CHAPTER 12

Trend 8—Cloud Computing

Introduction

Cloud computing (or “the Cloud” as it is sometimes referred to) is another emerging technology trend that is constantly mentioned. While it does have many massive benefits, it is complex to implement and support.

What Is Cloud Computing?

Cloud computing is an on-demand computing resource covering data storage and processing power. The theory is that a firm just pays for the storage and/or processing used without the need for, and fixed cost of, a complex in-house infrastructure. It is similar in concept to pay-as-you-go utilities where the customer “turns on the tap” and only uses and pays for the water used (as opposed to having their in-house fixed cost water plant).

A cloud provider will have built a large, robust, and shared computing infrastructure. This will have massive processing power, solid resilience/BCP, and a massive amount of disk storage. Connectivity is typically provided over the Internet. The provider can then divide this infrastructure into segments or containers (using tools such as virtualization) for each firm. The containers can be expanded or reduced depending on firms’ demands.

The advantages to the firm are that they do not have to support and maintain an infrastructure with associated fixed costs, technology complexity, and the overheads of having staff to support upgrades, monitor the infrastructure, deal with issues, and so on. While there are many challenges (see below), in effect everything is handed over to the Cloud provider to run, with the cost model being moved to a variable basis which can match the firm’s activity much more closely.

There are a variety of service models and care is needed when selecting the model to ensure it meets the business need.

Infrastructure as a service (IaaS): The cloud provider will offer the basic infrastructure such as network connectivity, servers, storage, and processing power. However, the firm will be expected to implement and support the cloud themselves: for example, installing the operating system, installing the applications, running upgrades, overseeing security, performing back-ups, and so on. Therefore, the firm has the advantage of not running the infrastructure but will still need to support the operating system and applications.

Platform as a service (PaaS): The cloud provider will provide the infrastructure (as IaaS) but will also support the operating system, manage security, and perform backups. The firm will still be responsible for installing and maintaining any applications.

Software as a service (SaaS): The cloud provider will provide and support the infrastructure (per IaaS), the operating system (per PaaS) but they will also provide and support all the application software. The firm is consequently not responsible for supporting any of the infrastructure, operating systems, security, backups, and applications.

Mobile “backend” as a service (MBaaS): This is a cloud computing platform that allows mobile applications (such as phones, tablets, and IoT devices (see Chapter 9)) to be able to access a back-end technology without the need to implement a complex and costly infrastructure.

Function as a service (FaaS): The cloud provider will provide and support a platform that will allow firms to develop software themselves without the need for building and supporting a complex and costly infrastructure.

(IaaS, PaaS, and SaaS are, at the time of writing (Winter 2021), the most commonly used service models.)

Cloud computing can also be deployed in one of three ways:

Private cloud (sometimes known as an Internal or Corporate Cloud): This is where the cloud built is solely dedicated to a single firm. The advantage is that the firm has sole control over the cloud and cannot be impacted by other cloud users. However, the costs for running this tend to be higher because it cannot take advantage of a shared infrastructure.

Public cloud: This is where the cloud is used by multiple firms. The advantage is that the costs are lower because the firm is sharing the infrastructure but there are issues around security with other cloud users and being impacted by other cloud users.

Hybrid cloud: This deployment model covers a combination of approaches where configuration could consist of in-house infrastructure, private clouds, and public clouds. The advantage of this model is it removes the need and cost to migrate all applications to the cloud but this model can be very complex and costly to support. It is not that uncommon for firms to use this as a part of a phased implementation as they are looking to migrate all their applications to either a private or public cloud.

Uses of Cloud Computing Within Financial Services

The usage of Cloud Computing is growing within Financial Services. According to IBM’s 2020 “Banking on open hybrid multicloud survey,” 91 percent of financial institutions are actively using cloud services today (or plan to in the next 9 months) which is double the figure from 2017.

There are two main uses of Cloud Computing within Financial Services.

Migrating In-House Data Centers to the Cloud

Firstly, many firms are moving their traditional data centers (which were traditionally hosted either internally or with a specialist external provider) into the Cloud. This has been driven by cost savings, greater reliability, access to perceived unlimited data storage, access to perceived unlimited processing power, and the removal of the overheads of running a data center (covering upgrades, back-ups, and disaster recovery).

Lots of Suppliers and Service Providers Using Cloud Computing

Secondly, many firms are being forced to use Cloud computing because many of their providers and suppliers are moving their technology onto the Cloud. For example, various trading platforms and software vendors are moving their deployment onto the Cloud and providing a common set of APIs for passing trades into the system and for requesting data extracts from the system.

