Cloud providers yet to bend to banking regulations

 

Panel: Most international data centres still closed to inspection.

Most large-scale, ‘public’ cloud computing services do not currently comply with Australia’s banking regulations – but are likely to in the future, a financial services panel heard this week.

Three senior technologists who had worked at Telstra, Westpac, Perpetual, Standard Chartered, RailCorp and Resimac discussed their dealings with cloud providers at the BankTech summit in Sydney yesterday.

Stephen Smith, Perpetual’s senior architecture and governance manager, recalled considering “quite compelling [cloud computing] offerings”.

But those were “taken … off the table” due to providers’ non-compliance with the Australian Prudential Regulation Authority’s (APRA) outsourcing standard, APS 231 (pdf).

Under requirement 15 of APS 231, financial services organisations’ outsourcing agreements should include a clause “giving APRA access to [relevant] documentation … and the right to conduct on-site visits to the service provider” if necessary.

APRA’s advice resounded with comments made earlier at the conference by Westpac’s head of operational risk Matthew Woodrow, who said the bank was “not doing a lot in the [external] cloud space”.

“A cloud is not a good enough description of where data is,” he said, calling for more information about providers’ network and storage infrastructure.

“I don’t think you ever lose accountability regardless of your outsourcing model. There is a need for technology groups to understand their environment, regardless of where it is.”

Smith, who was Westpac’s chief architect between 2002 and 2006 before taking on a role at Perpetual, noted that providers’ willingness to share technical information about their data centres varied widely.

Perpetual’s implementation of a Salesforce.com customer relationship management (CRM) system last year has been its sole public cloud deployment to date, he told iTnews.

For transit technology company Vix ERG, outsourcers’ unwillingness to share technical details was a dealbreaker, CIO Pierre de Villecourt told the conference.

“It’s simple; move to somebody else who does provide that information,” he said.

De Villecourt noted that his previous employer, mortgage provider Resimac, was even more cautious about the cloud, highlighting concerns with cross-border laws and trust.

An April 2011 study of the security of cloud computing providers by the Ponemon Institute (pdf), found that a majority of providers surveyed did not view the security of their cloud services as a competitive advantage.

Conference attendees also raised concerns about availability and the likelihood of service outages.

Telstra CIO Patrick Eltridge, formerly head of strategy at the Standard Chartered Bank, argued that operators of large data centres were likely to be more technically competent than “amateurs doing it internally”.

However, both Eltridge and Smith noted that cloud vendors still had a way to go in building standards for information assurance and the management of workloads.

The panellists were largely supportive of APRA’s cloud computing guidance, noting that the regulator had to balance its concerns with the risk of being seen to be accountable for companies’ decisions.

“Providers will get use to the [APRA] requirements,” Smith mused. “I expect we’ll see [the non-compliance of cloud providers] change.”

Copyright © iTnews.com.au . All rights reserved.


Cloud providers yet to bend to banking regulations
 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 337

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  57%
 
No
  43%
TOTAL VOTES: 140

Vote