Thursday, 8 December 2011

Banking in the Cloud and the Data Protection issue

A few years ago, when all this cloud hype started, I was working on setting up an R&D centre, utilising Microsoft technology to develop solutions for commercial and retail banking, and I therefore had a number of meetings with the Microsoft evangelists, particularly in the server technology area. I had followed the development of the Oslo project, the Azure platform and Amazon Web Services, which were (are) all novel in the way you build and deploy applications, but in my opinion a bit disappointing, and now suddenly Microsoft, Amazon and many others were with unprecedented (at least since the dotcom days) coordination launching "the cloud" and I couldn't figure out what was new.

So at one of these meetings I asked "if the cloud is a bunch of hardware resources in a network with virtualised servers, then what the hell have we been doing the last 10 years?" and the only answer I got was a crooked smile.

My conspiracy theory is that what Microsoft, and others, had done was, in a year where nobody had any major releases, to take the excess capacity and re-launch existing technology, a concept older than the internet itself. They took something that was considered very boring and super geeky (hardware, network, and virtualisation), even by most software developers, and made it cool. Brilliant!

Almost any vendor in the infrastructure space jumped on the bandwagon, and they could do that quickly (because after all it was basically just a name change). They were now cool!

But then something strange happened. Because it was suddenly mainstream, IT managers and executives that hadn't been involved hands-on for a decade started to pick up these things and run various kinds of feasibility studies, technology roadmaps and transformation programs because they wanted to be cool too. Two years before, the guy with the greasy hair and really thick glasses from "network services" would just set up the infrastructure, but now it was an executive discipline.

In the process of simplifying everything so they could themselves understand it and then simplifying it further so it could be presented in a PowerPoint format at a board meeting, some strange misconceptions began to blossom.

The most interesting one is the belief that if you install a server on a cloud infrastructure, you can’t control where your data is; it will flow freely all over the world in this great indefinable soup that is the cloud. You don't know if your customer data is in the UK or Thailand.

Enter the Lawyers! I have been in meetings with two sides of lawyers with a second-hand knowledge of something already simplified and unenlightened, trying to reach an agreement on data protection implications. Lawyers are by virtue of their profession inherently 1000% risk averse and you can therefore never reach a useful conclusion.

Have a look at this piece from Willans Solicitors. It is from their news magazine a few days ago, where Partner Simon Brace, an ex City lawyer, highlights concerns regarding cloud computing:

“potentially you could find your data chopped up and is being stored on a number of different servers in any number of different countries world wide, leaving you in complete breach of data protection laws.”

Needless to say that it prompted questions for me, because the wrong people read that article. Thankfully the Information Commissioner’s Office (ICO), which is the authority on the area, has issued guidelines, and if you steer your client's lawyer towards that site, there will be enough ass-covering in it to gain approval.

You may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK. However, you may only send it to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data. Read more about what this means in practice.

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Man, all of this because we couldn't just leave the guy with the thick glasses to do his job.

So anyway, for a small company I'm a director in, I decided to put our application on a cloud server, and do it myself so I have a 100% understanding of what I'm talking about.

I chose the Rackspace cloud server because it was a pretty reputable business, they had a company and data centres in the UK (and importantly, if you are a UK customer your server/data will be in the UK data centre) and it looked user-friendly enough that even I could manage it. And finally I chose it because it would give me a completely normal Windows server, I didn't have to make any changes to my application, and I wanted something I could access with remote desktop.

Call it cloud, call it whatever, but my conclusion is that it is actually very cool. Installing a server took less time than an average intercourse and that is, I can reveal, incredibly fast.

So this is how you do it.

1) Create an account with Rackspace.

2) Select a server configuration: Windows, Linux - and if you want a database server.

3) Scale it: How much hard disk, RAM, CPU do you want (you can always change this later if you need more firepower; they even have an iPad app that allows you to dynamically change the configuration of your servers. It's great and very useful). You basically pay a monthly charge based on the kind of server you have chosen and the amount of resources you have assigned to it.

4) You can also very easily set it up to do regular backups and it's basically a complete copy of the entire server, with operating system and everything, so you won’t have any strange compatibility issues when trying to restore your backup.

5) Perhaps the best thing was when, after deploying and configuring everything, I realised that I also needed a test environment. Through the control panel I could simply make a copy of the server I already had and now I had two.

Would I be comfortable with financial services apps hosted on a cloud server? Yes, absolutely. Would I attempt to install everything on a cloud infrastructure if I was HSBC, Barclays or Lloyds? Probably not. They have so many legacy systems with very complicated configuration that it simply isn’t economically feasible to do.

I would certainly look for admin functionality like the above, even if we were installing in our own data centres, because it makes life so much easier (agile if you like) for the development teams in the bank. For core systems I probably wouldn't go with a standard hosted solution without a very thorough investigation of the physical security at the centres and I would, perhaps, ask for a "ring fencing" of our technical assets. IBM and others are also working hard on promoting what they call a "virtual private cloud", which is an interesting concept that I shall leave for another post.

In summary, if you pick the right service provider, and set it up properly, I believe you should be comfortable banking in the cloud.


  1. For some reason your latest post didn't trigger on my blogroll. Is this because you've changed to email subscriptions?
    If so I'll register.

  2. Thanks for letting me know. A quick Google search tells me it's a fairly common problem, but I have tried adding the "followers" gadget again; hopefully it will fix it.