Security Risks Hiding in the Clouds

By admin • Jul 28th, 2008 • Category: Feature, Financial Services, Securities Industry News, Technology

For some, cloud computing is ‘perfect solution,’ but vendors may not be ready for risks

One of the chief attractions of cloud computing is that firms don’t have to worry about where or how their processing work gets done, but that is also its biggest risk.

A high-profile example of cloud computing comes from Google, which allows small businesses to host e-mail, word processing, spreadsheets and presentations on its free application servers. Users can collaborate and share documents from any computer with an Internet connection.

With models such as Google’s, “processing power is located all over the world,” says Stephen Catanzano, CEO of Safecore, a Burlington, Mass.-based provider of hosted e-mail storage. Before adopting the technology, he says, financial firms should find out where their files will be stored and how access is controlled.

Safecore is audited regularly by customers (it has about 100 financial services clients) and by outside vendors. But even small firms that can’t afford to do full-scale security audits should ask potential cloud providers tough questions.

Rich Schuette, partner at boutique financial planning firm MJL Advisors, did just that when his firm decided to stop managing its own technology infrastructure and move everything to the cloud. “One morning my partner and I looked at each other and said, ‘This network is a pain; we should do something about that,’” explains Schuette.

Schuette decided to start with e-mail, getting rid of the Santa Barbara, Calif.-based firm’s Microsoft Exchange server, which used to sit in his office. “There were cleaning people and building people who had access to my office, and ultimately had access to that server box,” he says. The computers that handle MJL’s e-mail are now in a secure facility operated by Thousand Oaks, Calif.-based Cloudworks. “The servers reside in a locked room with video camera surveillance, passwords,” says Schuette.

According to Cloudworks, which also provides automatic backups and disaster recovery, its servers sit in a raised-floor room with an uninterruptible power supply, backup diesel generators and contracts that ensure fuel for the generators. The facility is guarded, door locks require both access cards and hand prints, and clients can request that their data be encrypted or kept on different servers than other customers’. There’s also built-in resiliency: if a server goes down, another one immediately takes over.

Schuette says the cloud-based e-mail system is an improvement, offering BlackBerry capabilities and superior Web mail, and Cloudworks works with the compliance department to ensure proper supervision of communications.

Since migrating its e-mail last summer, MJL has moved all of the company’s IT functions to Cloudworks. “They’re maintaining all of our software licenses now, upgrading all our software, including the proprietary stuff,” he says.

“We run all their applications and manage all of their data,” explains Mike Eaton, CEO of Cloudworks. “The browser image becomes your entire computing environment: calendar, accounting system, e-mail.” Cloudworks, whose typical clients are small to midsized brokerage firms and financial advisers, is used to working in highly regulated environments, says Eaton. Founded in 1997 as consulting firm Atticus, the company launched its hosted computing offering three years ago and in November rebranded itself.

Though Cloudworks is addressing areas such as physical safety, the logical security of the data, and regulatory and compliance issues, other cloud computing risks can be trickier to identify. Vendors can say that they keep customer data isolated, but programming holes could allow access to private data.

Consistent Encryption

With a generalized framework, “there are a number of processes going on, and use of shared resources,” says Jack Danahy, founder and CTO of London-based Ounce Labs, which helps customers, including more than two dozen financial firms, find security holes. “Is this data consistently being encrypted? Are there controls in place to manage access to the data? Are all uses authorized and is access being logged? In order to answer any of these questions you have to look at the source code.”

Moving applications to a cloud environment brings additional risks. Programs that run behind a company firewall offer more room for error, given the additional layers of security outside the application and other mitigating factors, says Danahy. “When that information is sent outside, you have no control over those potential mitigating factors.”

Keeping applications in-house and sending out encrypted data is one solution to the security dilemma. With encryption, a firm can be certain that no outside users, or vendor employees, can read sensitive data. “Encryption does slow things down,” acknowledges Jeff Kalwerisky, chief security strategist at Burlington, Mass.-based database solutions provider Alpha Software, but “the technology is improving, and an environment like Amazon or IBM has the computational power to absorb the encryption.”

Encryption also allows companies to more closely track who accesses the data and when, and what changes they make, says Kalwerisky, adding that he doesn’t expect many financial institutions to hand over their applications, which, security issues aside, would also need to be rewritten to run in a cloud environment.

