“I’ve looked at clouds from both sides now,” Joni Mitchell famously sang in 1969. More than four decades later, the financial-services industry is discovering how much more there is to know about clouds.

The cloud-computing business has been expanding by almost 25% per year and will reach $16.7 billion this year, according to 451 Research. Drivers of growth include platform-agnostic IaaS (Information as a Service) as well as demand for cloud-based storage.

The cloud is a service-, rather than asset-centric business, according to Ken Barnes, principal and senior vice president of corporate development at Options and formerly a co-location and platform-service executive at NYSE Euronext.

Options, which has offices in London, New York, Hong Kong, and Singapore, offers its PIPE Private Financial Cloud to hedge funds, prop-trading firms, exchanges, banks and market makers.

Barnes said in derivatives, cloud is broken into functional components; markets have been using SaaS for years, for example with the Bloomberg terminal. At the other end of the spectrum, PaaS is still a ways out on the adoption curve.  But the other IaaS – infrastructure – is becoming more entrenched as an operational model across the financial sector.

About nine out of 10 new hedge funds use cloud computing, Barnes said, citing for example Napier Park Global Capital’s recent selection of Options as an infrastructure provider.

In terms of how cloud providers use layered network-security, IDS (intrusion detection systems) and IPS (intrusion protection systems) are typically deployed against malicious traffic in tandem with firewalls and antivirus platforms, Barnes explained. Together, IDS and IPS correlate and implement algorithms to review patterns, trigger alerts, and initiate operational responses. With deep visibility into network activity, IDS is also used to help bolster security policies within an organization – identifying and documenting exiting threats and to discourage or block any insider attacks.

Another part of the security fabric protecting the digital assets of Options and their clients including data in flight and at rest on the storage platform is unifying each component of the security stack in a single authentication and authorization platform. Barnes said unifying customer and user management with the same scrutiny and demanding standards across platforms, geographies and services helps a full-service cloud provider manage the life cycle of the customer, so every administrative change is implemented simultaneously.

While cloud industry accreditation is voluntary, going through the rigor of the Statement on Standards for Attestation Engagement No. 16 program is critical, according to Barnes. “It forces you to assess the current state of your security architecture, the level of availability you’re engineered to deliver, and the maturity of your operational processes.”

On the subject of SSAE 16, the controls to be audited are specified by the vendor, and agreed upon by the auditor, so they don’t connote comparison between vendors, according to Gartner Research. It is relevant for compliance with Sarbanes-Oxley and similar regulation, but that accreditation should not be mistaken in marketing collateral to be universally assurant of controls and credibility. Barnes agreed, explaining the importance of a SOC 3 report being made publicly available on the webtrust.org website for customer scrutiny.

About the name: Options the cloud company is not named for the derivative product, rather it was chosen as the firm’s name to imply flexibility when the firm was founded in 1993. Cloud as a defining term is going to fade, Forrester Research said. A blog quoted Sam Johnston, director of Cloud and IT services at Equinix: “Anyone with ‘cloud’ in their company or product names will scramble to rebrand.” Also, “there will also be a merciful fading out of the clunky-sounding ‘as a service’ monikers, which will go the way of the dodo.”