Cloud Computing in Banking, the Big Debate

Gartner estimate cloud computing will grow from a market worth $36 billion in 2009 to over $160 billion by 2015, with around a fifth of all firms relying on the cloud for significant parts of their technology operations by 2012.

A recent FS Club debate on the current state of cloud computing for the financial services industry drew an oversubscribed and enthusiastic audience of over 130 attendees. Cloud computing is hot, but what was the interest and why?

Cloud computing in financial services has been discussed for a while now, but has only just got onto the mainstream agenda thanks to the increasing adoption of cost saving ‘as a service’ software such as Salesforce.com.

Compared to two years ago when the FS Club surveyed over 200 financial professionals worldwide and found financial institutions still lacked a clear vision and way forward in the cloud.

Today, there is a wide range of applications from general hardware clouds, application clouds for CRM, HR, and financial management to specific banking applications. For example mint.com brought Personal Financial Management to sizable community of five million users using Software-as–a-Service as its business model and offering.

The Cloud Debate

The debate began with opening statements from four prestigious keynotes from:

• Christopher Clack, Director, Financial Computing MSc Programme
• Matt Wood, Technology Evangelist, Amazon
• Tony Emerson, Banking Industry Director, EMEA, Microsoft
• Steve Ross Talbot, European Technology Officer, Cognizant

Defining the Cloud

Matt Wood said Amazon sees the cloud as an opportunity to deliver highly scalable computer services provisioned by the Web. Amazon offer Elastic Compute Cloud (Amazon EC2) for computing power that also includes storage, middleware and database, provisioned quickly and in an agile way over the Internet. This service is available on demand and based upon pay-as-you-go pricing, with no initial costs or upfront obligations. Gigabytes are charged per month for storage, and servers are charged by time - about two cents per hour.

Steve Ross-Talbot of Cognizant spoke next, and outlined the background to cloud being based upon grid computing and virtualisation, where complex analytics were required. He suggested that if the CPU power of desktop machines of banks were underutilised, it made sense to link all that compute power together.

The move to cloud really progressed when VMware, Microsoft, Data Synapse and others first offered hosted services to support computing operations.

Christopher Clack of UCL viewed cloud computing as a development beyond utility computing but it is important to distinguish between Hardware as a Service (HaaS) and Software as a Service (SaaS). They provide solutions to different business problems.

Using the Cloud

Platform-as-a-Service (PaaS) is an equaliser for small to medium sized companies to compete, as they can target large firms with the same level of technology capability, without having to invest in the infrastructure and capital expenditure they would have required in the past. They just purchase as they go.

For large firms, it is equally important to use PaaS, as it allows them to make more efficient use of their own resources through flexible project teams.

Start-ups also favour cloud computing as they don’t have to invest a lot of capital to get set up. That’s how Mint grew their business, from zero in November 2006 to 4.5 million users in December 2010, when they were acquired for $170 million.

Tony Emerson of Microsoft stated that over sixty percent of Microsoft’s development resources are now focused upon cloud enabling Microsoft products and the Windows Azure range of services. Hotmail for example has been running in the cloud since it started, it just wasn’t called cloud back then. Similarly, if you run Office 2010 many of the features are downloaded as you ‘Click-to-Run’ from the cloud.

Capital markets have been a key growth market where Microsoft has seen the biggest uptake of cloud, driven by regulatory changes, the need to compete and curtail costs. For example, Misys and Temenos now offer core banking applications through the cloud. In investment markets, firms such as Wall Street Systems manage all their trade settlement through the cloud.

One of the challenges, however, is how clients can get their internal systems to run seamlessly with the cloud. To help them, Microsoft developed Windows Azure AppFabric, a cloud middleware platform for developing, deploying and managing applications on the Windows Azure Platform. In particular, it enables bridging of existing applications to the cloud, through secure connectivity across network and geographic boundaries. That’s critical for banks; because many internal applications were written before the need for cloud computing arose, some even decades before.

Matt Wood also underscored that cloud is a major area to improve innovation and enable business agility. Cloud computing is a great way to test and trial services without feeling any limitation of scale. As a result, you can have an idea over breakfast and it can be live and available by lunchtime. That’s why Amazon is able to rollout major new features and updates twice a week.

The discussion moved on to examples of where cloud is being used by banks. Bankinter in Spain uses Amazon cloud computing as an integral part of their credit-risk simulations where complex algorithms simulate diverse scenarios to evaluate the financial health of their clients. It is an area that requires high computational power, running over 400,000 simulations to get realistic results. Previously, it was CPU-limited and time critical, running once a day and requiring about 23 system hours to process. Now it runs in approximately twenty minutes.

Similar stories can be heard elsewhere. For example, Visa analysed two years of customer records, or 73 billion transactions amounting to 36 terabytes of data, in 13 minutes when processing time would have taken a month using traditional methods.

Securing the Cloud

One area that came up regularly throughout the night was the issue of data security.

Tony Emerson said Microsoft is asked about Security all the time. Companies want to know how you protect the data, where you’re located, what standards you use and so on. Microsoft is heavily geared towards security and is one of the largest firms in the development space in this area.

