“What happened to the generation of power a century ago is now happening to the processing of information. Private computer systems, built and operated by individual companies, are being supplanted by services provided over a common grid – the Internet – by centralized data processing plants. Computing is turning into a utility, and once again the economic equations that determine the way we work and live are being rewritten.” –Nick Carr, “The Big Switch,” 2008
Nick’s right. The question is how long it’s going to take the financial services industry to catch up with him. Cloud computing (or at least talking about it) is all the rage, and there are a host of providers offering services today. Your bank or credit union may not be procuring raw infrastructure from these providers, but it’s highly likely you’re using Software as a Service (SaaS) for one or more of your applications. Those SaaS applications are hosted “in the cloud” and are indeed a form of cloud computing.
Cloud computing is relevant to a variety of audiences within a bank or credit union. The cloud will allow CIOs to scale their infrastructure on demand, enable CFOs to deal with less capital investment, and help business unit leaders gain speed-to-market for desired system implementation efforts. The cloud does bring additional risk management demands compared with do-it-yourself hosting, and these demands are the primary inhibitor of financial institutions fully utilizing cloud computing.
First, some quick definitions of key cloud computing terms are in order:
Financial institutions already understand the benefits that SaaS applications can offer over internally hosted solutions. How about the rest of the systems that banks and credit unions are still commonly deploying internally – what benefits will make the cloud a better option? Reduced capital outlays, reduced time-to-market and refocused I.T. resources are three key benefits.
Cloud computing reduces the waste associated with excess and unused capacity. Servers are provisioned and capacity is increased/decreased as needed, on a pay-as-you-go basis, without one-time capital outlays. Note that private clouds are more expensive than public clouds as servers are dedicated to a financial institution.
Ad hoc capacity planning frequently produces “gotcha” moments in in-house shops. With the cloud, financial institutions can add capacity almost instantly using self-service tools vs. having to order hardware and wait days or weeks for it to arrive, reducing delivery time for new systems and capacity.
By eliminating physical hardware on-site and utilizing virtualized cloud servers, commoditized infrastructure support functions are left to external providers, enabling the CIO to focus on developing higher-value architecture, business analysis and application integration skills. Don’t fall into the same trap many financial institutions buying ASP or SaaS applications run into: just because it’s outsourced doesn’t mean you don’t need anybody to install and maintain it – someone still has to integrate these applications!
What must be addressed for a successful cloud deployment? Mitigating risks and ensuring high-quality service levels are at the top of the list.
Hosting standards have not yet emerged for cloud computing providers, although organizations like Trusted Cloud are working to change this with security certification programs. Banks must extend their audit process to cover cloud providers and secure access to details of the underlying infrastructure, relevant logs, etc. A big issue is uncertainty around just how much sensitive personal information about customers can be stored in the cloud and the level of security required to protect it. This is one of the reasons core banking applications will be among the last to be offered in a public cloud (if ever at all). Relationships with cloud providers can change, so institutions also must ensure they can get their data back from the cloud provider.
User provisioning, authentication, user profile management and compliance processes must all be in place to ensure only authorized users have access to hosted data. Banks must either deal with dual user security processes (very undesirable) or integrate the cloud service with their user security system (formally known as the identity provider).
To ensure a high service level, negotiating an appropriate service level agreement with the cloud provider and regularly monitoring performance are necessary. Hiccups are bound to occur just as they do with internally hosted systems – the SLA in the contract (and penalties) will incent the cloud provider to perform.
Bandwidth must be addressed both at the cloud provider and the financial institution. Single points of Internet connectivity failure must be eliminated and adequate bandwidth provisioned at the financial institution. While bandwidth can scale at the cloud provider, understanding expected bandwidth needs will avoid surprises when the cloud hosting bill comes.
Finally, some applications are better suited for the cloud than others. Those with heavy input and output demands will cost more. Some vendors may also not allow their systems to be used in a cloud environment per their licensing agreements (if they are architected in a way that supports the cloud at all). So, bandwidth-intensive applications like imaging may not be ready for prime time in the cloud.
Let’s take out our trusty crystal ball and see which categories of applications are going to gain cloud deployment traction. You’re not going to hold me to this, right?
| | Today: 2010 | Prediction: 2013 |
|---|---|---|
| Core | Core applications are commonly outsourced today in an ASP (not SaaS) model. | Core won't yet be offered in a SaaS model due to lingering concerns around protection of confidential data, despite improvements in encryption and authentication technology. |
| Electronic Delivery | Internet banking, mobile banking, public Web sites, account opening/funding and online lending solutions are all widely deployed in a SaaS model. | The percentage of institutions deploying these applications in-house will continue to decline in favor of the SaaS model. Deployment of call center/telephony applications in the cloud will increase (voice response units, for example). |
| Infrastructure | Branch and local file servers are widespread, and desktop operating systems and office suites are installed in workstations. | My my, hey hey. File and print is here to stay. Branch servers are on the decline, but your corporate "shared drive" isn't going anywhere (yet). But, deployments of Windows 7 virtual desktops via internal cloud will have occurred in a material (>10%) number of institutions. |
| | Internal clouds are being utilized for testing and disaster recovery infrastructure, with private clouds under consideration. | The percentage of institutions utilizing either internal or private clouds vs. dedicated infrastructure for testing and disaster recovery will increase. |
| | Email/Archive and enterprise collaboration (e.g. SharePoint) solutions are offered with competitive per user pricing, but financial services companies have been slow to get on board. | Data protection, data retention guideline enforcement and eDiscovery challenges will be resolved and the race will be on to get rid of Exchange and other internally hosted email solutions. Outsourced collaboration solution deployments will begin. |
| | Banks and credit unions are making huge investments in internal storage and data replication. | These investments will continue, but costs will decline as pricing for backup to private cloud providers continues to improve, making that option more attractive as internal application storage demands decline. |
| Strategic Systems | HR and customer relationship management (CRM) applications were early to the SaaS party; applications failing to gain SaaS traction include data warehouses, financial systems, loan origination systems (non customer-facing), and imaging and workflow systems. Note that some of the above applications are deployed in private cloud and ASP models today. | For the same reasons as core applications, data warehouses will not yet make it into the public cloud, but private clouds will host warehouses or handle heavy processing cycles in a hybrid internal/private cloud model. Financial and loan origination systems will begin to see cloud deployments. Because of the input/output demands and associated costs, imaging and workflow solutions will be slow to migrate to the public cloud, although private cloud deployments will increase. |
As new applications and infrastructure are considered in the coming years, CIOs should consider the opportunities that cloud deployment can bring. Starting with application testing and disaster recovery, banks and credit unions can move beyond basic SaaS application delivery and internal virtualization used today. IT shops can then work to understand how to integrate public, private and internal cloud applications and move more production applications outside of their internal cloud. Just as the manufacturers found benefit in ditching their internal power-generating systems over the past century in favor of electric utilities, banks will find ditching internal infrastructure in favor of computing utilities will provide great benefit.
-QS
Great article!!
I want to comment on the Core and Strategic Systems line items in the Today:Prediction table. You have mentioned that these systems will not make it to public cloud due to ‘lingering concerns about protection of confidential data’. Could you provide some insight on what these specific concerns are and why these aren’t covered by the SAS 70 Type II compliance?