Are you mixing with the wrong cloud?Understand how you can build the right cloud strategy for your financial services organisation

22

Now to the cloud Today, many organisations are being asked the question “when are you moving to the cloud?” But this is the wrong question to ask, as it treats the cloud as a kind of ubiquitous computing capability, a mythical utopia with unparalleled benefits located somewhere in the computing ether.

Instead, we need to see the cloud as a tool that can be hugely beneficial when deployed strategically alongside your existing computing assets. To some, ‘destination cloud’ is cheaper or more flexible or faster. But to others it presents specific and seemingly unbridgeable challenges, with security and compliance often top of the list of common obstacles to adoption.

The result is that many organisations err on the side of caution and avoid cloud computing as an official strategy as the risks are seen as being too high.

So what is the right question to ask? Security and compliance are always going to be important in financial services, but these must be tempered by other business needs, including cost, agility and new business opportunities.

Simply focusing on the obstacles can result in opportunities being missed. And if that sounds like a risky attitude to take when you’re dealing with millions of account details, it isn’t – it is just a matter of balancing the business context. To illustrate this, cast your mind back ten or so years.

Internet banking was a new, tentative and – for some people – dangerous business idea. Yet to others it was a new business opportunity that promised significant benefits.

Today it seems almost laughable to question if this was a worthwhile strategy, as the benefits have far outweighed the challenges, heralding a service that is now a must-have capability for almost all consumers and financial institutions.

Are you in the cloud? Or are you just making use of cloud technology? Understanding this subtle distinction could make the difference to how your financial services organisation approaches this disruptive technology.

3

requirements as they utilise cloud-enabled platforms in different locations with varying characteristics. From on-premises corporate data centres to private hosted data centres and public commodity-based services (such as Office 365) the variety of cloud models provides organisations with the choice and opportunity to take advantage of the different models in a way that works for them.

To understand this further, consider a set of simple definitions for the different flavours of cloud and enterprise computing:

Non-cloud on-premises what exists today for existing apps in your data centre. Typically delivered with little transparency in costs, or any burst expansion capability.

Private on-premises your own machines, on-site and only used by your organisation but delivered using cloud principles of on-demand and pay-as-you-use consumption.

Private off-premises third-party servers located off-site. Almost certainly managed by a third party. Delivered using cloud principles of on-demand and pay-as-you-use consumption, often for commodity services but dedicated to a single organisation.

Public off-premises the cloud as the public widely understands it. Run and managed by a third party on behalf of multiple organisations. Commodity-based, pay-as-you-consume.

One thing the above do not share is location – and this is key – as location allows organisations to exact more control over compliance and risk.

Looking at the cloud in a similar way, organisations need to consider the context for its adoption, and balance challenges against the benefits and opportunities. If this doesn’t happen then organisations will continue with the non-strategic adoption of cloud services.

The failure to do this is often driven by an immediate business need which bypasses strategy due to the perception that enterprise IT is more focused on managing cost, regulation, security and risk than supporting the business. This is a point underlined by the increasing adoption of software as a service by individual departments as way to ‘get around’ the perceived lack of agility in the traditional enterprise IT functions.

Given the above, perhaps the question should be: “is cloud technology (in its various incarnations) being exploited in a balanced way inside your organisation to realise benefits whilst minimising risk?”

Or put more simply “what types of cloud service make sense where?”

What is the cloud? Cloud computing can be described as:

A computing capability provided in a consumption model, on-demand and pay-as-you-use.

One thing you’ll notice is that this definition does not specify a location for where the data is stored – nowhere does it describe that cloud computing is ‘in the cloud’; out there in the computing no man’s land.

Accepting this definition allows the enterprise IT world to deliver business benefits balanced against enterprise

4

Until recently enterprise IT typically managed all enterprise and business applications from commodity systems, ranging from email to key business applications such as trading systems or corporate transactional websites. All of these systems, with the exception of a few outsourced services, were located in the same data centre, albeit with different sets of SLAs as determined by application type, and the vast majority managed by enterprise IT within the company firewall. In essence, organisations have been restricted to one way of doing things.

