Conservative Bank Treads Softly Into Cloud
As head of infrastructure at DZ BANK, Dr. Jan Vitt is cautiously leading the conservative German financial institution's investment into cloud. Germany, after all, has some of the most stringent privacy and security regulations in the world, and DZ BANK must adhere to its nation's rules, as well as industry and European Union protocols. However, DZ BANK does operate several private and public clouds, a topic Vitt will discuss in his keynote at ISC Cloud & Big Data on Sept. 29 in Frankfurt, Germany. Follow the event at @ISCCloudBigdata.
Vitt, who began his technology career as a management consultant, has been responsible for DZ BANK's internal IT operations for the past seven years. He recently responded to an email Q&A with EnterpriseTech. Here are Vitt's responses:
Enterprise Technology: What kinds of regulations are in place in Europe that you believe are inhibiting the use of cloud computing by the financial industry?
Dr. Jan Vitt: We don’t look that much into Europe. We go straight to German regulations, which are usually derived directly from European law. The German banking authorities do have a bias against IT outsourcing in general. Roughly speaking, they require us to control and monitor an outsourcing partner in the same way we would do for an internal department. Cloud computing as a certain subset of IT outsourcing is even less favored.
This results for example in: You need to know the system administrators by name. You must make sure that they are trained appropriately to do what they are supposed to do. We permanently need to know where exactly our data is stored. Here, we are talking of certain servers – not a country or a datacenter location. Access to the data must be limited to only those persons who need that access. And this set of persons needs to be minimal. We need to provide all kinds of reports logging information from the cloud provider to the banking authority. This comprises standard reports and surprise requests on short notice.
Of course, in theory this could all be added to the standard cloud services. But isn’t the operating model of a cloud provider based on complete standardization, with no room for these kinds of extra wishes?
Enterprise Technology: After data security, what is the most significant hurdle to the use of cloud computing at your bank?
Vitt: Data security is by far the highest hurdle. But there are more. Lack of trust in the cloud provider is another one. We need to be sure they will treat our data the way we want it.
Then there is the risk of insufficient performance. One element here is the cloud provider’s systems. Another is network capacity. Our spoiled users might not get along with the user service they expect in case of reduced performance.
Downtimes for maintenance that do not harmonize with internal needs are also a hurdle. Planned downtimes that fall into time slots when crucial banking activities must be done are painful. Unplanned downtimes are even worse. Recent denial of service (DoS) attacks on providers usually lead to complete shutdowns of the services. If you rely heavily on cloud services that are no longer accessible, then you face serious damage to your business.
Enterprise Technology: Were the initial hurdles in adopting public cloud computing based solely on privacy issues or did you also have to make a case for the investment?
Vitt: The initial hurdles were indeed based solely on privacy issues. News of information leakages and stolen data gave fuel to this set of thinking. This has not changed much in recent months. With a growing number of companies in financial services using cloud services without incidents regarding privacy we will take a closer look at using those services ourselves. Another hurdle is the vast offering in computing power and storage capacities of the internal IT operations department. Why choose a troublesome and probably risky way to save a few euros when you can have it safe and secure? Who wants to argue the fine print in standard contracts (that in the end will not significantly be changed) when you can have it the easy way between organizational departments?
Of course, we need to justify the costs for internal cloud offerings in comparison to market prices, especially to those of major players in the cloud services market. So far our internal cost structure is highly competitive.
Enterprise Technology: What kind of data is hosted on the private clouds and the public clouds of the DZ BANK? Does the sensitivity of that data determine which type of cloud is used, or are there other factors related to the data or applications that drive those choices?
Vitt: Sensitivity of data is the major criterion to determine if certain applications or data can potentially be operated as public cloud services. Basically almost every data item is marked as sensitive so there is not much room. In general terms, no bank-specific data goes into public clouds.
Currently, in one public cloud we keep data on individual goals of our employees and some information of the recruitment process. In a private cloud that is operated by an external provider solely for our bank, we keep data that is generated in the IT service management process, e.g. incidents, problems, or changes. This type of information could give an intruder some insight into the bank’s strategies and their operational breakdowns, into our efficiency in recruiting talent, and into the assets of our IT division. In all three cases the bank knowingly chose cloud offerings because no alternative was found to produce these IT services on-premises.
Enterprise Technology: In selecting a public-cloud partner, what do you look for from the company itself? Do you have criteria for the location of its datacenters (for example, must they be in specific countries)? Did news about the NSA impact your selection criteria?
Vitt: The company we select for cloud offerings must operate under German law. Also German ownership is required. If a major owner is U.S.-based, we would not consider that company, thanks to the Patriot Act. Finally, we need to have trust in that company that it adheres to existing laws and does not solely look for a quick euro by neglecting data security, etc.
Our criteria to select a location are as follows: We best like a German location for its strong laws in data security. Second best are most countries in the EU. A location in the USA is currently not an option.
News about the NSA and their involvement in breaches of data privacy contributed heavily to this set of selection criteria.
Enterprise Technology: How do you measure the success of your cloud investments? How do these metrics vary, depending on the business use cases behind the implementations?
Vitt: Measurement of success is twofold. First, internal customers must be happy. They usually are when they receive the services they asked for without major incidents. Second, we look at the total costs it takes to offer internal cloud services. If they are not higher than public services, then it is a straightforward decision: Go internally! Regarding perceived risks in using public cloud offerings, even higher internal costs are justifiable to a certain degree.
These metrics are stable and in general, they apply to all cloud related decisions. However, if users argue strongly for a certain application that seems crucial to pursue their business goals with no functional alternatives in place and if this application is only provisioned as a cloud service, then we do have the chance to skip the metrics above, put customer satisfaction into first place, inform them on the risks involved, and let them go for the cloud solution.
Enterprise Technology: What other areas of cloud is DZ BANK exploring or considering for the future? What hurdles must be overcome? What opportunities do these areas offer?
Vitt: As mentioned above, whenever a crucial application is offered only from the cloud, we would go for the cloud, especially Software as a Service (SaaS). Infrastructure as a Service (IaaS) is not an area we will consider in the near future as long as we can fulfill all user requirements with our internal capacities. Saving a few costs while adding risks is not an option.
We take a close look at some companies in our group that start using Office 365 for certain user groups. If we find a company that meets our criteria regarding location and ownership, we might give it a try.