Cloud computing needs to be understood in the right perspective without getting carried away in the buzz that it has created, says Sameer Ratolikar, CISO, Bank of India, in conversation with Biztech2.com.
Does cloud computing really work for the banking sector considering there are so many risks involved? Which cloud model is best suited for banks?
Firstly, achieving a 100 percent risk-free environment is quite difficult. Security and customer ease should be adequately balanced with trade-offs made at the right place. Security initiatives at banks should be taken keeping this trade-off in mind.
A few banks are moving towards cloud computing to catch up with the growth in the amount of banking applications in the last few years. But cloud computing needs to be understood in the right perspective, without getting carried away in the buzz that it has created. Cloud computing, as I see it, is IT infrastructure made available on-demand on a metered basis that provides agility, elasticity, flexibility to scale up and scale down responding to the business demand – ‘On-demand’ being the critical point.
Now, with any bank running roughly 30-35 applications in the datacentre, which include Anti Money Laundering (AML), cash management, Financial Inclusion, NSDL, CDSL servers, credit risk, operational risk, market risk-based applications, the demand for capacity has increased manifold. This asks for heavy duty hardware devices coupled with 24X7 power provisioning backed up by redundancies on standby.
Virtualisation is helping to rationalise and optimise the deployed capacities. Additionally, virtualisation would also make the enterprise technology platform more agile, scalable and easy to manage. This is the pre-requisite for cloud computing. A private cloud at the company’s premises will help take over the operations from here and run them more effectively.
Looking at cloud from the private cloud model, there are two options: either the private cloud infrastructure is resident at the company and operates out of the company’s own premises, or a Cloud Service Provider (CSP) is hired to host and manage the bank’s private cloud out of their own infrastructure. The latter model comes with its own set of challenges. Banks will have to run through their individual risk management process, due diligence, etc. The security of infrastructure and services has to be assured along with making sure there is no multi-tenancy. These concerns will remain. The regulator is also not clear about the handling of customer data.
Banks will prefer to put non-critical applications, Internet applications – so to speak, on the cloud (read on-premise private cloud). Some institutions may adopt the private cloud first followed by the public cloud, while others may move directly onto the public cloud. Overall, as things stand today, the banking industry is moving towards the on-premise private cloud model.
Can you elaborate on how you see the private cloud arrangement wherein it is located in-house, at the bank’s premises?
This model is the most popular in the financial industry right now. The in-house private cloud will be maintained and managed by a third party provider but overseen by the owner’s IT team. It will have the conventional BCP, DR strategies already taken care of by the team.
How do you distinguish the private cloud models of in-house infrastructure operating out of the bank’s location versus hosting the private cloud at the vendor’s premise?
Private cloud model at the bank’s location offers the facility of hosting the data on the bank’s infrastructure following the accepted BCP/DR practices based on set processes. The customer data resides within the bank’s infrastructure. After setting up the baseline processes, this infrastructure is outsourced to a third party cloud service provider.
In the private cloud off-premise arrangement, the data is hosted at the cloud provider’s location. The bank has to adhere to its processes and rest on the provider’s trust and belief, a practice not recommended in spite of carrying out the required due diligence and risk assessment of the CSP.
CIOs/CISOs will have to negotiate and get absolute clarity on the DLP strategy of the CSP, hierarchy-based segregation of duties and authorisation of data access, the due diligence followed by the CSP while hiring manpower responsible for managing third party data, etc. Private cloud at the CSP’s premises will be the second most preferred adoption model after the air around the mentioned issues is cleared in the near future. This necessitates the CSPs to come up with various innovative security offerings, services, etc.
Apart from security, which are the other hurdles towards adopting cloud computing?
Fear, uncertainty and doubt still prevail on various aspects of the cloud models. Secondly, haziness about the jurisdiction of data being stored in different locations and then replicated for back-up with the power of virtualisation is something that requires clarity. The regulator hasn’t been clear about the guidelines for the industry.
Use cases are also awaited, which will instil confidence in the industry and perhaps subsequently, after the release of specific directions from the regulator, cloud will gain traction.
After UIDAI has issued UID numbers to citizens, how can there be a common platform for banks and UIDAI to collaborate and provide services to the unbanked population?
UIDAI and banks can exchange data using the web services model via the Automatic Data Flow (ADF), similar to how banks currently use it for real-time data exchange with the RBI. It’s done using the application mark-up language, which is a variant of XML.
The web services model would provide a platform for the various applications on the side of UIDAI and banks to be compatible and thus provide seamless data access for both parties.
Banks will keep the data in their custody and there is no reason why it should be handed over to UIDAI.
What is Bank of India’s cloud roadmap?
We are in the stage of negotiating with a few cloud vendors. One of the cloud security players has also conducted a cloud discovery workshop for the bank. In the near future, a CSP would definitely be hired. I would not like to comment on the cloud model.