With the advent of the cloud computing model and associated technologies, enterprise IT departments now have the capability to adopt the right computing model for their organisation and the departments within it, all based on the enterprise’s needs. One size no longer fits all, as most organisations are looking to adopt all four cloud models to varying degrees. The key to selecting the ratio will be in understanding the enterprise landscape

Enterprise IT departments should define

a cloud categorisation strategy

and how the various models support the organisational requirements. Given the above, it is imperative that enterprise IT departments start to look at defining a

cloud categorisation strategy; assessing where applications can be deployed to generate the most benefit and least risk.

By doing this it is possible to take advantage of new cost models, greater flexibility (without compromising regulations),

and the reassurance of high-quality enterprise-grade security.

More specifically, organisations should start to consider the two ends of their application landscape: from differential apps to commodity, and develop a view on what fits where.

To bring this alive, consider email within a bank. The initial view might well be “it’s a commodity so put it in the cloud”. Others may say “we’re a bank, we can’t put data in the cloud”.

So what does this all mean for financial services IT?

So who is right? The answer is more complicated than you might think. From different points of view both opinions are equally as right as they are wrong.

For parts of the bank that are using email for external marketing, the public cloud might be the right option, but for risk and compliance and customer interaction it might well be that remote off-premises services will simply not support the current regulatory frameworks.

Until recently the choice has appeared to be binary, resulting in many organisations choosing to stay on-premises and adopting a highest common denominator approach; favouring compliance and reduced risk over cost and flexibility. Whether this is the right approach I will leave to you the reader to debate, but one thing is clear: the ‘cloud’ model is providing more and more opportunities to deliver a balanced approach.

Until recently, the choice has been binary

How Avanade can help Avanade is the leading business technology solutions and managed services provider, connecting insight, innovation and expertise in Microsoft technologies to help customers realize results.

Specific to the cloud, Avanade has the capability to help organisations deliver cloud strategy, deliver cloud-enabled applications both on-premises and in the commodity space, and finally to manage full commodity-based services including email, messaging, enterprise voice and collaboration, as well as specific offerings covering digital marketing.

Our strategy is to assist organisations in the development of cloud delivery models capable of supporting all stakeholder needs, from risk management, security and compliance through to business and IT. This is achieved through the combination of the various cloud deployment options, which when wrapped up with Avanade’s management and support layer delivers a fully managed service.

This model is illustrated by Avanade’s Communication and Collaboration Managed Service – a unique service that delivers a complete managed solution, across the Microsoft collaboration and communication platform. It is unique in the industry providing a range of services that can be delivered in a per-user cost model across a spectrum and mix of configurations from on-premises to hosted to cloud. As an example, consider a situation

where an organisation would like to deliver email and instant messaging via a managed service at the lowest price point, but a third of the users need secure email retention, to allow for auditing. The remaining two-thirds of users are internal and do not deal with customer issues.

Additionally, the organisation deals with a range of third parties who each need external access to collaboration sites. Finally, the whole organisation requires IM for collaboration, despite strict policies in place to ensure access to sensitive data is not shared via IM.

Whilst this may not be an everyday scenario, what it does illustrate is that different parts of the same organisation have very different needs.

In this instance Avanade has the ability to deploy and manage an on-premises mail solution based on Exchange, with integrated single sign-on and federation with Office 365. The service also offers on-premises managed SharePoint for internal collaboration linked to SharePoint in Office 365 all utilising Lync on Office 365.

From a user’s perspective these deployment differences are opaque, access is controlled by a federated Active Directory across public and on-premises cloud – all managed by Avanade to deliver proactive support. This model, when integrated with other cloud applications in both public and private deployments, can achieve significant benefits in terms of speed to market, flexibility and cost.

Fixed platform Based on overall enterprise architecture requirements delivering a single platform.

Hybrid deployment Providing choice and flexibility.

Public cloud

Private on-premises cloud

Non-cloud on-premisesCloud or local server solution Marketing

CRM data

Internal financial dataCustomer data

Internal financial data

Customer dataMarketing

CRM data

Cloud categorisation: Fixed or hybrid?

6

Clouded judgement Some organisations, particularly in the financial services sector, limit the use of public cloud due to concerns over the regulation and the rules surrounding data location, security and access – in addition to the fear of reputational risk if data is lost. While these concerns should not be ignored, it’s worth considering the regulations, implications and technology provision at a level that will enable informed decisions to be taken.

The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and associated regulations do not prohibit the use of cloud services. However, they do require organisations to take reasonable steps to avoid undue operational risk when entering into material outsourcing arrangements. Looking at this more carefully means that financial services firms need to categorise their estate; analysing their systems to allow them to make informed decisions and looking at their critical platforms carefully to understand what systems and data should be classified as critical.

