For Tony Kerrison, the day has long passed when it made sense to question whether cloud computing had a place in financial services companies' IT plans. Kerrison has been one of the industry's cloud computing pioneers: In 2008 he helped create an internal cloud for data center servers at Merrill Lynch (back then it was referred to as "stateless infrastructure"). This year he took the helm of the Enterprise Cloud Leadership Council, a group of corporate technology buyers developing cloud standards for vendors.

From his perch in Amsterdam as chief technology officer at ING, he's at it again, and along the way he is aiming to provide a path that banks in all parts of the world can follow. ING's project involves building a large hybrid cloud that combines features of public clouds and private data centers, one it will open to other banks to use. The hybrid or shared IT infrastructure, Kerrison believes, will achieve the variable costs, scalability, flexibility, and on-demand availability offered by public cloud computing in a way that addresses the security, compliance and performance requirements banks adhere to in their internal clouds.

"One issue a lot of financial companies have today is we all carry a lot of legacy in our environments, which means we can't move quickly and respond to demands the way we'd like to," Kerrison says. "Technologies like cloud will help us to be more agile and adapt to the demands of our clients in a much better way. Cloud computing has given us the opportunity to have some standards we work to and think about different ways of providing our services than just the traditional way of running everything ourselves." By taking a hybrid approach, ING can start with full control over the physical environment in which servers, storage and apps live. Over time, as regulations become clearer and as public clouds and their service level agreements become better understood, more computing can shift to less expensive and more easily scalable cloud venues.

The $1.7 trillion-asset ING has already built an internal, private cloud - a web of computing, storage, and network resources consumed as a service with automated, self-service provisioning - with a bevy of technology partners including IBM, Hewlett-Packard, Cisco, VMware and EMC. ING's cloud makes heavy use of Vblock from VCE (a joint venture of Cisco, EMC and VMware), a set of preconfigured, interoperable components that includes VMware virtualization software, Cisco switches and Unified Computing System (a combination of server hardware, virtualization software, switching fabric, and management software), EMC storage units and software, and RSA security software.

ING is by no means alone in pursuing a hybrid cloud environment. In May, Frost & Sullivan found that 22% of enterprises around the world were already using hybrid clouds; 41% of IT decision makers indicated that cloud will be a top priority for the current fiscal year. Hybrid clouds are the wave of the future, according to Gartner analyst James Staten. "This is not going to be a world that runs on cloud. It's going to be very hybridized," he says.

Purists could argue that private clouds like ING's, which JPMorgan Chase, UBS, State Street, Morgan Stanley and other large banks also have built, are not truly cloud computing, but merely virtualization projects. Kerrison and other IT leaders argue that, call them what you will, such flexible internal technology frameworks are critical to cloud computing. "I don't believe the private cloud environment is so significantly different from traditional virtualization," Kerrison concedes. "The real value comes when you start to integrate other cloud services into your existing infrastructure. That's where you want to start targeting the 30% cost savings that can come through migrating to cloud providers. It's an evolution from virtualization to the cloud."

One benefit of ING's private cloud is the self provisioning: users go to an internet site, specify what they want, get the right approvals made and receive what they need over the Internet. Another is efficiency for IT staff who don't have to spend so much time setting up each new user.

Currently about 5% of ING's applications run in this cloud, but the ratio will grow. The types of applications Kerrison finds are best suited to a private cloud are generic office applications. "In the private cloud environment, we're focused on utility apps and the less critical, less bespoke business apps," he says.

The overarching benefit of this private cloud for ING has been not cost savings, but the building of an IT architecture that will enable the bank to shift to hybrid and other cloud services that use other people's infrastructure.

"For us, this is an evolution of understanding how cloud services operate, which is why we did it initially in a private environment, acquiring the tools and capability to manage that private environment, putting automation in place to exploit what the cloud can offer," Kerrison says. "We're setting ourselves up for the future and making sure that we understand the way the cloud operates, the constraints and security requirements. We've done all that in a very conservative way to understand it before we scale out and start to use other infrastructure."

Building a Hybrid Cloud
The hybrid cloud ING is creating will let it manage some IT resources in-house and have others provided externally. "One thing we've focused on is, how do we develop a future operating model for cloud services that evolve over time?" Kerrison explains. ING is looking to partner with a technology company and a hosting company that will help the bank develop a cloud hosting facility in the Netherlands that will run its legacy private cloud environment and combine that with services from the vendors' shared infrastructure.

As more workloads are moved to the public portion of the hybrid cloud, ING will reduce its legacy dedicated IT environment. And Kerrison hopes the shared, hybrid data center will eventually have additional tenants, possibly other financial services companies with similar requirements for security and redundancy.

While this arrangement may sound a bit like outsourcing, Kerrison assures that it is not. For one thing, the bank plans to use a host of service providers, rather than allow itself to be locked in with just one - avoiding vendor lock-in is a key objective for many cloud aficionados. ING also will not do the kind of asset and personnel transfers that are often at the crux of outsourcing relationships. The bank will simply consume a service.

