Reinventing the Wheel: Due Diligence Takes on Greater Importance in the Cloud

Nathan Boylan, Lord Abbett

As MacKay Shields' license with a vendor was expiring, IT head Anthony Vigilante figured it would be a good opportunity to upgrade to the vendor's software-as-a-service (SaaS) solution. The teams hopped on a conference call to hammer out some of the parameters. After a few questions, Vigilante asked about data security. The call got suddenly quiet. Right then, he knew that MacKay Shields would not be switching to SaaS, and its data would be staying safely tucked behind its own four walls.

For as long as it feels like it's been around, cloud for financial services is still a nascent field. Basic questions go routinely unanswered, or insufficiently answered. "There's a great lack of standards in that space," says Lord Abbett CTO Nathan Boylan, "and it almost seems like we're reinventing the wheel for each and every SaaS product that we use."

Without standards, due diligence takes on even greater importance. Boylan, Vigilante, and Financial Information Forum program director Arsalan Shahid gave some tips on how to pick the right cloud service provider at the Buy-Side Technology North American Summit last week.

First off, find out how new the provider is to the cloud, and to financial services. Is it just rebranding an old hosted service as cloud? Does it have multiple financial clients on board already? Does it understand the unique needs of the industry, especially surrounding data security?

Boylan asks questions about the level of security being provided in a multi-tenancy environment. Many vendors are providing single-tenancy options for businesses too apprehensive about multi-tenancy. He also uses questions about US Securities and Exchange Commission (SEC) Rule 17a-4, regarding data retention requirements, as a barometer of readiness. Some backup storage and archiving vendors have never heard of the SEC, he laughs, much less Rule 17a-4.

When dealing with an SQL database, Vigilante asks how the company handles service accounts on that database, who has admin rights, and how often the password is changed. He'll check on the number and location of datacenters and whether they have backup tapes. He makes a point of visiting the datacenters, to know the exact physical location where he can see and touch his data.

Reading the vendor literature is not enough. Having tangible contact with the data matters not only because it gives more confidence should that data need to be delivered upon, but also because different countries carry different territorial requirements about where it can be housed. Shahid pointed out that data is acted upon for longer periods these days, and vendors must be willing to keep it accessible.

Perhaps the most fundamental question to ask oneself (the vendor cannot give a good answer, for obvious reasons) is whether the vendor will still be in business tomorrow. "I think it's even more important when you're dealing with cloud services as opposed to a vendor where you can just change them," Vigilante says. "With cloud services it's not as easy to move on."

Shahid pointed to the new Amazon/Nasdaq joint cloud venture, FinQloud, as a new frontier in the space, and a different approach than NYSE Euronext's traditional mega-datacenter model. Now, he says, even established broker-dealers can save data in the cloud, which was not necessarily the case in the past.

"They're talking about this being a private virtual cloud because you're not going to have access via traditional internet," Shahid says. "You're going to have private lines, virtual private networks (VPNs). So how does that change the game? Do you still, if you're a major player, want to save that data internally? Or do you want to use Nasdaq's solution?"

Vigilante isn't ready to jump in yet. He's taking a wait-and-see approach. "Just because it's Nasdaq doesn't mean they'll automatically treat the data exactly the way I want it to be treated," he says. "But it definitely makes me feel more comfortable than going with another provider that's an unknown."

The Bottom Line
Although it feels like we've been talking about cloud experimentation for years, the field is still not mature when it comes to servicing financial firms. Some companies understand the security and data retention needs and others just pretend.

The only way to find out which is which is to ask a lot of questions. Even trusted providers like Nasdaq need to be given the third degree before a firm entrusts them with so much as the cafeteria menu data.
