Nascent Cloud Security Drives Hybrid Strategies

"Standardization and things like compliance are very nebulous in the cloud environment right now, especially on the public cloud side," says Iran Hutchinson, product manager at integration software provider InterSystems, who participated in a recent panel discussion at the Waters Power event last week in Manhattan, hosted by sibling publication Waters. "Our customers prefer the private cloud providers because the clients have full control over their infrastructure and can perform SAS 70 audits."

Knowing where a data trail ends in terms of auditing and logging is a major concern, says panelist Vijay Luthra, head of infrastructure at Artio Global Investors. Such issues have led his firm to work with more SAS 70-compliant providers than public cloud providers. "Their service level agreements (SLAs) define where exactly the data is sitting and what type of data is sitting with them," he explains. "There is a lot more control and we have warmed up to SAS 70-compliant applications. We currently are using Salesforce.com and a service management platform called Service-now.com."

Panel moderator Tsvi Gal, general partner at Exigen Private Equity, asked whether it is fair to expect public cloud providers to open their doors to legions of third-party auditors.

"Anyone who wants to provide a cloud environment to a large Wall Street firm is going to have to understand that we are one of the most, if not the most, regulated industries on the planet," says Michael Ryan, senior architect and director at Bank of America Merrill Lynch (BAML). "Most of the providers get that."

To leverage the benefits of public cloud computing, firms need to adopt a hybrid approach of incorporating private as well as public infrastructure, according to Hutchinson. "The non-critical things tend to wind up on the cloud while the critical things are pulled in-house."

Before BAML moves into any hosted environment, everyone in the firm's enterprise information management, risk organization and legal department must know what data is going to be stored in the environment and who will have access to it at all times, says Ryan. "You need to have that arrangement up front with the provider," he adds.

The bank divides its data between proprietary data, which it uses to run the bank, and confidential data, such as client records. "The difference between the two is that if there is a breach of proprietary information, it is reported in the pages of technology publications. If it is a breach of confidential information, it winds up on the front page of The New York Times and The Wall Street Journal. We are not at the point where we will put confidential information on the cloud," says Ryan.

Although public clouds might not be ready to host mission-critical applications and data, the panelists agree that public clouds provide a good environment for grid computing and hosting of development environments.

"Development environments don't have the same regulatory requirements of a production environment," says Ryan. "It is simpler and cheaper to spin up a virtual environment in a matter of minutes, hours or days compared to procuring new hardware every time a new project comes along," he adds.

However, those savings aren't always guaranteed, adds Artio's Luthra. "We analyzed what would happen if we moved our development environment to an external cloud environment so that we could shut it down on Friday nights and bring it up Monday mornings. We found it was much cheaper for us to host it internally because we have certain internal IT capabilities, expertise and staff that makes it more cost effective to keep it internal."

Rob Daly