As more analytical tools become available through public computing networks like Google, employees will be tempted away from their in-house, IT-approved systems. For example, Panorama Software, known as a provider of on-premises analytical applications for tier-one Wall Street firms, recently launched a free gadget for Google spreadsheet users.

“The goal is to be a disruptive technology, to change the paradigm of how things are done,” says Oudi Antebi, VP of marketing and strategy at Toronto-based Panorama. Antebi expects Panorama’s charting application to spread virally, like the rest of the Google tool set, and instant messaging and Web-based video conferencing before them.

Panorama is also selling an enterprise version of its cloud computing product, which it says combines Wall Street-level security with Google’s ease of use. “It offers companies the ability to combine data from inside the firewall with data that sits in the cloud,” he says.

IM vendors followed the same path: after firms’ employees adopted the technology because it was useful and convenient, the companies came out with enterprise-grade systems that provided security and compliance. But until IT rolled out approved versions, those applications presented sizable security holes.

Migration Risk

Some cloud vendors, including Salesforce.com and Amazon, offer proprietary platforms for applications, says Bill Coleman, CEO of San Jose, Calif.-based infrastructure software vendor Cassatt Corp., which helps companies build in-house cloud computing systems. “Most of our customers have very sophisticated applications and they want the benefits of the clouds, but there’s no way you can run sophisticated applications on the cloud services available from third parties today,” he says.

And applications that are written specifically for those systems will not run anywhere else. “When we first put railroads in the U.S., we had hundreds of companies and they all built different gauge railroads,” he says. “That’s sort of what’s happening now.”

Although the big players dominate the headlines in the cloud space, there are plenty of start-ups promising lower costs, better customer service and more specialized solutions. However, “it’s one thing to provide services” and “another to know how to do high-performance computing,” asserts Kevin Pleiter, IBM’s director of financial services. “We have a lot of experience [with] strategic outsourcing arrangements with large banks around the world. The story with a small vendor is that there is a huge risk: they’ve never been faced with some of the realities of dealing in this environment.”

Continues Pleiter, “Just throwing a bunch of servers into a data center and leasing them out doesn’t create an optimal environment for high-performance computing.”

Dealing with disasters is an area in which start-ups struggle, according to Todd Stefan, president of Fountain Valley, Calif.-based security vendor Talon Cyber Tec. “We find a lot of these firms are not prepared to actually support a recovery effort and investigation,” he says. “We have encountered a number of incidents with cloud computing vendors, but most of these are kept out of the news.”

As a result, several clients who tried out cloud computing have moved the functions back in-house, notes Stefan. “There’s a desire to make cloud computing work because it’s a perfect solution,” he says. “But there are more vendors getting into the market and many of them aren’t prepared.”

Even if a start-up delivers on its promises, there’s no guarantee it will survive once its initial funding runs out, or if there’s a costly disaster. “If they’re competing on price and don’t have that many clients, one incident could cause a large loss,” Stefan says. “What if they go out of business? … All of that highly sensitive data is in the system of a financially unstable firm.”

Customers want assurances about the reliability of their vendors, especially for mission-critical applications, but in the relatively young cloud arena, service-level agreements (SLAs) can be hard to find. Amazon offers SLAs for its storage services but not its cloud computing, says Geva Perry, chief marketing officer of New York-based GigaSpaces Technologies, which sells an application server that runs in cloud environments. The company counts Lehman Brothers, the New York Stock Exchange, Goldman Sachs, Societe Generale, Dow Jones & Co. and Bank of America among its customers.

The industry’s lack of maturity shows up in other areas, says Perry, such as only being able to pay for Amazon services with a credit card. “It’s great for small companies,” he says, “but not ideal for big companies, where you normally send an invoice.”

Financial firms were reluctant to adopt cloud computing until Merrill Lynch & Co. signed up 25,000 users for Salesforce.com’s online software last year. But “just because one thing in the cloud is safe enough for Merrill Lynch doesn’t mean that everything is safe for everyone,” says John Lytle, lead consultant at U.K.-based Compass. “You have to do this due diligence every time. Cloud computing is not a single offering; it’s an environment, it’s a blank sheet of paper.”

This article first appeared in Securities Industry News. (Paid subscription required.)
