Before you jump into the Cloud...

Written by Johnny Wong on Wednesday July 4, 2012

There has been much hype about cloud computing but when it comes to breaking into the Financial Institutions (FI) here in Singapore, it seems to have hit a roadblock. Why? Well, simply because it touches something that is very crucial to an FI – data and control!

Cloud computing uses a network of remote servers hosted on the internet to store, manage, and process data. Traditionally, companies build their own IT infrastructure, and applications are hosted on servers and networks they own and manage. Cloud relieves companies of that burden, and offers them a means to access the infrastructure and applications on a pay-per-use or utility model.

Here, I list down some of the key considerations when contemplating a move into adopting Cloud for FI.

Why the Cloud?

• Are you trying to solve something with the Cloud? Is it a cost reduction exercise, a need to increase capabilities like reducing the time-to-market or you are just taken in by the hype? Also bear in mind that Cloud is not actually new technology, it is actually a re-brand of an old technology
• Who is driving the adoption of Cloud? Is it IT or the business? A pragmatic approach should involve both IT and the business. Beyond the costs, benefits and security that Cloud providers are trying to sell to you, you have to determine whether it works for you at all

Where is my data?

• Almost every service you can put on the Cloud needs data, therefore the data will be in the Cloud too. Cloud is a pool of computing resources that is physically located outside your organisation. Your data is no longer on your server, within your premises anymore.
• Data in the Cloud can be replicated easily and the copies will exist on other resources, such as backup tapes, disaster recovery sites, and every computing resource it touches. You have to accept that in the Cloud, you lose control and oversight of your data on resources that you do not even own
• Your data may end up in a location that is outside your country’s jurisdiction, for example, the Cloud provider may have an overseas backup site. That may violate cross-border laws or regulations if the data is customer or personal data
• Your relationship with a Cloud provider may not last forever, so when the relationship ends, how will the provider assure you that your data will be completely removed from their resources. And are you comfortable with that?
• Your data is owned by someone in your organisation. The data owner needs to approve any change in the data custodianship i.e. agreeing and accepting the Cloud provider as the custodian
• Your data could end up on a server that holds other customers’ data, and even your competitors’. Can you live with that?

Can I audit the Cloud?

• You want to be able to audit the Cloud provider but you cannot stop another customer requesting the same right to audit. How will the provider assure that your data and services are out-of-bounds to another customer’s auditors?
• When a security incident happens, for example hacking or unauthorised data disclosure, will the provider allow you to perform a forensic investigation on their premises? Will your investigation or another customer’s investigation subject your data to inadvertent risk?

What about regulatory obligations?

• Will going into the Cloud impact any regulatory obligations that you have? In Singapore, MAS needs to be informed if you intend to outsource any IT services, and Cloud is outsourcing. MAS Outsourcing Guidelines and Notices (e.g. 634) stipulate the rights of the MAS to carry out its supervisory functions on the Cloud provider
• You also need to be aware of any potential consequences if a Cloud provider, as a company, falls under the jurisdiction of another country. For example, can that country’s law force the Cloud provider to disclose its customers’ details? Consider the worst case that your data may be disclosed to a foreign government beyond your control and rights

Is the Cloud secure?

• Can you extend your organisation’s standards and policies into the Cloud? Will you be worse off going into the Cloud?
• You do not move your responsibility into the Cloud - you are still responsible for whatever you put in the Cloud. Is the Cloud provider responsible to you as much as you are responsible to your customers?