Are banks ready for the cloud?
1. Are Banks ready for the Cloud?
Paul Hinton
PAUL.HINTON@KEMPLITTLE.COM
+44 (0)20 7710 1623
2. “Prediction is very difficult, especially about the future…”
[Timeline figure: hardware, software and services, by decade from the 1940s to the 2010s]
Eras:
- Mid ‘60s to early ‘80s: IBM heyday
- ‘80s: rise of the PC
- ‘90s to mid-00’s: Wintel heyday
- Mid ‘00s onwards: Google heyday
Services (the rise of service based computing): Outsourcing ITO, BPO, LPO, etc; internet; ASP adoption; SaaS; Utility Computing; Cloud Computing
Events:
- 1940s: Adoption of programmable computer
- 1957: IBM introduces FORTRAN programming language
- 1964: IBM introduces System 360 computer family
- 1969: the software industry is born as IBM unbundles hardware & software
- 1970: UNIX released by AT&T
- 1971: Intel 4004 – the first microprocessor developed
- 1981: Microsoft develops MS-DOS
- 1981: IBM launches PC
- 1984: Apple Mac launched
- 1985: open source FSF set up
- 1990: Microsoft launches Windows 3.0
- 1993: Linux
- ‘90s: rise of laptops
- 1995: Netscape IPO; Bill Gates’ ‘Internet tidal wave’ memo
- 2000s onwards: broadband replaces dial up internet
- ‘00s: rise of PDAs
- 2001: .com bust
- 2004: Google, salesforce.com IPOs; ‘web 2.0’ coined
- mid ‘00s onwards: open source (OSS) in the mainstream
- 2007: IPO of hypervisor developer VMware
- 2008: Google Chrome, Microsoft Windows ‘in the Cloud’ (Azure) launched
- ‘anytime anywhere’ devices: Smartphones, iPad, etc
3. Types of Cloud
Cloud types, from Closed Private to Open Public: Custom Private Cloud; Managed Private Cloud; Virtual Private Cloud; Community Private Cloud; Public Cloud
Owner: Company; Provider; Provider; Provider
Operator: Company; Provider; Provider; Provider; Provider
Service Access: Closed; Closed; Closed; Limited group; Open
Level of Control: Full; High; High; Low; None
Security/Location: As selected by Company; As selected by Company; As selected by Company; As described by Provider; As described by Provider
Legal Terms: Company; Bespoke; Bespoke; Negotiable but clear impact on price changes; Limited outside of standard agreed terms; Standard terms only – non-negotiable
5. What are you using the cloud for?
[Diagram: cloud types from Custom Private Cloud, Managed Private Cloud, Virtual Private Cloud and Community Private Cloud to Public Cloud, labelled “Trading, customer, sensitive, regulated, valuable, time-critical data” and “Lower value, unregulated, not time-critical data”]
6. SYSC Rule 8 Material Outsourcing PRA/FCA Control
(2) establish methods for assessing the standard of performance of the service provider;
(3) supervise and adequately manage the risks associated with the outsourcing;
(5) the firm must retain the expertise to supervise the outsourced functions and to manage the risks associated with the outsourcing, and must supervise those functions and manage those risks;
(7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
(8) the service provider must co-operate with the relevant competent authority in connection with the outsourced activities;
(9) the firm, its auditors, the relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and must be able to exercise those rights of access;
(10) the service provider must protect any confidential information relating to the firm and its clients;
(11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.
7. Cloud Risks
Potential loss of control – retain sufficient control over critical data and services
Availability and access to Data – what if the internet is down? Normally a customer risk
Data Security – are adequate security measures in place, and can you monitor them?
Data location
– Data Protection – tougher regulation 2015
– Keeping track of exact location of Data
– Customer consent?
Global law, tax and regulation
Auditing
– Both rights for customer and Regulator
– Distinction between effective access to data and premises?
Exit – can you exit, and if so how quickly and safely, while ensuring certainty of service and data transfer?
