The rise of cloud computing in the capital markets is rapidly gaining steam, and as is the case when any new technology catches on, regulators will take notice. "The industry needs to start talking about information security and cloud computing with regulators," insists Adam Honore, research director at Aite Group. "They'll have to see what is and isn't acceptable behavior. And that discussion should start happening sooner rather than later."
Some industry groups -- including the banking association BIDS, the Cloud Security Alliance and the Enterprise Cloud Leadership Council -- already are working to preempt regulation by developing standards, or at least discussing potential potholes. Certainly, the agile nature of the cloud and the ease with which data can (and should) move around will be a hot button issue for regulators, which will scrutinize data security.
"Even though data is kept in the data center, it moves around -- you have to really look at ... different potential attacks," says Larry Ryan, chief technologist for the financial industry at HP. "You have to be able to analyze everything in real time, and if you detect patterns that are abnormal, you have to react to them in real time."
Other cloud-specific data challenges also are likely to arise. "If a client requests information to be deleted, it is very hard to prove the fact that the information has been completely removed," notes Shin Kusunoki, corporate SVP and asset management systems division manager of the Nomura Research Institute, a think tank and systems integrator in Japan. "It is similar to the phenomena that occurred with information that was on WikiLeaks [that was taken down] -- but it was still available to browse on other websites."
The global nature of the cloud also is likely to appear on regulators' radar. "You have to see if different countries demand different levels of security or practices," says Chenxi Wang, VP and principal analyst, security and risk, Forrester Research.
Andrew Feig, an executive director at UBS and a member of the Open Data Center Alliance, which drives cloud standards, points out that complying with varying global regulations could force firms to ensure that data doesn't leave the country where the data center resides. "But how do you make sure the data doesn't leave?" he asks. "Also, if you can't move your workload around [the cloud], that goes against one major benefit of the cloud."
Service provider liability also is likely to play a central role in any upcoming cloud legislation. "If you have a small provider that will accept liability and they're broke, that doesn't mean much," notes Rodney Nelsestuen, senior research director of the retail banking and cards practice at TowerGroup.
"Accountability can't be outsourced," says UBS' Feig. Noting that Amazon Cloud Services's recent outage reinforces the importance of looking at operational risk, he adds that firms will have to extend all of the security and compliance checks that they carry out internally to the cloud, too. "Everything you do internally," Feig contends, "you will have to do on the outside. And there will be a higher level of scrutiny on the outside."