Cost, security concerns dampen banks' appetite for multi-cloud infrastructures

As firms make progress on cloud adoption, they are discovering that multi-cloud strategies for individual businesses can not only duplicate costs, but can also inadvertently downgrade a firm's resiliency.

Regulators recommend multi-cloud strategies, but banks are balking at the impracticalities.

A multi-cloud architecture hosting critical applications should, in theory, be the gold standard for a resilient and cost-effective technology stack in financial services. But in practice, the reality looks very different, banks say.

Several years into their cloud journeys, some firms have realized that using multiple cloud service providers (CSPs) for each critical function can cancel out the benefits of moving to the cloud. One senior executive at a large global investment bank says that using multiple CSPs for the same use case would introduce unnecessary inefficiencies and double—or even triple—the cost of the outsourced services.

“We have chosen not to use Google Cloud, Amazon Web Services [AWS], and Microsoft Azure for similar use cases. We haven’t gone down that route because it presents challenges and inefficiencies, and honestly it’s not worth the price you pay in those inefficiencies for the theoretical benefit you get in terms of workload mobility,” the executive says.

One of the recommendations from EU regulators on outsourcing critical functions to the cloud is to develop exit strategies under which a bank could transfer its data to an alternative cloud service provider or an on-premise system in the event of an outage.

In practice, porting data between two or more CSPs is a painful and complex exercise. A second senior executive at another global investment bank says that different cloud providers have different technical provisions and different ways of formatting their data, making it a nightmare to move the data from one CSP to another.

“Regulators ask, ‘If AWS goes down, can you move your data to Azure?’. The answer is ‘No, not easily, because the infrastructure setup between Azure and AWS is different’. It typically takes a long lead time to put your data in AWS and go live; you can’t just snap your fingers and make it happen in Azure,” the second senior executive says.

James Fox, director of technology consulting for enterprise cloud services at Protiviti in London, says that at the beginning of their cloud journeys, many banks are “tripped up” by opting to use two or more cloud providers per application, but it quickly becomes clear that they would have to “rein that back” to avoid overcomplicating their technical footprint.

He says banks must now explain to regulators that opting for a multi-cloud approach for individual business units can inadvertently make their IT stacks less resilient.

“Because of those complexities and those issues, rather unintuitively, it makes you less resilient, because you can’t do two [cloud integrations] as well as one,” Fox adds.

Using more than one cloud provider per business unit, such as the front or middle office, could also mean some banks end up sacrificing parts of their security. Matt Barrett, co-founder and CEO of London-based trading systems developer Adaptive Financial Consulting, says banks are now discovering that they must make compromises to meet a minimum level of security that works across each of the CSPs they use.

This is made even more complex when considering the size and scale of a heavily regulated global entity.

“If you’re a huge investment bank, you have a lot of cross-organizational concerns that span multiple countries, regions, and regulatory environments, and you need to comply with a lot of regulation around the identity of your client’s authentication, storing of data, and jurisdictional control over data, etc,” Barrett says. “If you’re in one cloud provider, you can centralize that and the controls and the logic around that in one place within your organization. If you’re in two or maybe three cloud providers, you have to do that twice or three times.”

Losing the valuable differentiating factors of each provider is another cause for concern, Fox says. When opting to choose multiple providers, the bank might have to compromise some of the commercial strengths that set each CSP apart.

“One might be stronger in the compute side, or one might be better in some of the data pieces. But when we’re talking about achieving portability, you must get that lowest common denominator,” in terms of technical provisions, Fox says. “Therefore, you lose differentiation, and you lose the real benefit of adopting cloud services,” he says.

In September 2021, the European Securities and Markets Authority (Esma) published its Report on Trends, Risks, and Vulnerabilities (TRV), in which the European regulator discusses the benefits of a secondary cloud provider or backup system to prevent service disruption in the event of a failure.

An Esma spokesperson tells WatersTechnology that the article on Cloud Outsourcing and Financial Stability Risks, within the TRV report, was conducted to conceptualize risks of cloud outsourcing, but that it recognizes that “the migration strategy of the multi-cloud backup is treated in an idealized way.” The regulator acknowledges that challenges involving data portability could deter banks from using different CSPs, but that interoperability could play a role in resolving this issue in the future.

The Esma spokesperson adds that the regulator’s guidance is not prescriptive on the type of cloud strategy that financial firms should adopt.

“The aim [of the article] is to inform future risk assessments and policy considerations from a broad financial stability perspective, rather than to be prescriptive on what solutions are optimal, which will depend on the details of any given real-world situation,” the spokesperson adds. “We explicitly recognize in the article that we are modeling risks only and that the costs of risk mitigation also need to be considered.”

Spreading the risk

The idea of adopting a multi-cloud strategy was born from the need to avoid a financial firm’s critical business unit or service coming to a complete standstill. To mitigate such failure, CSPs are dividing up their computing resources in different locations across the globe, known as “availability zones.” Because these zones are designed independently of one another, if one fails, the others continue to operate.

The second senior bank executive says that a firm’s operational resilience can be strengthened by distributing its critical data across the different availability zones of a single provider. Also, not all data within a business unit would be deemed critical, and firms can choose to locate their data in different zones, protected by different layers of security, based on their bespoke resiliency needs, they add.

Having this option to use these different zones can also help reduce costs.

“You’re balancing building resiliency with cost pressures, and that goes to the heart of why you are moving to the cloud, and that’s to benefit from cheaper, easier, faster IT,” the second bank executive says.
