Are You Mixing with the Wrong Cloud?


Published on

Are you in the cloud? Or are you just making use of cloud technology? Understanding this subtle distinction could make the difference to how your financial services organisation approaches this disruptive technology.

Learn more at

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Are You Mixing with the Wrong Cloud?

  1. 1. Are you mixing with the wrong cloud? Understand how you can build the right cloud strategy for your financial services organisation
  2. 2. Are you in the cloud? Or are you just making use of cloud technology? Understanding this subtle distinction could make the difference to how your financial services organisation approaches this disruptive technology. Now to the cloud Today, many organisations are being asked the question “when are you moving to the cloud?” But this is the wrong question to ask, as it treats the cloud as a kind of ubiquitous computing capability, a mythical utopia with unparalleled benefits located somewhere in the computing ether. Instead, we need to see the cloud as a tool that can be hugely beneficial when deployed strategically alongside your existing computing assets. To some, ‘destination cloud’ is cheaper or more flexible or faster. But to others it presents specific and seemingly unbridgeable challenges, with security and compliance often top of the list of common obstacles to adoption. The result is that many organisations err on the side of caution and avoid cloud computing as an official strategy as the risks are seen as being too high. So what is the right question to ask? Security and compliance are always going to be important in financial services, but these must be tempered by other business needs, including cost, agility and new business opportunities. Simply focusing on the obstacles can result in opportunities being missed. And if that sounds like a risky attitude to take when you’re dealing with millions of account details, it isn’t – it is just a matter of balancing the business context. To illustrate this, cast your mind back ten or so years. Internet banking was a new, tentative and – for some people – dangerous business idea. Yet to others it was a new business opportunity that promised significant benefits. Today it seems almost laughable to question if this was a worthwhile strategy, as the benefits have far outweighed the challenges, heralding a service that is now a must-have capability for almost all consumers and financial institutions. 2
  3. 3. Looking at the cloud in a similar way, organisations need to consider the context for its adoption, and balance challenges against the benefits and opportunities. If this doesn’t happen then organisations will continue with the non-strategic adoption of cloud services. The failure to do this is often driven by an immediate business need which bypasses strategy due to the perception that enterprise IT is more focused on managing cost, regulation, security and risk than supporting the business. This is a point underlined by the increasing adoption of software as a service by individual departments as way to ‘get around’ the perceived lack of agility in the traditional enterprise IT functions. Given the above, perhaps the question should be: “is cloud technology (in its various incarnations) being exploited in a balanced way inside your organisation to realise benefits whilst minimising risk?” Or put more simply “what types of cloud service make sense where?” What is the cloud? Cloud computing can be described as: A computing capability provided in a consumption model, on-demand and pay-as-you-use. One thing you’ll notice is that this definition does not specify a location for where the data is stored – nowhere does it describe that cloud computing is ‘in the cloud’; out there in the computing no man’s land. Accepting this definition allows the enterprise IT world to deliver business benefits balanced against enterprise requirements as they utilise cloud-enabled platforms in different locations with varying characteristics. From on-premises corporate data centres to private hosted data centres and public commodity-based services (such as Office 365) the variety of cloud models provides organisations with the choice and opportunity to take advantage of the different models in a way that works for them. To understand this further, consider a set of simple definitions for the different flavours of cloud and enterprise computing: Non-cloud on-premises what exists today for existing apps in your data centre. Typically delivered with little transparency in costs, or any burst expansion capability. Private on-premises your own machines, on-site and only used by your organisation but delivered using cloud principles of on-demand and pay-as-you-use consumption. Private off-premises third-party servers located off-site. Almost certainly managed by a third party. Delivered using cloud principles of on-demand and pay-as-you-use consumption, often for commodity services but dedicated to a single organisation. Public off-premises the cloud as the public widely understands it. Run and managed by a third party on behalf of multiple organisations. Commodity-based, payas-you-consume. One thing the above do not share is location – and this is key – as location allows organisations to exact more control over compliance and risk. 3
