Q&A from What AML Teams Need to Know about Working in the Cloud
June 9, 2020
Questions and answers from the webinar featuring Corie Murray, Software Architect at CaseWare RCM, James Poulin, Technical Operations Manager at CaseWare RCM and Ben Cheng, Cloud Solution Architect at Microsoft.
In this webinar, the trio discuss some of the myths around cloud adoption as well as real-life stories about why financial institutions moved their compliance solution to the cloud.
Q: Do I need to buy additional hardware or software to move to the cloud?
A: Murray: No, there's absolutely no need for new hardware or software to use Alessa. However, you might have specific business requirements that warrant additional resources, For example, let's say you're trying to implement transaction monitoring, where you want to integrate with our APIs, to make sure that you can detect when a transaction should be blocked.
Then you might have to invest in some middleware to technology if you don't already have it. In general, I would say no. You do not need any new hardware or software.
Cheng: It is situational. So, no, especially for customers who are potentially looking to extend their on-premise network. There may be a need to do you acquire some of those network devices, but, again, that's on a situational basis.
Q: Do I need additional IT resources to manage cloud infrastructure?
A: Murray: Absolutely not. Our DevOps and engineering team will manage everything in the cloud for you. That's pretty much what they do. You might require some IT help to get integration and security configurations implemented. But outside of that, we handle everything 100% on the DevOps side.
Q: What is the uptime of the cloud?
A: Murray: It depends on the resource, to be honest. In general, I think you're going to see an SLA from between, 99.9 to 99.99999, and it all depends on what components you have implemented.
So, in general, though, Azure will have different SLAs for different types of components. For example, if we're using data bricks for your analytic platform, then its SLA is 99.95.
And in general what we do is we will give you the minimum SLA out of all the resources that we use in an implementation. So we might be using VMs, we might be using APIs, or you might be using data bricks and cognitive services, So we'll pick the lowest one. We put the SLA for the lowest one and that will be our SLA to the customer.
Cheng: The SLAs that are posted for those Azure components are actually backed by service credit. Therefore, in the event that Microsoft doesn't meet those SLAs for those particular components, service credits are given back to the customers.
Q: What kind of data is stored in the cloud?
A: Murray: It differs from implementation to implementation, obviously, but for a fully hosted deployment, you will have, possibly customer data, accounts, transaction data, or any other type of line of business data would be stored in Azure.
Now, it depends on the implementation, because if you have a hybrid deployment, then you may also have a situation where all the data is stored on premises. Then it is passed to the cloud just for compute purposes.
So, you won't necessarily have the data being in the cloud. However, it depends on the type of implementation that particular customer needs.
Q: What's the process to move from on premise to the cloud?
A: Poulin: Hopefully, as minimal as possible, but it does change a little bit from client to client.
So, there are changes in how data moves into the cloud as we leverage the Azure infrastructure in place. As well as how client connectivity occurs and how clients are connecting back to the application itself.
Q: What processes are done in the cloud?
A: Murray: We have generalized processing and I'm including, continuous monitoring, which can go across pretty much any business space.
But we also have specialized processing specifically for AML, which includes things like transaction monitoring, sanctions screening, risk profiling and regulator reporting, those are the main processing that we do in Azure.
Q: What kind of security features does the cloud have?
A: Poulin: It may actually be easier to answer what it doesn’t have. Leveraging the Azure platform gives us a lot of features available to ensure security. From Alessa’s perspective, we are implementing end-to-end encryption of all of our client connections. And we also use encryption on all of our infrastructure, from virtual machine to data being held. So, there's lots available there.
Cheng: Just to add onto the security features, within Azure, we have a number of what we call first class services that are essentially just native to Azure. But in addition to that, we have a plethora of third party offerings that Microsoft was partnered with some major security companies. So, for customers used to other types of security software, typically, you can find it within the Azure Marketplace, and if they're more comfortable using that, they can just acquire it through the marketplace as part of their offerings.
Q: What about ISO certifications?
A: Poulin: So the Azure infrastructure itself, like Ben shared earlier, has the broadest certification coverage available in the cloud, which is fantastic. So we build off that, and with the Alessa application include our own ISO 27001 certification as part of that.
