Questioning cloud computing for the finance industry
The financial industry, as well as the market at large, has latched onto the term "cloud computing" with a vengeance, and you have to admit that the basic premise (datacenter on-demand) is pretty sexy. However, all may not be as it seems.
Cloud computing is not a new concept. The vision of the on-demand datacenter has been around in one shape or another for more than 20 years and, for good reason, is usually described as the "holy grail" of datacenter architectures. Like the grail, it has always been sought after, but remained out of reach. Virtualisation has changed all this and has brought the vision almost into our grasp.
As you consider the use of clouds, the first thing you need to consider is, "how can they be used effectively?" The biggest challenge is that a cloud is an amorphous infrastructure, owned and operated by someone else. So what subset of your financial data could safely run in this kind of environment?
Clearly, there are some applications that you would probably never want out of your control, including those you need to pass an audit (e.g. SOX, PCI, GLBA). A cloud ultimately translates into physical systems somewhere. But can you audit, with absolute certainty, its security, file systems and access control?
Today's cloud tools barely manage provisioning and mobility management; security and audit capabilities are still a long way off. In fact, most auditing groups still haven't even come to grips with the impact of virtualisation (the underlying infrastructure of the cloud) on basic datacenter auditing, let alone cloud governance.
Ultimately, the cloud as it exists today is just not ready for any application of real importance, which suggests that it's a place for applications of little importance. In fact, if you read the Amazon user agreement, it describes just that: a service that should not be used for anything critical or sensitive.
The Amazon cloud model is based on selling unused capacity on its own systems. The business may be revenue generating, but it is not standalone. Amazon recognises the security, management and compliance issues, and its resource needs come first. The user agreement states that neither security nor uptime is guaranteed, and that it can suspend the service pretty much at any time it wishes, without liability to its customers.
This may be OK for non-critical, low-usage applications, but it's definitely not the environment in which you want to run anything important.
A pragmatic approach to cloud computing
Cloud computing is a vision that has the potential to increase the overall flexibility and responsiveness of your financial IT organisation. But despite the current hype, the fact is that the technology is simply not where it needs to be yet.
There are some practical things you can do today to get ready for when the clouds come rolling in:
» The use of virtualisation in the datacenter is creating what is termed "internal clouds"; it's the same basic technology, but everything stays under your control. So discuss with your auditors how virtualisation is impacting their requirements, and if you haven't done so already, add these new requirements and new policies to your internal audit checklists.
» Ensure that you have the right automation and control systems to both efficiently implement and enforce those policies, as well as meet the new audit requirements. Once you know what you need internally, it will become a lot easier to extend that to the cloud.
» Test external clouds with low priority workloads, which will provide a better understanding of what role they can ultimately play in your overall business architecture.
Pragmatically, now is the time to start moving your financial organisation from "some virtual server use" to building out "internal clouds" and understanding and mitigating some of the unknowns regarding this technology.
Let's face it; if you can't manage, control and audit your internal virtual environment, you won't have a chance of managing, controlling and auditing an external cloud connection.
David M. Lynch is vice president of marketing of Embotics. He is a dynamic, successful and well-rounded 30-year veteran of the high-tech marketplace. With international expertise, David has spent the past 11 years in the high-tech industry, working, writing and commenting on technologies and trends and their impact on the industry. Subjects have included authentication, access control, public key infrastructure (PKI), deperimeterization, compliance and virtualisation.