The concept of cloud computing is based upon efficiency and simplification, two themes that are increasingly important to Wall Street in this era of complexity. Fundamentally, the nature of computing, and information technology in general, is evolving. In the past, computing power and the IT resources that supported the infrastructure were procured, installed and managed on an individual basis by each company that needed these services. In most cases, these resources were actually procured by individual departments, and often configured by separate projects.

Cloud technology allows us to move toward an “on demand” model for computing, based on new, Internet-driven economics. It focuses on providing a better end user experience through massive scalability that optimizes computing resources to variable workloads.

A key consideration with cloud computing, and the focus of this article, is how computing power can be made available securely to the financial services industry.

A growing number of companies in the US and Canada are concerned about how to securely leverage cloud computing. These firms have been quite clear about the need for secure computing services that are matched appropriately to their business needs.

Most analysts and consultants recognize three distinct cloud computing models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Each of these models addresses a different workload and security profile, and has a different distribution of responsibility between cloud providers and their clients.

SaaS includes a range of offerings, but the general principle is that the service provider runs the software, eliminating the issues associated with licensing, installing, running and maintaining the software. In some cases the provider essentially delivers an application or suite of applications (e.g., Salesforce.com). Other providers limit their services, with the understanding that the customer must provide some aspects of the infrastructure architecture, sometimes including security services.

PaaS normally includes at least some aspects of user security, since the primary idea is to provide a platform for the customer to develop and run applications. A platform normally implies a complete infrastructure, so related services such as database and workflow management and computing engines should be provided. The security services should include controls for all aspects of the platform infrastructure.

IaaS focuses more on providing scalable amounts of computing and storage to the customer, with the ability to vary those two resources quickly and efficiently. In most cases, security is provided under a virtualization mode, meaning that the servers and storage should at least be virtually isolated from other customers of the IaaS vendor, if not physically isolated. Security offerings under IaaS run the entire spectrum from minimal to enterprise-class, hardened facilities, so it is best to thoroughly review and understand the security architecture of your provider.

Regardless of the cloud computing model, the need for security governance, risk management and compliance to applicable regulations within the industry are of paramount importance, and should be carefully considered. The security infrastructure should be able to evolve with the scalability of demand, as your use of the cloud technology progresses over time.

Steve Kopelic is a Software Sales Specialist for IBM Corporation (www.ibm.com), focusing on the Financial Services Industry. He can be reached at 704-701-6521 or via email at skopelic@us.ibm.com.