Moving IT operations to the “cloud” offers substantial benefits, but many banks are reluctant to embrace cloud computing because of concerns about information security, data reliability and regulatory compliance. These concerns are legitimate, particularly when outsourced cloud services are provided over the Internet. Banks exploring these services should conduct thorough due diligence and take other steps to manage the risks.
New term is old concept
Although the term is relatively new, the concept isn’t. Essentially, cloud computing means pooling computing resources (servers, processing, memory and network bandwidth) to provide centralized services, such as software, platforms and infrastructure, to users.
Banks that have worked with service bureaus or similar third-party providers already are familiar with “private” clouds, which offer the greatest security. Here, the cloud infrastructure is provisioned for exclusive use by a single bank. It’s owned, managed and operated by the bank or a third party (or both) and may be located on or off the bank’s premises.
A “public” cloud infrastructure is provisioned for open use by the general public and is owned, managed and operated by the cloud provider on the provider’s premises. Other options include “community” clouds, which are designed for use by groups with shared concerns, and various hybrid approaches.
Benefits stack up
Cloud servers run applications and store data. Individual users can tap this computing power with scaled-down PCs using a Web browser or other interface software. Because the cloud infrastructure delivers the applications, processing power and storage capacity, the bank can enjoy reduced IT costs.
IT personnel also spend less time installing, maintaining and upgrading individual computers.
Centralized resources allow the bank to deliver new applications quickly and enhance performance and efficiency by providing users with access to applications and up-to-date data from anywhere and at any time. Centralization also can make backup easier, cheaper and faster.
Outsourced solutions offer additional benefits, including:
Greater cost savings. By spreading costs among multiple customers, cloud providers take advantage of economies of scale, which can reduce a bank’s IT costs and help them save on maintenance costs and energy consumption.
Pay-as-you-go. Banks can avoid large up-front capital investments in favor of a pay-per-use or subscription model. When properly configured, the scalability of cloud computing allows banks to adjust their service levels upward or downward to meet their needs.
Business agility. Additional capacity, software and other computing resources are available on demand, which may enable banks to respond more quickly to customer demand for new products and services, such as online and mobile banking.
Business continuity. Cloud computing provides a high level of redundancy and the ability to move data around rapidly, which can result in enhanced business continuity and disaster recovery protection at a lower cost.
Public cloud computing offers the greatest benefits, but its shared data environment raises significant security concerns. With properly vetted cloud partners and other precautions, however, banks can minimize these concerns or even achieve greater security than they could on their own. For example, a cloud provider may be better equipped to implement multifactor authentication and other controls designed to prevent hackers from obtaining customer information.
Risks must be managed
Financial institutions are subject to a variety of laws and regulations designed to protect sensitive customer information. And while certain IT services may be outsourced, complying with these laws is the bank’s responsibility.
Banks that use cloud providers should conduct thorough due diligence. (See the sidebar “Due diligence tips.”) Their contracts should clearly spell out vendors’ responsibilities with respect to how and where customer data is stored and transmitted. They should also have procedures for evaluating vendors’ internal controls and monitoring vendor performance.
Testing the waters
To get started with cloud computing, consider using a public cloud for activities that don’t involve confidential customer information — such as marketing or back-office applications — while using a private cloud or traditional systems to handle more sensitive applications.
As the banking industry becomes more comfortable with the cloud and vendors respond to the industry’s unique information security needs, public cloud computing will likely grow in popularity.