Concentration risk has been playing an increasingly important role in banking regulation in recent decades. Diversification within investment portfolios is not only desirable but a necessary aspect of risk management. This same approach is also necessary for financial services on a technological level—to ensure the operational resilience of the digital infrastructure powering the future of banking business models and services.
Gone are the days when storing all critical data on premises in the company data center was the safest option. Business continuity and disaster recovery strategies today depend on cloud solutions that can be accessed 24/7, regardless of any incidents or outages on the ground at or near one company location. One cloud is not enough. To truly secure data flows and create resilient connectivity, a multi-strategy approach is needed—for clouds, for data centers, and for connectivity providers.
The cloud has become essential to the smooth running of any modern business. In addition to speed and scalability, it enables an increasingly mobile workforce to access data and resources regardless of location. It also allows businesses to connect with the latest artificial intelligence (AI) and analytics tools and capabilities, and to implement strong disaster recovery and business continuity plans.
While security was once a concern, most organizations are now confident the tools and processes implemented in cloud infrastructure can deliver robust protection. In fact, many are now realizing their critical data and workloads might be far safer in the cloud than stored in one specific location, with this location representing a clear single point of failure. Business continuity and disaster recovery strategies today are more focused than ever on the secure storage of critical data in the cloud, and the need to provide uninterrupted access to it.
When Caution Becomes an Unintended Source of Risk for Critical Data
Analysts, observers, and growth strategists bewail the fact that banks are notoriously conservative when it comes to digital innovation. This reluctance can be clearly seen when it comes to cloud adoption. While the finance sector has been relatively slow to move to the cloud, adoption is now accelerating, as changing customer expectations push banks and other financial institutions to emulate the speed, agility, scalability, and efficiency of cloud-native organizations. Nonetheless, the conservatism seen in the financial sector has often resulted in institutions being extremely selective and often exclusive in their choice of cloud partners. And although this degree of caution is expected in such a critical sector, the lack of diversity in infrastructure dependencies that result from such a strategy becomes a new risk factor in its own right. This leads to the risk of cloud concentration, where key financial services become overly reliant on one specific cloud service provider. Whether it’s Deutsche Bank and Google Cloud, UBS and Microsoft Azure, or BNP Paribas and IBM Cloud, many financial institutions have close relationships with single cloud service providers. And too much of one thing—even if it is in essence a good thing—is rarely a good idea.
Cloud Concentration—Putting All Your Eggs in One Basket
Certainly, working with trusted partners is an essential ingredient in critical sectors like financial services, but financial regulators around that world are increasingly concerned about cloud concentration—that, despite the benefits of cloud infrastructure itself, this exclusive partnership with one cloud provider may become a single point of failure. Regulators are concerned that disruption and instability across the global financial system could stem from an outage or cyber-attack on a single cloud. Although there are mechanisms to mitigate this risk through distributed computing and diversifying within a single cloud environment, regulators remain unconvinced. As a result, financial institutions need to mitigate this risk through strategically focusing on the operational resilience of their digital infrastructure—and keeping themselves ahead of forthcoming regulatory hurdles.
Interoperability and Cloud-to-Cloud Communication for Seamless Multi-Cloud Scenarios
Adopting a multi-cloud strategy is the first step towards not only mitigating over-reliance on a single provider, but also avoiding vendor lock-in, allowing financial institutions to select services from multiple cloud service providers. This also enables the cherry-picking of best-in-class services for specialist cloud providers.
But simply sourcing services from multiple clouds is not a complete solution. As a result of data portability challenges, financial institutions cannot easily switch between cloud providers, so individual workloads and applications may remain siloed on single clouds. This is also the case for certain cloud providers that offer proprietary applications not available through other providers (e.g. certain AI applications). Therefore, a second step is to ensure interoperability between all cloud environments and the given application, in order to synchronize data and results across a diverse operator landscape.
Management and orchestration of a multi-cloud scenario can become highly complex. One way to simplify this is to make use of a Cloud Exchange in combination with virtualization, automation, and API (Application Programming Interface) capabilities. This puts the booking and scaling of cloud services across providers at the fingertips of the Network Architect responsible, and enables automated scaling to be triggered at times of greater demand.
A further step required is the enablement of cloud-to-cloud communication, thus simplifying the spreading and orchestration of workloads across multiple clouds and streamlining the multi-cloud approach. Connectivity to and between cloud service providers has thus far often been overlooked in strategies and regulations alike, but its resilience is essential to ensure services can be up and running quickly in the event of any outage anywhere within the distributed infrastructure.
Diversity, Redundancy and Geographical Distribution Mitigating the Risk of Concentration
True mitigation of the cloud concentration risk doesn’t simply stop at using multiple clouds. Why? Because it’s also important to be able to access those clouds from physically independent locations. What good is a multi-cloud strategy if a bank is limited to one single location—or one single connectivity provider—to connect to the chosen clouds? If one connection fails, or one provider or data center experiences an outage, there is still the risk of a single point of failure. Your eggs are still all in the one basket, so to say. Therefore, digital infrastructure must be conceived of not only in terms of a diversity of providers, but also as geographically distributed infrastructure involving multiple redundant pathways. This creates the resilience necessary for critical applications and data.
Managing all of this will be complex undertaking, and it’s certainly a challenge, but there are ways of simplifying it. One solution is to use a distributed Cloud Exchange built on a carrier and data center neutral interconnection platform: this allows a multi-home set-up and a diversity of not only cloud providers, but also connectivity providers, network operators, and data center operators. In this way, it is possible to ensure redundant connections to multiple clouds from physically separated locations, and to manage all of the connections easily via a single portal and API. This dramatically increases the resilience of connections and ensures continuous access to critical data, no matter what happens on a local level. And this strategy has the added advantage of protecting the institution against vendor lock-in.
Critical Data – Not One Basket, but Many
You may ask, ‘Won’t the Cloud Exchange in this scenario then become the next single point of failure?’ It would seem that the concentration risk will raise its ugly head at some point, no matter what strategy is implemented. In this case, however, the answer is: No, it won’t. And here’s why: The design of the distributed platform—which is cloud, carrier and data center neutral interconnection—operated by DE-CIX, for example, offers a model on the macro scale for exactly the kind of geographical distribution, diversity, and redundancy that I also recommend for the design of enterprise-owned digital infrastructure for any critical use case. Although such an interconnection platform may appear to the outside world to be a single entity, it is, in actual fact, composed of a multitude of redundantly implemented servers, services, software, and other components, distributed across multiple locations, and supported by the services of a myriad of infrastructure providers.
Within the company premises, or within a single connected network or data center, a localized incident could lead to a situation where the given location is temporarily unable to access or send data. This is the reality that all companies and providers need to recognize, and a risk that must be mitigated—for example, through redundant power supplies and emergency generators —for critical use cases. However, for a distributed and provider-neutral interconnection infrastructure, there is no “off-switch” that could bring the entire infrastructure to a standstill. All other locations – that is, other non-related networks and data centers – will remain unimpeded by the localized incident. This is the strength of taking a cloud, data center, and carrier neutral approach to designing enterprise infrastructure: a multi-strategy approach on all levels, with redundancy across all infrastructure and providers, creates the greatest possible resilience for critical data pathways, data storage, and workloads.