Treasury Today Country Profiles in association with Citi

Is your head in the cloud?

Clouds from above in the sunlight

Dynamic competition and economic pressure has meant increased requirements for the availability, scalability, and efficiency of corporate IT solutions. Accelerating at an unprecedented rate, the cloud phenomenon, and its related benefits, pave the way for business innovation in such an environment. Cloud has prompted a different way of thinking: looking outside the company’s existing systems and infrastructures is the new ‘virtual’ mantra.

Large investments have been made by major companies such as Microsoft, Amazon and Google to promote awareness of the cloud recently. Indeed, in January 2012, Spanish banking group BBVA helped Google to achieve its largest business contract to date by moving its entire workforce to the vendor’s cloud platform. So what is all the excitement about?

In ‘cloud computing’, web services are available whereby the provider of a cloud builds a particular application customised to meet the user’s specifications, enabling ubiquitous, on-demand network access to a shared resource pool. As the user no longer has to splash out on expensive hardware (and software in some cases) themselves, the corporate can expect reduced IT spending, with post-implementation IT support catered for by the cloud provider.

Lower total cost of ownership (TCO) and a higher return on investment (ROI) can thus be anticipated in this shared virtual environment, as internal IT staff can focus on more strategic functions that aid business growth. These benefits help promote business innovation and a renewed focus on optimising the service value chain.

NIST visual model of cloud computing definition
NIST visual model of cloud computing definition

The right tool for the job

There are varying levels (models) of cloud service. The decision as to which model to choose depends entirely on your own business processes and what you wish to achieve from implementing the cloud.

With each step up (IaaS to Paas and then SaaS), you receive more services and more capabilities – and presumably more value. With each service category comes different implementations – all of which are more cost effective than what can be achieved with similar on-premises non-cloud solutions, according to Dan Ashton, Senior Solutions Marketing Manager at Ariba.

Cloud models

Infrastructure as a Service (IaaS)

At this lowest level of cloud service, the user is supplied with a virtual server with web access. Any system can generally be installed on this fully-outsourced server.

Platform as a Service (PaaS)

This is the next step up the ladder. The user is offered a remotely managed platform that allows applications to be written and deployed upon.

Software as a Service (SaaS)

This is the highest level of cloud service. A hosted application that is simply used – no software installation or maintenance tasks required.

“IaaS is a virtual environment, infrastructure as a service rather than purchasing servers, software, data centre space or network equipment. Clients buy those resources as a fully outsourced service. PaaS delivers a computing platform in addition to the hardware to make it easier to build and deploy applications without the cost and difficulty of buying underling hardware. SaaS delivers everything: all of the equipment, the underlying hardware and the software applications,” he explains.

Cloud computing, regardless of the service or deployment model, requires the engagement of a cloud provider that can ensure elasticity, scalability, provisioning, standardisation, and billed usage – the features that make the cloud so attractive. Elasticity enables scalability, which means that the cloud can scale upward for peak demand and downward for lighter demand.

The scalability factor allows the capacity to add users to an application and adapt to changes in application requirements. In addition, cloud customers can request and achieve an amended or new amount of computing, storage, software, or process from the service provider at relatively short notice. After these resources are used, they can then be automatically de-provisioned. Unlike most software vendors, the cloud environment also allows on-demand service payments, meaning usage can be metered, allowing you to pay only for what you consume.

Cloud deployment – is hybrid the answer?

A common misconception of the cloud is that it is just one big area that the whole world can go into (public) but companies can have their own individual cloud (private) – it is simply hosted and managed by somebody else, instead of them doing it themselves.

“Unlike most software vendors, the cloud environment also allows on-demand service payments, meaning usage can be metered, allowing you to pay only for what you consume.”

There has been much debate over the pros and cons of public vs private cloud models. The public cloud is managed by the cloud vendor and available to the general public.

Easy to adopt as it doesn’t require a rethinking of internal IT infrastructure, it may be the initial step that corporates make towards the cloud – allowing systems such as marketing, customer care and human resource management to test the water. On the other hand, a private cloud is built for the exclusive use of one organisation behind a firewall providing high potential for control, especially for business sensitive data.

However, choosing the high security of the private cloud is not always the right option. There are some cases where it might be quite sensible to share information, and adopt a hybrid model, and this is where some of the synergies in the market might happen, according to Alex Foster, Global Head of Sales for BT Radianz.

“The new paradigm is that your clients are your competitors and your competitors are your clients – there is huge potential for collaboration, especially within a hybrid model.”