  4. 4. So what does this all mean for financial services IT? and how the various models support the organisational Until recently enterprise IT typically managed all requirements. Given the above, it is imperative that enterprise and business applications from commodity enterprise IT departments start to look at defining a systems, ranging from email to key business applications cloud categorisation strategy; such as trading systems or assessing where applications can corporate transactional websites. be deployed to generate the most All of these systems, with the Enterprise IT departments benefit and least risk. exception of a few outsourced should define services, were located in the same By doing this it is possible to take a cloud categorisation data centre, albeit with different advantage of new cost models, strategy sets of SLAs as determined by greater flexibility (without application type, and the vast compromising regulations), majority managed by enterprise and the reassurance of high-quality enterprise-grade IT within the company firewall. In essence, organisations security. have been restricted to one way of doing things. More specifically, organisations should start to consider With the advent of the cloud computing model and the two ends of their application landscape: from associated technologies, enterprise IT departments now differential apps to commodity, and develop a view on have the capability to adopt the right computing model what fits where. for their organisation and the departments within it, all To bring this alive, consider email within a bank. The based on the enterprise’s needs. One size no longer fits initial view might well be “it’s a commodity so put it in all, as most organisations are looking to adopt all four the cloud”. Others may say “we’re a bank, we can’t put cloud models to varying degrees. The key to selecting the data in the cloud”. ratio will be in understanding the enterprise landscape So who is right? The answer is more complicated than you might think. From different points of view both opinions are equally as right as they are wrong. For parts of the bank that are using email for external marketing, the public cloud might be the right option, but for risk and compliance and customer interaction it might well be that remote off-premises services will simply not support the current regulatory frameworks. Until recently, the choice has been binary Until recently the choice has appeared to be binary, resulting in many organisations choosing to stay onpremises and adopting a highest common denominator approach; favouring compliance and reduced risk over cost and flexibility. Whether this is the right approach I will leave to you the reader to debate, but one thing is clear: the ‘cloud’ model is providing more and more opportunities to deliver a balanced approach. 4
  5. 5. Cloud categorisation: Fixed or hybrid? Hybrid deployment Fixed platform Based on overall enterprise architecture requirements delivering a single platform. Providing choice and flexibility. Public cloud Cloud or local server solution Marketing CRM data Marketing Non-cloud on-premises Customer data CRM data Internal financial data How Avanade can help Avanade is the leading business technology solutions and managed services provider, connecting insight, innovation and expertise in Microsoft technologies to help customers realize results. Specific to the cloud, Avanade has the capability to help organisations deliver cloud strategy, deliver cloudenabled applications both on-premises and in the commodity space, and finally to manage full commoditybased services including email, messaging, enterprise voice and collaboration, as well as specific offerings covering digital marketing. Our strategy is to assist organisations in the development of cloud delivery models capable of supporting all stakeholder needs, from risk management, security and compliance through to business and IT. This is achieved through the combination of the various cloud deployment options, which when wrapped up with Avanade’s management and support layer delivers a fully managed service. This model is illustrated by Avanade’s Communication and Collaboration Managed Service – a unique service that delivers a complete managed solution, across the Microsoft collaboration and communication platform. It is unique in the industry providing a range of services that can be delivered in a per-user cost model across a spectrum and mix of configurations from on-premises to hosted to cloud. As an example, consider a situation Private on-premises cloud Customer data Internal financial data where an organisation would like to deliver email and instant messaging via a managed service at the lowest price point, but a third of the users need secure email retention, to allow for auditing. The remaining two-thirds of users are internal and do not deal with customer issues. Additionally, the organisation deals with a range of third parties who each need external access to collaboration sites. Finally, the whole organisation requires IM for collaboration, despite strict policies in place to ensure access to sensitive data is not shared via IM. Whilst this may not be an everyday scenario, what it does illustrate is that different parts of the same organisation have very different needs. In this instance Avanade has the ability to deploy and manage an on-premises mail solution based on Exchange, with integrated single sign-on and federation with Office 365. The service also offers on-premises managed SharePoint for internal collaboration linked to SharePoint in Office 365 all utilising Lync on Office 365. From a user’s perspective these deployment differences are opaque, access is controlled by a federated Active Directory across public and on-premises cloud – all managed by Avanade to deliver proactive support. This model, when integrated with other cloud applications in both public and private deployments, can achieve significant benefits in terms of speed to market, flexibility and cost.
