You'd have to be living under a rock these days to avoid hearing about the benefits of cloud computing. Heck, even Microsoft is promoting the cloud in its Windows 7 television commercials. But does a technology that's pitched to consumers have a place in a highly regulated industry like financial services? Analysts and IT professionals agree: Maybe, in the future.
"The cloud is certainly on everyone's radar, but there are a lot of issues still to be resolved on the process and regulatory side," said Kevin McPartland, senior analyst at Tabb Group, a Westborough, Mass.-based research and advisory firm focused on capital markets.
"Banks are not using commercial external clouds like Amazon and Google. If they use external clouds, it will be many years away. But quite a few are looking into internal clouds for IT systems, testing and less mission-critical apps. The cost savings that can be had are so big, it's impossible for CIOs to ignore the opportunity," McPartland said.
Cloud computing technologies promise cost savings as a result of more efficient resource utilization. In the case of public clouds (or commercial external clouds), all the hardware is managed by the cloud provider. The customer pays only for the computing resources it uses and no more. A private cloud (or internal cloud) is a computing architecture that delivers services to users behind a firewall. IT departments still save on hardware because they see better utilization of resources, which are delivered dynamically.
Lack of visibility = a lack of security
In the case of private clouds, the organization has complete control over its data and security. However, public clouds offer little in the way of service-level agreements and visibility into security, thanks to their distributed nature. A customer's data can be stored and moved between any number of data centers located around the world. "One of the phrases I've heard is, 'It's 5:00, do you know where your data is?,'" said Doug Johnson, vice president of risk management policy at the American Bankers Association.
"It's important for us to know what the security provisions are. Banks are used to having data internally or at a third-party data center where they can go and kick the tires. That's a challenge when computing is distributed," Johnson said.
This lack of visibility into the security of a cloud environment changes the way banks and other organizations in highly regulated industries must think about risk management. "An infrastructure that you know something about is inherently less risky than one you don't know anything about," said George Reese, chief technology officer of enStratus Networks LLC, a Minneapolis-based provider of cloud infrastructure management. "But that doesn't mean a public cloud is less secure than a private data center environment. It just means that you'll always have less information about that environment from which to make decisions about security," Reese said.
Case in point: A cloud provider might take a Fort Knox approach to security. But a lack of knowledge about the external data center represents a tremendous risk to a potential customer, explained Reese. "In order to be secure in the cloud, you need to be able to get answers to questions about what the provider is doing in the cloud," he said.
To further complicate matters, there is a lack of regulatory guidance associated with cloud computing technologies. "The regulations were written decades ago before the technology existed, so they don't address issues related to the cloud. These unknowns keep banks away," McPartland said.
The big audit firms try to stay ahead of the game by understanding how technology works, but they offer only limited guidance. "They have their interpretations of the law, but a law firm or audit firm opinion is still not a regulatory blessing," McPartland said.
While cloud computing providers are responsible for proving compliance to potential customers, regulators may see the matter differently. "Regulators may say that it doesn't matter what downstream providers promise. A bank could get all the promises they want but still be liable," said Paul Miller, founder of U.K.-based consulting firm, Cloud of Data.
Erring on the side of caution, many banks are choosing to wait for guidance from regulators on how they should view cloud computing technologies. "The SEC clearly has its hands full with implementation of regulations, so this is low on the list of priorities. It will be a couple years before [banks receive any guidance]," McPartland said.
Those banks that wish to move forward with public cloud computing are advised to go slowly. "Take the applications and use cases that you think might work in a cloud environment and try them one at a time. Do as much due diligence as possible to make sure the technology is within the letter and spirit of the law," McPartland said.
"Make sure your contract and SLA are water tight. Put in place some kind of inspection regime. At the end of the day, take a calculated risk," Miller said.
Private clouds: Cost savings and security
For many banks, a calculated risk is understandably too much to stomach. Instead, they are considering an internal cloud. "There is a lot of traction on the internal cloud front. Drivers are cost savings more than anything else," McPartland said.
Such is the case for McHenry Savings Bank, based in McHenry, Ill. The full-service community bank runs all of its storage in a private cloud. "At first we only virtualized the server farm, then we realized the advantages and moved all of the desktops to the cloud as well. Now everything connects to two storage units," said Bryan Nash, senior vice president of IT and chief information officer of McHenry Savings Bank.
Workstations connect to the internal cloud for applications and local storage via a Pano Device from Redwood City, Calif.-based Pano Logic Inc. The Pano Device is a stateless desktop computing hardware device that connects input-output devices like keyboards and display devices to a virtualized Microsoft Windows OS running in the data center. This setup has eliminated resource utilization issues for end users. "Now if they need more horsepower, it's there for them. As long as I have resources available," Nash said, "I can make them available to more people, and I can always add to it. I had a SAN that was filling up, so I added another in the cloud."
The internal cloud and virtualized desktops save McHenry Savings Bank money in a number of areas. The bank now saves more than $1,000 a month in electricity costs alone. But it has also experienced savings in labor. The IT department no longer has to deal with physical end-user machines going bad, and all administration tasks are centralized in the cloud. The department, which consists of two full-time and one part-time personnel, manages 135 virtual machines and 12 hosts, plus routers, switches and security.
Moving all storage to an internal cloud has also improved security. "Before every desktop was vulnerable, people could store data on their local PC, hook up USBs. Now if someone steals a Pano, they get nothing. They can't plug in USB devices or CD burners," Nash explained.