US spying fears knock cloud computing off the agenda for the Bank of England

If we’re expecting the financial services sector to get over its hesitation about cloud computing any time soon, we can forget it according to a new report from Fujitsu and some downbeat word of mouth testimony from the Bank of England’s CIO.

According to Fujitsu’s ‘Financial Services Landscape’ report - which surveyed 176 IT decision makers at a range of financial sector firms, only 16% of banks have adopted cloud technologies, while 20% don’t see the cloud as a business enabler.

And what’s the number one reason for lack of adoption? All together now - security! Yes, 42% of respondents are still fretting about the security implications of the cloud.

Fujitsu’s report makes the point:

This presents cause for concern. While security should be a priority for any IT deployment, it shouldn’t be the blocker standing in the way of a technology with the vast potential of something such as cloud.

The report draws a sad conclusion:

Despite the numerous benefits it presents, and the increased recognition of those benefits, Cloud adoption appears to be slow with the financial services sector. Even over a two year period, gains have been slight. Overall, Cloud appears to have stalled.

The view from the Bank of England

Clearly there’s a long way to go, as the CIO of the Bank of England reminded us when he took the stand at the Cloud World Forum conference in London this week to issue some cautionary words about the cloud.

John Finch highlighted a combination of security concerns and scepticism about ROI and TCO as the main reasons his organization is not adopting the cloud, particularly the public cloud. He told delegates:

Will we ever be on the public cloud? I don’t know. I don’t want to say never, because that’s a really long time, but we have no plans right now.

One fear for Finch is the post-Snowden climate with concerns articulated about access to data by the US intelligence services:

Where is the company provisioning for you domiciled? Because even if that well-known cloud provider says 'don't worry, it won't leave Europe', if they are an American company, it is likely that your data and processing is now subject to the American Patriot Act.

And, if it is integrated to your infrastructure, it is likely that all of your services are subject to the Patriot Act.

So if the CIA or FBI want the data, they have got it. I am not saying it is necessarily a bad thing, but you need to think through very clearly what you are giving and when you are giving it.

Mind you, Finch is also skeptical about how much access European governments can have to data in the cloud, perhaps rightly so given the UK intelligence services admission this week that they feel they have a legal right to browse through data not held in UK data centers.

Finch’s advice is that even if a US provider says your data will stay inside the European Union, that’s no guarantee it will not be accessed:

One of the very well-known cloud providers in Europe will say 'don't worry, your data will never leave Europe, those boxes are in the Nordic countries'. But how many people understand the rights of Nordic countries’ governments to third-party data hosted on their servers?

Remember, when you go to a third-party provider you are placing some of your security posture in their hands. That may be a good thing if they have the expertise, but remember you are leasing part of their perimeter.

Cost doubts

Finch also urges caution when it comes to buying into cloud services providers promises of ROI and TCO:

Cloud providers out there will tell you they can change capex [capital expenses] to opex [operating expenses] to save IT costs, but you should work out the best thing for you.

All the vendors will be telling you ‘you don’t need IT teams, they’ll do the heavy lifting for you.’ That is sometimes true, and there are cases where cloud can be a real enabler, but that doesn’t mean it’s always right.

The vendors will also tell you there is a financial upside but my answer is, don’t let their bean counters tell you how to count your beans, go and see an external accountant.

It needs to be a case of buyer beware, he added, not ‘follow the latest fashion’:

Another thing to think about is your business model and whether cloud is right for you. Even if your nearest competitor does it, you have to assess whether it will work for you because one size does not fit all.

Look at the contract. Do you know what's in the contract? Sure it can save you money, but will the contract allow you to grow at diminishing market cost? Will it let you contract out? Will it let you get out of it when you want to? Think through the contract.

For all this negativity, Finch insists that he’s not anti-cloud:

I may sound like a bit of a bit of a 'cloud denier'. I am not. I think can deliver really great value for many use cases where this kind of capability can be a great enabler. Cloud does genuinely offer the opportunity to burst capabilities, to expand and contract, and it can remove link times and remove the need of building long and complex infrastructures.

Think about selling a new product to a new market. You no longer need to set up an office, someone can just go in with an iPad as long as they are connected to the cloud. You have got your CRM, your customers lists. This all-of-the-time connectivity can absolutely help.

But while the Bank of England may use some “cloud-like” services in the future, the institution wants to see more assurance and guidance from the  [regulator] Financial Conduct Authority (FCA) before there’s any real change in its stance:

There is no proper guidance at the moment for the financial industry around the cloud, but ourselves and the FCA are now beginning to think about it.

My take

It’s an interesting-  and bold - stand by the Bank of England to keynote at a major cloud computing event and be the lone voice in the wilderness urging more caution about cloud adoption.

I can understand the comments made by Finch - we have heard them before so many times.  It does remain somewhat depressing to hear them articulated at this point, when so many other sectors have managed to come to terms with the risk management aspects of the cloud.

The banking industry worldwide needs to rethink the entire way it operates and, as the Fujitsu report notes, it’s missing a trick if it doesn’t get to grips with cloud computing.