Cloud computing feature: Come rain or shine?
Written by David Adams
Unusually for language used in the IT world, there's something quite poetic about the term 'cloud computing'. It sounds pleasantly distant from the mundane reality of servers and silicon. Looking at it in a more negative way though, clouds can be opaque, or dark and threatening. David Adams investigates if the cloud is going to bring rain or sunshine to the financial services sector.
The cloud can be difficult to grasp, which seems appropriate, as there is still some confusion over exactly what cloud computing is. Wikipedia has its faults, but I applaud the efforts of its editors to keep up with the evolution of the phrase. This time last year it defined cloud computing as "... a style of computing in which IT-related capabilities are provided as a service... from the internet ... without [users'] knowledge of, expertise with, or control over the technology..."; noting that this could refer to software as a service (SaaS) as well as to the hosting of technology platforms or infrastructures.
It's now changed its mind about SaaS, on the grounds that such services could be delivered via dedicated servers (although SaaS can be and often is provided in a cloud environment) and has brought its definition in line with the sorts of cloud-based services now available to business users. Cloud computing is now "...internet-based computing, whereby shared resources, software and information are provided to computers and other devices on demand... Typical cloud computing providers deliver common business applications online which are accessed from a web browser, while the software and data are stored on servers."
Some people think the phrase doesn't mean anything at all, of course. Larry Ellison, CEO of Oracle, famously criticised the term when he stated at the 2008 OpenWorld event that cloud computing simply meant "everything that we currently do" and that it will have no effect except to "change the wording on some of our ads" (see FST's blog or Twitter accounts to hear it).
Despite some people's hostility to the term, however, the fact remains that cloud computing's attractiveness continues to grow. The fundamental advantages of the concept haven't changed: economies of scale; the fact that money spent on it can be classed as operational rather than capital expenditure; and the flexibility and power of web-enabled access to IT capability. There is no doubt that the cloud can be both efficient and effective, operationally and economically, if you are clear at the start about what it is that you are setting out to achieve. The challenge is to find a way of using it that is suitable for the task at hand.
When it comes to cloud computing's use in the financial services sector there are still some practical and cultural concerns to be overcome. There are plenty of people working hard to win the argument. The past year has seen the launch of initiatives including the Cloud Industry Forum (CIF), a sub-group of the Federation Against Software Theft that aims to develop a code of conduct for standardisation and certification of cloud service offerings; and the Enterprise Cloud Buyers Council (ECBC), a cross-industry group including Deutsche Bank, IBM, Microsoft, Cisco and various telcos that aims to accelerate commercial availability of managed and secure cloud services by overcoming problems related to security, interoperability and other issues impeding adoption.
The financial sector should be one of the places where the cloud finds most favour, according to Matt Moynahan, CEO at on-demand cloud-based application security testing firm Veracode. "The ability to cost-effectively dial up and dial down computing infrastructure or utilities as you need them means cloud computing is going to be a very significant service capability in financial services."
Yet while you might think financial companies would be leaping on anything that generates cost savings right now, we are still some way from widespread adoption of the cloud in this sector. "Other than in the SaaS space we haven't yet seen the big moves we were anticipating," says Michael J Redding, global managing director of Accenture Technology Labs. He believes that the launch of Microsoft's Azure cloud platform, fully available on a commercial basis from early April 2010, may provide some impetus, as more companies start using it to run web applications and batch processing; and in the development of web services.
But Microsoft may not be the ideal standard bearer for a technology still regarded with suspicion by sceptics on reliability and security grounds. "From my perspective, having conversations with enterprise customers, the fundamental business benefits [of the cloud] are now evident to most senior managers, but they still have significant concerns about security and availability," says Darren Ratcliffe, Fujitsu UK and Ireland's chief architect for Infrastructure as a Service (IaaS - yet another variant you'll notice).
Fujitsu's IaaS platform is delivered via what Ratcliffe calls a 'trusted cloud'. "It's a private cloud that allows our customers to consume cloud services while maintaining the same level of security as a traditional outsourced service," he claims. The services are hosted within Fujitsu's UK-based data centres. "Some [financial sector clients] are into their third generation of outsourcing and they're looking to us and others to help them drive down budgets by providing something more flexible," Ratcliffe continues. "They're looking to drive cost savings through the adoption of Infrastructure as a Service, rather than deploying new infrastructure."
Case Study: Butterfield Bank
Where the cloud is used by financial companies it generally runs non-core applications like email, collaboration, storage, and non-confidential data management. In 2007 Cayman Islands-based offshore financial services provider Butterfield Bank started using a cloud-based hosted email solution provided by Mimecast. It did so in part as a business continuity measure, in the light of Hurricane Ivan wrecking much of the islands' energy and communications infrastructure in 2004, knocking out the bank's email system for a week.
This was not a decision the bank took lightly, says Butterfield Bank chief technology officer (CTO), James C Knapp. He and his team asked tough questions about whether the solution could be trusted to protect the sensitive information passing through its email system, including transaction information and account details. "We looked at the security that Mimecast was providing and the encryption capability they could provide for all email between our locations and it was equal to what we would do ourselves," Knapp recalls. "And it got it off-island, so if we had an infrastructure problem here everyone would still be able to access their email."
