A MURKY PICTURE.
While no one refutes the benefits of the cloud, fears remain. Heather McKenzie reports.
Financial service firms may be increasingly adopting the cloud to manage their vast reams of data but there are still underlying concerns. It is not only the much talked about security of the information but also the stability of the cloud service provider.
In fact, in April, US-based international affairs organisation the Atlantic Council and global insurer Zurich issued a report warning of the implications of such a breakdown. A ‘Lehman moment’, as the report characterises it, will result in data being “there on Friday, and gone on Monday”. The report, Beyond data breaches: global interconnections of cyber risk, says such failures have the potential to ripple through the real economy leading to a collapse similar to that seen during the financial crisis of 2008.
The global aggregations of cyber risk are analogous to those risks that were overlooked in the US sub-prime mortgage market, according to the report. The problems in that market segment eventually spread far beyond the institutions that took the original risks and reverberated throughout the global economy. For example, banks and regulators before 2008 tended to assess risk as though every organisation was self-contained.
“In hindsight, it was folly to examine risks one organisation at a time, while ignoring the interconnections,” says the report. “Yet this is just how cyber risks are looked at today. Obviously the internet has been incredibly resilient (and generally safe) for the past few decades, but as with securitisation, the added complexity that has made cyberspace relatively risk-free can – and likely will – backfire. Cyber-risk management needs to look beyond the internal IT enterprise to other aggregations of risk, such as outsourcing and contractual agreements, supply chain, upstream infrastructure, and external shocks.”
Among the report’s recommendations to address the potential of widespread collapse is to borrow ideas from the finance sector. For example, internet governance should be expanded and fortified by the creation of a G20+20 Cyber Stability Board (like the Financial Stability Board). Also, globally significant internet organisations should be recognised and the idea of cloud service providers being “too big to fail” should be addressed.
Raising the alarm
Other red flags have been waved regarding cloud computing. The revelations by former US National Security Agency (NSA) contractor Edward Snowden that the Agency operates extensive global surveillance programs, mining data and allegedly engaging in industrial espionage, have alarmed some companies.
A report issued by US-based research and education think tank, the Information Technology and Innovation Foundation, said the allegations would “likely have an immediate and lasting impact on the competitiveness of the US cloud computing industry if foreign customers decide the risks of storing data with a US company outweigh the benefits”. The 2001 Patriot Act and the 2008 Foreign Intelligence Surveillance Act have given US intelligence agencies the power to carry out mass information gathering.
Others have also suggested the NSA spying is a problem: in July 2013 Neelie Kroes, the then European commissioner for digital matters, warned that European businesses were likely to abandon the services of US internet providers because of concerns about the security of their data. “If businesses or governments think they might be spied on, they will have less reason to trust cloud, and it will be cloud providers who ultimately miss out,” she said. “Why would you pay someone else to hold your commercial or other secrets if you suspect or know they are being shared against your wishes?”
Switzerland is hoping to take advantage of the NSA scandal by providing highly secure and private cloud services in much the same way that it provides private banking services. National telco Swisscom says its ‘Swiss Cloud’ can offer security from the prying eyes of other governments. This is, however, possibly only for data kept within Switzerland as once it moves across borders it is open to be accessed by other parties.
However, as financial institutions are required to collect, store, analyse and report on ever increasing volumes of data, cloud computing, or managed services, are attractive options. Market data clouds, for example, enable firms to bypass the sizeable investments in infrastructure, hardware, software and maintenance that are typically associated with traditional data feeds. Utilising this new type of market data solution helps firms gain economies of scale, lower costs and increase agility. A cloud-based market data solution allows firms to instantly enrich their regulatory and investor reporting with comprehensive coverage of real-time, historical and reference data, without maintaining an infrastructure to do so.
Technology consultancy Ovum released research in October 2013 that found both buy and sellside firms were investing heavily in cloud services. Other financial market firms are also set to increase spending on IT infrastructure. Buyside firms were leading the way in cloud adoption, mainly because these firms are smaller and have limited budgets, says Ovum. Moreover, recent improvements to cloud security and a wider variety of applications are fuelling further growth.
Another consultancy, TABB Group, says as trading firms continue to offload commoditised activities, adoption of cloud offerings and other managed services will be among the leading manoeuvres to combat costs. In parallel with this adoption, “we see solid-state, multi-disk appliances and other high-performance computational solutions leading the production of analytics for better navigation of the market landscape,” says Paul Rowady, a principal at the firm.
Rowady says legal and security issues regarding cloud always will be top concerns for companies operating in the capital markets. “One of the issues that has come to our attention recently is that banking firms operating in particular countries may be required by law to keep the data within the country it pertains to. That would present significant impediments to cloud solutions that are multinational on a virtual basis,” he says. This is a challenge that would limit certain types of datasets being put into anything other than a private or hybrid (a private cloud operated by a third party) cloud offering.
Ralph Achkar, product director at market data company Marketprizm, says financial firms are becoming more concerned about the jurisdiction in which their data is held. They are asking questions such as how secure is my data, who has access to it and to whom does it belong? He agrees with Rowady that national data protection laws – Switzerland, Singapore and Poland for example require customer data to reside within their borders – need to be considered when looking at cloud solutions for data management.
When it comes to security, Neil Smyth, marketing and technology director at portfolio analytics company Statpro, says a distinction should be made between “real” software as a service (SaaS) systems and what he calls ‘cloudwash’ systems. The latter are traditional applications given a new, web-based interface. While the interface may be secure, he argues that the back end database may not. Secure cloud solutions should operate secure back end databases and encrypt data. “Legacy applications that have been migrated to the cloud always add security as an afterthought,” he says.
“It wasn’t baked in from the beginning. Security in pure SaaS applications is paramount because of the multi-tenant features and the fact that they are designed to be internet facing.”
Firms concerned about cloud services and the legal and security issues should implement good data governance regimes, says Adam Cottingham, vice-president, data management services at IT company SmartStream. “The key to cloud and managed services is a governance structure that recognises the data being processed and is reviewed regularly in order to ensure that it is keeping pace with both global and national data regulations,” he says.
© BestExecution 2014