Challenges of Implementing and Using Cloud Computing

Have a Clear Business Reason to Implement Cloud Computing

As with a large number of the technologies covered in this book, there are many stories of firms implementing new technology for the sake of the technology as opposed to implementing technology to meet some type of business or strategic need. Therefore (like any big change), before embarking on any Cloud Computing implementation, a firm must have a clear business reason to implement the technology. Please refer to Appendix B for a list of the areas to be investigated when completing a Business Case.

Think About the End State Before Starting Any Expensive Work

Before embarking on the actual implementation, it is important to remember that implementing Cloud Computing is a challenging activity that will require a large amount of pre-planning. A firm will need to have some sort of clear vision of how their technology infrastructure will look once the implementation has been completed.

The following key points need careful thought:

How will the firm’s technology infrastructure look once the project has been implemented? For example, what applications will move to the Cloud, what service model will be used and what deployment model will be employed (see above)?

Once the list of applications to migrate has been agreed, it is important to confirm that the applications can run on the Cloud. For example, the Cloud deployed could have different operating system or database versions, or have network delays, which could cause issues with the applications’ running.

Also, if any of the selected applications are supported by an external vendor then it is important to study any software licensing or support contract to ensure that the application is allowed to run in the Cloud. Some software vendors are not always keen on their applications running in the Cloud because they are worried that their software, source code, and/or intellectual property will be stolen. It is not uncommon for software vendors to request further legal assurances before allowing firms to run their applications in the Cloud.

It is extremely unlikely that a firm will be able to move all its applications into the Cloud, which means proactive thought is required regarding what happens to the applications that are not or cannot be moved to the Cloud. These will need to be hosted either by the firm themselves or by an external data center provider. Thought will also need to be given to how these applications integrate with the applications moved to the Cloud and how Disaster Recovery could be run across the full range of applications.

It is not uncommon for firms to have more than one Cloud provider, Cloud service model, or Cloud deployment model (especially if the firm consists of several acquisitions). Therefore, any integrations between them must be carefully thought about.

Robust connectivity will be required between the firms’ offices, the Cloud(s), and other data centers because if connectivity is lost then the firms will lose immediate access to all their applications. Sufficient backup communications lines will need to be in place and tested regularly.

Choose Your Cloud Provider(s) With Care

As the Cloud will support some (if not most) critical applications then a large amount of care and attention must be taken when selecting the preferred provider (or providers). Similar to many technology providers, the Cloud provider(s) will become a key strategic supplier.

Appendix A provides a list of the activities and areas to be covered when selecting a supplier.

Understand Where Your Data Is Being Held

One of the key benefits of the Cloud is that a firm will “hand over” its data and the issues associated with managing it to a supplier who will then store this data on a large robust infrastructure which is spread across many locations (for resilience and strength). However, while having data spread around the world solves the problem of resilience, it creates material issues in ensuring firms comply with location data regulation.

Most jurisdictions will have their local or national data protection laws. For example, both the European Union (EU) and the United Kingdom (UK) have implemented the General Data Protection Regulation (GDPR). The State of California in the United States has its California Consumer Privacy Act (CCPA). Japan has its Act on the Protection of Personal Information (APPI).

Therefore, when using a Cloud solution, firms must understand and comply with these regulations. This means that the firm will need to ensure that the Cloud Provider(s) employed can comply with these regulations, which will add more complexity, risk, and cost.

Security of the Firm’s Data in the Cloud

The Cloud Provider will be holding a firm’s data which means there will need to be sufficient and robust security measures in place. This will need to cover the following areas:

Segregation of data between a Cloud provider’s different customers. A firm would not want their data to be merged or accidentally contaminated with other users’ data. Therefore, controls and processes need to be in place to ensure the data is not accidentally shared with other Cloud users.

Sufficient encryption on the data held within the Cloud. Therefore, if the data were stolen or accidentally sent out then it would take a long time for the hacker to decipher it.

Sufficient encryption on the communication links between the Cloud provider, the firm’s offices, other Cloud Providers, data centers, customers, suppliers, and so on. This will help ensure that if data is intercepted then it would take the hacker a very long time to decrypt it.

Password protection to stop unauthorized access. This access would need to cover access to the data as well as access to the processes that control the data. For example, password controls need to be in place to allow certain users to create records, other users to amend records, and further users to view the data.

Processes in place to immediately highlight, escalate, and address any security issues. This means that in the event of a problem, it is immediately trapped so its impact can be assessed straightaway and escalated appropriately.

