Understanding the Hybrid Cloud: Frequently Asked Questions
In this interview, Eze Castle's Chief Strategy Officer, Mark Coriaty, discusses the emergence of the hybrid cloud and why some financial and investment firms are taking a closer look. NOTE: This article first appeared on Hedgeweek and Private Equity Wire.
Talk about the advancement and evolution of cloud services in recent years and how we’ve ended up where we are.
MC: If you step back and look at the landscape over the last four or five years, we have seen a lot of changes both on the technology front, as well as within the financial markets. Whether the result of fund raising challenges or increasing regulatory demands, the landscape for alternative fund managers has changed significantly.
We’ve therefore had to adapt to the market and this includes three different components: service, technology, and networking/security. With all the different regulatory bodies and demands from standards boards and governments, we needed to make sure we were providing a solution to our clients that a) met those requirements and b) was up to par with the security measures that we pride ourselves on at Eze Castle.
When you look at the Eze Private Cloud, it is a very controlled environment. It features a number of components related to private networking, client controls, data integrity controls, as well as enterprise-standard security measures. But as the public cloud has started to become more popular and mature in recent years, firms have started to pay closer attention to it.
Typically, this is because the cost structure is scalable. If you look at major providers like Amazon, Microsoft and Google, they have enough scale in their infrastructure such that it becomes less expensive for the customer to use the public cloud. However, when you analyse what they deliver versus the requirements of a lot of investment firms, oftentimes those requirements supersede what these large public cloud providers can offer.
Hence the hybrid cloud.
What exactly is a hybrid cloud infrastructure?
MC: The hybrid cloud takes two things into account: the standards that we put forth as best practices to our clients within the Eze Private Cloud, as well as all the regulatory requirements that alternative fund managers face. Then we connect key components of Microsoft’s public cloud, which means we inherently dismiss the majority of risk by going direct to the public cloud.
We have connected our private cloud with the Microsoft cloud so that we can look at and maintain more control over the networking and security components, as well as the end-user experience.
So the client does not need to use the public cloud themselves. They come to you and get the best of both worlds, as it were?
MC: That’s correct. We have a multitude of options that clients can choose from. We’ve put together standards on processes and procedures that we share with clients, and ultimately we make recommendations and steer them in one direction, or another, depending on their individual needs. We want to be flexible enough so that if a client wants a phased approach, where they go from hybrid cloud to private cloud, for example, we have the capability to support that.
The private cloud has long been the preferred platform of choice for investment management firms. Why is the hybrid cloud appealing to many firms today?
MC: It really comes down to the specific features and benefits clients are looking to derive from a cloud platform. The private cloud’s key benefits are control, security protections and high-touch support, and clouds such as Microsoft’s offer enhanced access to new features and a flexible platform for basic IT. The combination of the two with our hybrid solution can represent an ideal marriage for some firms. Ultimately, cost and value are two separate line items, so firms will need to evaluate what benefits they can glean from either cloud model and which makes more sense based on their priorities.
It has taken a while for hedge funds to adopt the private cloud based on security concerns. How has that played out in terms of using elements of the public cloud in a hybrid environment?
MC: Security has always been a concern, and I think it will continue to be a concern. There are, in my view, a couple of different components that need to be understood.
If you have all of your technology hardware on premise, it can create a false sense of security. Egress points, however, aren’t the result of somebody coming through the door to pull a server off your rack. It comes back to the technology, networking and other measures you have in place to ensure the stability of your overall network and the various ways of monitoring that network.
What we’ve done to mitigate some of the hybrid cloud concern is to extend some of our private cloud core connectivity to Microsoft Office 365, which limits the ability for someone external to access an egress point between the public and private cloud environments. So there are definitely security measures that can be put in place.
When firms look at security overall, they need to look at their employees, as the majority of incidents are typically the result of phishing attacks or users having inappropriate access to certain types of information. As a consequence, we’ve put a lot of controls in place to protect and parcel data and track it accordingly.
Therefore, in my opinion, security is less about worrying whether someone is going to be hacked and more about understanding the right responses to all the different data held within the firm.
How does the performance of the public cloud component differ compared to the private cloud? What measures have you had to take from a connectivity perspective to ensure that the end-user doesn’t see any time lag, for example?
MC: Recent technology advances, particularly on the networking side, mean that there should be limited performance issues overall. We actively monitor the traffic that moves between the private cloud and public cloud to ensure that performance and usability are on par with that of a fully hosted private platform.
Do hybrid cloud strategies introduce additional risk into an IT environment?
MC: Every time you introduce a new counterparty, there’s added risk. A typical firm will have 20 to 25 counterparties, so with the hybrid cloud, we will always look to establish direct connectivity to each and every counterparty. That mitigates the risk to some extent. That said, there are some platforms that offer software-as-a-service (SaaS) which sit on third party cloud platforms that we don’t have access to, and that can introduce new risks.
The risk level overall, using the hybrid cloud, is as risky as the client using any other platform. We carefully monitor the public cloud component offered by Microsoft, which we regard as a clear value-add. I believe we are the only hybrid cloud doing this presently.
To what extent does Microsoft allow you to monitor Office 365 and Microsoft Azure? Are they quite protective in terms of the extent to which you are able to perform a vendor risk exercise? As a counterparty you have to be comfortable with what they are doing at all times…
MC: We have done extensive due diligence on the Office 365 platform, and we are very comfortable with what Microsoft does, both from a security standpoint and the documentation they provide on their own internal assessments.
Much like other third parties we partner with, Microsoft has independent audits that we review. Indeed, this is something our clients expect us to do. This forms part of the regular risk assessments we perform on all the different vendors we work with.
Where do investors stand on the hybrid cloud – are they comfortable? Do they understand the virtues it can offer?
MC: They do. Investors have become very savvy over the last few years. Either they will come in and do due diligence on the manager, or they’ll have a third party perform the DDQ. The way that we looked at this business model, with both private and hybrid cloud platforms, we wanted to be prepared at all times to answer questions based on both solutions. We want to be as elastic as possible and answer any queries the investor or consultant might have.
We are always willing to educate the client on the public versus private versus hybrid cloud scenarios.
What do you think will be the next evolution of the hybrid cloud?
MC: It’s very important to ensure that a client’s employees understand the technical environment. In the past, there was an assumption that they could use it and nothing could possibly go wrong, hence there would be no cybersecurity risk.
The key elements that I think are going to emerge over the next 18 months will focus on cybersecurity and employee training.
Cyber criminals will become increasingly sophisticated with their techniques, and it will be vital for cloud platforms to have the most up-to-date technologies to keep pace. It could be patch protection, phishing solutions -- anything that can help ensure employees work safely and are singing off the same hymn sheet.