Implementing storage: Compliance concerns for stateful financial services applications

There’s little doubt that industry pressures have driven financial services firms to implement - and to continue to adopt - transformative solutions to maintain competitive advantages that help streamline operations and introduce new products. 

However, along with having to surmount technical issues, this industry presents special challenges regulatory and compliance concerns, in addition to technology considerations. Regulators play a major role in financial institutions, therefore, by necessity, banks create organizational models and processes to ensure that work is being delivered with the most minimal risk possible - and technology solutions must also adhere to this regulatory overlay. 

Main regulatory bodies

There are two main regulatory bodies which oversee activities regarding compliance - the U.S. Security and Exchange Commission (SEC), and the Financial Industry Regulatory Authority (FINRA).

The SEC regulates and oversees FINRA, established in 2007. Unlike the SEC, FINRA is not a governmental agency, but a private organization. More specifically, FINRA is classified as a “self-regulatory organization.” However, it has congressional authority to intervene when investors file claims or complaints concerning suspected securities fraud.

While there is latitude in the actual performance and conduct of compliance activities - regulators do not oversee the methodology used by the bank, rather their focus centers on the end state of compliance itself - and that it can be demonstrated. With ever-increasing amounts of data being generated, manipulated, shared, transferred, and utilized, data management is a principal area in which compliance, security, and adherence must be demonstrated. Not surprisingly, these areas also form the central technical challenge in the sector in terms of product evolution and distinction among competing organizations.

 While by no means comprehensive, the compliance pillars for storing data are centered around:

•  Data loss or theft - prevention measures to detect and prevent unauthorized access, modification, copying, or transmission of confidential data.

• Strong encryption controls on confidential data at rest.

• Access controls and auditability for confidential data (covering access for entitled activity). The accomodation for data integrity and privacy aspects are subject to wide ranging sets of regulation. Among others, for international customers they are based on General Data Protection Regulations (GDPR) for compliance with EU law. Similarly, the California Consumer Privacy Act (CCPA) is the first U.S. regulation to follow in the footsteps of the EU’s GDPR restrictions. 

• Data retention - formal mandates include SEC regulations with restriction on time durations and storage integrity - typically requiring that data records can not be destroyed or rewritten for a period of seven years. 

Regulated, but open 

With data volumes and complexities increasing, financial institutions continue to embrace new methods and technologies to accommodate these ever-present challenges, including implementing storage on Kubernetes platforms. 

These changes were initially driven as organizations used containers for stateless applications, where storage was not necessarily required, and then transitioned to platform usage models for more stateful applications with storage requirements - including those subject to regulatory oversight - including databases, caching platforms, documents, and images etc. 

Red Hat’s Kubernetes platform, Red Hat OpenShift, has long integrated storage capabilities, and Red Hat OpenShift Container Storage can provide persistent storage for containers. The OpenShift Container Storage is installed on OpenShift and provides file, block and object storage to containerized applications - tailoring performance according to the specific workload required. Flexibility is provided by local disks and/or through cloud storage depending on where OpenShift is installed. Additionally, an existing or new external Red Hat Ceph Storage cluster can provide those three types of storage to containers through OpenShift Container Storage.

Principal roles

On a day to day basis, many involved parties within FSI organizations are exposed to data compliance concerns. To illustrate, we cite three principal functional roles - which contribute toward data compliance activities and consistency - each of which have their own technical challenges in achieving desired business outcomes most efficiently.

Developers: Developers require the ability to define the storage requirements and claim it for their applications. Traditionally, they make requests to a storage administrator to gain allocation. As the application moves through environments the request is repeated and subject to variations for the underlying infrastructure and can cause promotion challenges and inevitable troubleshooting. 

Hybrid Cloud Administrators: Administrators have oversight for the platform but also the responsibility of providing storage facilities. As a corollary inherited task, their role also might make them accountable for storage life cycle management and storage content custodianship. 

Storage Administrators: Storage administrators are responsible for providing and allocating storage to the OpenShift platform. Traditionally, they have worked with server administrators to provision storage to the applications. 

Tale of two scenarios

Financial institutions have at least two Red Hat OpenShift Container Storage implementations that they can use: 

1. OpenShift Container Storage can be used leveraged in standalone mode, for operational data and application configuration. 

   1.  Implement OpenShift Container Storage in standalone mode (consuming storage from the platform on which OpenShift is running) for immediate data needs and local operational data. 

   2. Administrators can set policy and guidelines that this storage is used for immediate data and configuration needs and the application can rebuild the data from a book of record if needed, meeting compliance concerns. 

2.  Pair OpenShift with external Ceph cluster for book of record data that requires long term retention and governance. 

   1. Allocate storage from a centrally managed Ceph storage system like the Red Hat Ceph storage. Storage provided to OpenShift can be claimed by the applications for data retention and its corresponding book of records systems in exactly the same manner as the previous installation, as it is also provided through OCS, facilitating a straightforward graduation process. An advantage of this approach would be that the organization can leverage mature storage practices including, backup, retention policies, data classification and other industry-standard compliance requirements.

Within both implementations, organizational models for separation of responsibilities and data custodianship can be met without adding burden to each set of distinctive duties and operating tasks as described previously. The involved OpenShift personnel can enable Kubernetes services that are stable and scalable, but do not assume the regulatory responsibility for the transient data through it.

While we have briefly described this implementation, please explore the flexibility Red Hat offers with Red Hat OpenShift and Red Hat OpenShift Container Storage.