8. FS Enabled Cloud: Cloud management standards
vApp
vCloud
Nimbus
Open Cloud Standards Incubator
OVF
9. FS Enabled Cloud
Increasing awareness and sophistication of banks in utilising cloud
Software tools to increase control over data and security of data in cloud
Cloud providers offering:
– Services
– Higher levels of control: security, audit, geographic control and availability designed to meet bank requirements
11. Mastering a hybrid IT environment
High performance companies are adopting mixed cloud and traditional IT systems much more quickly than their lower performing competitors
Accenture survey “High Performance IT Research November 2013”
12. Transitioning to and from the cloud
Just another form of outsourcing?
Outsourcing procurement rule number one: Never outsource unresolved problems
Cloud is just another outsourced managed service:
- In a private cloud or managed service, the infrastructure may be shared, and the resources can live anywhere, but process and storage resources are dedicated to your needs.
- In a public cloud structure, you don't really know where your services are, or who is managing them. You buy access to a resource or an application, normally on a pay-as-you-use basis.
13. Transitioning to and from the cloud
Standards
- Make sure that you understand the data protection, ETSI, TOSCA and other standards that you need to consider.
Intellectual Property
- Cloud services also have unique third party IP, audit and data usage issues which may well require re-evaluation of existing software agreements
14. Transitioning to and from the cloud
Rule number two: Retain the ability to manage your supplier and your resources
Supplier Management Issues:
- Make sure your IT team have a strong grasp of the supplier and his support organisation
- Ensure the users and their leadership enjoy the same service levels delivered by in-house applications or resources
- Ensure your supplier understands the security, data access and portability, IP, risk and regulatory issues that are specific to you
15. Transitioning to and from the cloud
Rule number three: Review and manage your data before transitioning to cloud
Big Data – keep what’s needed, delete the rest
Big Data Storage is low cost, but big data can mean big storage bills.
Retain control over data in cloud to ensure you are not storing unnecessary things for ever (Cost + DP compliance + risk!)
– Data Categories
- Some data can go in public cloud
- Some can only go into private cloud
- Some can never leave the building
16. Transitioning to and from the cloud
Rule Number four: For good or bad, plan for exit:
Post negotiation, make sure that you have a detailed transition support plan.
Identify and address key risks around porting of services to your supplier, and monitor your supplier’s ability to meet clear exit arrangements should this be needed, and make sure that you exercise that plan on a regular basis.
Make sure that your IT and user departments (and their leadership) understand the implications of change
17. Mastering a hybrid IT environment
High performance companies are adopting mixed cloud and traditional IT systems much more quickly than their lower performing competitors
Accenture survey “High Performance IT Research November 2013”
Editor's notes
Cost savings of Public v Private Cloud
SYSC 8.1.8 06/05/2009 A common platform firm must in particular take the necessary steps to ensure that the following conditions are satisfied:
(1) the service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
(2) the service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;
(3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
(4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
(5) the firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing, and must supervise those functions and manage those risks;
(6) the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
(7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
(8) the service provider must co-operate with the FSA and any other relevant competent authority in connection with the outsourced activities;
(9) the firm, its auditors, the FSA and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the FSA and any other relevant competent authority must be able to exercise those rights of access;
(10) the service provider must protect any confidential information relating to the firm and its clients;
(11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.
[Note: article 14(2) second paragraph of the MiFID implementing Directive]
EU Strategy: The Commission decided on 27th Sept that they wanted to “Unleash the potential of cloud computing in Europe”. EU justice commissioner Viviane Reding said: "Europe needs to think big. The cloud strategy will enhance trust in innovative computing solutions and boost a competitive digital single market where Europeans feel safe. That means a swift adoption of the new data protection framework, which the EC proposed earlier this year, and the development of safe and fair contract terms and conditions." The chat about model contract terms in the strategy paper being particularly interesting… Plans for commission to develop these model terms by end of 2013. However: any model terms would have to interact with proposed Regulation on Common European Sales Law (which it seems every member state opposes) which deals with: “data which are produced and supplied in digital form, whether or not according to the buyer's specifications, including video, audio, picture or written digital content, digital games, software and digital content which makes it possible to personalise existing hardware or software” (digital content) which can be stored, processed or accessed, and re-used by the user but excludes “electronic communications services and networks, and associated facilities and services” as well as “the creation of new digital content and the amendment of existing digital content”. Industry may develop competing set of terms to increase their input