Analysis: Grey clouds hang over Australia's finance sector

Australia's finance industry is struggling to adopt public cloud computing, governed by a conservative regulator that judges every offshoring deal on a "case by case" basis.

The industry - watched over by the Australian Prudential Regulatory Authority (APRA) - is among those most keen to drive down IT costs using cloud models, under which computing resources are outsourced in an on-demand, pay-per-use model.

Among the industry's biggest cloud advocates is Michael Harte, CIO at the Commonwealth Bank, who predicts he could save his organisation up to 80 percent of its IT costs if purchased in an elastic, on-demand fashion.

"For too long infrastructure, software and some service providers have had the upper hand of lock-in, term deals, high pricing and underperformance," Harte told The Australian late last year.

"The traditional licensing business model is worn out and somewhat broken in the new cloud context.

"We can use our market-making presence to get services that are standardised, openly contestable and paid for on a unit price and per-unit consumption basis."

But to date, Harte and his peers have had little joy moving to this new model. The reality of cloud computing - as it stands today - is that the only players able to offer truly elastic cloud computing of a scale suited to the finance or Government sectors are hosting servers, storage and software in the United States or Singapore.

Australia's largest organisations - especially in Government and the finance sector - face regulatory difficulties when attempting to host applications and data hosted overseas.

Bruce McCabe, research analyst at KPMG said that among large organisations surveyed for his research, "every large ASX100 company struggles with the regulatory aspects of cloud computing."

The finance sector, he said, is "the most sensitive" to the issue.

First, organisations are worried about Australian law, such as PCI compliance for the storage of credit card information, or adherence to the National Privacy Principles, which requires an organisation's management to be accountable for where customer data is residing.

In the cloud, data can be shifted from virtual machine to virtual machine or even across data centres. CIOs would struggle to be able to vouch for exactly where a given file resides under such a model.

Domestic regulations aside, McCabe says organisations are just as concerned about the local regulations of any country where data resides under a cloud outsourcing agreement.

"CIOs are just as concerned about things like the [United States] Patriot Act," McCabe said. "The U.S. Government could access this data at any time and plenty of other countries have similar regulations.

"It's challenging as hell."

Subsequently, while Westpac, ANZ and the Commonwealth Bank have both looked at proof of concept trials for cloud computing technologies, none of the large finance sector organisations have taken to the public cloud model.

Bruce White, chief information officer at the Greater Building Society said commodity items like email or CRM "could certainly be put into the cloud and it would operate quite well."

But data sovereignty and security issues are holding him back.

"Certainly, in my position, I'm not able to put anything into the cloud at this stage."

Regulation

There are no explicit regulations preventing a financial services organisation from having its applications or customer data hosted by a third party data centre, regardless of international borders.

But APRA has published a series of guidelines as to the management of risk in any outsourcing agreement (see APS 231 [PDF], GPS231 [PDF], LPS 231 [PDF], PPG231 [PDF] and PPG 234 [PDF] for further reading) which renders the use of public clouds extremely difficult.

Broadly speaking, APRA asks that deposit-taking institutions (banks and other financial organisations) have a board-approved policy on outsourcing, and a risk management framework in place that includes provisions for country, compliance, contractual, access and counterparty risks.

If an organisation outsources to a local provider, it needs to notify APRA of a new outsourcing agreement within 20 business days. But if it wishes to outsource to a data centre hosted offshore, it must notify APRA first to "demonstrate" to the regulator that appropriate risk management procedures are in place.

The financial company must also include a clause in its service agreement with an outsourced provider that allows APRA access to the third party - a difficult barrier if a company is hosting data offshore or can't verify which data centre a particular data set is hosted in.

While fairly prescriptive, these guidelines leave the regulator in a position to determine whether a financial services organisation can outsource to a cloud provider on a case-by-case basis.

"It is a bit of a grey area at the moment, there's not a lot of black and white," says Bob Hayward, chief technology officer at IT services player CSC.

Hayward believes that the rate of uptake of cloud computing has "taken APRA by surprise."

"A year ago nobody is doing this, then one day all these customers are looking to the cloud," he said.

Read on to Page 2 to learn about how how an IT manager was gagged over a cloud computing project...