Ongoing robust oversight and governance of security processes need to be in place to ensure that the above is in place and constantly reviewed and updated for completeness.

Ensure That There Is Sufficient Oversight and Governance in Place for Live Running

Like all critical processes and vendors a firm will need to ensure that there is suitable oversight and governance in place to monitor the process when it goes into live running. This is essential because any issues or problems will need to be “trapped” immediately so they can be escalated and managed appropriately.

The areas that need to be covered are as follows:

1. Ensuring that all service providers are providing the services that they have contracted and committed to on a day-to-day operational level.

This will cover the Cloud provider (or providers) but could also cover software vendors, network providers, running costs as well as any internal providers. This oversight can be provided by collecting regular performance metrics which can be combined into some sort of monthly report and overseen by a forum of relevant stakeholders. Any material issues or ongoing problems can be escalated and managed accordingly.

2. It would be advantageous to form some sort of senior management forum between the firms and the Cloud provider.

This would act as an escalation point for operational issues that need senior management support but it would also act as a long-term planning forum. The firm would make the Cloud provider aware of their long-term business plans (e.g., opening new offices or launching new products) so the provider can make necessary arrangements. Likewise, the Cloud provider would let the firm know about their plans (such as enhancements or new products) which may be interesting to the firm.

3. Thirdly, it will be necessary to conduct ongoing due diligence of the Cloud provider to ensure the provider is still fit-for-purpose.

The coverage of this due diligence will be wide. It will cover reviewing any operational issues that are impacting performance but will also cover many other areas such as technology, processes, people, management, governance, risk management, finances, cyber-security, the supplier’s suppliers plus any other relevant areas.

4. Finally, the firm will need to ensure they regularly test Business Continuity Planning (BCP) and Disaster Recovery (DR) arrangements to ensure they work and are fit-for-purpose.

This testing can be viewed from two different points of view. Firstly, the firm will want to perform their testing and this will require the Cloud provider to be involved. Secondly, the Cloud provider will want to perform their testing and will need the firm to be involved and possibly review and sign off the tests.

Ensuring the Firm Has Sufficiently Skilled Staff to Support Cloud Once the Project Completes

During the implementation of the Cloud migration, a dedicated project team will have been formed. This will have consisted of senior management to provide oversight and steer plus many “on the ground” people who would perform the developments, integrations, and so on required. This group of people would have been sourced from in-house staff, contractors, and possibly staff from the platform vendor. Once the project is completed then this project team will be disbanded.

Therefore, firms must develop the necessary skills to be able to support the migrated Cloud platform once the project closes because otherwise, they will be reliant on external contractors and platform vendor staff.

This means that senior management will need to be educated on understanding Cloud and its benefits at a general level.

Also, more junior staff will need to be trained on Cloud, the specific platform selected, the integration with the applications not on the Cloud, security implications, as well as any other changes made as part of the project. This training can be done by training existing staff but it may also be necessary to recruit new permanent staff with the required skillsets.

Migrate to the Cloud in a Safe and Risk-Free Manner

As previously mentioned, migrating applications to the Cloud is not an easy process. Therefore, a firm must employ a thoughtful and pragmatic approach to migrating applications across. This can be split into the four following phases:

Figure 12.1 Cloud computing migration approach

What Needs to Be Done?

Before any actual implementation or migration work is started or even any planning activity is in progress, firms must think deeply about what needs to be done to allow the firm to migrate from its current technology infrastructure to the future state defined (see above). This thinking can cover the following areas:

What technology issues need to be addressed?

For example, what applications are migrating?, what applications are not migrating?, are application changes required?, do any system integrations need enhancing?, what security issues need addressing?, where will the data be held on the Cloud?, what BCP/DR changes are needed? plus many other issues.

What legal issues need to be addressed?

For example, contracts will need to be put in place between the firm and the Cloud Provider(s) but there could also be legal issues around existing application providers, ensuring compliance with data protection laws, ensuring compliance with financial regulation laws, and possibly terminating existing arrangements if they are not required (such as terminating data centers).

Finally, it may be necessary to either inform or ask for consent to migrate clients to the Cloud. If so then this will need to be factored in.

Firms will need to build a capability to support Cloud computing.

While this is covered in more detail above (in “Ensuring the Firm Has Sufficiently Skilled Staff to Support Cloud Once the Project Completes”), firms will need to ensure they have sufficient skills and capabilities to support Cloud computing once the project is completed. Otherwise, firms will be very reliant on external contractors and suppliers.

