Fintech, February 1 2010

Can cloud technology deliver what it promises?

Cloud computing and software-as-a-service are gaining popularity in the banking industry, but some reservations remain, particularly concerning security. How well-founded are these concerns and how can they be assuaged?

Writer: Nicholas Pratt

Cloud computing is top of the hype charts, at least according to IT consultancy Gartner's so-called 'Hype Cycle for Emerging Technologies 2009', which maps the adoption curve of new technologies. Such a lofty position therefore heralds an investigation into this relatively new internet-based delivery model for IT services. Is the promotion of cloud-computing services so overzealous that banks have to be warned that they face the 'trough of disillusionment' that follows the peak of inflated expectation on the Gartner map? Or is there a real benefit to be gained from employing cloud computing services, as long as banks are able to manage their expectations and confine the cloud to those services to which it is best suited?

The first task for any bank is to ensure that it is clear on the definitions of the various terms bandied about when discussing cloud computing. What, for example, is the difference between cloud computing and software-as-a-service (SaaS)? And what is the difference between SaaS and the application service provider (ASP) model that was marketed 10 years previously?

A report from Oliver Wyman-owned consultancy Celent, 'Cloud Computing, SaaS, and Technology Outsourcing For Banks', aims to clarify this confusion by defining the various terms. "The banks are getting confused about the terms," says Jeff Goldberg, an analyst at Celent and the author of the report. Much of the fault can be laid at the door of various vendors who have rapidly been relabelling their products as cloud compatible only for unsuspecting customers to find that there is nothing new or 'cloud compatible' at all.

If the IT industry decides to keep things simple for once, these definitions should be easy to standardise. Cloud computing refers to the outsourcing of IT hardware - such as storage, servers and other infrastructure services - to a vendor that provides these services via the internet on an on-demand basis. The typical cloud providers are the likes of Amazon and Google. Users therefore pay only for what they use and can call on these services as and when they need them.

SaaS refers to the outsourcing of various applications, but not hardware. Readers may recognise this model as being similar to the aforementioned ASP model but, says Mr Goldberg, whereas the ASP providers found that the use of private networks and the constant customisation made the model economically unrewarding, the SaaS model is based on all users having access to the same application and via the same internet-based route.

Budgetary issue

It is easier, however, to summarise the benefits of cloud computing and its related business models, particularly in the current climate of miserly IT budgets. As with any IT outsourcing, banks no longer have to develop, implement, maintain or upgrade technology. In addition, there is the benefit of immense and rapid scalability. And, because of the on-demand nature of cloud computing, this scalability comes with added elasticity. Therefore, if a bank requires surplus computing power or storage space due to an occasional spike in demand, it can look to the clouds. However, as with any new technology and any form of third-party outsourcing, banks are cautious about security, availability and the threat to data integrity.

For example, the chief information officer (CIO) in the wholesale banking division of one European bank admits that he is not currently using any form of cloud computing and there are no files or folders or infrastructure held outside of the bank's own data centres. The bank is, however, a late adopter of SaaS. Despite this tentative take-up, the CIO is very clear about the potential advantages of the cloud: "If we do not have to install, deploy, maintain and continually patch and update software and hardware, it reduces our manpower requirement." But he is also very clear about the main obstacle that banks have to overcome before fully embracing the cloud computing concept.

"From a security perspective, everything has to be clean and legal. There are various regulatory requirements to meet, such as the rule that all data must be stored within the EU and there are also a bank's own internal security policies. For example, you want to be able to use your own [server] rack, your own encryption and your own rights of access to the hosting data centre for audit purposes. Essentially, we would want to take whatever approach we have with our internal applications or data and exaggerate that," he says.

Though this bank may not be using cloud computing at present, this could well change in the future and, despite the concerns about security, his own chief security officer (CSO) is not against cloud computing in principle. "I was discussing with the head of security about whether he would ever let any data go to the cloud and he surprisingly said 'yes'. At the bank, every Windows folder is given a security classification from bullet-proof confidentiality to public status. Anything that is confidential will stay within the bank and everything else can go outside, so I can see us taking steps in that direction and I think that same approach would go for many banks," he says.


John Meakin, former chief information security officer at Standard Chartered

Security benefits

John Meakin, the former chief information security officer at Standard Chartered, is a long-time board member of the Jericho Forum, an industry association that looks at IT-related security issues. Rather than trying to limit the extra vulnerabilities that come from cloud computing, Mr Meakin believes there are clear advantages from a security standpoint. "When I was at Standard Chartered, we were looking to implement more security for the same spend," says Mr Meakin.

"At the same time, there was a lot of interest in cloud computing in order to manage IT cost and delivery." Putting the two initiatives together, he says, was therefore a natural step. "For example, there are a lot of security tasks that are commoditised and where you don't get any added value from doing them in house - such as anti-virus checks or security monitoring. And many of the applications and systems already used by banks are web-facing, so why not use the web for security?"