The solution also offered a superior spam filter and a secure online archiving capability, created an effective audit trail and required the installation of no additional software on local desktops. "It integrated with Exchange so we didn't have to put anything else on the machines and the archive capability meant we didn't have to archive," says Knapp. He has absolutely no doubt this was the right decision. "Once the due diligence was done and we knew they were a good company and that they had a customer list that was significant - and satisfied - this was the easiest sell in the world to the board." Butterfield Bank has now moved its entire IT infrastructure off-island as part of a company-wide consolidation and standardisation programme, with all internal systems now hosted in Canada.
Security and proprietary concerns
In 2009 the EU's European Network and Information Security Agency (ENISA) published a major report examining the benefits and risks of cloud computing from a security perspective. The authors compiled a detailed checklist of criteria to be used by companies assessing potential cloud providers. They also identified some potential security benefits. "The scale and flexibility of cloud computing gives some providers a security edge," said ENISA's executive director Dr Udo Helmbrecht at the report's launch. "For example, providers can instantly call on extra defensive resources like filtering and re-routing. They can also roll out new security patches more efficiently and keep more comprehensive evidence for diagnostics."
There are also cloud services that can help improve security, like MessageLabs' cloud-based email filtering service; or Veracode's SecurityReview application risk management services platform, which includes a service for security assessments of applications developed internally, offshore, or bought off the shelf. Customers include Barclays, Fidelity and credit reference agencies Experian and Equifax.
"Banks outsource a lot of code development to third parties, they're on the hook for 100 per cent of the liability and they're not building the code, so many of them set a guideline that all code must reach x level of security, regardless of who wrote it," explains Veracode's Matt Moynahan.
"But code comes from all over the world, it may be in different forms, in very different sizes. Ensuring it all meets your guidelines would require huge resources. With the cloud no hardware or software needs to be deployed - thus solving the resources problem."
Nonetheless, concerns persist, particularly around the storage of data (although there are plenty of cloud services in which no data passes into the cloud, as with the Veracode service). Clearly, the drafting of the Service Level Agreement (SLA) is crucial, as is compliance with data protection legislation. But, suggests Accenture's Redding, this combination of security and compliance issues continues to hold up adoption of cloud technologies. "It's almost that the compliance issue drives the security issue," he says. "Here in the US, with all the scrutiny the sector has come under in the last ten years - and the last 18 months in particular post-crunch - the financial sector has taken a beating in the court of public opinion. No-one's sure what would or wouldn't be compliant and therefore they're kind of hesitant. This is a new frontier and everyone's nervous."
Then there's the fear that a company will end up trapped with one particular service provider. Only standardisation and interoperability between technologies will eliminate that problem from a technical perspective: until then the onus has to be on each end user company to ensure this issue is resolved in the SLA and at a contractual level.
Finally, there is a cultural reluctance to outsource which persists in some parts of the sector, impeding the adoption of cloud computing. "The first question I always ask a bank is 'who prints your statements?'," says Accenture's Redding. "The bank probably has several vendors they share the file with - the most sensitive information of all. But that's OK. And the reason that's OK is that they've had 20 years to build trust, to put controls in place with the vendors. It comes back to trust. The cloud providers have got to earn their trust and prove they can live up to the necessary service standards."
If trust can be earned, what's next for the cloud in the financial services sector? Andy Burton, chief executive of Fasthosts Internet and chairman of the Cloud Industry Forum (CIF), can't imagine that functions closely related to a financial company's brand, like online banking, will go into the cloud any time soon. "I see the biggest trend being in areas which don't provide differentiation, but do provide a lot of the basic IT governance capabilities you need: things like back-up, storage of information, collaboration," he says.
Andrew Yeomans, a member of the management board at international IT security association the Jericho Forum and also vice-president of global information security for an investment bank, is sure the cloud will soon play a bigger role in the City. "Financial modelling: the ability to do certain amounts in house, then push peak load processing outside onto other systems; that's one key area," he says. "And some of the ways that stock exchanges operate, with very high volumes and very low latency, would benefit."
That's a trend that Accenture's Redding also highlights. "Some of the capital markets institutions, who live and die by the millisecond, seem to be the most open in holding discussions," he says. "Because they're so used to pushing the envelope they will look at every technology that could be a new source of advantage - or disadvantage if they don't get it. They seem most keen to work through the issues and see if it's viable. Maybe it's because of the volatility of their business compared to retail banks and insurance companies." Redding also predicts more use of the cloud in another niche: the construction of bridges and interfaces used to transport personal and financial customer data between firms involved in M&A activity, as an alternative to the purchase of new hardware and software. "Often there is a need to rapidly stand up parallel systems and do one-time-only data conversion and all the clean up and repair that happens when you're merging customer record sets," he explains. He also expects to see more use of the technology in business continuity functions.
Far from being wispy and insubstantial, the cloud has the potential to become a central feature of IT architectures in the financial services sector. All that has to happen is that companies have got to learn how to harness its power in a secure and compliant way. "I look at it as the future of computing," says Butterfield Bank's Knapp. "You eliminate desktops, it's all controlled somewhere else, you log in anywhere that you're at and have all the information that you need, as well as all the applications." He's probably right: but it's still unclear when the rest of the sector will feel truly safe in the clouds. For now the forecast is overcast with neither rain nor sun coming out of the cloud.