Some corporates want a private cloud purely to reduce their IT spending and reallocate some of the IT budget towards innovation, but enterprises are increasingly moving towards hybrid IT infrastructures combining on-premises and cloud applications. This is particularly true among the larger corporates, allowing private data to be stored while utilising the elasticity of the public infrastructure.

Reasons for embracing the cloud

With a volatile market backdrop, chief information officers (CIOs) are looking at alternative ways of optimising their business processes. The role is transitioning from simply managing operations to managing IT as a service value chain.

With a focus on improving the performance of the business, CIOs are figuring out how to optimise this value chain to best support customers and enable the company’s business. Cloud is accelerating and mandating the transition.

With cloud, from the infrastructure to the upkeep, the corporate is suddenly going from a CAPEX to an OPEX-type model – this gives many corporates and CIOs the freedom, and the resources, to focus on driving the business forward in such a competitive environment.

While some CIOs remain nostalgic for traditional methods and complain that management now ‘go around’ IT by using the cloud, there are those who see the cloud as an opportunity to be embraced.

They recognise not only the benefits of the cloud, but also an attractive prospect of becoming more aligned with business units and the overall business strategy. These forward thinkers acknowledge, not just an expanded role, but also a more influential and strategic position within the corporation, according to Ashton. “Companies are now appreciating collaborating outside the four walls of the enterprise in order to really optimise the service value chain. We’re in transition – a lot of former naysayers are realising that by getting on board, they can become more strategic in their job,” he adds.

Overcast skies?

However, the concept of isolation of the physical infrastructure from the owner of the information being processed and stored has made some IT departments reluctant to move to the cloud.

They may be unsure whether their providers can offer the level of security, compliance, availability and control that they’re looking for. CIOs may also be unwilling to succumb to that high level of dependency. As the BlackBerry outage in October 2011 has highlighted, there are potential shortcomings with new technology that causes concern for many corporates – could this happen to their data on their cloud provider’s servers?

Understandably, security and reliability are main priorities when making the decision to move to the cloud. Can cloud providers deliver individual requirements of protection to corporates? Ariba’s Ashton believes that they can, and in some cases, cloud providers are actually giving better security than the company could provide themselves.

“The majority of the cloud providers have excellent security so now, rather than being scared by the idea, CIOs and CFOs are looking into it and feel they can trust cloud security as they know the facts.”

“It is a core competency for cloud providers; they know it is something inherent that has to be delivered directly into whatever solution they are providing. The majority of the cloud providers have excellent security so now, rather than being scared by the idea, CIOs and CFOs are looking into it and feel they can trust cloud security as they know the facts,” says Ashton.

That said, increased access to more important data online means greater potential damage from security breaches. Existing cloud security solutions such as a firewall, for example, are not designed to prevent security problems like dedicated distributed denial of service (DDoS) attacks.

With hacking techniques such as these constantly evolving, corporates need to be sure that the defence methods used by their respective vendors are reviewed on an ongoing basis. Guaranteeing high security levels is also a significant factor in the decision to adopt a private cloud instead of a public model but this is not a fail-safe solution.

Unless internal security infrastructures are reviewed and tightened before cloud adoption, the corporate could be at risk of automating existing problems – issues that become even more difficult to resolve within the architecture and (virtual) geographic reach of the cloud.

“No matter how you deliver a solution, you don’t want to automate a flaw within the process that is not going to deliver a return on your investments. You need to look inwards to evaluate,” warns Foster.

Furthermore, when issues do occur in the system, having many users on one cloud platform could make these more difficult to resolve.

If a breach happens, the cloud provider may decide to shut down large sections of the network as a precautionary measure, leading to significant cloud outages. In this regard, having a water-tight service-level agreement (SLA) that provides alternative workarounds in case of downtime is imperative.

“If businesses can’t get their arms around who actually owns the information and who’s responsible for keeping it in check once it’s in the cloud, they’ll continue to have problems in these areas.”

Companies are also advised to establish a contract that ensures audited maintenance checks will be completed on a regular basis. However, after signing an agreement with a vendor, corporates cannot assume that their work is done.

They should always maintain an agreed level of technical disclosure and updates on necessary information, according to Kevin Beaver, an independent consultant with Principle Logic and author of the book Hacking for Dummies.

“If businesses can’t get their arms around who actually owns the information and who’s responsible for keeping it in check once it’s in the cloud, they’ll continue to have problems in these areas.