This can be done using tools to scan content for critical information such as personal identifiable information (PII). By understanding the data, the implications and risks associated with it, along with the systems that process it, organisations will be better able to make decisions on what outsourced services are applicable.

When considering public cloud, we see the following three concerns:

Cloud concerns There is a climate of concern around public cloud services, but really there should be no more mis-givings than for any other new technology. So boiling it all down we can see the key to adoption is for organisations to understand their data, their systems and the risks and opportunities associated with the use of technology. Only then can an informed choice be made, and the cloud is no different in this respect to any other platform or technology.

1. Right to audit Any organisation needs to ensure that the supplier of the outsourced or cloud service is willing and able to work with regulators in an open and cooperative fashion. This is no different with cloud than it is with any other outsourced service. Specifically this relates to the ability to access and audit the provider’s business premises. The problem with this statement is the definition of ‘audit’ varies. For example, on one hand, it may mean a complete ‘drains up’ review of technology and services, which is costly. On the other hand, a third-party report may be suitable.

Either is possible for traditional on-premises data centres, but for cloud providers with many clients the costs can be prohibitive. As such some public cloud providers, including Microsoft, provide the right to examine their auditor’s reports rather than providing access directly to the physical locations.

This approach is sufficient for many auditors as public cloud providers are not seen as hosts -- the data centres are secure with only the provider capable of getting physical access to add, remove and maintain hardware or deploy software. Given this, we have seen regulators such as the FCA becoming more comfortable with the right to examine audit reports in the UK.

2. Security The second concern is security. Like any platform this is a key consideration and is no different with public clouds. As such we expect all cloud providers to give clear statements on their security procedures. In fact, many cloud providers have in place security mechanisms significantly more capable than traditional hosts or outsourcers, utilising biometric air-locked security with access limited to very few individuals. Yet despite the investment the concern remains.

As such, users need to again consider the data being stored, categorising risks associated against the opportunities, developing appropriate mechanisms to mitigate issues as they arise.

3. Data sovereignty The final major concern is data sovereignty. Where is my data and who can get access? Much of this worry is borne out of the US Patriot Act, which gives the US government access to data located within US geographical territory. While this is true, it is important to remember that many governments around the world already have these types of powers, irrespective of location or private, public or traditional data centres.

Safe Harbour agreements between the US and EU protect much of the data from unauthorized access and certainly many providers, including Microsoft, subscribe to this. But given the range of choice on offer from cloud service providers, organisations have a choice of where data and services are located to allow them to avoid some of these issues.

7

About AvanadeAvanade provides business technology solutions and managed services that connect insight, innovation and expertise in Microsoft® technologies to help customers realize results. Our people have helped thousands of organizations in all industries improve business agility, employee productivity and customer loyalty. Additional information can be found at www.avanade.com. ©2014 Avanade Inc. All rights reserved. The Avanade name and logo are registered trademarks in the US and other countries.

North America Seattle Phone +1 206 239 5600 America@avanade.com

South America Sao Paulo Phone +55 (11) 5188 3000 latinamerica@avanade.com

Africa Pretoria Phone +27 12 622 4400 SouthAfrica@avanade.com

Asia- Pacific Singapore Phone +65 6592 2133 AsiaPac@avanade.com

Europe London Phone +44 0 20 7025 1000 Europe@avanade.com

020 7025 1000 ukmarketing@avanade.com @AvanadeUK www.Avanade.com

Call, email or tweet us

Who we’ve worked with

Contact us todayAvanade has plenty of experience helping enterprises and financial services organisations plan and implement cloud strategies.

We’ve already helped financial services companies like Aviva, RSA and National Australia Bank make better use of their technology — we’d love you to join them.

020 7025 1000

ukmarketing@avanade.com

@AvanadeUK

www.Avanade.com

Where to find out moreTo take advantage and exploit these new models requires product knowledge, skilled resources, and experienced delivery, as well as infrastructure and services needed to provide a complete service.

Avanade has worked with many organisations to define and deliver cloud strategies. This includes on-premises management and deployment of bespoke cloud applications on the Microsoft Azure cloud platform and managed cloud services. Avanade has the skills and technology to define the cloud service model that’s right for you.