Are banks ready for the cloud?


Presentation by Kemp Little to the Financial Services Club, 28th November 2013

  • Cost savings of Public v Private Cloud
  • SYSC 8.1.8 06/05/2009 A common platform firm must in particular take the necessary steps to ensure that the following conditions are satisfied:
    (1) the service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
    (2) the service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;
    (3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
    (4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
    (5) the firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing, and must supervise those functions and manage those risks;
    (6) the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
    (7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
    (8) the service provider must co-operate with the FSA and any other relevant competent authority in connection with the outsourced activities;
    (9) the firm, its auditors, the FSA and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the FSA and any other relevant competent authority must be able to exercise those rights of access;
    (10) the service provider must protect any confidential information relating to the firm and its clients;
    (11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.
    [Note: article 14(2) second paragraph of the MiFID implementing Directive]
  • EU Strategy: The Commission decided on 27th Sept that they wanted to “Unleash the potential of cloud computing in Europe”. EU justice commissioner Viviane Reding said: "Europe needs to think big. The cloud strategy will enhance trust in innovative computing solutions and boost a competitive digital single market where Europeans feel safe. That means a swift adoption of the new data protection framework, which the EC proposed earlier this year, and the development of safe and fair contract terms and conditions." The chat about model contract terms in the strategy paper being particularly interesting… Plans for commission to develop these model terms by end of 2013. However: any model terms would have to interact with proposed Regulation on Common European Sales Law (which it seems every member state opposes) which deals with: “data which are produced and supplied in digital form, whether or not according to the buyer's specifications, including video, audio, picture or written digital content, digital games, software and digital content which makes it possible to personalise existing hardware or software” (digital content) which can be stored, processed or accessed, and re-used by the user but excludes “electronic communications services and networks, and associated facilities and services” as well as “the creation of new digital content and the amendment of existing digital content”. Industry may develop competing set of terms to increase their input.