Kerrison offers up a real-life example. "Today I run all my own development and test environment - I own the assets, I have the people, I do the backups. I'm going to move that to a new data center in my private, legacy environment and I will continue to run development and test. Over time, I'll go to a service provider and ask it to provide development and test virtual machines in its infrastructure. As it starts to do that, I shut down my machines, I reduce my commitment to my legacy space, my fixed cost diminishes, and I consume those services on an ad hoc basis from an outside provider."

In addition to application development and testing in this hybrid cloud, ING has been working on developing cloud-based database as a service. The Amsterdam bank also has plans to use software as a service and ultimately business process as a service. "We're both scaling out and scaling up," Kerrison says.

On the workstation side of IT, ING already has a virtual desktop infrastructure. Eventually, ING plans to have all desktop apps stream from a cloud. "In desktop computing, our concept is workplace as a service, which means that in the future, the traditional desktop will run fully in a data center. We don't want it to be associated with a device anymore; we want complete device independence, provided we know our data and programs are protected in a controlled data center." In this new world, Kerrison would no longer be concerned with giving users thin clients, fat clients, desktops, laptops or other mobile devices. The device would be the user's choice. "We're probably a few months away from truly being able to say we don't care what device you use," Kerrison says.

Security and Due Diligence
When they hesitate to embrace the concept of cloud computing, U.S. bankers' concerns often come back to data security. Using an external provider's cloud can mean not knowing physically where data is being stored. In the case of customer data, banks are required to ensure that information is being protected.

Kerrison believes ING will be able to exert control over data security in its cloud arrangement even as the bank shifts from a private to a public cloud implementation. "Because we'll get a cloud delivered from a specific data center, we'll be able to define security requirements," he says. The collocated data center will be subject to external audits such as SAS 70 and the bank's internal reviews. The bank will know where its data is, in the collocated environment.

No provider will be deemed worthy of participating in ING's cloud until it has met specific criteria for security, service levels, price points, and performance benchmarking. If a cloud vendor is unsatisfactory in some way, Kerrison says the bank's provisioning engine will allow it to easily swap out that provider for another. "We see it as another set of capacity, a utility we can consume," he says.

He points out that the service level agreements for enterprise cloud computing deals are far more stringent than those geared toward consumers, such as Amazon Web Services. "For enterprise cloud requirements, we want much higher service levels, we'll pay a premium for that and we'll look to stay with that provider for a longer period of time," he says. "We will treat this collocated data center environment as if it were our own," he says.

Some bankers, such as Anne Weatherston, CIO of ANZ Bank, are less convinced of the relevance of cloud computing for reasons besides security. Weatherston told an audience at a recent event that cloud computing isn't well suited to large financial institutions. "Cloud is great for small and midsize businesses, but I don't think it's completely relevant for large, complex banks at this point in time on a large scale," she says. "A lot because the industry is still evolving, but I think that it's also because, for the regulators, the jury is still out," she says, suggesting that vendors need to take their offerings to the next level to make them relevant to large enterprises."

Kerrison would not directly comment on a peer's remarks, but offered a different view. "You're not going to see banks suddenly migrate everything over to a public cloud infrastructure," he says. "It's going to be an evolution where we take steps to work with regulators to make sure we put the right controls, security and SLAs in place and that we're doing things very transparently. I understand the concerns and skepticism and I think it's up to all of us in the industry to address those concerns. But we can progressively build out and think about ways to use the cloud to address the challenges we all have today and in future.

"If you look at the amount of energy, time and money going into developing cloud services, you will see this grow over time. What will be interesting is the pace at which cloud adoption happens. It will also be interesting how far up the stack cloud services go. As they become business processes, the value of that is incredible. Within the ECLC and in discussions with tech partners, we're all putting a lot of effort into helping to shape the cloud marketplace, to help our vendors understand what enterprises need, and to make sure they're appropriate for the businesses we're in. We're not consumers, we're enterprises that have strong demands. But one thing we've found is that ultimately the technology partners are eager to listen to what we need and are keen to respond to that with solutions we can use."

The Cloud Changes Everything
Cloud computing changes the role of the chief information officer and everyone else in the IT organization, Kerrison says. First of all, IT roles become more focused on integration of services, whether they originate from within the bank's own environment or outside its environment. "We need people who truly understand the application landscape and the upstream interfaces to other applications," he says. "We need to make sure that as we look at what can be provided by providers outside our infrastructure, that we make the right decisions. We need to know more about how the cloud works, how to integrate these applications together and operate at a different level. We're less interested in what the underlying hardware is." Hardware quality will be a result of service level agreements rather than hardware purchasing decisions. IT staff, architects, engineers, systems administrators and database administrators will all need elevated skills to manage in a hybrid cloud environment.

The cloud should make the bank CIO's life easier. "If you look at the challenges CTOs and CIOs have in financial services, the customer demands are getting higher, the need for availability and accessibility is increasing," Kerrison says. "The only way to handle all of that is to architect and develop a flexible strategy."