Establishing an enterprise-ready internal process system for a Financial Technology service provider in the banking and finance industry requires a broad set of security standards. For day-to-day workloads, automations, and human resource infrastructure, Microsoft provides a suite of Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) offerings that align with this industry directly off the shelf.
From an operational perspective, the governance model must satisfy the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), and the Payment Card Industry Data Security Standard (PCI DSS), both for the organization's internal processes and for the customer data it processes.
To build a risk profile for adopting these services, the evaluation should identify assets, threats, and vulnerabilities. Reviewing the perceived risk to the data and infrastructure then feeds a risk assessment, mitigation plans, and monitoring tools into the governance model that oversees the platform. These procedures should be established through business policies and reviewed by stakeholders, who create checklists and baseline assessments to assure continuous security of the provisioned assets.
Data Classification, Assets, Threats, and Vulnerabilities
Microsoft 365 for business ships with Word, Excel, PowerPoint, Clipchamp, Editor, Copilot, Teams, OneDrive, SharePoint, Outlook, Exchange, Loop, Defender, Intune, Entra ID, and Purview.
These tools, Copilot aside, are common in the modern workplace and have proven to be effective catalysts for collaboration across organizations. Used as SaaS, OneDrive and SharePoint can safeguard employee-generated content and enforce access controls on it under a zero trust architecture, where every request is authenticated and authorized rather than trusted because of its network location. When Artificial Intelligence (AI) is used in this context, it is important to ensure that the data entered and processed is controlled so that it does not breach user privacy; Copilot answers only from content the requesting user is already permitted to read, so over-broad sharing that was previously unnoticed becomes discoverable through prompts. As organizations increase their AI usage, they often work with the Cloud Service Provider (CSP) to identify the proper way to enable AI and establish the proper safeguards.
Combining Entra ID, Defender, Purview, and Intune lets employee accounts and their devices be continuously monitored and managed through the lens of the governance model established by the business. These services protect users and endpoints from external threats while enforcing data access policies based on Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC): Entra ID roles and groups define who may act, Conditional Access defines under what conditions, Intune compliance defines from which devices, and Purview sensitivity labels define which data.
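As an added illustration, not code from the original page, the following PowerShell creates a Conditional Access policy that states the zero trust rule above in enforceable form: every user must pass MFA and sign in from an Intune-compliant device before reaching any cloud app. It uses the Microsoft Graph PowerShell SDK; the policy name and the break-glass group identifier are placeholder assumptions, and the policy is created in report-only mode so its impact can be reviewed in sign-in logs before it blocks anyone.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph
# PowerShell SDK and an account holding the Conditional Access Administrator role.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: a dedicated break-glass group is excluded so that a misconfigured
# policy cannot lock every administrator out. Replace with the real group id.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "ZT-01 Require MFA and compliant device for all apps"   # hypothetical name
    # Report-only: sign-in logs record what WOULD have been blocked without
    # enforcing anything. Switch to "enabled" only after reviewing that impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND requires both controls on every sign-in, not either one.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the policy landed with the intended state, scope, and controls.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "Users";    e = { $_.Conditions.Users.IncludeUsers -join "," } },
        @{ n = "Excluded"; e = { $_.Conditions.Users.ExcludeGroups -join "," } },
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }
```

The compliant-device control is what ties Intune into the decision: a device that drifts out of the compliance policy (disk encryption off, OS below the baseline) loses access at the next token evaluation, without anyone editing group membership.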
While processing financial data in daily operations, GLBA, SOX, and PCI DSS obligations are supported, but not satisfied outright, by Microsoft's compliance certifications: the certifications cover the platform, and the organization remains responsible for configuring and operating it compliantly. Under GLBA the system must provide privacy guarantees and safeguards for the financial information of the individuals using it. Under SOX the financial entity must apply controlling processes and reporting that correctly state the outcomes of its financial services. When accepting payment card information, the institution must ensure controls that reduce fraud and protect cardholder data; PCI DSS scope follows the data, covering every system that stores, processes, or transmits it.
Microsoft holds these attestations for the SaaS implementations of these products, which reduces exposure to external threats at the platform layer. Within the governance model, internal threats are mitigated by strict controls based on roles and authorization, including access to customer documents and information by classification, for employees of the financial institution.
Introducing Dynamics 365 Human Resources centralizes employee profiles, improves manager productivity, enhances payroll, automates workflows, and provides analytics. The industry regulations above do not specifically target the employee data of the financial services business; that data is nonetheless covered by the same compliance controls, which provide increased control over business data and reporting and support ethical practices.
Roles, Responsibilities, Governance, Business Continuity and Disaster Recovery
Microsoft's products ship with built-in recovery features, including auto-save, secondary delete stages such as recycle bins and Recoverable Items, and the further protections in Microsoft's security suite. Data retention policies, data loss prevention (DLP), sensitivity labels, and lifecycle rules can be established through Purview; these govern how long content is kept and how it is classified, while per-item read and write permissions are enforced by SharePoint, OneDrive, and Exchange under the identities and groups defined in Entra ID.
Where PaaS and IaaS deployments are needed to augment these tools and perform further tasks for the financial service organization, Azure Backup can serve as the recovery, storage, availability, and data-tiering option for managing redundancy and preservation of the data. Under the Shared Responsibility Model (SRM) the financial organization and the CSP divide the work: the CSP secures the physical infrastructure and the underlying platform, while the customer remains responsible for its data, identities, endpoints, and configuration. The customer's duty is therefore not only ethical stewardship of the data but also operating the services so that the compliance baseline established by the CSP is maintained end to end.
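As an added example, not code from the original page, the following PowerShell creates the retention side of that customer responsibility: a Purview retention policy that keeps financial records across Exchange, SharePoint, and OneDrive for a fixed period and then deletes them. It uses the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module; the policy name, the administrator UPN, and the seven-year (2555-day) period are illustrative assumptions, not a statement of what any regulation requires for a given record type.

```powershell
# Added example, not from the original page. Requires the ExchangeOnlineManagement
# module and an account holding the Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance.admin@contoso.example"   # hypothetical UPN

$policyName = "Financial-Records-Retain-7y"   # hypothetical name
$retainDays = 2555                            # illustrative 7-year period, an assumption

# The policy chooses WHERE it applies. "All" covers the whole tenant; in a pilot,
# pass specific site URLs or mailboxes instead and widen once the impact is known.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment "Retain financial records for the configured period, then delete" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All

# The rule chooses WHAT happens. KeepAndDelete means content cannot be permanently
# removed by users inside the window (it is held in Recoverable Items or the
# Preservation Hold library) and is disposed of automatically once it ages out.
New-RetentionComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -RetentionDuration $retainDays `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays

# Verify: the policy should be Enabled and report its distribution to each workload.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation, OneDriveLocation
```

Retention is deliberately separate from access: this policy decides how long a document survives, not who may read it, so a user can still be denied a file that the organization is nonetheless obliged to keep.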
Role and Responsibility One:
Role: Stakeholders
Responsibility: Establish the role hierarchy, create data policies, access control guidance, and data retention policies, define the data lifecycle, and categorize business-driven data.
Organization: Financial Organization
Role and Responsibility Two:
Role: IT / Security
Responsibility: Implement retention configurations, establish access control settings, automate the data lifecycle, and create policies and procedures that are monitored for alignment with business policy.
Organization: Financial Organization
Role and Responsibility Three:
Role: Cloud Specialist / Sales
Responsibility: Collaborate with the customer (Financial Organization) to ensure data standards and compliance are met, review the architectural model for additional requirements, provide support through outages and reduced availability, and work with internal teams to maintain compliance.
Organization: Cloud Service Provider (CSP)
Mitigation, Monitoring, and Service Level Agreement
When operationalizing the cloud services that provide the financial organization's software tools, it is important to continuously evaluate them for effectiveness in securing the platform and meeting compliance. Microsoft 365 carries a financially backed SLA of 99.9% monthly uptime, and Azure services carry per-service SLAs (commonly 99.9% to 99.99%); when a target is missed, a percentage of the monthly service fee is credited, tiered by how far availability fell (for Microsoft 365, 25%, 50%, or 100%). A credit compensates cost, not lost business, so the organization's own business continuity plan still has to cover the outage. These offerings have built-in data center redundancy, backup, and physical security established by Microsoft.
If additional partner vendors provide services or infrastructure, the financial organization must verify that the partner data centers have backups, redundancy, availability, alternative power, and resilience to environmental disasters. Where providers do not already offer an SLA, one should be negotiated into the contract, and existing SLAs customized where possible, to establish the trusted relationship between the CSP and the financial organization.
As a final step, Azure Monitor should be added to improve observability of any Azure infrastructure, letting the organization visualize performance and audit the connections between applications for high-level and critical situations; for the Microsoft 365 workloads, the Purview unified audit log provides the equivalent record. An audit trail of internal operations is an extra layer of security that reveals how the access controls of the system are actually exercised.
Engineering resilience, security, and future-ready software architecture. Follow on X, GitHub, and LinkedIn, and visit https://joealongi.dev/.