Some issues do arise however with regulators in key markets, particularly in finance. For example, in Turkey, they regulate that data must be held on bank premises. That’s hard to overcome but is a key reason Microsoft continues to provide on premise solutions banks can implement while regulations catch up.

Private and Public Clouds

Steve Ross-Talbot pointed to the delineation between public and private clouds. Private clouds are the internal computing architectures used to process information behind a firewall. The point of the private cloud is that it uses spare internal compute capacity to manage sensitive data, and you can therefore mix and match public and private cloud infrastructures to suit the organisation’s needs.

In other words, you might use public clouds for most of the processing and compute power, but use intelligent switches to ensure that encrypted sensitive data is sent via the private cloud when you need to. If this is the case, cloud computing does not pose a risk, as it is secure.

To emphasize this point, consider audit and accounting. If an auditor comes into the office and asks to see your data, you might take them into a data centre and point to a disk. Does he actually ask to see the data or just believe it’s there? Does it actually matter if it’s on a disk in your data centre or in the data centre of a supplier? What is important, however, is that you have the security and management processes in place to show the auditor you manage that data effectively.

There was some debate around this point, before the concept of ‘cloud bursting’ was introduced. Cloud bursting is when you use internal resources until they reach maximum capacity, and then seamlessly move into the public cloud when needed.

The problem is that it is not seamless, as you need to encrypt data that moves into the public domain to make it secure. The challenge is that if the data is fully encrypted, you probably wouldn’t want to spend that much time and effort managing encryption policies, checking what encrypted data is being transacted through public versus private clouds. Is it worth the cost of effort, particularly when you’re trying to avoid costs?

Strategies for the Cloud

When building a cloud strategy, Steve Ross-Talbot said it is important to decouple business capabilities from the hardware and infrastructure. It’s all about the services that run a business: sales, pricing, service etc. decoupled from the systems upon which they run so you only pay for what’s used and have infinite scalability.

Adopting this view, firms should first look at cloud computing as a grid that clearly shows what is In-sourced versus outsourced. Functions that are in-sourced tend to be core business processes where the organisation adds value, whereas functions that are outsourced tend to be non-core processes such as: Finance and Accounting, HR, Procurement, IT infrastructure, Administration and so on.

Non-core services are better suited to outsourcing to either public, hybrid or community clouds subject to the level of sensitivity of the data and regulatory constraints. However core services are more readily associated with private clouds.

This is likely to result in far more Business Process Outsourcing (BPO) based upon cloud. Service providers will be able to offer pay-as-you-process capabilities at a far lower price point than ever before.

The Cloud Debate Q & A

What strategy should you adopt to ensure cloud data is secure?

Steve Ross-Talbot believes data can be made safe, as long as you approach it in the right way.

Finance companies should read the small print from their cloud provider and ensure SLAs and guarantees are in place and that they are honoured. Encryption will also make data more secure, as well as an enterprise architecture that is built for security and approved by the FSA and auditors.

Often the perceived fear around security is more about loss of control than anything else. The real issue is that there is no standard contract for cloud. It would be easier if there was.

Tony Emerson pointed out that banks including Commonwealth Bank of Australia, Bank of America and Deutsche Bank were part of an alliance (Enterprise Cloud Leadership Council) to create some standards to compare apples with apples when buying cloud services.

In Amazon’s case, they operate a shared responsibility model. Amazon take responsibility for running and hosting back office services, but the responsibility for securing the data lies with the customer.

It is often difficult to justify a move to cloud computing.

Many banks have spent time and money building an internal infrastructure which makes it hard to cost justify moving that infrastructure to an outside provider. There may be long-term savings but in the short-term, the issue is how to justify current investment that you’re trying to remove, that you should be exploiting. In addition, moving to a cloud-based platform has a cost in itself which makes it even less attractive and harder to justify.

Christopher Clack said that a banks’ technology infrastructure is often only 10% used, but then there are periods of 100% usage. This is the issue, in that when the bank need the 100% usage, it is critical that it is there, available, secure and resilient, so it is perfectly understand that banks have a reluctance to downsize their internal resource.

Tony Emerson pointed out that was why start-ups move to the cloud first, whilst for larger established firms it is more challenging.

Steve Ross-Talbot took a different view. As a bank you could offer your underutilised systems out. Therefore, if you cannot justify moving out to the cloud, maybe offer your infrastructure as a secure cloud to your clients?

Matt Wood pointed out that Amazon has hundreds of customers who peak and trough in usage. In aggregate however, such usage is predictable. They have on-demand services, but if you know your capacity a little bit ahead of time then you can get savings by, for example, having a contract for your basic capacity and reserve that ahead of time. Then use on-demand capacity to cover the rest. You can save between 30% and 60% of your costs by reserving in advance for a month or year.

Conclusion

The overall conclusion of the cloud debate was that banks and financial institutions are ready for the cloud, however, there are still some concerns such as security of data, creating contracts that satisfy risk, quality and performance needs as well justifying the business case to transition given current investment in infrastructure.