Cloud providers yet to bend to banking regulations

 

Panel: Most international data centres still closed to inspection.

Most large-scale, ‘public’ cloud computing services do not currently comply with Australia’s banking regulations – but are likely to in the future, a financial services panel heard this week.

Three senior technologists who had worked at Telstra, Westpac, Perpetual, Standard Chartered, RailCorp and Resimac discussed their dealings with cloud providers at the BankTech summit in Sydney yesterday.

Stephen Smith, Perpetual’s senior architecture and governance manager, recalled considering “quite compelling [cloud computing] offerings”.

But those were “taken … off the table” due to providers’ non-compliance with the Australian Prudential Regulation Authority’s (APRA) outsourcing standard, APS 231 (pdf).

Under requirement 15 of APS 231, financial services organisations’ outsourcing agreements should include a clause “giving APRA access to [relevant] documentation … and the right to conduct on-site visits to the service provider” if necessary.

APRA’s advice resonated with comments made earlier at the conference by Westpac’s head of operational risk Matthew Woodrow, who said the bank was “not doing a lot in the [external] cloud space”.

“A cloud is not a good enough description of where data is,” he said, calling for more information about providers’ network and storage infrastructure.

“I don’t think you ever lose accountability regardless of your outsourcing model. There is a need for technology groups to understand their environment, regardless of where it is.”

Smith, who was Westpac’s chief architect between 2002 and 2006 before taking on a role at Perpetual, noted that providers’ willingness to share technical information about their data centres varied widely.

Perpetual’s implementation of a Salesforce.com customer relationship management (CRM) system last year has been its sole public cloud deployment to date, he told iTnews.

For transit technology company Vix ERG, outsourcers’ unwillingness to share technical details was a dealbreaker, CIO Pierre de Villecourt told the conference.

“It’s simple; move to somebody else who does provide that information,” he said.

De Villecourt noted that his previous employer, mortgage provider Resimac, was even more cautious about the cloud, highlighting concerns with cross-border laws and trust.

An April 2011 study of the security of cloud computing providers by the Ponemon Institute (pdf) found that a majority of providers surveyed did not view the security of their cloud services as a competitive advantage.

Conference attendees also raised concerns about availability and the likelihood of service outages.

Telstra CIO Patrick Eltridge, formerly head of strategy at the Standard Chartered Bank, argued that operators of large data centres were likely to be more technically competent than “amateurs doing it internally”.

However, both Eltridge and Smith noted that cloud vendors still had a way to go in building standards for information assurance and the management of workloads.

The panellists were largely supportive of APRA’s cloud computing guidance, noting that the regulator had to balance its concerns with the risk of being seen to be accountable for companies’ decisions.

“Providers will get used to the [APRA] requirements,” Smith mused. “I expect we’ll see [the non-compliance of cloud providers] change.”

Copyright © iTnews.com.au. All rights reserved.

