In this first bobsguide blogger (aka contributing editor) submission from Barclays’ CIO Andrew Witney the issue of cloud computing is addressed. The pros and cons of private, public and hybrid cloud solutions for financial services (FS) firms are examined alongside uptake; the Infrastructure (IaaS), Platform (PaaS) and Software-as-a-Service (SaaS) models; and the inherent security, regulatory and technological factors.
Before I discuss the use of cloud computing in financial services I’d like to first define what is meant by the term ‘cloud’ as the detail is important and there are many differing views. The US National Institution of Standards and Technology (NIST) defines it as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. The ‘NIST Definition of Cloud Computing’ document also points out that there are many identifying characteristics of cloud projects and three main service models - IaaS, PaaS and SaaS - and four deployment methodologies ranging from private, community, fully public and hybrid options which mix elements of the earlier options.
There are many other definitions available but however you describe it cloud computing is a big technology issue for chief information officers (CIOs), chief technology officers (CTOs), IT architects and other technologists to be aware of as it is increasingly adopted.
With or without a good common definition at a detailed level - and I still think some commonality needs to be agreed upon here - the rise of the cloud has been prevalent for years. Adoption is being driven on by cost pressures and the complexity of maintaining large legacy estates. For many firms the use of the cloud as part of an overall technology strategy has moved from an issue of ‘if’ to one of ‘when’, if indeed it hasn’t already been adopted.
Cloud computing is now broadly accepted as a key part of most organisation’s forward high-level planning. The question is what shape their cloud should take; which model can be utilised at sufficient scale to make it cost effective and operationally efficient; and when and how to implement the cloud. This is what I intend to examine on this bobsguide blogger discussion, looking at the issue from the perspective of the financial services industry.
Cloud Computing Explained
Cloud computing service models can broadly be characterised as one of the following: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).
• IaaS: at a simple level defines and delivers a set of basic infrastructure, servers, networks and storage, and has the ability to provision and remove these resources in a dynamic fashion.
• PaaS: builds on the basic IaaS capability and adds an integration layer, normally a traditional middleware type solution or set of REpresentational State Transfer (REST)-based interfaces. The integration layer provides a set of development tools and the ability to deploy developed application code into the environment.
• SaaS: goes a step further by offering a fully blown application and associated functional capabilities to the mix.
These service models can either be delivered via a ‘public’ cloud offering, accessed via the internet, or ‘private’ cloud internal offerings, using existing data centres and network capabilities – or indeed a hybrid combination of the two is possible. Herein lies a key issue – namely, the security and regulatory challenges surrounding public cloud offerings in the FS sector. These considerations can potentially be more complex than the solution itself.
There are two key questions to consider and it is unwise to be deaf to the second by the apparent financial lure of the first:
- Can we become more financially efficient in a real and sustainable fashion?
- Will our data be safe in the cloud and can we prove this assertion to the satisfaction of the firm (e.g. audit, compliance, fraud FS departments, etc) and also to the regulator and the customer?
To be able to answer these questions, a key consideration is the use to which the cloud is put. Is it something to be used for development and testing purposes, or is it something that we would consider for running production services? Existing cloud solutions today already offer production services and have run into trouble with some regulators, so you should be mindful of the watchdogs when planning cloud projects.
Given the immense regulatory scrutiny on financial institutions (FIs), it represents a particularly searching challenge for the FS sector. Although there seems to be general acceptance of cloud computing as an increasingly widespread technology option for the future, how we get there in a controlled manner - with regulatory approval - is far from clear in these early days of the FI move towards the cloud.
The Private Cloud, Standardisation and Legacy Considerations
The private cloud is the easier, more secure and ‘regulator acceptable’ answer for many large organisations at present. Big FS and other firms typically have server farms and virtual server environments already which share a close proximity to the cloud model already - with the addition of self-service provisioning capabilities they can provide everything you need to define them as an IaaS.
