Asia-Pacific enterprises across various verticals are warming up to cloud computing as an alternative delivery platform but one industry segment that remains slow in its adoption is the financial services sector, due to several challenges including government policies and security concerns.
Sudev Bangah, senior research manager at IDC Asean, noted that regulatory policies and the need for control over data have posed as key inhibitors toward cloud adoption in the financial services industry (FSI).
In an e-mail interview, Bangah explained that factors such as local law, jurisdictional issues, data security and confidentiality are of the utmost importance, and are pushing many CIOs in the FSI sector to lean toward the private, rather than the public cloud model.
"While the returns on investment (ROI) discussion on whether it makes economic sense [to adopt cloud] is still debatable, regulatory policies on cloud computing within the FSI sector have not been clearly defined," he said.
The analyst added that as demand for cloud deployment within this sector heightens, clear guidelines for the FSI will need to be established.
Arun Chandrasekaran, research director for Asia-Pacific ICT Practice at Frost & Sullivan, concurred, noting that the FSI is the most regulated sector worldwide, where various laws governing the industry include Basel II and Anti Money Laundering Acts (AML).
"Apart from global regulations, the FSI sector needs to adhere to country-specific privacy acts and central bank directives that place strict emphasis on confidentiality and integrity of information," Chandrasekaran told ZDNet Asia in an e-mail.
Noting that the legislative fine print is often hazy with a lack of clarity in guidelines on what is the right thing to do, he said most C-level executives err on the side of caution and limit the usage of external services.
"The central banks and privacy agencies need to issue clear directives to IT decision makers to minimize the ambiguity that [currently] exists," he said.
Rik Turner, senior analyst with Ovum, that the FSI will embrace the public cloud in a limited manner. "We've seen investment banks in Europe use the public cloud on an ad-hoc basis to do huge number-crunching and simulation work," he said in a phone interview. "Much of the time, this does not involve sensitive customer data and banks can still derive the scalability benefits of the public cloud."
Turner said he expects Southeast Asia to follow suit and to only deploy the use of public cloud services in a test-and-development environment or allow banks to try out certain scenarios for marketing campaign purposes.
Security remains key
According to Anderson Ding, head of solutions advisory at SAP Malaysia, security is still one of the main challenges in the adoption of cloud computing, where risk factors involving security and infrastructure within an agreed set of service level agreements (SLAs) are the main obstacles.
Ding said in an e-mail: "Cloud services for the FSI should include frameworks for data management so that the cloud provider can meet regulatory and organizational reporting requirements in a timely manner."
Data should be segregated especially when in a multi-tenanted environment, ensuring regulatory compliance and that information is not shared with competitors, he suggested, adding that policies should also include infrastructure procedures such as data storage, backup and retrieval.
Laurent Lachal, senior analyst at Ovum, pointed out that the use of public cloud infrastructure requires a new thinking on the part of FSI players.
"It's no longer about disallowing data to get out in the open but about controlling the data as it moves around [the cloud] through the usage of encryption," Lachal said in a phone interview.
The FSI must change its approach to security and one that is dynamic and follows the data application as it moves across different boundaries, he explained, noting that this requires a more proactive data management strategy that does not treat data merely as a single entity.
"To do this effectively, the sector needs a mix of technology and new processes and a completely new approach to security," he said.
Best industry practices
According to Steve McWhirter, senior vice president for Salesforce.com Asia-Pacific, FSI players looking to deploy public clouds should be mindful of the targeted objectives from such deployments.
In an e-mail interview, McWhirter said: "For instance, FSI companies should ask themselves if the cloud is able to reduce cost and other resource burdens such as licensing updating, patching and the disruptive upgrade of complex software stack.
"And, does deploying the cloud radically speed up the creation and improvement of customized applications and offer advanced capabilities with social apps like customer community creation? Is it able to deploy customized applications to new mobile devices such as the iPad2, iPhone, or Blackberry without additional or redundant coding?"
Chandrasekaran advised that FSIs carefully scrutinize the ISMS (information security management system) and SLAs offered by public cloud players.
"Don't assume that having an SLA guarantees adherence to regulatory compliance and legal mandates," he noted. "If you aren't satisfied, it's better to invest in private clouds as cost shouldn't be the only objective in choosing public clouds.
"Also, constantly monitor and improve your cloud infrastructure, and invest some of the cost savings reaped from cloud deployment in tools that can enhance [data] visibility, reporting, security and privacy."
Edwin Yapp is a freelance IT writer based in Malaysia.