Like any new tool, cloud computing promises vast utility and savings-and casts almost as much uncertainty.
BTN polled a group of technology, analysts and financial pros on what they think banks should ask themselves and cloud providers before taking the plunge. The following checklist is based on their answers:
Is it safe?
The future adoption of cloud computing is dependent on bank confidence in systems and data security, as well as user authentication. Since cloud computing involves sharing of some functions and information, it raises obvious questions about how data in the cloud can be secured, as well how user IDs are vetted. Cloud experts say banks should look for specific data protection measures and user verification strategies.
"People need to be talking about the tradeoff between security and services," says Jim Van Dyke, founder of Javelin Strategy & Research, who suggests the growth of cloud computing could play a role in the renewed debate over federated identity, or the use of authentication process shared across multiple IT systems or organizations.
Safety also plays a role in one of the most basic choices banks have when considering cloud computing, that of whether to use a private cloud or a public cloud. "As you move from the more public clouds to private clouds, the cost structure gets higher, and you want to weigh the costs versus the security," says Bernard Golden, CEO of HyperStratus, a consultant that helps firms create a comprehensive cloud strategy.
How do get what I need?
"You need to understand how quality is going to be managed," says Ravi Balwada, svp for staff operations at Dorado. While cloud computing promises myriad efficiencies, it can also raise worries over maintenance, capacity and individualized access to service providers. Experts suggest agreements that spell out reliability and accountability.
"How do I get [a provider's] attention in a multi-tenant environment? Cloud computing pays off when [a provider] gets a lot of clients, but how does [a bank] get attention?" asks Ellen Carney, a senior analyst at Forrester Research.
Joe Larizza, chief administrator of Fieldpoint Private Bank, which recently placed some CRM functions in the cloud, says it's also important to make maintenance part of the deployment. "My goal is to not just get rid of software and hardware expense, but maintenance too."
What if it does break?
Breakdowns are inevitable, and John Blakeney, evp and CIO of Commerce Bank in Missouri, says it's important to ask about disaster recovery and business continuity, and how data is going to be retrieved in such an event. "There's a number of cloud computing vendors in the storage arena," he says, noting many of the storage facilities reside outside the United States. "When you ask where is my data going to be stored, and they say 'somewhere in the complex' that can be anywhere. And the [storage and archiving] regulations are different in different places.
What are the limitations?
There are still things cloud computing literally cannot do, requiring IT teams to figure out how non-cloud and cloud functions interact with each other. Cloud computing can't accomplish PCI compliance yet, for example, forcing banks to integrate a cloud solution that manages general marketing information on payments products with transactional payment capabilities that require PCI compliance. Andy Schroepfer, vp of enterprise strategy for Rackspace, a firm that offers cloud hosting and virtualization, says that a "hybrid" structure is available that "splits" consumer traffic in a payments platform, so banks don't need two different code bases for its cloud and "non-cloud PCI payment" functions.
What goes in the cloud first?
There are a number of areas in which most banks can enjoy short-term benefits of cloud computing with minimal security and compliance concerns, particularly through the identification of servers and processes in which utilization volume is highly variable. Ric Telford, vp of cloud solutions for IBM, says costs can be saved through using the cloud for development work and testing. Virtualizing desktop work stations is also a candidate. "There's a standard set of applications that don't require special security and don't have data that follows a compliance path. And there's a spike in terms of when it's used. It's a waste to buy fixed assets for those purposes," says Rackspace's Schroepfer.