At this point it then becomes a question of scale - are you a large enough organisation to justify the expense of building out a large server and storage environment? This, however, is not the full story as the real challenge for most large organisations is the legacy estate. No large-scale financial firm has a truly homogeneous estate that is easy to migrate to a highly standardised environment.
Having a strategy to standardise and replace legacy is key for both private and public shared cloud solutions, but it does mean that large-scale adoption of cloud strategies can have a substantial up front capital cost. While this might make the initial adoption of the cloud (both public and private) challenging, once this path is taken the on-going benefits in terms of cost, scale and support are significant. Clouds impose a level of standardisation that can otherwise be difficult to justify and hence achieve.
Once a standardisation strategy is in place, the road from IaaS to PaaS, and logically to SaaS, should be relatively straightforward one, provided one additional key item is considered - a well formed application processing interface (API) strategy is essential.
The true power of cloud lies beyond the IaaS world and is largely defined by PaaS. If you have a PaaS solution then an easy to consume set of APIs is paramount to success; otherwise adoption will be slow and likely to falter. Therefore, when looking to buy a public PaaS service the richness of the APIs should be one of the key assessment criteria.
Public Cloud and Security Factors
The security question for a public cloud strategy is more difficult to answer but does need to be nailed down before launching into an implementation - if you cannot provide a secure environment then you shouldn’t press ahead. It is also crucial to future proof the solution because the landscape will change and potentially rapidly.
The big challenge is around control. One of the major benefits of the public cloud is not having to worry about the implementation details - servers, storage, networks etc - which are all managed directly by the cloud vendors; the end user just has to manage demand. The downside is how to ensure the correct level of security; resilience; disaster recovery; data protection and access. These all need to be provided under any model. A contract that says they will be is of little use if there is a regulatory breach - it will be the firm’s responsibility anyway so the FS provider rolling out a cloud solution has to bear this in mind and act accordingly.
The bar to introducing the cloud, in terms of satisfying internal guarantees of safety and proof, could be very high and while an organisation might be happy in principle to have data in the cloud, many would be cautious about putting their payments processing or accounting platform (and data) into an external environment.
Fundamentally this comes down to an issue of trust and firms’ ability to properly audit the cloud vendors’ solutions. Until the FS industry tackle these issues we will never get key customer services into a public cloud in a way which satisfies all stakeholders. Implementing the cloud ahead of this resolution makes one a hostage to fortune, as the fallout from stability / resilience and security issues for all market players is very impactful when just one of them has a serious issue. If there was ever a breakdown of data segregation with a cloud provider, all other such solutions would inevitably come under scrutiny and potentially need rewinding at vast cost. This is why getting it right from the beginning is crucial as there is no room for trial and error here.
To avoid or postpone the headache of having to unwind cloud solutions or to prove the infrastructure’s security and reliability, the obvious first step would be to adopt a public cloud for development and testing purposes. On the face of it seems an easy and safe step to take. Processes are exercised, strategy takes shape and progress is made consensually - everyone is happy. However, the controls needed for a public cloud environment for many firms would need to be much stricter than they are today on internal networks. In fact one would need an equivalent level of control as is maintained on a production site (e.g. locked down access control, stringent change control processes, etc). The apparent financial / speed benefits could be compromised by the additional controls. In the end we could end up making things slower by attempting to make them faster because we believe we can generate efficiency.
The selection and adoption of public cloud technologies is a challenging undertaking and has yet to really take off in the FS industry, except for some niche areas. The cloud will eventually come to the sector but we do have many obstacles to overcome first, before it can truly deliver on its potential promise of speed and efficiency.
• For further stimulating technology discussions, viewpoints and blogs please visit our new bobsguide blogger (aka contributing editor) landing page, where you can view a selection of blogs about mobile financial services (MFS), information security and capital markets from the Mobey Forum, ISACA and the FIX Trading Community respectively. Other BG Bloggers on transactional banking and a range of other topics can be viewed here.