While the potential benefits of cloud computing, such as resource flexibility, are appealing to many IT executives, security and regulatory concerns are either limiting or preventing its use by Wall Street financial firms.
That was the consensus of many attendees at the High Performance Computing in Financial Markets Conference held here Monday.
Mats Andersson, CTO of Nasdaq's OMX Exchange, said Nasdaq uses cloud computing systems, but only inside the company's firewall and only to access historical market data. Exchange IT officials aren't yet ready to trust "the cloud" with transactional data, he added.
Dan Hall, manager of systems design and engineering at IntercontinentalExchange (ICE), said his company is running Amazon's S3 cloud computing service only in a test environment mostly due to security concerns.
"We only use it once in a while for load testing," he said. "The biggest challenge is effectively controlling utilization. People would spin up a machine and not think to spin it down. We'd be like, why do we have all these hours of computing time. We only used it for two days."
Along with ICE, Deutsche Bank was one of the few organizations at the conference that are using cloud computing in some way. Over the past year and a half, the financial services firm has deployed a hybrid private/public cloud computing infrastructure that's used so far for testing and development, but not for mission critical data.
Tony Pizi, head of next generation infrastructure at Deutsche Bank, said top executives at the firm have been very forward thinking about cloud and its benefits, but they also recognize the challenges the technology can present to large companies. "It's difficult for any large institution where there are processes in place and individuals that have done a particular job well over the years to accept change," Pizi said.
Even though Deutsche Bank is limiting use of its cloud infrastructure to testing and development functions, all data is protected by the company's strongest security measures. For example, all data that passes through the cloud is encrypted and any data at rest is masked.
Pizi noted that the bank's audit and security teams recognized that the very technologies they had hoped to implement within Deutsche Bank came to pass as a byproduct of rolling out the cloud technology.
Like others deploying cloud computing, Deutsche Bank was interested in leveraging its various promised benefits, such as self service, convenience and lower computing costs.
"What we were really after was promoting reference implementations which would allow us to leverage standard services, reduce time to market [for products], become much more agile and increase server utilization," he said.
By deploying it only for testing and development, it put even the internal critics of the technology at ease, though Pizi said he expects that one day cloud computing will become a "game changer. I don't think anyone thinks the Internet didn't fundamentally change the world. This is of the same magnitude," he said.
When Deutsche Bank first began implementing cloud computing technology, Pizi said he thought its deployment would be the most difficult task for IT workers. Instead, he said deployment was the easiest part of the project.
Far more difficult -- and time consuming -- were dealing with licensing issues. Each license must to be closely evaluated by managers, he said.
Policy governance, or ensuring that controls were in place to control access to various parts of the cloud through policies, was also a major issue for the bank when turning to the cloud. "Each developer across an organization may have very different access rights. You don't want the developers to be able to check things into testing or development groups without controls," Pizi said.
Richard Sharp, a partner in the law firm of Millbank, Tweed, Hadley & McCloy in New York, said that the application development benefits of cloud computing can be enormous in the broker-dealer business, a marketplace processes millions of transactions a day and that thrives when its quick to deploy new products for customers.
Even so, Sharp said, ensuring regulatory compliance must be the top concern of companies considering the use of public cloud computing services.
Sharp, who prior to joining the law firm was head of trading practices at the U.S. Securities and Exchange Commission, said regulators view cloud computing services at "outsourcing," and apply regulations based on that belief. "The first thing regulators are going to say is: 'You're going to give up control of your IT infrastructure? We need to talk,' " he said.
Financial services firms need to speak the language of regulators in terms of proposed cloud computing or outsourcing projects to ensure they understand that only "back office" functions are being moved into cloud computing infrastructures.
In recent months, the SEC and the Financial Industry Regulatory Agency (FINRA) have been moving toward taking a position that broker-dealers cannot move funds and securities through the cloud. "These are viewed as off limits," Sharp said. "So there's a very active debate going on and new rules are expected shortly from FINRA that will regulate cloud computing."
One thing that won't change no matter where regulators settle on cloud computing is that the firm generating the data will continue to be responsible for data that is exposed or lost.
Broker-dealers should construct a plan for due diligence to continue supervising data it manages via an external cloud service, which should include detailed service-level agreements that allow firms access to a vendor's records and the right to audit and inspect its data center facilities.
"The bottom line is that the regulated entity remains responsible for compliance," he said. "There's no finger pointing allowed."