Financial firms embrace the cloud
FaithLife Financial recently took the leap into cloud computing services. The Waterloo, Ont.-based insurance and investment firm needed a software and hardware upgrade, partly to protect the sensitive data on the laptops of its 100 field agents.
Although FaithLife was using an encryption algorithm, it had no real backup mechanism, recalls Joe Alvarez, vice-president for business development and operations. A highly regulated financial institution subject to federal privacy laws, the Christian non-profit started looking for better safeguards.
"We wanted to make sure that we protected our intellectual property, yes, but more importantly our members' privacy," says Mr. Alvarez, whose firm administers about $640-million in assets and holds more than $2.4-billion of in-force insurance on behalf of its 33,000-plus members.
So FaithLife turned to No Panic Computing Inc., a Markham, Ont.-based IT consulting company that offers what it calls "Notebook as a Service" (NaaS). As of January, all of FaithLife's career field agents had leased laptops from No Panic. In addition to technical support, the NaaS program includes encrypted cloud-based backup and constant monitoring for malware attacks.
Data protection and backup is just one option for FaithLife and other financial institutions as they adapt to the cloud. Mindful of security concerns and regulatory compliance, they're tapping vendors for everything from customer relationship management software to in-house private clouds.
To meet sovereignty requirements, FaithLife's backup data resides on secure Canadian servers operated by Autonomy Corp., a division of Hewlett-Packard Co. If a laptop gets lost, No Panic can instantly pull the encryption certificate that allows the user to read its data - or destroy the device remotely.
Within 48 hours, the agent receives a new laptop with all of the data and applications restored. "Their downtime is absolutely minimal," says No Panic president and chief executive officer Larry Keating. "While they're waiting for that replacement, if they can get to any Web browser, they can securely access their data files so they can keep themselves working."
Providers of cloud software, infrastructure and platforms for financial institutions serve a rapidly growing market. By the end of this year, global financial industry spending on cloud computing will reach $21.9-billion (U.S.) compared with just $4-billion in 2010, according to research and advisory firm CEB TowerGroup.
"The financial services market is actively looking at leveraging cloud computing - private, hybrid or public," says Eran Farajun, executive vice-president of Toronto-based Asigra Inc., which makes backup and recovery software for cloud services providers around the world.
Smaller players use cloud services to reduce their operational costs, explains Mr. Farajun, whose clients serve several thousand financial institutions. "Midmarket and smaller customers are more open to public cloud computing services, as long as it's secure and it meets specific security credentials," he says. "The big guys are deploying primarily private clouds because they have pre-existing giant teams of people that can operate their own clouds."
Cloud adoption has hit a tipping point, says Jim Lambe, Google Canada's Ottawa-based head of enterprise. "That's starting to bleed over into the financial institutions," Mr. Lambe notes.
During the past few years, FaithLife's Mr. Alvarez has seen smaller firms like his gain access to cloud solutions that were previously available only to big players. "There's a lot more choice now," he says. FaithLife is in the midst of outsourcing its administration system to a cloud services provider.
Financial institutions must remember that a cloud is a physical infrastructure, says Laura Stevenson, Toronto-based director of product management at Primus Business Services. "The first thing they need to understand is where is that infrastructure housed and what are the security parameters around that," adds Ms. Stevenson, whose company does cloud assessment and cloud migration.
When it comes to cloud data backup and protection, financial firms may be under the impression that the provider assumes the burden of complying with privacy laws, Mr. Farajun says. That's a big mistake.
"If the data ever gets compromised in any way, you're not going to be able to stand up in a court and say, 'Oh, it wasn't me that exposed the data. It was my ... cloud service provider that did it,'" Mr. Farajun warns. "The burden of the responsibility doesn't shift."
QUESTIONS TO ASK
Eran Farajun, executive vice-president of Toronto-based cloud backup and recovery software developer Asigra Inc., suggests that financial firms ask these questions when shopping for a cloud services provider.
Where does the cloud reside?
"In many cases, these cloud service providers that are promoting themselves all over the world keep the data in American data centres. If you're a financial services company, you need to validate that the data is being kept in Canada because you want Canadian laws to regulate the use and exposure of that data."
What security processes are in place?
"What are the mechanisms and technologies that they're using? Are the technologies themselves secure, and do they have industry certification as opposed to [internal] corporate certification?"
Is the cloud provider actually the cloud provider?
"Cloud computing services is sometimes a shadowy world where somebody that purports to be your cloud provider is really a cloud service broker. ... They've subcontracted elements of the cloud."