Why do FS Authorities Keep Questioning the Big Three? Tackling the Cloud Concentration Conundrum

This isn’t the first time this topic has been raised as a concern, and recent outages have only further highlighted how dependent the finance sector has become on a select few providers. Yet at the same time, customers demand more agility and innovation. So how do financial services organisations balance their need to move to the cloud, and all that brings, while complying with impending regulatory changes?

In this article, Paul Wooding, Senior Director at Cloudera, will discuss cloud concentration risk and how regulators might tackle the problem, as well as how financial institutions can implement a strategy that meets their need to innovate while keeping their proprietary and customer data safe.

Paul Wooding, Senior Regional Director at Cloudera

Last month the Financial Prudential Authority fired a warning shot at cloud computing giants. The regulator revealed that it is going to step up the scrutiny of these tech organisations amid growing fears that an outage or hack of their services could severely disrupt a banking system increasingly reliant on them. However, this is not the first time financial regulators have raised concerns about the monopolisation that the big three cloud providers have within the financial services industry.

In July last year, the Bank of England’s Financial Policy Committee (FPC) Financial Stability Report, a bi-annual report examining the UK financial system’s systemic risk and overall resilience, highlighted this very concern. It found that the market for cloud services was so heavily concentrated amongst a few cloud service providers (CSPs) that it posed a serious operational risk for individual institutions.

It further highlighted that overreliance posed a financial stability risk for the wider market and even the global economy. It also made clear that unless there was greater direct regulatory oversight of the resilience of the services these vendors provide, the consequences for financial services could be disastrous.

At the same time, in an era of rapid digitisation and the increase of EU customer data following Brexit, many financial services organisations recognised the value of outsourcing to large cloud providers. The benefit of cloud was made especially clear during the pandemic, when storing data in-house caused issues such as increased operational costs, reduced flexibility, and reduced mobility of an organisation’s data. Cloud-based systems, on the other hand, provided easy solutions for banks. For example, cloud-based systems provide the flexibility, agility, and cost savings these organisations need as they seek to house increasing amounts of data to enable them to keep pace with neo banks.

The question, therefore, becomes: how do regulators and financial institutions tackle the cloud concentration risk without stifling the innovation that cloud technology provides?

Duty of care

The reality is that regulators have an extremely hard job writing rules to mitigate this risk, largely because of the “shared responsibility model”. Under this model, the CSPs retain responsibility for the lower-level layers of the infrastructure, while the financial institution is responsible for the data stored and processed. This means that financial institutions take on the risk for the overall security of the solutions developed on the cloud and for assessing the CSP’s compliance with resiliency requirements.

While regulators need to be diligent and write rules that help financial organisations mitigate risk, it is the organisations themselves that face the duty of care. No matter what new regulation may arise, financial institutions must bake governance and security into every aspect of their cloud deployments. Banks, for example, need not only to operate with the assurance that all data is secure and correctly governed wherever they deploy their systems, but also to be equipped with the ability to shift data and applications from any one provider to another, virtually at will.

This is necessary to avoid the risk of any one hyperscaler being a single point of failure and to keep business operations undisrupted.

Fortunately, recent innovations in developing a comprehensive hybrid, multi-cloud architecture, referred to as the Enterprise Data Cloud, directly eliminate many of the concerns of cloud concentration risk for both regulators and financial institutions.

The Enterprise Data Cloud — the future of cloud computing

A report published late last year by the Association for Financial Markets in Europe (AFME) on ‘building resilience in the cloud’ indicated the movement by the financial services industry toward a hybrid, multi-cloud framework. Data from its report found that 63 per cent of financial organisations surveyed expressed plans to follow a hybrid, multi-cloud strategy.

The open-source software network has experienced continuous innovation throughout the past decade. The wide adoption of cloud computing, and the need to manage data, workloads, and security across many platforms, has led to the development of the next-generation Big Data platform.

At Cloudera, we call this next-generation hybrid, multi-cloud architecture the “Enterprise Data Cloud”. Designed to unlock the power of an organisation’s data, the architecture enables enterprises to service customers better, operate with greater efficiency, and strengthen the security of their data. What’s more, it is optimised for hybrid and multi-cloud environments, meaning it can deliver the same management capabilities that enable the full portability of data and applications across all relevant and critical platforms.

A key attribute of the Enterprise Data Cloud (EDC), and one that is crucially important to banks, is that it enables businesses to leverage the cloud more effectively, because it simplifies data management, enhances compliance with security measures, and streamlines costs.

It also helps them to better manage cloud-related operational and systemic risks such as lack of transparency and governance. EDC creates a centralised interface to data governance that can be applied across the entirety of the hybrid landscape, meaning organisations have the luxury of not having to worry about managing multiple unique security and governance policies for each tech solution they deploy. This simplifies integration across the whole tech stack and removes multiple vulnerabilities that typically occur at system interfaces and boundaries.

Ultimately, banks reduce these risks by avoiding any over-reliance on one cloud provider – also known as cloud vendor lock-in – which keeps business operations undisrupted. What’s more, in minimising the risk of cloud concentration, solutions such as an EDC can reduce data silos, ensure that all data is secured and governed, and facilitate innovation within an open-source environment.

A coordinated effort

It’s clear, then, that a coordinated effort is needed from both regulators and industry participants to manage the risk that comes with cloud concentration, whilst not handicapping the innovation and possibilities that cloud technology provides. Given the evolving nature of the cloud, collaboration between regulatory bodies and financial institutions will be key in achieving a happy equilibrium, as well as the countless benefits that the cloud can provide.


  • Polly is a journalist, content creator and general opinion holder from North Wales. She has written for a number of publications, usually hovering around the topics of fintech, tech, lifestyle and body positivity.
