‘Moving to the cloud’, ‘Running in the cloud’, ‘Stored in the cloud’, ‘Accessed from the cloud’: these days it seems like everything is happening “in the cloud”. But what exactly is this nebulous concept?

According to Salesforce, providers of cloud-based Customer Relationship Management software, the short answer is that it's somewhere at the other end of your internet connection – a place where you can access apps and services, and where your data can be stored securely. The cloud is a big deal for three reasons: it doesn't need any effort on your part to maintain or manage it; it's effectively infinite in size, so you don't need to worry about it running out of capacity; and you can access cloud-based applications and services from anywhere. All you need is a device with an internet connection.

That's important because there's a shift going on from office-based work to working on the move. This shift is reflected in computer hardware sales. In 2015 about 270 million desktop and laptop computers will be sold, compared to 325 million tablets and almost 2 billion smartphones.

That makes the cloud a very good place to run business software applications – software that users need to access reliably at any time, wherever they are, and on any device.

Major corporations including Google, Amazon, IBM, Sun, Cisco, Dell, HP, Intel, Novell, and Oracle have invested in cloud computing and offer individuals and businesses a range of cloud-based solutions such as:

E-Mail: Some of the biggest cloud computing services are Web-based e-mail such as Gmail or Outlook. Using a cloud computing e-mail solution allows the mechanics of hosting an e-mail server and maintaining it to be taken out of your hands. It also means that your e-mail is accessible from anywhere.

Document/Spreadsheet/Other Hosting Services: As made famous by Google Docs, a number of services exist on the Internet that allow you to keep and edit your documents online. By doing so, the documents will be accessible anywhere, and you can share the documents and collaborate on them. Multiple people can work in the same document simultaneously.

Financial Services and the Cloud

Last November the Financial Conduct Authority (FCA) published proposed guidance for UK-regulated financial services firms when using cloud-based ICT solutions. Although the proposed guidance raises as many questions as it answers, the main take-away for regulated financial services firms ought to be that some form of guidance as a framework for cloud adoption is better than nothing.

Guidance 15/6 builds on the existing FCA approach to outsourcing. The FCA identifies three risks that it feels are specific to cloud-based solutions over-and-above ‘normal’ outsourced technology services delivery methods:

  1. Cloud customers may have less scope to tailor the service provided.
  2. Cloud customers may also have to accept that cloud service providers will move their data around; however, in some cases, cloud customers may be able to specify the overall geographic region in which their data is stored.
  3. Firms should also consider the risks associated with outsource service providers who may contract out part of their operation to other cloud providers. This may occur without the firm initially realising.

The proposed guidance lists a number of areas that regulated firms should consider when using cloud-based services, including how they should discharge their oversight obligations. These include risk management, compliance with international standards, data privacy and security, and exit planning.

Helpfully, the guidance offers a number of clear statements detailing what the FCA expects in terms of access to data (access for regulated firms, auditors and the FCA to a wide category of data including firm data, personal data, transaction data, HR data and audit logs), access to premises and exit planning (including documented and regularly rehearsed exit plans and obligations on the outsourced service provider to co-operate fully to ensure a successful transition). The document also makes the point that firms should consider this guidance in the context of their overarching obligations under the regulatory system and goes on to say that cloud computing should be considered as outsourcing, and the exact form of the service used does not, in itself, alter the regulatory obligations placed on firms.

The essence of all this is that we should all be aware of the issues involved in any use of the Cloud – whether it is full-on storage of business documents and processes, or occasional use of Cloud-based applications. All organisations, large or small, need to know who in their company is using what, and apply some kind of guidance framework, pending the outcome of the FCA consultation. This is definitely a case where it’s better to be safe than sorry.