The general assumption is ‘Although someone else is responsible for securing our information, we still own it and can access it whenever we please.’ That’s a dangerous mind-set that’ll come back to bite you.”

While the potential risks of migrating to this virtual environment need to be recognised, the economies of scale that stem from embracing the cloud are clear – you just have to be smart about your approach.

Strategic integration

Similarly, if corporates are looking to optimise their return from using the cloud, it is not enough to use it as a virtual mirror image of their internal database – they need to have the cloud synchronised with whatever existing IT system they have.

Frequently, organisations are saddled with internal, disparate systems that may block the ability to aggregate data and transform that into actionable business intelligence. With the cloud complementing the traditional system that looks after the core business, impressive cost advantages can be achieved on a long-term basis.

A study conducted by the Carbon Disclosure Project in London in November 2011, for example, revealed that large UK companies using cloud computing could save £1.2 billion (€1.39 billion) per year in energy costs alone.

Like any new system implementation, the key to smooth integration is planning, patience and plenty of preparation. Long-standing best practises in network design, encryption, data loss prevention, access control, authentication, auditing and regulatory compliance are now challenged. How do you prepare for this transition?

Collaboration. IT will be familiar with coding and the existing infrastructure while the business unit understands the business process and knows what the ultimate goal should be. It is important that all functions, particularly the end administration users of the system, work together in cloud integration to share their respective skills.

“To be able to get the best out of the cloud and to get it to work for treasury departments, treasurers need to work with the CIOs on a joint infrastructure to obtain the best output,” maintains BT’s Foster.

Deployment. Finding a solution that matches your current compliance and regulatory requirements while also having the flexibility to correspond to your future requirements is essential. Cloud services are customised not bespoke – do you have internal policies that dictate the infrastructure?

Performance optimisation. To ensure service levels are being exceeded or at least meeting levels previously hit in-house, service-oriented architectures (SOAs) need to be monitored and audited on a regular basis. Principle Logic’s Beaver argues that corporates should not settle for anything less than what they’d implement themselves. “Just because third-party cloud providers say that your information is secure, you need to validate that.”

The strategic benefit to leveraging this new technology should be recognised and the communication of awareness training to both staff and customers is advised.

Choosing the right cloud

From understanding what the cloud can potentially deliver, through to establishing a thorough SLA with a provider, corporates need to be aware of important issues to address before migrating to the cloud.

This means determining their own requirements as regards privacy, functionality, backup location and security concerns – before approaching vendors. The following checklist may help a corporate to decide on the appropriate cloud at this point:

  • What type of availability/isolation can the user expect within the cloud pre- and post-migration?

  • Where will the business data be located – and how easily can it be accessed?

  • How is the corporate‘s information protected from user abuse?

  • How is the security of this data managed – and by whom?

  • In what way, and to what extent, are activities within the cloud monitored and audited?

  • How will the cloud provider ensure that no one has tampered with its data?

  • How is the entire cloud platform protected from hacking threats?

  • What are the provider‘s disaster recovery capabilities?

  • What type of certification or assurances can the cloud provider show?

  • Does cloud make sense for your business?

For small-to-medium enterprises (SMEs) in particular, the decision to take on the cloud requires a lot of groundwork. It’s a question of maximising ROI whilst complementing existing business processes as well. Another point to note is that while cloud can clearly be advantageous for certain business functions, it may not have the same success with others. As Ariba’s Ashton points out: “Companies that have heavy customisation requirements for certain situations may still want on-premise, but the cloud is right for even the most mission critical applications. I think cloud may not be for everything but it is for every company.”

However, treasury is one area where cloud computing can add real value, as demonstrated by Honeywell in the 2011 Adam Smith Awards:

Case study

Honeywell Treasury opted to host its mission critical Treasury Workstation Application and its business sensitive database at SunGard, taking advantage of the latest cloud technology.

In doing so, Honeywell moved to a secure, stable environment and achieved up to 800% improvement in response time on system outages. Business continuity and disaster recovery also improved by 200%.

Joseph Nametko, Director IT, Global Cash and Risk Management at Honeywell commented: “Treasury and IT have positioned their best-in-class global operations and applications to take advantage of cloud computing.”

According to a recent Cisco Global Cloud Index report (November 2011), cloud traffic is expected to represent 51% of workloads by 2014 – a rise of 30% from 2010. So, those corporates reluctant to migrate to the cloud should seriously consider the dangers of being left behind.