March 26, 2014
Credit Union Management’s Web-only “Tech Time” column runs the fourth Wednesday of the month.
With interest and participation in cloud-based virtual systems on the rise, credit unions that have not moved their IT infrastructure, e-mail and public-facing systems to the cloud are likely giving the idea some serious thought.
Unfortunately, while many people have a basic understanding of how cloud computing works, appreciating the subtleties can mean the difference between a successful cloud transition and an expensive headache. Even among experienced IT professionals, misconceptions are common.
Correcting these misunderstandings and grasping the basic principles that influence the way different companies operate in the cloud are important for any business. For credit unions and other financial institutions, where the stakes are (sometimes literally) higher due to the amount of personally identifiable information they manage for customers, solid understanding is essential.
When it comes to working in the cloud, operating within a set budget is obviously a priority. One of the complexities about moving to the cloud is that, while you frequently only pay for what you consume, it can be very difficult to predict your level of consumption.
Storage needs—how much data storage you will require—are fairly straightforward, and there is also some correlation between how much “compute”—or server resources—you use in your current on-site system and how much you will use in the cloud.
When it comes to pricing, many cloud providers take a significant loss on the storage and compute components of their services—they are essentially loss leaders for the third and most lucrative portion of cloud computing: the bandwidth charges (how much data you are moving in and out of the network). It is incredibly difficult to predict, and the price structure tends to take advantage of that.
Think carefully about how accurately you can predict your bandwidth consumption, and be wary of cheap storage with cost-per-access fees that can add up quickly. Think critically about how often your users—both employees and credit union members alike—will access documents on file systems and records databases. Quite a few companies are getting burned as a result of miscalculation within the pricing structure. Although difficult to measure, having a network architect or administrator monitor bandwidth utilization, as well as how often users are accessing information on the cloud, can help businesses develop a utilization profile and better predict its bandwidth consumption and information access.
Performance, or the amount of time it takes to access information stored on the cloud, is also difficult to predict, because performance is, logically enough, not guaranteed. It is also tough to predict performance parameters and to translate what they mean in the real world.
Another frustrating issue: evaluating what performance is “worth.” Until you experience not having performance, you are not going to know what it is worth. How much value is there in your ability to access a document in seconds as opposed to minutes, or to retrieve a database record in milliseconds instead of tens of seconds? Credit unions are more likely to need that guaranteed throughput—the last thing any credit union wants is a service representative waiting for data.
Together, performance and bandwidth can drive the price of moving to the cloud up dramatically—they are cost considerations that can be “multipliers.” Typically, the better the performance and bandwidth, the more it will cost credit unions. Keep in mind, these are costs that are currently buried in your on-site infrastructure, and there may not be correlation between your existing technical architecture and your needs in the cloud.
Private vs. Public
The difference between a private, hybrid and public cloud—through a well-known provider like Amazon, Google or Microsoft—boils down to fit and service. Those brands are innovative and successful, their public clouds such as Google Cloud Platform and Microsoft’s Azure are well designed and their data centers feature some of the best security in the world, but their service is structured around one common platform—with little by way of customization. A private/hybrid cloud vendor, on the other hand, has both the vested interest and the ability to keep client information secure. Private and private/public vendors are far more likely to design a customized model for your systems, processes, storage and access needs in a way that maximizes security. The flip side, of course, is that using a private vendor also can be significantly more expensive.
Moving to the cloud requires evaluating the level of risk a credit union is willing to assume—balancing accessibility and security. The cloud itself does not make your organization secure. Even the best cloud providers and data centers that meet the highest standards for security and compliance do not ensure that you will automatically be able to implement your system in the cloud in a secure and compliant manner. The missing piece of the compliance puzzle lies within the financial institution: Your people have to understand how to implement a compliant system in the cloud.
Part of the problem is that many IT professionals have gotten very good at securing an on-premises network. They understand that the primary points of vulnerability are the machines and the network, and they are adept at implementing security measures like firewalls, intrusion detection and prevention, and antivirus software. Securing a cloud-based system is very different, however. Think of it like the difference between securing your family at home, and keeping them safe on a road trip. The security perimeter is very different in the cloud, and there are not many IT professionals who truly understand how to define and defend that perimeter.
In addition to information security, business continuity and disaster recovery are major compliance considerations. Do not assume cloud storage ensures that all your data is backed up and recoverable. Ask about how protections are established and maintained (including where the data centers are located), what backup mechanisms are in place (including how quickly you can be up and running after an outage), and what the price tag will be for maintaining those standards.
Ronald Redmer serves as chief operating officer and chief technology officer of assure360, a Farmington Hills, Mich.-based provider of private cloud and hosting solutions, software-as-a-service offerings, and information security and compliance consulting with two geographically dispersed data centers.