Do Banks Need a Financial Cloud of Their Own?
Not only are many banks and other financial institutions ready for the cloud, some are pushing Amazon and potentially other cloud providers to build cloud services specifically for their own needs. “Finclouds,” if you will.
Privately, executives at these institutions point to Amazon’s (AMZN) GovCloud—a set of computing, storage, and networking services set up especially for use by federal and state government agencies. GovCloud runs on its own set of Amazon data centers.
All GovCloud employees must be U.S. citizens or permanent residents due to International Traffic in Arms regulations. It is basically a segregated AWS cloud—Amazon prefers the term “gated community”—built for that specific, albeit very large set of clients. As Amazon’s GovCloud page explains: “ITAR stipulates that all controlled data must be stored in an environment where logical and physical access is limited to US Persons (US citizens and permanent residents).”
Financial services companies wonder why AWS can’t do the same for them. They face their own alphabet soup of regulations. There’s the payment card industry, or PCI, specifications for how to handle credit card payments securely, for example. Or SOC2, aka the Service Organization Control guidelines set by the American Institute of Certified Public Accountants that describe how a company or its service provider sets up system controls to ensure security, availability, process integrity, confidentiality, and privacy. Quite the mouthful.
And, if the financial institution does a lot of transactions with or for government entities, it also has to meet some of the same requirements as GovCloud. FedRAMP, or the Federal Risk and Authorization Management Program, is one example.
“Financial industry customers are very interested in AWS potentially offering a financial community cloud region, similar to the GovCloud region,” noted Lydia Leong, vice president and distinguished analyst of Gartner (IT).
(There are exceptions to the rule. One executive at a too-big-to-fail bank said privately that while his bank uses AWS, he personally would like it to provide its own financial cloud services, basically compete with Amazon. But that’s fodder for another story.)
That very notion poses a dilemma for Amazon, which has long said that its massive pool of computers, storage, and networking can be set up to suit any need. It’s deviated very rarely from that one-cloud-for-all meme, once for GovCloud and more strikingly with the “private” or dedicated cloud it agreed to build for the CIA and other intelligence agencies a few years ago.
Cloud purists say AWS-as-is is fine for most banking and financial applications but some agree the company could make it more attractive to financial firms with prescribed setups and guidance.
“The whole idea is that the cloud is one platform. It offers the same level of security to banks as it does to one-person websites. AWS will certify the whole platform,” said David Mytton, CEO of Server Density, a server monitoring company based in London.
And it’s true that many Amazon services in certain regions comply with various regulations, but it can be a chore to ascertain which. For example, here’s a list of AWS services that are PCI compliant.
Get Data Sheet, Fortune’s daily technology newsletter.
Kris Bliesner, chief technology officer for AWS partner 2nd Watch, agrees. Sort of.
“I don’t think they need to go the route of a separate cloud but there is a need to make it easier for banks to understand they can trust public cloud providers,” he told Fortune.
There are things that AWS—or Microsoft (MSFT) Azure or Google (GOOG) Cloud Platform—could do to package certain services to make deployment clearer for financial customers, these people note.
For more on Amazon and cloud, watch:
“They’ve already done some of that stuff with HIPAA for healthcare providers,” Bliesner noted. He was referring to the Health Insurance Portability and Accountability Act, which outlines how health insurance applications can be set up and run.
These blueprints say, “Here are our services that are HIPAA compliant. You must do things like use dedicated instances, for example,” Bliesner said. Dedicated instances are a type of Amazon EC2 computing power that is cordoned off for use by one customer.
So on the one side you have a few but very big customers clamoring for an Amazon cloud of their own. On the other you have public cloud proponents who say that public cloud, as is, can do what needs to be done to run these workloads. It’ll be interesting to see what, if anything, happens.
Note: This story was updated at 4:54 p.m. EDT with more detail on which AWS services comply with which regulations.