The risks in employing cloud providers are still not settled, despite its value to data scientists. Dan Barnes.
Cloud computing providers should not be too smart if they want to gain the confidence of their users, according to industry practitioners, despite the utility’s obvious advantage.
The popularity of cloud is well recorded in the finance space. In his 2018 white paper ‘Cloud banking: More than just a CIO discussion,’ Michael Tang, global financial services digital transformation leader, at consultancy Deloitte wrote, “From 2016 to 2018, Deloitte Global saw a threefold increase in the number of organisations adopting cloud to promote innovation… Companies across the global financial services industry have been on the public cloud journey for the last three-to-five years, with tremendous acceleration over the past 12–18 months.”
One bank, spoken to on background, cited the costs of hosting infrastructure on the cloud as being around 30% of the cost for hosting the same infrastructure on-premise. It also observed that a major advantage was created by cloud providers supporting a financial institution in any location due to their international presence.
For investment managers employing data science, access to huge amounts of computing power and the services held within cloud is a critically important service. Technology development, the support services provided to them by banks, and the testing of risk and investment models are all built on cloud.
Major cloud service providers are Amazon Web Services (AWS), Microsoft Azure and Google Cloud. These firms have a native ability to support their proprietary business through virtualised computing, and have expanded that into commercial offerings for the investment sector.
An example of this is the work AWS is conducting with Morningstar, the investment research and data services provider.
“Morningstar’s risk model solution for multi-asset portfolios was taking more than 10 hours to run a single model with a single currency for a single day – and had no option to scale,” says Stephan Schmidt-Tank, senior manager for Financial Services Business & Market Development at AWS.
Morningstar adopted the Amazon Elastic Compute Cloud (EC2) to build the scale required to break up its risk model into a series of micro services and perform predictive analytics for multiple currencies at global, regional and local levels.
“The numbers tell the story – previously 10 million data points were run in each model, this is now up to 50 billion,” says Schmidt-Tank. “Instead of just one model running at a time, the company can now run more than 50 at a time. And instead of taking months to refresh its data, Morningstar can do this in a matter of hours.”
Despite the advantages in use, a key barrier to adoption of cloud in finance has been concern around trust. Transfer of proprietary data to a third party carries risk and may contravene data privacy laws, such as Europe’s General Data Protection Regulation (GDPR) which came into effect in 2018.
This has been downplayed as an issue more recently, with many commentators suggesting it is no longer a concern. Yet some specialists in the sphere of data science argue that service adoption today is being driven by trust issues. Building the most sophisticated cloud provision is not going to win you as many friends in finance as you might think. In fact, firms may find that off-putting.
“The best cloud technology by a long way is Google, but people also struggle to trust them,” says one senior big data practitioner, who spoke on condition of anonymity. “The least sophisticated is Microsoft, but people trust them. If you log on to Google you have one account regardless of your size. One IP address for the whole firm. Google can manage that whole infrastructure and manage it down to a cost centre level across the cloud. That is super impressive technology, but, people don’t like that. They like to have their own little playground. Microsoft has tens of thousands of accounts and IP addresses, but everybody gets their own playground and it looks like Excel. That’s why Microsoft’s growth is off the charts compared with the other players.”
Another risk stems from the potential for big tech firms to step into the financial services arena. While China’s Alibaba offers cloud service provision, its financial services arm, Ant Financial, has become the country’s largest fund management platform through distribution of its own and other firms’ money market funds, which are billed as an alternative to savings accounts.
“If you give all of your data to a cloud provider that has ambitions in the financial services space, how confident are you that it cannot reverse engineer your business, based on the data it holds?” noted one portfolio manager.
Safety in numbers
There are clear concerns about risk management best practice for financial services’ use of the cloud, stemming from both regulators and industry participants. The International Standards Organisation (ISO) has set up ISO/IEC JTC 1/Secretariat (SC) 27 to manage information security, cybersecurity and privacy protection, and has published 184 standards to date. Complying with these ISO standards is one way in which cloud providers can support the trust of their users.
Schmidt-Tank says, “AWS has achieved a number of internationally recognised certifications and accreditations, demonstrating compliance with third party assurance frameworks, such as ISO 27001, ISO 27017 (cloud security), and ISO 27018 (privacy). We are constantly listening to customers and are looking into other certifications that will define the future. Our accreditation reports and certification documentation are available for review under non-disclosure agreement to our customers.”
Beyond applying these standards, financial services firms can also apply their own encryption to information that is stored in the cloud, in order to reduce risk.
“We built a framework of controls with cloud providers, ensuring that privileged-access accounts would be given access to data only if that were recorded and flagged up,” explained the chief information security officer at one global firm.
Schmidt-Tank adds, “We take privacy extremely seriously, and on AWS, customers always retain full control and ownership over their data. For example, the ability to encrypt it, move it and delete it. We are vigilant about our customers’ privacy and have implemented sophisticated technical and physical measures to prevent unauthorised access.”
The balance between security risk and compliance challenges is also a factor in firms looking to use cloud providers. A financial services firm may determine that in certain cases having a cloud service provider – with cybersecurity that can out-gun many banks – generates less risk than on-premise technology.
“The probability of a systemic risk is quite low, and of cyber risk such as hacking, is quite high,” adds one cloud user. “The balance between those must be weighed.”
Footnote: Microsoft and Google were approached for this article but did not respond to requests for comment.