization.
The financial services industry is shifting to cloud-native because it is more flexible and resilient than traditional systems, which can lead to a better, more accessible user experience. Customer expectations have skyrocketed with the pace of technology, and FinServ is not immune from these demands.
Of course, security is paramount, and there’s a mountain of tech debt to consider. An understanding of the upside — and a few best practices — can pave the way forward.
Cloud-native means your developers build applications in a different, modern way. Containers are at the core of this difference. Containers allow developers to split app code into discrete, changeable, manageable chunks and then use automation to manage how those all work together. It sounds complicated, but it results in easier fixes, faster updates and a better user experience.
Many in FinServ feel pressure to shift to cloud-native because of customer demands. Yet done correctly, this shift is about much more than catching up with expectations. It’s an opportunity to accelerate faster with an optimal blend of automation and precision-level control. Ultimately, cloud-native offers the chance to reduce costs, drive revenue and facilitate efficient innovation.
Here’s what that looks like:
• Improved time to market with new features and tools.
• Less manual maintenance and monitoring, saving valuable time and resources.
• Fewer human errors, mitigating risk.
• A better CX with enhanced performance and uptime.
• Elevated security with automated gatekeeping for user privacy and protections.
• An empowered workforce tasked with innovation and given the space to move more efficiently.
What To Watch Out For
• Dynamic competition. In many pockets of FinServ, competition is fierce from companies born in the cloud. They have agility, accessibility and adaptability built right in, along with fee structures that competitors with more traditional overhead burdens can’t match.
The good news: Cloud-native companies have paved the way for new technologies, culture and processes. They’ve already suffered through the wrong tools, dead ends, research and hassle that come from being first. Now, best practices and standards are far easier to come by, which accelerates innovation with fast, precise automation.
• Compliance and regulations. FinServ companies are often limited by compliance and regulatory frameworks that necessitate precise (and painstaking) governance decisions and attention upfront.
The good news: While there’s a heavier lift upfront in converting compliance-dominated companies, the upside is significant. Modern policy-as-code solutions codify compliance and regulatory rulesets directly into apps and infrastructure, establishing ever-present guardrails that don’t rely on human memory or documentation.
• Tech debt. Tech debt is a real problem across many industries, and FinServ is no exception. Policies currently live somewhere in a PDF that’s in an email in someone’s inbox on one of their devices. It’s intimidating to consider getting on top of this type of system, let alone iterating away from it.
The good news: You don’t have to uproot the entire system. Even if your business runs traditional systems but wants to layer on newer, faster-moving elements, a policy engine like Open Policy Agent (OPA) can support both. It’s agnostic, allowing you to write applications in whatever language you want. It doesn’t have to be an “either/or”; it can be a “yes, and.” Leverage incremental changes, combining legacy, new and hybrid solutions.
• Misalignment. Security, compliance, governance and platform teams should all share common goals, but those teams are typically siloed. Security has often stood in the way of accelerated delivery or innovation, and friction between teams leads to compliance heartache and real security risk.
The good news: When security becomes code, everyone can collaborate much more closely. Even a little interoperability goes a long way. Empowering platform teams to implement the security best practices and compliance needs of more traditional IT means each team can shine, and for the first time, security can be part of the platforms that actually accelerate development. Enacting this type of shift generates an opportunity to formalize collaboration and put new metrics around it.
1. Focus. You don’t have to find the best place to start. You just have to find a place to start. Let the talent guide you. Find a few team members with the skills and enthusiasm to innovate in the cloud, and let them start where their skills are. Once you have chosen a place to start and assembled a team that has the experience and capabilities to build it out, they will pave the way. The beauty of cloud-native architecture is that it’s infinitely modular. You don’t have to do everything at once. One well-developed idea can serve as proof and fodder for other innovations.
2. Standardize. Get on the same page with your core team. Once they innovate, have a team quickly follow to standardize processes by working together. The keyword: together. Create space for communication, collaboration, inspiration and ideas. As I discussed in a previous article, elevate the voices of people who have the technical knowledge, skill and experience but don’t usually get to talk. Let the innovation lead.
3. Control. Embracing DevSecOps should facilitate getting signoff from security and compliance. To codify policy and security from the outset, you will have to ensure that developers can articulate the what and the why. If they understand the goal, they can codify the solution.
The question: Can security and speed finally coexist?
Answer: For the first time, yes. Policy as code is the key. Empower the people who are passionate about modern app architecture, give them a clear road map, and allow them to choose the tools and projects that meet those goals.
A policy-as-code engine like OPA can smooth out the shift to cloud-native because it’s decoupled from the tools chosen, so your team can take the wheel without steering you into the ditch. Chances are, you already have people with the right capabilities and passions on your team. Find them, empower them and get ready to move forward.