Cheng: Just to add on to that, we actually have a Service Trust Portal, that's available to you. It's a repository that contains our latest audits or certifications across all clouds. All the certifications can be found and downloaded.
Q: How do I make sure they don't lose my existing data?
A: Poulin: Good question. From Alessa’s standpoint the Alessa Cloud Ops team is responsible for deploying our applications in a fault tolerant manner. In doing that, we leverage Azure infrastructure technologies available to us like replication and backups to ensure that data isn't lost in the event of any disasters or failures.
Q: If I have a branch in the U.S. and another in Canada, how is our data managed?
A: Murray: I see this one a lot. Basically, this is a typical scenario that you'll see with our AML implementations. But to answer the question, we can replicate our assets in each region. We don't have to move the data or we could just move the implementation to suit the needs of the customer. So, this will allow us to respect the data sovereignty requirements of the customer by applying it to the nearest available data center.
Cheng: Typically, we have at least two regions within the same country, and this is to have customers meet their data residency requirements, so that if one region does fail-over, it fails over to another region bound by the same country.
Q: What is the fault tolerance of the system?
A: Murray: I get this question all the time, but the truth is, before, migrating to Azure, we would have to write a lot of code to satisfy this requirement in terms of just being able to deal with failures, whether, you know, persistent or a transient type failures. But, luckily, it's basically built into the Azure platform.
Alessa takes full advantage of these features in terms of just making things available with high availability using geo replication.
Also, we have the ability to deploy multiple instances of each component that we use for a particular implementation. So, all of the tools are there, and we take advantage of them. So, no, this is not really a problem when you use the public cloud.
Q: What about a financial institution’s customer identification program, that must now include additional legal entity screening capability with regard to beneficial owners and control persons. This is a question around integration of data.
A: Murray: Normally, what would happen is that if we have to integrate a particular customer with the screening and APIs, we would have a workshop where we kind of work through what, exactly you're trying to do.
We will explain to you, how we think things will work, touch on all the different data points that you're trying to integrate, and come up with a plan. So, part of going to the cloud is that we can react to the different requirements, different customers. So, it's not that it's never going to be a one size fits all, but we have the ability to react quickly and get you to where you need to be.
Note: Alessa is also in integrated with a number of third party lists providers, our risk intelligence provider, companies like World Check.
Q: Will I have to set up my own Azure account for Alessa to work?
A: Murray: No, you would not. So, that's where our DevOps teams come in. We would set up the infrastructure.
At the end of the day, we will give you a URL or a connection string to upload data if that's a requirement. Or we'll give you the API URL, so that you can make calls out to that API to get a response about sanctions screening, or transaction monitoring, or something like that. So, you absolutely do not need any DevOps experience or anything like that to be able to implement the Alessa platform.
It takes some of the IT infrastructure work off your hands and passes it on to us. As well as the Microsoft team.
Q: Should a SOC 2 report be provided before usage?
A: Cheng: That's one of the reports that I mentioned, is available in the Service Trust Portal for all the underlying components within Azure.
Q: Have third parties conducted application validation of services on the cloud?
A: Murray: More than one organization or one provider, does assessments on whatever we offer.
And this is a part of our business strategy. So we often make sure that, we can provide our customers with the guarantee that their information and their environment is secure, and that we're taking steps to make sure that it remains that way.
So we do have a policy that says we have to do things to get the environment assessed and report it to our customers on a periodic basis.
Cheng: We actually have tools that help customers like CaseWare RCM track that and monitor it and make sure everything is compliant.
But based on what compliance needs you're targeting, it would actually adhere to and keep tracking and monitoring and eventually signal when compliance is met or not met. So it gives customers the sort of line of sight to make sure that the compliance is at the highest level.
Q: The next question I have is really around security, and specifically, cyber security. What is the risk of a business being subjected to ransomware attacks?
A: Poulin: Unfortunately, in today's day and age, that's something that is there all the time. Our responsibility is to make sure that we protect against that risk within all of our deployments.
So, there's a lot of different ways that we do that. And one of those ways is the replication and backups, to ensure that we have something to fall back to and maintaining encryption across all the channels we use. And then really stringent security policy on what is allowed in and out of our services to really minimize that attacks.