Finally, firms will need to ensure they develop the required oversight and governance processes to monitor the Cloud computing environment once it goes live.

This is discussed in more detail earlier (under “Ensure That There Is Sufficient Oversight and Governance in Place for Live Running”) but it will cover ensuring the Cloud providers are providing the service that they have committed to, holding senior management forums to plan strategically, performing ongoing due diligence of Cloud providers, and ensuring BCP/DR tests are completed regularly.

Create a Phased Plan

Once the above list of “things that need to be done” is completed, these activities need to be sequenced into some sort of implementation plan.

Due to the complex and critical nature of migrating applications to the Cloud, it is strongly recommended that a phased approach is used for the migration. Using a “big bang” approach would be too risky for the firm. The earlier phases would focus on the less complex and less critical applications initially with all other applications being covered by later phases. It is not that uncommon for the first phase to only cover a single application and to be called a pilot migration.

The advantage of the phased approach is that it allows the firm to review progress at the end of each phase and make corrections for the next phase. For example, is the business case still valid?, were there unexpected technology issues?, were there any unforeseen legal issues?, is the firm still on track to develop its in-house capability to support Cloud computing?, does the sequence of application migrations need to be changed?, and so on.

Migrate or Execute the Plan

Once the phased plan has been designed, it can be implemented, although it could change if issues are found as part of the review points mentioned earlier.

Day-to-Day Running

Finally, once the migration is complete, the firm will move to a steady state with the above-developed governance and oversight processes.

People Are Nervous About Their Data Being Stored on the Cloud

Customers (and staff) may be nervous, unhappy, or uncomfortable with their personal and financial details being migrated to the Cloud. They may be worried about whether the data will be stolen, subpoenaed by foreign governments, or generally misused. Therefore, any client communication must be managed carefully.

Regulators Are Now Starting to Take a Real Interest in Cloud Computing

Unlike some of the other technologies covered in this book, financial regulators are now starting to take a real interest in Cloud computing. The reason for this is probably that Cloud computing is becoming more and more mainstream across firms. In particular, the UK regulator (Financial Conduct Authority) has issued a large amount of guidance which can be summarized as follows:

Legal and Regulatory Considerations: covering having a business case, ensuring the service is fit-for-purpose, ensuring regulatory compliance, and so on

Risk Management: covering ensuring the implementation is risk reviewed, all legal risks are understood, all operational risks are understood and processes are in place for monitoring, reporting, and escalating breaches

International Standards: Ensuring that if the supplier used is internationally based then they are compliant with all local regulations

Oversight of the Service Provider: Ensuring there is sufficient governance and oversight of the arrangements

Data Security: Ensuring data is protected and both the firm and supplier comply with the required regulations

Effective Access to data: Ensuring the firm can easily access their data

Access to business premises: Ensuring that the firm can access the physical offices of the Cloud Provider to meet management, see their operations, and perform audits

Change Management: Ensuring there are clear processes in place to make and test changes

Business Continuity: Ensuring there are tested and robust arrangements in place to cope with the loss of the service

Resolution: Ensuring there are arrangements in place to effectively manage any material or legal issues between a firm and the Cloud Provider

Exit Plan: Firms need to ensure that they can exit the arrangement with minimal disruption to the operation and regulatory obligations

Future Challenges

Table 12.1 Future challenges of cloud computing

Area

Details

Increased regulations

This area is being impacted adversely.

Financial regulators are now taking an interest in Cloud Computing and, in particular, the UK (the Financial Conduct Authority) has suggested guidance around the following areas: Legal/Regulatory Considerations, Risk Management, International Standards, Oversight of the Service Provider, Data Security, Effective Access to data, access to business premises, Change Management, Business Continuity, Resolution and Exit Planning.

Changing nature of clients

The impact on clients is generally positive.

Cloud computing should allow customer servicing to be improved and to be run cheaper which in turn should allow for clients to be charged lower fees.

However, there is a slight downside because some customers will be unhappy or uncomfortable with their personal and financial details being migrated to the Cloud. Therefore, any client communication must be managed carefully.

Evolution of products

The impact on products is positive because Cloud Computing allows products to be offered and serviced better and cheaper.

Lack of trust

No real impact although moving data onto Cloud creates nervousness with the customer because they could be worried about their data being stolen, subpoenaed by foreign governments, or generally misused.

Therefore, any client communication must be managed carefully.

Accurate data

The impact here is negative.

While the structure and content of data will not materially change, it will be stored externally on a Cloud which creates extra risks and demands around security and encryption.

Poor operating and technology models

The impact in these areas is typically negative.

