The mortgage world has changed a great deal since the contraction prompted by the “Great Recession” and the credit crisis that sparked it. Now, many financial organizations are facing the need to upgrade their technology infrastructure, if not overhaul it completely, just to meet current business demands. At the same time, organizations large and small are looking to embrace new technologies and processes to address changing operational needs and new regulatory requirements. While compliance remains at the center of mortgage decisions, everyone in the mortgage industry is looking to do things better, faster, cheaper and more securely.
So how does cloud computing figure into this discussion? Certainly “the cloud” is a fashionable topic of discussion for many businesses and executives. Why wouldn’t any business want to migrate to a model where hosting application servers and databases is someone else’s problem, and if you want to increase capacity or capabilities, just say the word?
One definition of the cloud is technologies “that make the physical infrastructure transparent and relieve the consumer of the burden of having custody of the infrastructure.” While the cloud makes services readily available at economical prices, most services accessible via the cloud are also available in non-cloud form. What’s changed for the application architect is that by adopting a public cloud solution, these services are more readily available and scalable across multiple entities and geographies. Internal IT is freed from maintaining and growing the infrastructure. The procurement and deployment process is often reduced to a click of a button after the decision.
But the reality is far more complex than that. The decision to embrace deployment to a cloud service provider varies depending on the size, scope, infrastructure and focus of each business within the mortgage industry. Based on our own experience moving to the cloud for the design, development and deployment of custom mortgage processes and risk management applications, NewOak has outlined some of the key factors and challenges to consider when weighing Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings from cloud service providers for custom, mission-critical mortgage credit applications for which data privacy and high availability are paramount.
Selecting the right cloud partner
There are many options when it comes to cloud services. The provider you choose can hinge on certain questions: are you building a new application or solution? Are you willing to accept provider lock-in? Does the provider meet the technical requirements of your applications? Are you confident you can meet the service level agreements established with your end users, including protection of private data?
No matter which provider you choose, there will be some level of provider lock-in. There will always be an intellectual investment and lock-in as well, as you build experience and an in-house knowledge base around the specific DevOps (agile collaboration and communication between developers and operations) solution supported by your provider. Provider lock-in can be minimized, however, by selecting services based on OpenStack and/or Cloud Foundry.
While Amazon, Rackspace and Microsoft are the better-known providers, IBM and CenturyLink/Savvis have a history of uptime and reliability that makes them attractive for mission-critical mortgage applications. Look for compliance with industry certifications (SSAE 16/ISAE 3402), but be aware that not all provider services comply. While your application may not require HIPAA compliance, if a provider supports HIPAA-compliant applications for other clients, it indicates a maturity in the provider that you may desire.
Choosing cloud services
As NewOak learned when designing, developing, and deploying these solutions, financial application architects have a powerful alternative in cloud service providers to achieve required scalability, integrity and maintenance. However, deciding when and which cloud technologies are appropriate can be challenging. Mortgage applications are no exception, particularly when they are meant to provide flexible, collaborative process management workflow and data security involving significant data and document volumes across multiple entities.
Most IaaS offerings include virtual machines, load balancers, virtual networks and storage. By leveraging a virtual network, you can transparently augment your on-premise network and infrastructure with a private infrastructure in the cloud. Utilizing virtual machines on a private virtual network can be one of the quickest and least intrusive ways to leverage cloud technology. Most providers also allow uploading of custom machine images for deployment.
While the simple SQL databases, Web servers and compute engines offered under PaaS schemes are inexpensive options, they often have limitations that do not exist in an IaaS virtual machine deployment.
All major cloud vendors provide highly scalable storage options. Once you start down the path of building cloud-based solutions, blob (binary large object) storage quickly becomes a key component of your architecture, replacing the role of the file server found in the traditional architecture. If you plan to transition a legacy application or business process that relies on shared file services for such things as loan documents, you will inevitably have to migrate this to a storage solution to leverage process distribution. This has the added advantage of providing the storage redundancy required for high availability.
License requirements for both operating systems and any third-party software to be deployed must be carefully reviewed. The marketplace for cloud providers and pricing has been highly competitive. Available features and feature limitations change frequently, so always reference the latest documentation available.
Customization and deployment
Once a provider has been selected, the realities of deploying a custom mortgage application in the cloud become readily apparent during the first deployment. It is advisable to start by deploying some non-mission-critical service or application, allowing you to build in-house experience and knowledge before tackling mission-critical applications.
Take into account the investment in time required to become acquainted with building applications around the targeted services. Each cloud provider makes available various tools and APIs to automate the deployment and administration of their cloud services. Become familiar with your provider’s deployment options and failover architectures as soon as possible. This will save you considerable time and effort in the long run.
Huge efficiencies in the development life cycle can be gained by leveraging agile development methodologies and a DevOps approach in conjunction with cloud services, so organizations need to be prepared to revise existing policies to accommodate the new DevOps era.
Availability and scalability
For mortgage origination platforms or other service providers to the mortgage sector, it's a fast-paced and dynamic marketplace. The right technology is critical to get the job done securely, on time and on budget, whether facilitating loan origination, underwriting, loan servicing or due diligence. Downtime is not an option. This underscores high availability as a prime requirement.
A cloud deployment does not mean being free of the usual housekeeping responsibilities. Storage redundancy may alleviate your worst data loss fears due to hardware failure, but it does not provide you with a database recovery point for a failed business process or database corruption. Treat cloud service provider regions as a single point of failure in your deployment architecture, and use geographic replication options in your disaster recovery planning. Standard disaster recovery precautions and practices should still be followed, and that means off-site backups and dry runs of disaster recovery plans.
Security, data protection and compliance
To mitigate security risks, NewOak recommends clients assume responsibility for encrypting all stored sensitive data. When storing sensitive information such as loan origination documents in blob storage, we recommend you apply your own application-level encryption as an added security precaution. For relational databases, we recommend column-level encryption or file-level encryption.
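The application-level encryption recommended above for documents headed to blob storage, as an added Go example that is not NewOak's code: the document is sealed with AES-256-GCM before upload, and the blob name is authenticated along with it so a stored object that is altered or moved under another name fails to decrypt. The function names, blob names and all-zero demo key are assumptions for illustration; key storage and rotation are out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDocument returns nonce || ciphertext || tag; the blob name is authenticated as associated data.
func EncryptDocument(key []byte, blobName string, doc []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, doc, []byte(blobName)), nil
}

// DecryptDocument fails if the stored bytes were altered or the object sits under another blob name.
func DecryptDocument(key []byte, blobName string, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(stored) < n {
		return nil, fmt.Errorf("stored object too short")
	}
	return gcm.Open(nil, stored[:n], stored[n:], []byte(blobName))
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; never use outside a demo
	stored, _ := EncryptDocument(key, "loans/1001/note.pdf", []byte("constructed sample document"))
	_, err := DecryptDocument(key, "loans/1002/note.pdf", stored)
	fmt.Println("object moved to another blob name is rejected:", err != nil)
}
```

Only the output of `EncryptDocument` is uploaded; the provider never sees the key or the plaintext.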
Whether your mortgage application is an internal, intranet or internet application, look at using two-factor authentication. Microsoft Azure, Amazon Web Services and Google Compute Engine offer it and other providers are following suit.
For the typical mortgage concern, the deciding factor may be whether a cloud-based solution can be architected that meets existing internal policies and audit requirements. Consideration should be given to compliance with new regulations, data security and potential liabilities surrounding specific applications. Generally, cloud providers can work with potential clients’ technology and governance teams to address any concerns.
Bryan Boyer is chief technology officer of NewOak Capital’s Credit Services group and has more than 30 years of experience in the securities and banking industries, covering the design and implementation of many online and batch applications and services. He may be reached by phone at (212) 208-0867 or e-mail [email protected]