Transcript

  • 1. Are Banks ready for the Cloud? Paul Hinton PAUL.HINTON@KEMPLITTLE.COM +44 (0)20 7710 1623
  • 2. “Prediction is very difficult, especially about the future…” [Timeline slide; layers: hardware, software, services]
    Eras: Mid ‘60s to early ‘80s: IBM heyday; ‘80s: rise of the PC; ‘90s to mid-00’s: Wintel heyday; Mid ‘00s onwards: Google heyday
    Services: Utility Computing; The rise of service based computing; Cloud Computing; SaaS; ASP; internet adoption; Outsourcing; ITO; BPO; LPO, etc
    Events:
    - 1940s: Adoption of programmable computer
    - 1957: IBM introduces FORTRAN programming language
    - 1964: IBM introduces System 360 computer family
    - 1969: the software industry is born as IBM unbundles hardware & software
    - 1970: UNIX released by AT&T
    - 1971: Intel 4004 – the first microprocessor developed
    - 1981: Microsoft develops MS-DOS
    - 1981: IBM launches PC
    - 1984: Apple Mac launched
    - 1985: open source FSF set up
    - 1990: Microsoft launches Windows 3.0
    - ‘90s: rise of laptops
    - 1993: Linux
    - 1995: Netscape IPO; Bill Gates’ ‘Internet tidal wave’ memo
    - 2000s onwards: broadband replaces dial up internet
    - ‘00s: rise of PDAs
    - 2001: .com bust
    - 2004: Google, salesforce.com IPOs; ‘web 2.0’ coined
    - mid ‘00s onwards: open source (OSS) in the mainstream
    - 2007: IPO of hypervisor developer VMware
    - 2008: Google Chrome, Microsoft Windows ‘in the Cloud’ (Azure) launched
    - 2010s: ‘anytime anywhere’ devices (Smartphones, iPad, etc)
  • 3. Types of Cloud (spectrum from Closed Private to Open Public): Custom Private Cloud, Managed Private Cloud, Community Private Cloud, Virtual Private Cloud, Public Cloud [diagram labels: Company A, Company B, Provider X, User Z]
    - Owner: Company, Provider, Provider, Provider
    - Operator: Company, Provider, Provider, Provider, Provider
    - Service Access: Closed, Closed, Closed, Limited group, Open
    - Level of Control: Full, High, High, Low, None
    - Security/Location: As selected by Company; As selected by Company; As selected by Company; As described by Provider; As described by Provider
    - Legal Terms: Company Bespoke Bespoke; Negotiable but clear impact on price changes; Limited outside of standard agreed terms; Standard terms only – non-negotiable
  • 4. Cost savings of Public v Private Cloud
  • 5. What are you using the cloud for? [Diagram: Custom Private Cloud, Managed Private Cloud, Virtual Private Cloud, Community Private Cloud, Public Cloud; labels: Company A, Provider X, User Z]
    - Trading, Customer, sensitive, regulated, valuable, time-critical data
    - Lower value, unregulated, not time critical data
  • 6. SYSC Rule 8 Material Outsourcing PRA/FCA Control
    - (2) establish methods for assessing the standard of performance of the service provider;
    - (3) supervise and adequately manage the risks associated with the outsourcing;
    - (5) the firm must retain the expertise to supervise the outsourced functions and to manage the risks associated with the outsourcing, and must supervise those functions and manage those risks;
    - (7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
    - (8) the service provider must co-operate with the relevant competent authority in connection with the outsourced activities;
    - (9) the firm, its auditors, the relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and must be able to exercise those rights of access;
    - (10) the service provider must protect any confidential information relating to the firm and its clients;
    - (11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.
  • 7. Cloud Risks
    - Potential loss of control – retain sufficient control over critical data and services
    - Availability and access to Data – what if the internet is down? Normally a customer risk
    - Data Security - Adequate security measures in place and can you monitor them?
    - Data location
      – Data Protection – tougher regulation 2015
      – Keeping track of exact location of Data
      – Customer consent?
    - Global law, tax and regulation
    - Auditing
      – Both rights for customer and Regulator
      – Distinction between effective access to data and premises?
    - Exit - Can you and if so how quickly/safely to ensure certainty of service and data transfer
  • 8. FS Enabled Cloud: Cloud management standards: vApp, vCloud, Nimbus, Open Cloud Standards Incubator, OVF
  • 9. FS Enabled Cloud
    - Increasing awareness and sophistication of banks in utilising cloud
    - Software tools to increase control over data and security of data in cloud
    - Cloud providers offering:
      – Services
      – higher levels of control: security, audit, geographic control and availability designed to meet bank requirements
  • 10. Transitioning to the Cloud JIM ODELL JIM.ODELL@KEMPLITTLE.COM +44 (0)20 7710 1607
  • 11. Mastering a hybrid IT environment: High performance companies are adopting mixed cloud and traditional IT systems much more quickly than their lower performing competitors. Accenture survey “High Performance IT Research November 2013”
  • 12. Transitioning to and from the cloud: Just another form of outsourcing? Outsourcing procurement rule number one: Never outsource unresolved problems. Cloud is just another outsourced managed service:
    - In a private cloud or managed service, the infrastructure may be shared, and the resources can live anywhere, but process and storage resources are dedicated to your needs.
    - In a public cloud structure, you don't really know where your services are, or who is managing it. You buy access to resource or an application, normally on a pay as you use basis.
  • 13. Transitioning to and from the cloud
    - Standards - Make sure that you understand the data protection, ETSI, TOSCA and other standards that you need to consider.
    - Intellectual Property - Cloud services also have unique third party IP, audit and data usage issues which may well require re-evaluation of existing software agreements
  • 14. Transitioning to and from the cloud: Rule number two: Retain the ability to manage your supplier and your resources. Supplier Management Issues:
    - Make sure your IT team have a strong grasp of the supplier and his support organisation
    - Ensure the users and their leadership enjoy the same service levels delivered by in house applications or resources
    - Ensure your supplier understands the security, data access and portability, IP, risk and regulatory issues that are specific to you
  • 15. Transitioning to and from the cloud: Rule number three: Review and manage your data before transitioning to cloud
    - Big Data – keep what’s needed, delete the rest
    - Big Data Storage is low cost, but big data can mean big storage bills.
    - Retain control over data in cloud to ensure not storing unnecessary things for ever (Cost + DP compliance + risk!)
      – Data Categories
        - Some data can go in public cloud
        - Some can only go into private cloud
        - Some can never leave the building
  • 16. Transitioning to and from the cloud: Rule Number four: For good or bad, plan for exit: Post negotiation, make sure that you have a detailed transition support plan. Identify and address key risks around porting of services to your supplier. And:
    - Monitor your suppliers’ ability to meet clear exit arrangements should this be needed and make sure that you exercise that plan on a regular basis. Make sure that your IT and user departments (and their leadership) understand the implications of change
  • 17. Mastering a hybrid IT environment: High performance companies are adopting mixed cloud and traditional IT systems much more quickly than their lower performing competitors. Accenture survey “High Performance IT Research November 2013”