Cloud providers yet to bend to banking regulations

Most large-scale, ‘public’ cloud computing services do not currently comply with Australia’s banking regulations – but are likely to in the future, a financial services panel heard this week.

Three senior technologists who had worked at Telstra, Westpac, Perpetual, Standard Chartered, RailCorp and Resimac discussed their dealings with cloud providers at the BankTech summit in Sydney yesterday.

Stephen Smith, Perpetual’s senior architecture and governance manager, recalled considering “quite compelling [cloud computing] offerings”.

But those were “taken … off the table” due to providers’ non-compliance with the Australian Prudential Regulation Authority’s (APRA) outsourcing standard, APS 231 (pdf).

Under requirement 15 of APS 231, financial services organisations’ outsourcing agreements should include a clause “giving APRA access to [relevant] documentation … and the right to conduct on-site visits to the service provider” if necessary.

APRA’s advice resounded with comments made earlier at the conference by Westpac’s head of operational risk Matthew Woodrow, who said the bank was “not doing a lot in the [external] cloud space”.

“A cloud is not a good enough description of where data is,” he said, calling for more information about providers’ network and storage infrastructure.

“I don’t think you ever lose accountability regardless of your outsourcing model. There is a need for technology groups to understand their environment, regardless of where it is.”

Smith, who was Westpac’s chief architect between 2002 and 2006 before taking on a role at Perpetual, noted that providers’ willingness to share technical information about their data centres varied widely.

Perpetual’s implementation of a Salesforce.com customer relationship management (CRM) system last year has been its sole public cloud deployment to date, he told iTnews.

For transit technology company Vix ERG, outsourcers’ unwillingness to share technical details was a dealbreaker, CIO Pierre de Villecourt told the conference.

“It’s simple; move to somebody else who does provide that information,” he said.

De Villecourt noted that his previous employer, mortgage provider Resimac, was even more cautious about the cloud, highlighting concerns with cross-border laws and trust.

An April 2011 study of the security of cloud computing providers by the Ponemon Institute (pdf), found that a majority of providers surveyed did not view the security of their cloud services as a competitive advantage.

Conference attendees also raised concerns about availability and the likelihood of service outages.

Telstra CIO Patrick Eltridge, formerly head of strategy at the Standard Chartered Bank, argued that operators of large data centres were likely to be more technically competent than “amateurs doing it internally”.

However, both Eltridge and Smith noted that cloud vendors still had a way to go in building standards for information assurance and the management of workloads.

The panellists were largely supportive of APRA’s cloud computing guidance, noting that the regulator had to balance its concerns with the risk of being seen to be accountable for companies’ decisions.

“Providers will get use to the [APRA] requirements,” Smith mused. “I expect we’ll see [the non-compliance of cloud providers] change.”