Multicloud refers to the use of multiple cloud-computing services from more than one cloud provider. This is essential for any enterprise that aims to reduce vendor lock-in, ensure the availability of applications and data across platforms, and attract the best people to work with their technology in a way that best suits their needs.
Going multicloud can be a good option that adds more flexibility in processing and storing information with proper automation and real-time synchronization. But sometimes that flexibility can cost a lot more than a financial organization is expecting.
The Current State of Multicloud in Financial Services
Finance, being heavily regulated, has been seen by many as one of the most static industries, rarely changing its digital infrastructure and data management operations. Since 2011, the volume of regulations a financial entity has to comply with has tripled, greatly hindering the adoption of cloud computing technologies. Consequently, over the last decade many banks continued to trust their most sensitive data to on-premises data centers or private clouds, as public cloud providers could not always fully comply with the salad of international laws, regulations, guidelines, etc.
In recent years, major cloud providers such as Amazon, Microsoft, IBM, and others, have made drastic improvements, reorganizing procedures to comply with regulatory policies on data, e.g., by including compliance requirements early in the product or service lifecycle. As a result, established financial companies such as Wells Fargo and J.P. Morgan introduced multicloud approaches into their business models to milk the benefits of multicloud, e.g., avoiding vendor lock-in, achieving better compliance, controlling costs, and more effectively managing rapid data growth.
According to a recent Google study, multicloud is showing a steady growth in adoption, along with other popular architectural choices in financial services.
As part of their primary computing infrastructure, 83% of respondents already use some cloud technologies:
- 38% use the hybrid cloud (public and private together)
- 28% use a single cloud (one technology from one provider)
- 17% use multicloud (multiple vendors)
Of those not currently using multicloud, 88% are considering adopting a multicloud strategy in the next 12 months.
But will better compliance and reliability finally prompt banks to give up their on-premises COBOL-based solutions from the 1960s and 1970s and move key banking data and services into the cloud in 2022?
In its latest report, Intel, one of the long-standing leaders in digital innovation, lists the cloud as one of the four main digital technologies that are “transforming the world at an accelerated pace.” Gartner also predicts use of public cloud services will increase by more than 21% over the next year, reaching $482 billion in 2022. But, when it comes to banks, the cloud adoption rate is still extremely low, especially in areas responsible for critical banking functions. Banks have low risk appetites both for regulatory reasons and due to the fear of public outcry over lost data or other cloud failures. In many ways, they have taken a slow approach to adopting more cloud services. As shown by GFT research, in 2021 keeping important data and operations on-premises was still the most popular choice, followed by the private cloud and then public cloud, but mainly for functions only indirectly involved in banking operations, such as HR.
However, as shown by the Google study above, banks are now naturally starting to gravitate toward cloud technologies and architectures for their speed, security, and flexibility. This has attracted attention from major financial regulators, such as the European Securities and Markets Authority (ESMA) and the Bank of England. The US, unfortunately, will be late to the party, as data regulation is not yet uniformly enforced throughout the country due to the lack of a single comprehensive law.
The regulators have expressed concerns over banks becoming too dependent on specific cloud service providers (CSPs), as there are currently only a few CSP giants dominating the market. Even though some banks have already invested in their own private clouds, e.g., NetApp HCI with Red Hat OpenShift, VMware Cloud Director, and OpenStack, to avoid being “locked in” with popular cloud providers, others successfully migrated to AWS, Azure, and Google in 2021.
But what will happen if a large cloud provider experiences an issue with one of its services, resulting in an outage that simultaneously takes down multiple major banks for many hours? What will the impact be on a global scale, e.g., in stock trading? Considering that even small issues with card transaction systems being down can cause absolute chaos in local stores, forcing people to use cash, what will happen when banks suffer a high-profile outage?
The cloud, in theory, may seem like a great, infallible system run by computers, but it is still controlled by humans. Things can get messed up and bankruptcy can still happen. Having all your banking data and services with one cloud provider is risky and, fortunately, many understand this risk.
Multicloud allows faster recovery and improves performance. It also gives you the flexibility to choose the closest servers and best resources available and thus provide a better service quality. On the other hand, managing the security of multiple distributed assets is relatively complex and requires more effort and expertise. Nonetheless, according to GFT, most of the banks that switched to multicloud consider their switch to be important or very important.
Can Multicloud Help Comply with New Regulations?
The European Securities and Markets Authority (ESMA) final guidelines on outsourcing to cloud service providers entered into force on July 1, 2021. These guidelines require financial firms to know how they would identify, address, and monitor risks and challenges related to cloud outsourcing and, if necessary, transition to an alternative cloud service provider while maintaining business continuity. The firms should review and adjust existing cloud outsourcing arrangements by December 31, 2022, in accordance with the guidelines.