  6. 6. Clouded judgement Some organisations, particularly in the financial services sector, limit the use of public cloud due to concerns over the regulation and the rules surrounding data location, security and access – in addition to the fear of reputational risk if data is lost. While these concerns should not be ignored, it’s worth considering the regulations, implications and technology provision at a level that will enable informed decisions to be taken. The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and associated regulations do not prohibit the use of cloud services. However, they do require organisations to take reasonable steps to avoid undue operational risk when entering into material outsourcing arrangements. Looking at this more carefully means that financial services firms need to categorise their estate; analysing their systems to allow them to make informed decisions and looking at their critical platforms carefully to understand what systems and data should be classified as critical. This can be done using tools to scan content for critical information such as personal identifiable information (PII). By understanding the data, the implications and risks associated with it, along with the systems that process it, organisations will be better able to make decisions on what outsourced services are applicable. When considering public cloud, we see the following three concerns: 1. Right to audit Any organisation needs to ensure that the supplier of the outsourced or cloud service is willing and able to work with regulators in an open and cooperative fashion. This is no different with cloud than it is with any other outsourced service. Specifically this relates to the ability to access and audit the provider’s business premises. The problem with this statement is the definition of ‘audit’ varies. For example, on one hand, it may mean a complete ‘drains up’ review of technology and services, which is costly. On the other hand, a third-party report may be suitable. Either is possible for traditional on-premises data centres, but for cloud providers with many clients the costs can be prohibitive. As such some public cloud providers, including Microsoft, provide the right to examine their auditor’s reports rather than providing access directly to the physical locations. This approach is sufficient for many auditors as public cloud providers are not seen as hosts -- the data centres are secure with only the provider capable of getting physical access to add, remove and maintain hardware or deploy software. Given this, we have seen regulators such as the FCA becoming more comfortable with the right to examine audit reports in the UK. 2. Security The second concern is security. Like any platform this is a key consideration and is no different with public clouds. As such we expect all cloud providers to give clear statements on their security procedures. In fact, many cloud providers have in place security mechanisms significantly more capable than traditional hosts or outsourcers, utilising biometric air-locked security with access limited to very few individuals. Yet despite the investment the concern remains. As such, users need to again consider the data being stored, categorising risks associated against the opportunities, developing appropriate mechanisms to mitigate issues as they arise. 3. Data sovereignty Cloud concerns There is a climate of concern around public cloud services, but really there should be no more mis-givings than for any other new technology. So boiling it all down we can see the key to adoption is for organisations to understand their data, their systems and the risks and opportunities associated with the use of technology. Only then can an informed choice be made, and the cloud is no different in this respect to any other platform or technology. The final major concern is data sovereignty. Where is my data and who can get access? Much of this worry is borne out of the US Patriot Act, which gives the US government access to data located within US geographical territory. While this is true, it is important to remember that many governments around the world already have these types of powers, irrespective of location or private, public or traditional data centres. Safe Harbour agreements between the US and EU protect much of the data from unauthorized access and certainly many providers, including Microsoft, subscribe to this. But given the range of choice on offer from cloud service providers, organisations have a choice of where data and services are located to allow them to avoid some of these issues. 6
  7. 7. Where to find out more Contact us today To take advantage and exploit these new models requires product knowledge, skilled resources, and experienced delivery, as well as infrastructure and services needed to provide a complete service. Avanade has plenty of experience helping enterprises and financial services organisations plan and implement cloud strategies. Avanade has worked with many organisations to define and deliver cloud strategies. This includes on-premises management and deployment of bespoke cloud applications on the Microsoft Azure cloud platform and managed cloud services. Avanade has the skills and technology to define the cloud service model that’s right for you. We’ve already helped financial services companies like Aviva, RSA and National Australia Bank make better use of their technology — we’d love you to join them. 020 7025 1000 @AvanadeUK Who we’ve worked with Call, email or tweet us 020 7025 1000 About Avanade Avanade provides business technology solutions and managed services that connect insight, innovation and expertise in Microsoft® technologies to help customers realize results. Our people have helped thousands of organizations in all industries improve business agility, employee productivity and customer loyalty. Additional information can be found at ©2014 Avanade Inc. All rights reserved. The Avanade name and logo are registered trademarks in the US and other countries. @AvanadeUK North America Seattle Phone +1 206 239 5600 Asia- Pacific Singapore Phone +65 6592 2133 South America Sao Paulo Phone +55 (11) 5188 3000 Europe London Phone +44 0 20 7025 1000 Africa Pretoria Phone +27 12 622 4400 7