As the titular "notable" author of the group, I lead off with a few comments on how consumer financial services will flow out of cloud. The conventions of the cloud and upcoming user interfaces will allow a wide range of interactions between a bank and its customers, such as putting together an integrated investment plan for retirement through rich, intelligent interactions between the end user and the institution.
What I didn't say was that I lack real insight into financial services. I don't really know how cloud computing is going to impact the field. It could be much more disruptive than what I described. Furthermore, I'm not notable for anything other than having gotten a manuscript done at a time when a cloud computing happens to be gaining interest. My claim to notoriety is that I survived the process. Rob Davis, VP of security services and single sign-on integration at Bank of America, chimed in. Cloud computing was enticing for its potential economies of scale, but it required using "shared infrastructure. J.P. Morgan (a competitor) might be located on the same rack, the same portion of the network that Citigroup is using. We want to be sure we're not exposed to cross contamination," he said.
Decamp started to reach his stride and kept the discussion moving. "What do the regulatory bodies have to say about the prospect of financial services using the cloud?" he asked Doug Johnson, VP of risk management policy for the American Bankers Association.
"The Federal Financial Institutions Examination Council, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency have been watching cloud developments. Their most frequently cited opinion is, 'not ready for prime time,'" Johnson said. "It's not the cloud's fault," I interjected. "The cloud could be made as secure as any other computing environment, sometimes more so. But we haven't perfected the means." Not everybody in the room seemed to agree, so I proceeded to an example of what I thought the real problem was.
"If you're a financial services firm storing data in the cloud and some is lost, you can go to the nth degree in meeting the notification requirements of the state in which you're doing business. But unknown to you, your cloud supplier moved your data to a back up facility across the state line. Notification in the neighboring state is more stringent than the one you're geared up to meet. Now you're open to consumer complaints, attorney general investigations, even lawsuits." When I quit talking, I realized I hadn't done much to reassure the room that the cloud was ready for prime time.
Said the ABA's Johnson: "It's Tuesday morning. Do you know where your data is? You might not be able to influence your agreement with your cloud vendor enough to know where your data is...(or get a guarantee of location).
When it comes to privacy and notification of a breach, "There needs to be a national standard, not a state by state standard," he added.
Pavel Vaynshtok, workload automation consultant in the Data Operations unit of Citigroup (and president of the NYC Workload Automation User Group) said the problem was larger than that. "I encounter sovereign country regulations all the time. Some countries, such as Germany, don't let data be shared across their borders."
The panel agreed that there were obstacles to running workloads in a cloud data center that had nothing to do with technical security. They were regulatory and tied to international borders.
Said the BOA's Davis: "I'm inclined to think financial services, when it talks about the cloud, is talking about 'private cloud.' I can see how 20,000 servers can be converted into a private cloud. Call it inertia, but asset management, even internal furniture asset management, will all be inside, not in the public cloud."
Decamp decided it was time to obtain an additional "notable" point of view, so he asked what I thought of the prospects for the private cloud.
"I'm hearing a contradiction," I said. "Financial services want to do more with less, they want the economies of scale, but they want to do it in a private cloud." The real gains come, I claimed, when you combine use of public cloud infrastructure with your private data center to even out your peak loads.
Warming to the subject, I continued: "Amazon's EC2 can absorb your company's spikes because it constantly adds capacity ahead of demand, and Amazon is expert at getting a return on that capacity. It's started allowing customers to bid a price at which they want their jobs to run. It has workloads waiting in the wings for some slack period, say the middle of the night, when EC2 servers were underutilized. You can't do that inside your own data center." But BOA's Davis and Citigroup's Vaynshtok stuck to their guns.
"I think you need to know where the infrastructure you're using is. We're not going to put a large application out there on faith. Risk is a concern," said Davis.
Vaynshtok said: "I see thousands of computers idling all the time. There are inefficiencies in managing them. The number one issue is doing more with less and I can see how we could manage our servers more efficiently" as a private cloud, evening out internal spikes by distributing them across a pool of virtualized servers. His Citigroup unit works with 10,000 servers, enough to build out a private cloud, he asserted.
Decamp said that was an untested architecture compared to the tried and true enterprise data center with its carefully documented run book. Does there need to be a run book for private cloud operation, he asked the fifth panel member, Pinaki Roy.
Roy, managing director of Financial Services CIO Advisory of Pricewaterhouse Coopers, said an ITIL-status runbook and runbook automation were definitely needed and sure to come for the emerging private cloud.
I really enjoyed this panel, which took place May 19. I thought from start to finish it drew out a variety of points of view, with each member taking a stand and defending it. Those stances reflected the emerging state of cloud computing. My main takeaway was to rethink the possibilities of the private cloud, which Davis and Vaynshtok ably advocated.
Also, in case you're interested, look over a chapter of the book, Management Strategies for the Cloud Revolution.
Download the first issue of InformationWeek's Boardroom Journal, with our cover story on how to explain your plan for SaaS to the top brass in your company. Also in this issue: Five areas where SaaS can trip you up; what SaaS really delivers; and why HR departments must take extra care when using SaaS. Get it here. (Registration required.)