Are cloud providers too big to fail?

Too big to fail used to apply exclusively to banks and financial services institutions, but now regulators around the world are concerned about a different type of organisation creating systemic risks to the global financial system. As more and more banks move critical processes to the cloud, reliance upon a very small number of dominant cloud service providers is creating risks to operational resilience.

Regulators have been quick to act to ensure that these risks are mitigated and that banks can manage stressed exits from cloud providers should the need arise. To prepare for inevitable tests of ability to manage these stressed exits, and for potential actual cloud failures, banks need to move to connected hybrid, multi-cloud platforms.

Errors and outages do occur

Cloud service providers pride themselves on their very high levels of availability and, mercifully, widespread outages are rare. But they can and do happen. Recently a configuration error at Facebook saw 3.5 billion internet users affected and shut out of any services that depended on Facebook for almost six hours.

During that time, potentially billions of users found themselves without the social media tools they rely upon to keep in touch with friends and family. Also impacted were the many thousands of businesses that rely on Facebook for their digital presence. The outage took place in the middle of a bad week for Facebook and saw over $6 billion wiped off the firm’s value.

In recent weeks Cloudflare suffered a major outage, shutting down significant proportions of the internet and crippling major global services including Amazon, Discord and Steam. These outages were annoying but imagine the impact if one or more banks lost all core systems for an hour, a few hours, or even an entire day.

Small number of major players

Only a handful of cloud providers are large and sophisticated enough to handle the critical data processing and compute the needs of today’s banks. But dependency on a tiny group of cloud providers to deliver key services is keeping regulators awake at night. According to Gartner, nearly 80% of the cloud market is handled by just five companies, with AWS dominating at 41% market share. An over-reliance on a single cloud provider could bring large numbers of banks to a standstill instantly and potentially undermine the stability of the financial system.

Regulators are concerned that reliance by many banks on the same providers could create systemic risk if one of the cloud companies were to go down. In response, regulators are working on ways to model and test how quickly banks can migrate data and processing from one cloud to another in a ‘forced exit scenario’. In other words, they want to know what banks will do if their primary cloud provider suddenly becomes inaccessible, as Facebook did.

What would you do if this happened at your bank? Could you switch to alternative platforms, and if so, how long would it take? Can you guarantee continuity of service if you have a technical or commercial failure with your cloud service provider?

Multi-cloud a partial solution

Multi-cloud presents a partial solution. Any move to the cloud should certainly not be a move to a single cloud — but multi-cloud strategies on their own do not solve the operational resilience issue. Running individual systems in different clouds does not provide redundancy. Business continuity plans must include capability to move data quickly and securely from one vendor’s cloud to another.

Maintaining an on-prem, or private cloud capability as part of a hybrid-cloud solution also provides some risk mitigation, but only if vendor-cloud-based work can be quickly repatriated. And what happens if hybrid platforms are provided by a single cloud vendor? They could also be impacted by an outage. In Facebook’s case its own servers were also taken offline by the fault — engineers could not even get into the building as authentication servers controlling physical access also went down.

Banks need to invest in both approaches simultaneously. Hybrid, connected multi-cloud data platforms are the only way to maintain operational resilience to potential failures at cloud service providers. To pass the inevitable stressed exit tests, and to prepare for actual outages, banks must demonstrate that they have no single point of failure for their cloud infrastructure.

Connecting multiple clouds and offering a hybrid solution is just the first step. To successfully manage a forced exit from a cloud requires fast and secure movement of petabytes of data and the ability to stand-up operations on new infrastructure as quickly as possible.

Image credit: ©stock.adobe.com/au/Mila Gligoric