While the theory of Cloud computing is that all data and applications are moved to the Cloud, this is rarely true. There are always some applications that cannot be moved to the Cloud (whether this is due to complexity, technology constraints, cost, or legal issues).

Therefore, a firm will always need to support applications across Clouds and other data centers. This creates complexity and risk around the operating model as well as areas such as application integrations, BCP/DR, change management, and ongoing support.

Profitability/Cost drivers

In the longer term, Cloud computing does reduce operating costs which will improve profitability. It will also move costs from a high fixed cost model covering data centers to a more variable cost that matches activity.

However, it is important to note that (a) Cloud computing is an expensive project to implement and will require a payback period, (b) there will be new overheads in terms of governance, oversight, and staffing to support it, and (c) there will also be the need, with an associated cost, to support applications that cannot be migrated to the Cloud.

Changing nature of the workforce

The impact here is neutral.

While there will be staff losses because “traditional” in-house or external data centers will be removed, there are staff development opportunities in learning about Cloud computing and associated areas.

New competition and replacements

This area is negative to existing firms but positive to newer firms.

Cloud computing does allow quicker and easier access to the industry because arrangements can be set up much quicker than the traditional data centers. This is good for new entrants but causes issues for existing firms.

Risk profile

This area is impacted negatively.

While Cloud Computing does reduce the cost and operational risks around running a traditional internal and external data center, it does create new risks around regulatory demands, increasing operating model complexity, security/cyber threats, and new market entrants.

Case Study

This case study relates to an Asset Manager who has a complex technology infrastructure with many different overlapping applications and multiple data centers (some in-house and others outsourced to vendors). This entire infrastructure was complex, costly to manage, and very challenging to make changes to.

Therefore, this firm looked to move their entire technology infrastructure into the Cloud. The perceived benefit was that it would make the technology infrastructure easier to operate, cheaper to manage, and much quicker and easier to change if required.

The firm completed a Cloud vendor selection process. This covered creating a list of possible suppliers, completing an assessment of each provider’s capabilities, selecting a preferred vendor, completing contract negotiations (with due diligence), and then building a migration plan. This migration plan was phased with the initial focus on migrating noncritical applications first to test how well the Cloud works and learn lessons from the migrations. The later stages of the plan contained more critical and complex business applications.

However, as soon as the project started, the firm hit material problems. Some of the applications that were due to be migrated had technical issues with working on a Cloud-based environment. Also, some of the external suppliers who developed and supported these applications were extremely unhappy and nervous about their software being migrated onto a Cloud. Therefore, they insisted on strict legal demands to be included in contracts to protect their intellectual property.

If the firm had performed proper up-front assessment then these issues would have been highlighted so the implementation plan would have taken them into account.

The result is that the project ground to a standstill and at the time of writing (Winter 2021) these material issues are still outstanding.

Summary

Cloud computing is now becoming more and more common across the Financial Services industry. Its increased usage has been triggered (a) by firms migrating their traditional internal and external data centers to the Cloud with associated cost savings and (b) by the services being used by firms (such as trading platforms) being migrated to the Cloud by their providers. (As discussed above, the usage of Cloud Computing is growing within Financial Services. According to IBM’s 2020 “Banking on open hybrid multicloud survey,” 91 percent of financial institutions are actively using cloud services today (or plan to in the next 9 months) which is double the figure from 2017.)

However, migrating to the Cloud is not an easy activity and care must be taken.

There are a variety of possible service models (such as IaaS, PaaS, SaaS, MBaaS, and FaaS) and deployment models (such as Private, Public, and Hybrid). Each of these has its own set of distinct advantages and disadvantages.

Therefore, firms need to have a clearly defined business case outlining the business benefits (linked to the strategy of the firm), the costs required to implement Cloud computing, the potential cost savings as well as what the end state will look like (bearing in mind that not all applications will be able to be moved onto the Cloud).

Firms will also need to carefully select their Cloud provider to ensure they provide the required functionality, they have suitable costs, their legal contracts are acceptable, and (because they will become a strategic supplier) there is a good cultural fit between the firm and the provider.

Detailed thought and planning are then required around what needs to be done to perform the migration. For example, applications to be moved, applications that cannot be moved, changes to applications, security implications, oversight for live running, ensuring there are sufficiently skilled people within the firm, legal implications, client trust issues, and regulatory demands.

Once this is completed then a phased implementation plan should be followed to migrate the applications across in a secure and risk-free manner with regular review points to allow lessons learned to be implemented.

Finally, once this is completed then the Cloud is fully live.