Guideline 5.31(b) states that a firm should “identify alternative solutions and develop transition plans to remove the outsourced function and data from the CSP and, where applicable, any sub-outsourcer, and transfer them to the alternative CSP indicated by the firm or directly back to the firm.”
Without going into legalese, trusting your data to multiple cloud service providers at the same time (read, having one or multiple alternative providers) or having your own data center to back that data up makes you compliant with this guideline.
Moreover, following the guidelines is a good way to reduce operational, concentration, data security, and exit risks. Let us dive deeper under the hood of the ESMA guidelines.
- Cloud Concentration Risk
This risk arises when a financial company is overly reliant on a single cloud provider. The company should avoid keeping all its critical data in one place. It should also proactively consider all the actions it will take if the cloud provider fails to maintain any of its other obligations or compliance with the requirements.
The guidelines recommend assessing the criticality of the company’s workloads in the cloud and keeping under careful observation where these workloads are stored. The company should also develop and test a reliable plan for transferring these workloads to an alternative provider in the event of provider failure.
- Operational Risk
In order to reduce operational risk, the guidelines recommend frequently performing and documenting comprehensive risk assessments to ensure secure operations. A financial company should identify all the critical and important services it provides, e.g., cloud banking, and discover the risks associated with those. It is also important that the company has all the necessary skills and arrangements immediately available to maintain its service regardless of what happens with its main cloud provider.
- Data Security Risk
There are many services that are more robust with cloud providers, but the threat landscape varies from that in traditional data centers. In both cases, be it a traditional data center or cloud provider, most breaches are caused by misconfigured solutions/applications rather than failures of the hosting environment.
In order to reduce data security risks, financial companies should conduct wide-reaching data security risk assessments, including assessments of the technology assets managed by the company as well as vetting the security of the cloud service provider.
The guidelines recommend assessing data sensitivity and overseeing how the data is transmitted, stored, and encrypted. This assessment should include a data residency policy, data segregation strategy, and data loss strategy. The company is strongly advised to build a full view of data tiering and measure the sensitivity of the data being transferred into the cloud. The company should plan out in advance how to remove its data from the cloud service provider’s systems, as removing the data might be troublesome with some providers.
- Cloud Exit Risk
When leaving the cloud, a company should have a well-documented and tested exit strategy. The company should ensure that it can exit the cloud without a disruption to its services and without losing any customer data.
In order to achieve this, the guidelines recommend putting in place viable configuration management practices and architectural principles. In particular, all applications should be as modular as possible, which will allow for an incremental migration while maintaining the uptime of the overall system.
Going Multicloud vs. Multi-region in 2022: Prices and Reasons
While multicloud refers to having cloud deployments with multiple cloud providers, multi-region means that a company uses cloud computing services from a single vendor whose data centers reside in multiple geographic locations (called regions).
In 2017, Intel predicted multicloud would drive the digital transformation of the financial services industry. Large traditional banks and financial institutions can already benefit from the adoption of multicloud in several ways, allowing them to:
- Reduce GRC (Governance, Risk, and Compliance) costs, which usually account for 15–20% of the total cost of all of a bank’s operations, by managing, reassessing, and improving their IT infrastructure
- Shift workloads seamlessly between multiple cloud providers
- Satisfy the novel wide-ranging requirements of their customers, who expect better experiences, new cloud banking services, and better value proposition (customers are now more willing to purchase services from a variety of providers, and they no longer unconditionally trust traditional financial services institutions)
- Stay competitive in the era of modern fintech companies and challenger banks
However, making platforms or applications cloud agnostic takes a lot of effort. It reduces the value a financial organization can leverage from one cloud provider. It may be safer to have a presence with different CSPs instead of using a multi-region strategy within a single provider, but the costs are quite high. Let’s face it, these days, most of us are working across multiple clouds and do not want to be stuck with the same limited set of options. But that does not mean we want to pay multiple cloud costs.
It is important to match the company’s technical aspirations with the available resources: people, time, and money. Multicloud is a valid architectural option if a company is large enough for it, e.g., has more than 10 people in its IT and Systems department. However, it is resource intensive and a small organization will simply not get much benefit from it.
The Bottom Line
Having a multicloud strategy is a good way to avoid the risks of dependence on a single cloud provider and to comply with regulations. Some leading global enterprises are already using multiple cloud providers, but the costs are significant. For organizations with limited resources, this approach can be prohibitive.
For many financial organizations, the complexity, regulatory issues, data security, and organizational culture are obstacles to embracing multicloud. Implementing a multicloud strategy can be confusing, and it can be helpful to have someone to guide your way.
CompatibL’s cloud-native approach to the architecture ensures the maximum flexibility and performance of risk solutions. We can help you build your own multicloud strategy, optimize costs, and reduce risks by choosing the most appropriate cloud for each project, allowing you to quickly adapt to the changes in the market.