Contributor: Michael Stoeckert
Software-as-a-service (SaaS), also known as “on-demand software,” is a delivery model in which software and its associated data are hosted centrally, typically in the cloud. Users normally access this software by using a web browser over the Internet. The financial services industry’s extensive use of SaaS programs has provided a significant foundation for migration to cloud-based platforms. Many of the processing, storage and security tools that a financial services organization requires to run its business are now available through cloud-based applications. In fact, the cloud is expected to dominate technology growth for the next 20 years. Cloud-computing technology is expected to increase at five times the rate of traditional information technology (IT), while representing only 12% of total IT product spending by 2014.
The cost savings of moving to the cloud are well documented. But mutual fund compliance personnel ask themselves: What about security risk when selecting a cloud provider? What are the most critical attributes financial services organizations should examine when performing due diligence on a provider?
Fund executives can take steps to reduce risk to a level that is acceptable for a given business need. The most crucial step in reducing security risk is vendor selection. The right vendor will work in partnership with customers to maximize the security of data in the cloud. The key is an understanding that security is a shared responsibility: the vendor secures the platform and provides the controls, and the customer must configure and use those controls correctly for a secure environment to become a practical reality.
According to an IDC Research survey of IT leaders, 68% of respondents indicated that security is a primary concern; 57% said they worry about data control; and 43% worry about meeting the requirements of service-level agreements (SLAs). Increasingly, organizations will demand that their cloud providers be ready to help them answer security questions from board members, investors and regulators.
Another consideration is the longevity, stability, experience and expertise of a particular vendor, which should be examined extensively. Time and again, new cloud providers have come and gone, and because cloud computing is a service used over the long term rather than a stand-alone product, the disappearance of a provider can have a significant impact on an organization’s business and data management. That is why the cloud-computing provider should also have relevant experience built across a broad customer base.
When it comes to compliance, many midsize companies do not have the resources to manage the audit and certification processes for an internal data center. Cloud providers should be able to address both audits and certifications, and help companies manage their mounting regulatory obligations. To measure the risk and regulatory impact of investment decisions, regulators may want to inspect every link in the data-management chain, from the buy-side firm and its data center through to the cloud-computing provider. So a cloud provider should have extensive experience with the complexities of a highly regulated industry, as well as a proven track record of hosting private and hybrid clouds.
Along with compliance standards and the expertise of the vendor, data security due diligence must be performed. Data is the lifeblood of the cloud, and without the correct protections in place, data can be compromised. Sound encryption protects the confidentiality of data housed in the cloud, both in transit and at rest, and authenticated encryption also protects its integrity; it does not by itself protect availability, which depends on redundancy and backup. Just as important as the encryption itself is key management: firms should ask who holds and can use the keys, whether the customer can control them, and how they are rotated and revoked. Intrusion detection and prevention are also paramount; a vendor’s firewalls, vulnerability scanning, logging and anti-malware controls should all be reviewed. Firms must also examine system access: who has access to what, and why? Policy and process controls must be in place to ensure that only approved individuals have rights to system code or data, that those rights follow the principle of least privilege, and that access is logged and periodically reviewed.
No matter what cloud-based solution a financial services organization chooses, the provider should have strong capabilities in all these critical areas:
- Deep understanding of the asset management industry;
- Security and privacy protections that meet or exceed internal IT and data security policies;
- Ownership of audit outcomes, rather than outsourcing the responsibility of passing an audit to a third-party technology vendor;
- Clear explanation about where data is stored and how it is handled; and
- Strong business continuity planning model with adequate data centers for backup.
Further, the cloud-computing vendor must be able to offer hybrid solutions that integrate the cloud securely with local installations where needed. It must also offer a comprehensive service-level agreement that meets or exceeds the organization’s needs and requirements. In addition, the cloud provider must take responsibility for the underlying cloud technology, and it must have a track record of successes, verifiable references and proven financial stability.
Once all of these prerequisites have been satisfied, mutual fund executives can choose the vendor that is most accessible and the easiest to work with.