Financial services and the public cloud: Go or no go?

Question: Just how much mission-critical work do financial services firms and companies in other heavily regulated industries put on the public cloud?

Answer: It depends on whom you ask.

Chris Perretta, CIO of State Street Bank

Chris Perretta, CIO of State Street

IT execs in financial services — including Chris Perretta, CIO and executive vice president of State Street(s stt) — say they absolutely do not allow the use of Amazon(s amzn) Web Services at all.  Period. (For my purposes, public cloud for now pretty much means AWS). They deal not only with their own top-secret data but with that of clients, which makes a move into a cloud they don’t control a career-limiting decision.

But if you talk to others in the cloud services arena, the answer gets more nuanced. An earlier GigaOM post on this topic sparked a debate on Twitter about just how much CIOs really know about what their devs are doing. My feeling is that many developers even in risk-averse companies get around obstacles to do at least some test-and-dev work in AWS and perhaps even get re-imbursed for it. But when it comes to deployment and use of live data — all that work comes back in-house for deployment.

State Street builds its own cloud

This is not to say that big finance firms aren’t moving to cloud at all. Just look at State Street, the Boston-based financial services giant that has $23 trillion (that’s trillion with a “t”) worth of assets under management for customers including mutual funds, pension funds and non-profits.  Since it won’t use AWS, State Street built its own private cloud for internal use, using a lot of open-source software and racks of its own design. (Other than that Perretta won’t say much about the State Street cloud.)

The lack of public cloud adoption by companies like State Street boils down to concern about security and reliability — it would be hard for any CIO to argue for putting mission-critical stuff in AWS after last year’s outages. It doesn’t matter to the boss that some of those snafus may have been caused by customer deployment issues. But it also has to do with the industry’s own hide-bound resistance to change.

“You have to overcome a lot of resistence from regulated industries before moving their stuff to the public cloud … You’ll have a hard time with your auditors in the short term if you go to public cloud,” Perretta told me recently. But, he’s keeping his eyes open because the cost savings of the public cloud are too good to ignore if these other issues can be resolved.

“Certainly if you look at the economics that Amazon and Rackspace(s rax) are getting — that’s pretty impressive. But a lot still depends on how you build the application and you do have to build them differently to take advantage of the services they offer,” he said. In other words, forklifting existing applications  unchanged from an internal data center to the public cloud is not all that productive in his view. “We’re talking to the big cloud providers to understand how they run and what we’d have to do to make our systems run in that robust environment,” he said.

One goal of State Street’s cloud is to come up with new analytics that will let customers combine the data they keep themselves with data State Street keeps in their behalf and analyze it to get new insights. For that, State street needs to provide complete transparency so the clients can always see exactly what’s happening in their portfolio.

Barriers to public cloud falling

Public cloud gets a lot more compelling to companies like this if it can act as the foundation for what is really a secure private cloud. “If they can partition us off and give us a hard barrier around our stuff, that’s very interesting and we’ll always listen. But we’ll probably await the next-generation,” Perretta said.

That’s already starting to happen:  Amazon’s Virtual Private Cloud that lets business customers cordon off some infrastructure for their own use. In addition, Amazon which was built to meet security mandates of state and federal government entities could help prove that AWS is up for the task of running secure applications.  (This weekend Amazon added its  Relational Database Service (RDS) and DynamicDB to the services available via

Big enterprise systems integrators like Accenture, Deloitte, and Capgemini could also fill in some important check boxes for financial services companies wanting to go to the public cloud by providing the types of service level agreements (SLAs) corporations want and that AWS does not yet provide.

Joe Coyle, VP and CTO, CapGemini Structure 2012

Joe Coyle, VP and CTO, CapGemini
(c) 2012 Pinar Ozger, [email protected]

Joe Coyle, CTO of North America for Capgemini said more enterprise loads are “marching into public cloud but in the private mode of public cloud,” as seen in the AWS VPC model. “I see the compliance issues, the regulatory stuff as being resolved — I don’t see anything stopping that migration,” Coyle told me recently. (Of course, Capgemini which aids in such migrations has a vested interest in this being the case.)

As one GigaOM commenter on an earlier story about AWS traction in the enterprise pointed out:

“The first public cloud company to provide private cloud services is going to dominate the market for a while. A customer will then not need to worry about the tin, that will be provided and maintained by the public cloud company, who will provide their best-of-breed practices to the customer. The customer will be able to save costs by using a combination of private and public services offered by the provider. Enterprise software will move the same way as the smart phone environment and will be “apps” that run on this environment.”

There will be more third-party services coming that claim to bolster public cloud for use in sensitive industries  in that whole private-cloud-atop-public-cloud scenario. Startup CloudVelocity says it can take existing on-premises applications and put them on AWS and run them there securely.

Claims like that sound good as far as they go, Perretta said,although his company would spend “a pretty significant amount of time validating that claim.” More importantly, for him, wringing the most value from a cloud move would require re-building applications to get the most out of that expansive infrastructure.

“I can move a pig to the cloud but it’ll still run like a pig,” he said.

Feature photo courtesy of Shutterstock user AshDesign