The trifecta of benefits promised by cloud computing -- cost savings, business flexibility and agility, and speed -- is perhaps the holy grail of bank IT organizations. But cloud-based services, particularly those that rely on the public cloud, have not seen widespread adoption by financial institutions, as security concerns continue to overshadow all other business drivers.
To help banks navigate the cloud more safely and profitably, the Federal Financial Institution Examination Council (FFIEC) in July released new recommendations to guide financial institutions when using third-party cloud services. The FFIEC said it considers cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. However, "Cloud computing may require more robust controls due to the nature of the service," the FFIEC noted.
"When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service," the council continued. "Vendor management, information security, audits, legal and regulatory compliance, and business continuity planning are key elements of sound risk management and risk mitigation controls for cloud computing. As with other service provider offerings, cloud computing may not be appropriate for all financial institutions."
The Evolution of Infrastructure
Financial institutions need to approach the cloud with caution, says Scott Dillon, EVP, CTO and head of technology services for San Francisco-based Wells Fargo ($1.3 trillion total assets). "Regardless of your size, the security concern is the same when it comes to the cloud," he stresses. "It is front and center."
[Cloud Computing Could Create 1.4 Million Banking Jobs by 2015]
According to Dillon, the security of its data should be paramount to any financial institution, and that should be the primary consideration for banks looking for a cloud services provider. "You have to understand how the service provider will protect your data and what's going on in its cloud," he says.
Dillon adds that banks also need to be careful of running too much in one cloud or with one cloud provider. "You have the concept of 'concentration risk' in cloud computing," he notes. "Imagine if all your compute processing is in one place that goes down. A step into the public cloud has to be thought out a lot."
For Wells Fargo, cloud computing is part of the ongoing process of virtualization and convergence of infrastructure. Dillion acknowledges that the bank uses a private cloud to run a "service-based" infrastructure, one that he says allows multiple services to be "wrapped around it." "We're committed to having a robust infrastructure, and cloud is just one part of that," he explains.
Dillon says Wells Fargo began to think about the future of its infrastructure about five years ago, and that intensified with the bank's acquisition of Wachovia in 2008. "Infrastructure is converging and needs to converge," he adds. "We began to build out capabilities to allow convergence to happen, and we're doing this with the customer at the center. Our approach to infrastructure convergence allows us to serve the customer in a channel-agnostic way."
Ultimately, Dillon says, using the cloud will become commonplace as banks continue to pursue virtualization to a greater degree. "It's an overused buzzword," he agrees. "But the cloud is here to stay."
Small banks that don't have the financial and operational wherewithal to build a private cloud infrastructure, however, need to work with third-party cloud providers in some capacity, something many smaller institutions have been reluctant to do, reports Randall Barker, director of channel strategy for the banking group at Falls Church, Va.-based CSC. "Smaller banks have avoided the whole conversation completely," he says. "They don't have that comfort level." .