This conclusion has not been lost on the vendor community, and US-based Veracode is one of several security-managed services providers available on a SaaS basis. "There are security advantages that come with cloud computing and SaaS," says Veracode chief executive Matt Moynahan. A bank, for example, can have entities in 40 or 50 countries and it may be trying to put in security procedures to cover all of these entities. "Without the cloud, it can be nearly impossible for a CSO to implement any security policy quickly, consistently or globally across distributed teams or entities. The benefits are real, so I don't think you should be afraid of the security of cloud, but executives should certainly hold it to the same scrutiny as any other internal security process."


Matt Moynahan, Veracode chief executive

Assessment process

This scrutiny should begin with a thorough assessment of the vendor and whether it has the scale and infrastructure to be able to offer a cloud-computing service and whether it can be trusted with storing, managing and retrieving a bank's data. "A lot of these so-called cloud companies are really just SaaS vendors and don't have the scalability of infrastructure that's needed to provide a cloud-computing service," says Mr Moynahan. "A bank has to do its due diligence carefully so that it is getting the operational benefits as well as the cost benefits. Just because someone is a SaaS provider does not mean they have a scaleable or secure cloud computing infrastructure. They are different."

The due diligence should include questions about how users' access to data is defined and how data is segregated within the cloud, says Mr Moynahan. "Is proper encryption used? How is it stored within the cloud - is it co-mingled or separate in an encrypted vault? Can the vendor replicate the data across multiple sites? Can the vendor do complete restoration of data and how long would that take?" Of course, the better the job the bank does on its own internal security, the better the results it should get from a cloud provider, but there should also be a periodic review of security and the provider should be willing to submit to these security audits, says Mr Moynahan.

Are there any reasons why banks should engage in cloud computing to a lesser extent than anyone else? "No," says Mr Meakin. "The cloud could be a threat if you don't know what you're doing, but it can be an opportunity as well. For example, in my time at Standard Chartered, we wanted to use social networking as a way of improving collaboration between staff. There was a reaction of horror from some colleagues, but we came up with a prioritised list of what we needed to fix and put those measures in place. We had an internalised version of [the popular social-networking site] Facebook, that used the site's code, but all of the data was held in a server on the edge of our network."

Regulatory control

Of course, regulation may well have a restrictive effect on cloud computing, particularly in relation to the legislation around data residency and location. For example, under EU rules, customer data should not be stored beyond the confines of the EU, and similar rules apply in the US and elsewhere. "The regulators are interested in any kind of outsourcing and cloud computing is an extreme form of outsourcing," says Mr Meakin. "But if you look at the regulators' control requirements, there is no reason that they cannot be translated to the cloud-computing context. The banking industry needs to have an intelligent discussion with its regulators."

Kevin Perara, systems architect at core banking vendor Temenos, is less confident about the likelihood of an intelligent discussion. "The potential for location sensitivity issues such as data residency would require a radically different approach to how regulatory compliance is measured," he says. This seems unlikely with the current economic climate and the existing issues with customer identity management that have led to regulations designed to help combat the rising issues of electronic fraud and anti-money laundering.

Outage problems

Both regulatory concern and bankers' trepidation could be increased if there are any more high-profile outages, such as those suffered this year by Google's popular internet-based e-mail service Gmail, and Danger, the unfortunately named Microsoft-owned SaaS company that supplies internet services to mobile phone users. Neither incident directly involved financial institutions and, while some data was irretrievably lost in the Danger outage, many people would argue that the availability standards of most major cloud providers exceed those of most banks.

So it is little surprise that risk management vendors are offering SaaS-based versions of their products. According to Ian Warford, Microsoft's head of securities and capital markets, EMEA, the likes of RiskMetrics are working with Microsoft's cloud offering for pricing data used in market risk management. A number of operational risk vendors, such as Kinetix, are doing the same. Of course, says Mr Warford, while putting generic market data in the clouds presents few security concerns, some software will remain permanently in house. "There will not be everything in the cloud tomorrow. In terms of what remains in house, this will be the proprietary pricing algos and analytics - it is all about intellectual property."

For every concern that comes with cloud computing, there is a well-reasoned argument to diminish it. But banks are still reluctant to throw themselves fully behind the cloud concept, as seen by Standard Chartered's Facebook-branded social networking application that sits fully within the bank's own network rather than on the internet.

There are significant possibilities promised by cloud computing that go beyond mere cost savings. For example, banks can employ the cloud to boost their performance by running more expansive calculations across more hardware. Yet it may well be that the more frivolous social networking applications such as Facebook hold the key to banks and other businesses embracing cloud computing. Each new generation will be more acquainted with internet-based networking sites and the collaborative benefits they offer, and an application such as Facebook may be just the tool needed to bring all the various aspects of cloud computing together.

As one bank's CIO admits: "It is still very early days in terms of cloud computing, but I use it a lot in personal computing and I think that personal use will grow and ultimately translate to the bank. People will become increasingly accustomed to using the cloud for their personal computing and will then expect to get the same benefits from their business computing."
