Cloud computing technologies and financial services

Crystal Bedell, Contributor

You'd have to be living under a rock these days to avoid hearing about the benefits of cloud computing. Heck, even Microsoft is promoting the cloud in its Windows 7 television commercials. But does a technology that's pitched to consumers have a place in a highly regulated industry like financial services? Analysts and IT professionals agree: Maybe, in the future.

"The cloud is certainly on everyone's radar, but there are a lot of issues still to be resolved on the process and regulatory side," said Kevin McPartland, senior analyst at Tabb Group, a Westborough, Mass.-based research and advisory firm focused on capital markets.

"Banks are not using commercial external clouds like Amazon and Google. If they use external clouds, it will be many years away. But quite a few are looking into internal clouds for IT systems, testing and less mission-critical apps. The cost savings that can be had are so big, it's impossible for CIOs to ignore the opportunity," McPartland said.

Cloud computing technologies promise cost savings as a result of more efficient resource utilization. In the case of public clouds (or commercial external clouds), all the hardware is managed by the cloud provider. The customer pays only for the computing resources it uses and no more. A private cloud (or internal cloud) is a computing architecture that delivers services to users behind a firewall. IT departments still save on hardware because they see better utilization of resources, which are delivered dynamically.

Lack of visibility = a lack of security

In the case of private clouds, the organization has complete control over its data and security. Public clouds, however, offer little in the way of service-level agreements and visibility into security, owing to their distributed nature: a customer's data can be stored and moved between any number of data centers located around the world. "One of the phrases I've heard is, 'It's 5:00, do you know where your data is?'" said Doug Johnson, vice president of risk management policy at the American Bankers Association.

"It's important for us to know what the security provisions are. Banks are used to having data internally or at a third-party data center where they can go and kick the tires. That's a challenge when computing is distributed," Johnson said.

This lack of visibility into the security of a cloud environment changes the way banks and other organizations in highly regulated industries must think about risk management. "An infrastructure that you know something about is inherently less risky than one you don't know anything about," said George Reese, chief technology officer of enStratus Networks LLC, a Minneapolis-based provider of cloud infrastructure management. "But that doesn't mean a public cloud is less secure than a private data center environment. It just means that you'll always have less information about that environment from which to make decisions about security," Reese said.

Case in point: A cloud provider might take a Fort Knox approach to security. But a lack of knowledge about the external data center represents a tremendous risk to a potential customer, explained Reese. "In order to be secure in the cloud, you need to be able to get answers to questions about what the provider is doing in the cloud," he said.

Standardizing cloud provider evaluations

For heavily regulated industries like financial services, the process of evaluating cloud services providers begins with the tedious and expensive effort of gathering audit data. An organization called CloudAudit aims to simplify this process by creating a standard way for cloud providers to communicate how they address security, governance and compliance. The volunteer, cross-industry effort became an official project of the nonprofit Cloud Security Alliance in October, and CloudAudit is part of a free tool suite for GRC in the cloud that CSA released in November.

"The most costly part of picking out a new vendor is assembling the documentation," Reese said. "CloudAudit minimizes and may even remove documentation from being an issue."

CloudAudit is a simple specification for how information around control frameworks is presented, Reese said: "If I'm a customer of cloud services and I need a HIPAA-compliant cloud vendor, I can go to that vendor and ask a certain set of questions that will tell me what their assertions are with respect to HIPAA."

The idea is that cloud service providers will have this data readily available or, at the very least, be willing to provide it to potential customers. Armed with the standardized information, customers of cloud services will be able to more easily compare providers.

Providing this information benefits providers as well as potential customers. The cost of responding to a potential customer's compliance questionnaire may be minuscule for a large vendor, but a small vendor charging, say, five cents an hour for CPU may find it burdensome to provide that information multiple times, Reese explained. With CloudAudit, vendors can publish the standardized information once and simply keep it current.

To further complicate matters, there is a lack of regulatory guidance associated with cloud computing technologies. "The regulations were written decades ago before the technology existed, so they don't address issues related to the cloud. These unknowns keep banks away," McPartland said.

The big audit firms try to stay ahead of the game by understanding how technology works, but they offer only limited guidance. "They have their interpretations of the law, but a law firm or audit firm opinion is still not a regulatory blessing," McPartland said.

While cloud computing providers are responsible for demonstrating compliance to potential customers, regulators may see the matter differently. "Regulators may say that it doesn't matter what downstream providers promise. A bank could get all the promises they want but still be liable," said Paul Miller, founder of U.K.-based consulting firm Cloud of Data.

Erring on the side of caution, many banks are choosing to wait for guidance from regulators on how they should view cloud computing technologies. "The SEC clearly has its hands full with implementation of regulations, so this is low on the list of priorities. It will be a couple years before [banks receive any guidance]," McPartland said.

Those banks that wish to move forward with public cloud computing are advised to go slowly. "Take the applications and use cases that you think might work in a cloud environment and try them one at a time. Do as much due diligence as possible to make sure the technology is within the letter and spirit of the law," McPartland said.

"Make sure your contract and SLA are watertight. Put in place some kind of inspection regime. At the end of the day, take a calculated risk," Miller said.

Private clouds: Cost savings and security

For many banks, a calculated risk is understandably too much to stomach. Instead, they are considering an internal cloud. "There is a lot of traction on the internal cloud front. Drivers are cost savings more than anything else," McPartland said.

Such is the case for McHenry Savings Bank, based in McHenry, Ill. The full-service community bank runs all of its storage in a private cloud. "At first we only virtualized the server farm, then we realized the advantages and moved all of the desktops to the cloud as well. Now everything connects to two storage units," said Bryan Nash, senior vice president of IT and chief information officer of McHenry Savings Bank.

Workstations connect to the internal cloud for applications and local storage via a Pano Device from Redwood City, Calif.-based Pano Logic Inc. The Pano Device is a stateless desktop computing hardware device that connects input-output devices like keyboards and display devices to a virtualized Microsoft Windows OS running in the data center. This setup has eliminated resource utilization issues for end users. "Now if they need more horsepower, it's there for them. As long as I have resources available," Nash said, "I can make them available to more people, and I can always add to it. I had a SAN that was filling up, so I added another in the cloud."

The internal cloud and virtualized desktops save McHenry Savings Bank money in a number of areas. The bank now saves more than $1,000 a month in electricity costs alone, and it has also seen savings in labor. The IT department no longer has to deal with physical end-user machines going bad, and all administration tasks are centralized in the cloud. The department, which consists of two full-time and one part-time staff members, manages 135 virtual machines and 12 hosts, plus routers, switches and security.

Moving all storage to an internal cloud has also improved security. "Before, every desktop was vulnerable: people could store data on their local PC, hook up USBs. Now if someone steals a Pano, they get nothing. They can't plug in USB devices or CD burners," Nash explained.

The bank's use of the public cloud is limited to Google Apps. The board of directors uses it to share information like board minutes, which are not confidential. Otherwise, like many others in the financial services industry, McHenry Savings Bank is taking a wait-and-see approach. "At this point, we're waiting to see what happens for security. When you start looking at vendors, you try to figure out who controls the security and where data is stored," Nash said. "Who owns the data? Who can have access to it? What happens if it gets hacked? Nobody will really tell you."

About the author:

Crystal Bedell is a freelance writer specializing in B2B technology. She can be reached at cbedell@bedellcommunications.com.