Banking’s ‘Sweet Spot’ in the Cloud

Cloud may be just the latest point in outsourcing’s long arc, but for banks, it promises to be one of the most significant, if complex. Significant because cloud’s value is proving to be vast and varied at the precise time that banks are eager to lower costs increase capital and move fast on IT. Complex because cloud formations come in as many shapes and sizes as there are bank strategies. Rampant cybercrime only adds to that complexity.

The cloud conversation at many banks has been reenergized by regulators’ latest demand for higher bank capital levels. Cloud offers the tempting opportunity to shrink capital expenditures on technology and shift them to operating expenditures.

Agility and time-to-market also augur for a more aggressive cloud strategy. When a competitor ups the ante on your mobile application and your bank wants to quickly match it to avoid losing customers, saying “months or weeks” is unacceptable. If cloud can answer “hours and minutes,” cloud is where that application is going.

And cost remains a powerful force behind cloud. At 14.3%, banks’ Information Technology (IT) spending as a percent of total costs (14.3%) is highest of all industries. Measured another way, as a percentage of revenues, banks’ IT costs (7.3%) are about twice the average across all industries surveyed (3.7%).

According to our research, U.S. financial institutions are steadily committing more firmly to advancing their cloud commitments in the interest of performance and cost. Many tell us, “We are already cloud-enabled and proactively growing more so.”

Others say, “Private cloud only for us. Even though we are still on the hook for the capital expenditures, we think a good partner can help us operate it efficiently without our sacrificing control.”

Others are adamant but for a different reason: cybercrime. “It’s going to take a pretty convincing security arrangement for us to put much more than mail and web services out there. We’re not saying never – after all, security keeps advancing. Just not now.”

With so little settled science on the matter, making the right decisions for your bank’s cloud strategy calls for a three-pronged re-examination involving selection, securing and managing.

Selecting the Sweet Spot 

Aging tennis greats are known to adopt bigger racquets for a more generous sweet spot so that more of what they touch demonstrates their shot-making brilliance. In the same way, as cloud’s capabilities expand, banks are finding that they can get the performance they need from more and more applications.

Even the most avid cloud advocates acknowledge that banking’s core applications will probably not reside on public clouds any time soon. But currently their transition to private clouds is inexorable for cost and agility reasons, if cautious for security reasons.

Hardly any bank of any size objects to putting its least sensitive non-core applications like web services, marketing brochures, print file servers, and even customer-facing apps like mortgage rate calculators out on a public cloud. And for speed, they are shifting application development and testing there, too.

But between core and non-core is where banks are increasingly taking advantage of cloud’s widening sweet spot for carefully chosen applications. One major consumer of IT resources is email, for example, clearly a business-critical application that most banks would claim needs 100% availability all year around but few see it on a security par with the DDA system. That’s why email is often a good candidate for a secure cloud – public and private, depending on the bank.

Contrast that with an app for employee healthcare enrollment, where usage spikes in November and plummets for the rest of the year. With all the sensitive employee information it contains, that’s high-security but middling availability most of the time. Likewise, the corporate tax application: peak availability in March and April, low the rest of the year, but high security requirements. Those characteristics might indicate private cloud, but with substantially lower resource requirements. The key is to migrate your applications based on your business needs of security, availability and performance.

Not all your apps require the highest degree of security but security is always a prime consideration. Last year, 88% of attacks initiated against financial services companies were successful in less than a day and 34% were successful within seconds, according to a Verizon study. Yet only 21% of these attacks were detected within a day and only 40% of those attack detections were restored within a day.

Identity and credentialing is a key line of defense in preventing unauthorized access. Every new breach and every new warning make it clear that traditional identity checks are insufficient. Only with multiple factors of authentication, including more sophisticated biometrics that emerge every day, combined with multiple security layers, can you be confident that the person conducting any transaction in or around your bank is the right person.

But even before access comes awareness. If cybercriminals can be prevented from even detecting your activity or transactions (and they can), then they won’t even try to gain access. Organizations with the most sensitive functions and data stores in the world, including law enforcement, are increasingly protected by this “cloaking” technology that makes your data communication endpoints “dark” on a network.

Cloud raises the bar for effective IT management, even while complicating it. IT still needs the same information – performance, cost, security – but with cloud they need to assemble it from different sources with mismatched dashboards, such as their own data centers, their private cloud and multiple public cloud providers.  The moment they venture into cloud, they need to set up a mechanism for assembling the information that answers this question quickly, no matter how diversely the separate units report it: “Are we making optimal use of the cloud and non-cloud resources we are paying for?”

There are also governance and financial control matters to consider. Who is permitted to see and access which applications on which clouds? Who is permitted to acquire cloud resources, what are their spending limits, and how are those monitored and controlled? Back to our example of the HR health benefits enrollment application: suppose HR provisions public cloud resources on its own? The bank ends up with a large block of resources barely utilized most of the year but IT is unable to track the resources or make them available to other apps during non-peak usage. Poor governance of your cloud model creates “shadow IT” in data silos, along with cost and security issues.

As the practice of “cloud bursting” – dynamically shifting a private cloud app to a public cloud when computing capacity peaks – becomes more prevalent, management will need to be diligent in staying on top of the security, regulatory, and compatibility issues that attend to such a hybrid environment.

Mr. Olson is vice president, Global Financial Services, Mr. Lacey is vice president, Data Center Transformation Solutions & Services, and Ms. Almad is senior global marketing manager for Cloud Solutions for Blue Bell, Penn.-based Unisys Corp. They can be reached at [email protected], [email protected], and [email protected]