Financial services regulations holding banks back from public cloud, says UBS IT security chief

Regulations are holding back adoption of public cloud services in financial institutions, according to Chris Swan, CTO of security at UBS.

Financial services companies will be able to make greater use of public cloud platforms in the future, according to Swan. But while IT has more or less resolved the security issues of the public cloud, a hybrid approach may be the only way around financial services regulations.

Banks have traditionally controlled IT in-house, keeping data behind firewalls. They generally operate sophisticated datacentre facilities, and connect to inter-banking systems such as Swift, the payment messaging platform, cash machine networks and BACS (banker's automated clearing system). But financial services firms could soon make more use of public cloud platforms with shared infrastructure such as Microsoft Azure, Google App Engine and Amazon Web Services.

Chris Swan, CTO of security at UBS, says financial services companies are already using public cloud for non-core activities and will make greater use of public cloud infrastructures through industry utilities.

"If you look at core business activities, there is an emergence of industry utilities that aren't pure public cloud but a form of cloud computing split between public and private," Swan told Computer Weekly.

But Swan says this is different to a typical hybrid cloud model.

"The hybrid cloud model expands into public cloud from a private cloud. Industry utilities is a different kind of hybrid because it looks much more like a public cloud usage model purely for industry participants. We saw one trading venue recently introduce this type of service with a service provider," said Swan.

The New York Stock Exchange (NYSE) launched the financial service industry's first cloud platform at the start of June. The NYSE Technologies Capital Markets Community Platform was developed with VMware and EMC, and is expected to go live on 1st July 2011 after being beta-tested.

The use of a hybrid cloud architecture allows companies to have greater control of the security of customer and company data.

Swan was previously CTO at technology investment banking boutique Capital SCF, which operated a cloud-only infrastructure. In January 2011 he wrote on the company's blog about the contradiction of enterprises refusing to move to the cloud because of security concerns while some move security itself to cloud-based managed security services (MSS).

Swan said infrastructure-, platform- and software-as-a-service clouds bring the same security benefits as an MSSP cloud.

But he said security is no longer the greatest stumbling block for cloud adoption amongst financial services firms. Regulations are preventing cloud adoption within the financial services sector. "Financial services are heavily regulated. Although the main concern is security, in practice some of the jurisdictional and regulatory issues are more of a practical barrier."

"If a regulator says the data must stay within a country and there are few or no service providers in that country, you can't start dealing with those concerns," he added.

Swan thinks the public sector G-cloud project will create cloud capabilities in a broader range of jurisdictions than currently available.

Companies like Dell admit it's difficult for large businesses to adopt public cloud models, which allow data to be located anywhere. Dell hopes to address data location concerns with a UK datacentre, which will be turned on soon.

Despite service provider efforts, overcoming data location obstacles and other user requirements could be years away.

Swan, a committee member, says the Open Data Center Alliance's (ODCA) first IT user requirements for cloud computing will be adopted over the next few years.

The ODCA, formed by 70 business members including BMW, Shell, Deutsche Bank and UBS, published its first set of IT user requirements for cloud computing at the beginning of June in a bid to accelerate adoption.

Usage models include consistent service level agreements (SLAs) as well as frameworks and standards for secure federation, automation, policy management and services transparency.

"Timescales for when the ODCA job will be complete are yet to be defined. There is discussion around adoption of some usage models being staged over the next two or three years, though many aspects are ready to be used now," said Swan.

He added: "We expect existing usage models to be refined and we're beginning to work on new usage models. The process has begun in selecting the next topics for the next tranche of usage models."

Ultimately, Swan puts the onus on service providers to adapt their cloud offerings.

"When service providers move from a traditional service base to cloud-like services then we'll have a capability to be exploited," he said.
