The financial services industry has avoided entrusting its data to public cloud vendors, even as Amazon Web Services quietly acquired thousands of business users. Banks and insurance firms feared rigorous regulatory scrutiny should their data become compromised in a breach at one of their cloud vendors.\nNot anymore. More banks are coming around to the public cloud even if they\u2019re not shouting the fact from the rooftops, says Jim O\u2019Neill, senior analyst with Celent\u2019s banking practice.\n\u201cIt\u2019s the worst kept secret in banking that everybody is experimenting with cloud,\u201d O\u2019Neill says. \u201cIt\u2019s just that no one wants to be the first one to get a full proctology exam from the regulators as to how they planned out their cloud environment.\u201d\n[Related: Cloud consequences: JP Morgan calls time on IT-as-usual ]\nO\u2019Neill says the tipping point may have occurred last October, when Capital One CIO Rob Alexander revealed that the bank was a heavy user of AWS. \u201cThe ability to provision infrastructure on the fly is huge for our productivity and speed to market,\u201d Alexander said at AWS\u2019 RE:Invent developer show. As it hosts more of its software in AWS, Capital One is gradually reducing its data center footprint from eight in 2014 to three by 2018.\n \n\u00a0Rob Alexander, CIO of\u00a0Capital One.\n\nCloud provides business agility\nWhen Stephanie von Friedeburg became the CIO of the World Bank in 2012, the nonprofit bank was profoundly averse to risk. She recalls explaining the potential benefits of cloud computing to her legal team, only to have a lawyer tell her, \u201cThat\u2019s like taking every important piece of information the bank has, putting it in a cardboard box, writing \u2018free\u2019 on it and setting it on the curb.\u201d Though a gross exaggeration, this stance underscored the paranoia accompanying public cloud.\n \nStephanie von Friedeburg, CIO of the World Bank.\n\nBut von Friedeburg wouldn\u2019t be denied; she made her case that the business agility of public cloud outweighed the risks. The World Bank soon began migrating several functions to public cloud software, and stated an ambitious goal to reduce the bank\u2019s data center footprint from five to two.\n[ Related: Microsoft, Google sweeten cloud freebies ]\nFlexibility is particularly important for the World Bank, which offers financing and other programs to help governments fight poverty. Although her team initially proposed switching to Microsoft Exchange from Lotus Notes email, von Friedeburg decided she didn\u2019t want the burden or cost of maintaining a mail server in every office in all 186 countries in which the World Bank operates. The World Bank replaced 30,000 Notes licenses with Microsoft Office 365, cutting the annual costs of running email from $12 million to $6 million and enabled employees to continue working in the event of political unrest or natural disasters.\nThis keystone migration also let the World Bank\u2019s business management become more comfortable with the cloud. The World Bank software developers now use public cloud infrastructure from Microsoft Azure and Amazon Web Services to build and test apps. Employees also use Box to exchange files, including documents for loans and investments, as well as OneDrive and Dropbox.\nPublic cloud pitfalls\nThe World Bank\u2019s path to the cloud wasn\u2019t always easy, a common finding among many CIOs who adopt public cloud services. Von Friedeburg said it took 10 months to negotiate and close a deal with AWS last year as the parties hammered out a satisfactory contract. At issue was AWS\u2019 acceptable use policy, in which it maintains the right to shut down a computing instance if a customer violates its terms. However, AWS also reserves the right to change its policies without notice. So if a customer violates the changed policy, their service can simply be switched off.\nVon Friedeburg\u2019s says she told AWS that wouldn\u2019t work. \u201cThere was no sense of the magnitude of [the World Bank\u2019s] risk, or any sort of escalation period whatsoever, and no way for me to know if they changed their policy.\u201d Ultimately, after \u201ca lot of back and forth and a lot of legal work to get to a point where we had a contract where I could hand on heart say I\u2019m comfortable using AWS.\u201d\nThe World Bank uses AWS to test Linux-based apps served by Oracle database software, and hosts SQL Server-fed apps in Microsoft Azure. However, she says she\u2019d like to get to a point where the bank could connect the two systems. \u201cWe need both,\u201d von Friedeburg says.\nTo determine what should go into the public cloud and what she stay home von Friedeburg created a security framework in which apps are designated as ready for the public cloud; those that require remediation work or those that include too much complexity or sensitivity don\u2019t move. Ultimately, senior management must sign off on what does or doesn\u2019t go on the public cloud, based on the residual risk. \u201cWe have a very good dialogue with the business to say \u2018does this belong in the cloud?\u2019\u201d von Friedeburg says.\nOther companies are trying to figure that out as well. Global banks such as Goldman Sachs and Bank of America are using public cloud services to test software. The Cloud Security Alliance noted that although only 32 percent of banks surveyed have a cloud services strategy in place, 61 percent are developing one.