Larry Tabb: People are worried about security, but I think to a certain extent, the Public Cloud guys have been on top of security, probably even more than the private data centre. The security needs to be configured properly and people need to be on it, but I’m not sure if this is any more or less of a challenge than having your own data centre.
I think the question would be what’s the confidence in AWS or Google or wherever the Cloud provider is to provide a secure and reliable environment? Can you insulate my stack of infrastructure and the exchange stack of infrastructure from everything else, such as Netflix swallowing all bandwidth when a new movie is released? And I think the answer is probably yes.
Hopefully the Cloud Service Providers (CSPs) can shift workload in a heartbeat if a set of servers, for instance, goes down. That may mean that they need to create a financial services Cloud to support seamless failover in a secure environment. It might not be a bad idea having one major data centre in the New England area and another one mid-Atlantic, or elsewhere.
To a certain extent, the CSP’s main business is providing the hosting centre and the security facility, whereas a bank’s main job is to either trade or make loans or process deposits or, do the business of banking. Their data centre and their Cloud business are an adjunct facility to a bank. Yes, it’s core to their business, but it’s not core to how they make money. However, the Cloud infrastructure is absolutely core to how Google, Oracle, AWS and all these CSPs make money.
Larry Ryan: Cloud Service Providers (CSPs), such as Amazon Web Services (AWS), Azure and Oracle Cloud Infrastructure (OCI) provide a number of services that enables development of secure and resilient systems. From a resiliency standpoint, these CSPs offer multiple locations distributed globally with the ability to quickly, and in some cases transparently, shift workload between data centres. Azure and AWS have published white papers recommending best practices in order to comply with Reg SCI. From a security standpoint, these CSPs also offer a number of access control features and features to encrypt and protect data at rest and in transit.
Greg Allen: In particular, CSP deployed resources are more secure than our data centres because the CSP have a far bigger budgets to spend on cybersecurity, and they’re privy to patches before us, often before we even hear about the exploits.
For low latency trading platforms. It really comes down to the right application architecture and availability of a low latency interconnect. As far as the role of regulators goes; that really doesn’t change. In effect, this is an outsourcing arrangement; the exchanges are still regulated in terms of security and resiliency. The fact that you outsource services to a CSP doesn’t change that commitment.
Evan Bauer: The application has to be architected to take advantage of Cloud infrastructure appropriately, existing applications designed for on–premise deployment don’t do. They don’t take advantage of the unique resiliency and the security capabilities of the Cloud. As has always been the case, infrastructure architecture and application architecture need to be seen together. Furthermore, there’s a real opportunity to define your infrastructure as code, i.e., to compose your infrastructure. This allows integrated testing and deployment of infrastructure and application together. As one example, OpStack measured extraordinary variance in the performance of identically provisioned cloud VMs, requiring a deployment strategy that tests each VM before start-of-day and discards the rejects – this is a tactic unique to the Cloud. The use of Public Cloud infrastructure provides new opportunities, challenges and unique options.
Larry Tabb: It will be interesting to observe how the regulators manage the CSPs going forward. God forbid AWS or Microsoft or Oracle or whatever goes down. There could be a wide swath of infrastructure across all industries to go down. Years ago, and today, trading venues deploy fault-tolerant architectures that they controlled. In the world of Cloud, the CSPs provides that kind of redundancy, which means it is operating under one infrastructure, which is a central point of failure. Eventually, the CSP data centres will be audited by regulators. The CSPs may want to corner off these areas because they don’t want the SEC, Bank of England and FSA wondering around their data centre.