The Luxembourg Stock Exchange heads to the clouds.
Organisations at work within today’s society face numerous challenges such as the public demand for flexibility and scalability, not to mention the necessity to quickly deliver new solutions to customers and counterparties. These are some of the reasons that led the Luxembourg Stock Exchange (LuxSE) to reflect on the future evolution of its existing technological assets and resources in 2018. We met Laurent Pulinckx, CIO and Member of the Executive Committee of LuxSE, to discuss the issues and solutions that the company has identified as it enters the second year of this extensive change.
"After exploring several options, we decided to migrate our infrastructure and applications to the cloud," explains Laurent Pulinckx. "This solution allows us to strengthen our interactions with our customers, partners and other stakeholders." These stakeholders include LuxSE’s wholly owned subsidiary Fundsquare, which was created in 2013 and operates as a fund market utility. Last year, LuxSE furthermore voiced its commitment to drive innovation by acquiring significant stakes in a London-based FinTech known as Origin, and Luxembourg start-up StarTalers.
"As our objective is to increase flexibility and scalability beyond the layer of the operating system", he says, "we cannot simply base our project on a 'Lift & Shift' approach, meaning that we would take a workload as it is today on premise and run it on cloud-native resources. We have done quite the opposite in our approach. First, we must have a fully integrated functional architecture capable of giving us these levels of agility everywhere and anywhere in the IT value chain while increasing the interconnection capabilities."
Understanding the risks
LuxSE is arguably one of the most important financial institutions in Luxembourg's ecosystem. It is therefore essential for LuxSE to understand and account for the risks associated with this project, as well as the mitigation plans that must be implemented to reduce these risks. "While our initiative is conducted in a cloud migration context, the same approach could be adopted regardless of the infrastructure. A similar question could be raised with regard to on-site infrastructures," comments Laurent Pulinckx.
To properly address this risk management issue, LuxSE decided to base its approach on a methodology developed by the European Union Agency for Cybersecurity, ENISA. "The use of this framework allowed us to balance the inherent risks of any major infrastructure change and brainstorm on the necessary mitigation plans, from both a technical and organisational perspective," underlines Laurent Pulinckx. "What is important," he adds, "is to understand that such a risk analysis must first and foremost be founded on a sound understanding of how the cloud works. In particular, it is essential that we clearly identify the responsibilities of all parties involved, and define how the cloud provider will be monitored by the Luxembourg Stock Exchange. At the end of the day, we are accountable to our stakeholders."
When compliance leads to better, smarter, and safer processes
LuxSE is supervised by the CSSF and has the obligation to obtain and comply with the opinion of the supervisory authority regarding its cloud migration project, particularly in the context of the CSSF’s March 2019 update 17/654 relating to IT outsourcing based on a cloud computing infrastructure.
"A major advantage of this approach is that it forced us to document all the upstream processes," admits Laurent Pulinckx. "It gave us the opportunity to challenge our understanding of our own responsibilities on the one hand and the responsibilities of the cloud provider on the other. We analysed in detail all the risks associated with a cloud migration, and defined the most appropriate mitigation measures to be applied, including the frequency of control checks."
This led LuxSE to write a highly detailed reference document that describes the technical solutions envisaged and the organisational measures to be implemented, as well as the respective roles and responsibilities of LuxSE and their cloud provider. "As an additional benefit", says Laurent Pulinckx, "by exposing the risks involved we were able to analyse the residual risk remaining after the effect of the mitigation procedures. This document, along with the proposed migration plan, received a favourable response from the CSSF in November 2019."
Today, all the prerequisites and technological tests at LuxSE are either completed or underway. "We are currently working on the formulation of a detailed plan for the migration of our applications to the functional target, which will of course be located in the cloud," explains Laurent Pulinckx. "Since we received the green light from the CSSF, all new projects are in principle hosted on the cloud and built on the new technological stack. This means that some of our ongoing projects are already deployed at the cloud level. Our goal is to finalise the migration of all our resources by the end of 2021," he concludes.
Interview by Michael Renotte, which was originally published as the first in the LuxSE IT Series on IT One.