The Pros and Caveats of the Enterprise Cloud
The cloud is rapidly becoming a preferred method of delivering on-demand computing resources. Research firm IDC predicts that 45.5% of corporate Information Technology (IT) will be delivered via the cloud by the end of this year. Gartner estimates that more than 60% of banks will process the majority of their transactions in the cloud by 2016.
Based on all the interest, one would think that cloud computing is something new and innovative. Not so: Banks have been outsourcing technology for many years and cloud computing is just a different outsourcing deployment model. That said, cloud computing does present unique security and regulatory challenges from other outsourcing models. And while cloud computing is not a silver bullet, for most financial institutions, the pros of this outsourcing model significantly outweigh the cons. The key is to embrace the pros and manage the operational, risk, and governance considerations.
The business case for moving applications to the cloud typically revolves around three strategic drivers:
Financial. Since applications and services are delivered over a shared infrastructure consisting of servers managed by a third-party provider, the bank does not incur the capital expenses of hardware and software. Instead of Capex, the bank moves to an Opex model that doesn’t require amortization of expenses or a long-term financial commitment. Since the bank only pays for its usage at any given time and can contract for volume increases without ramping up internal infrastructure, cloud computing is very attractive for cyclical businesses such as mortgage lending.
Business agility. Cloud computing allows financial institutions to focus on their core business rather than wasting valuable resources on non-value added utilities. Time and money that was spent on commodity technology such as core processing or data storage can be reallocated to customer-facing systems. Cloud provides banks more flexibility to enter and exit new product spaces quickly without investments in technology or people. In addition, the interoperability of most cloud computing applications allows banks to choose from many best-of-breed components to deliver a unique final offering.
Increased competitive advantage. The ability to “rent” rather than buy technology levels the playing field for smaller banks since they now have access to the same capabilities as larger banks and can take advantage of new products and innovations without a capital expenditure. And the ability to access distributed capabilities from anywhere expands the geographic reach of a bank without an investment in brick and mortar.
While the benefits of the cloud are compelling, there are a variety of caveats banks must address:
Data control. The U.S. has well-established data privacy and security standards, but those standards do not apply across the globe. Since data stored in the cloud could be located anywhere in the world, banks must work with the cloud provider to ensure that data controls are adequate to meet U.S. compliance regulations, keeping in mind that the bank is ultimately responsible for any data breach regardless of where that breach occurred.
Determining where the data resides, who “owns” the data, and whether or not appropriate controls are in place can be a resource-intensive, on-going task. As banks source more data to the cloud, they’ll need to streamline processes and procedures to manage cloud data governance. To achieve economies of scale and ensure data management compliance, it usually makes sense to centralize the vendor management function at the bank.
Security and privacy. Ensure that the cloud provider adheres to established requirements around data loss protection. Outsourced data should reside in a SSAE16 environment. It is important, however, that the bank establish and retain policies and standards around user entitlements to applications and data.
Audit and assurance. Adopt more audit processes and incorporate additional vendor management capabilities for a cloud computing initiative.
Vendor “lock in.” Make sure that the vendor works well with others. Not only does that mean ensuring that the vendor solution is interoperable with both internal solutions and solutions from other third-party providers but that the bank has unrestricted access to its data. Some vendors will try to hold data hostage by charging the bank for access to its own data. Contracts should clearly state the vendor data access policy.
IT operations. Each bank, depending on their current technology infrastructure, staffing, bank culture, and risk assessment, will answer the question of which IT services and applications are best suited to the cloud differently.
For most banks, the core accounting system has become a commodity but for others, customization of the core system is a differentiator. Only the bank can make the determination whether outsourcing to a cloud model makes sense. Because bank strategy evolves over time based on market, economic, and competitive issues, revisit the cloud strategy on a yearly basis.
IT readiness. Alignment with enterprise risk and governance strategy will help financial services institutions address the operational hurdles of cloud computing adoption and ensure that the pros of cloud computing significantly outweigh the cons.
Almost all banks could benefit by moving some applications to the cloud even though deploying cloud computing for enterprise applications is not without risk. However, banks can manage these risks with a strong data governance policy, vendor due diligence and a clear understanding of how cloud computing fits into the bank’s overall IT infrastructure. For the vast majority of banks, the pros of cloud computing will outweigh any negatives.