Business Continuity is Dead, Long Live Business Continuity

james-rundle
Perhaps we should rethink the term 'managed services'.

Correct me if I'm wrong, but I think this might be the first time that a regulator has directly addressed security issues surrounding cloud computing. How many conferences have we been to where we've talked about data location, security, mission critical versus non-mission critical, client key information and all the rest? Fear not, gentle readers, the Federal Financial Institutions Examination Council (FFIEC, to its friends) is on it.

In a paper released on 10 July, Outsourced Cloud Computing, FFIEC broadly defines cloud in this sense as the third-party provision of applications, infrastructure or services, placing it firmly into the outsourcing category. As such, it says, financial institutions should be aware of FFIEC guidelines in this space, such as fundamental risk and risk management.

Due diligence, vendor management, auditing, information security and legal, regulatory and reputational concerns are all covered. While fun to see it codified in such depth by a regulator, it's really nothing new. Having covered this space ad nauseam for a long time, it's clear to me that all of this is understood by most financial institutions. Most competent financial institutions and firms, of course, not the guy who was nicked by the SEC a few weeks ago for selling trading strategies based on the movements of the moon.

Cloud Continuity
Most of this will be covered in any decent service level agreement, of course, and the vendor sector are pretty hot on this. Uptime, redundancy, information security and all of those good things are, traditionally, concerns on the part of the service provider. However, the FFIEC makes a good point that you can't just label things as 'outsourced' and, suddenly, responsibility vanishes.

For all of its good points, and all that it facilitates, technology is fallible. And firms shouldn't make the assumption that, just because cloud offers a streamlined front end, it's not as convoluted in terms of infrastructure as other, more traditional, systems. Falling into the complexity trap, as we've seen in recent weeks, is easy to do, as Randy Clark, chief marketing officer at UC4 Software, told me last week when we were discussing the NatWest situation. Not strictly related to cloud continuity, of course, but the essential points about complexity are just as relevant.

"Complex systems fail in creative ways; this is why it took so long to find the root of the problem," he said. "Like the rest of banking, the IT got so complicated that the people using it didn't even understand it. The solution to complexity is always simplicity. Break the problem down and keep it simple. To get control of this complexity and head off the risk of failure, IT teams in banks need to architect their systems for web-scale. More standard, simpler and scalable levels of abstraction are what are needed. This kind of re-organization of IT isn't new - we did it going from mainframes to distributed computing. However, as usual, this time it's happening faster with bigger consequences."

The Right Approach
That's why, I think, it's good to see a regulator taking the lead on this. It might be old news, and conversations about this may have been batted around hotels in New York, London, Singapore and Paris for years, but the first step towards a common approach is always discussion.

In actual fact, I personally believe that cloud is probably the future of areas such as business continuity planning. I'm not alone in that either. I had a discussion with Justin Wheatley, CEO of StatPro, a few weeks ago about cloud stability and continuity processes, among other things. Clearly, there's a vested interest in extolling the virtues of cloud there, but he made a few good points about information security.

"Some people are concerned about the level of security on the cloud but I think that cloud computing is, by its very definition, a better and more secure approach," he explained. "In a centralized system, users are given access to come in and look, but they can't take the data away or send it down a wire. The information isn't going anywhere, it's staying in one place. Structurally, it's a more secure concept than the one of sending information all over the place."

Let's not forget the ability to cross computing networks with each other when one goes down, the lack of geographical reliance and other areas, and the benefits of cloud become apparent. The FFIEC's point, however, is that individual responsibility remains key, and that's the truth regardless of what kind of outsourcing you engage in.

Do you want to talk outsourcing, cloud, the endless amount of rain in London and the brief, torturous moments of sunshine, or anything else? Give me a call on +44207 316 9811 or an e-mail on james.rundle@incisivemedia.com.
