Mitigating cloud concentration risk in the banking sector

An opinion piece by Jeffrey DiMuro, deputy chief information security officer at ServiceNow.

In the financial services industry, concentration risk is a component of operational risk, which, together with market, credit, and liquidity risk, makes up financial regulators’ four main areas of concern.

Today, as organizations in the sector have embraced cloud services, cloud concentration risk (an overreliance on a critical technology provider) has become the central risk conversation. With the mass adoption of cloud services in recent years, financial regulators have become increasingly concerned that cloud concentration risk could threaten individual institutions and create instability not only in a single bank’s financial operations but also in the global banking system.

So, what are the elements of cloud concentration risk, and how can each be addressed and mitigated through resiliency and contingency planning?

Industry versus enterprise concentration risk

Financial regulators serve banking customers’ interests by ensuring a balance between innovation and risk. Every bank undergoes supervisory audits to ensure compliance with the four foundational risk measurements. The 2008 global financial crisis increased regulatory scrutiny and enforcement actions and spawned additional compliance requirements that focused on promoting fair play and protecting the interests of banks’ customers while ensuring the stability of national and global banking systems.

Outsourcing agreements with cloud service providers (CSPs) offer banks significant benefits, including reduced complexity, overhead, and costs. However, regulators need to ensure these arrangements don’t allow banks to also outsource their data protection, privacy, and resiliency responsibilities to the CSP. Banks, for their part, have to be sure that outsourcing doesn’t increase the risk of service interruptions and overall failure, especially if the outsourcing arrangement is considered “material.”

Not all clouds are created equal

The term “cloud” is often used loosely to describe any of the three major models, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS), which unfortunately leads to confusion about the risk of each.

Just as cumulus and cumulonimbus clouds, to take two examples of atmospheric clouds, sound similar yet are nothing alike, so too should SaaS never be confused with IaaS. The concentration risks associated with each of these technology clouds are very different.

The vast majority of SaaS services provide operational efficiencies (value, speed, quality, and innovation, for instance) and ensure immediate access to the latest code features. The SaaS model continually pushes innovation through never-ending code releases.

IaaS, by contrast, allows organizations to operate the IT and computing functions (servers, storage, networking, and virtualization) associated with hardware requirements, by leveraging centralized, third-party hardware and middleware services. These robust IaaS services can be used to support critical back-office functionality. In the financial services industry, when these services involve real-time transaction processing, global regulators take notice.

Most IaaS services and few, if any, SaaS or PaaS services support real-time financial settlement transactions. The concern is that, given a sufficient concentration of banks leveraging cloud service providers, the industry could be negatively impacted if a major third-party CSP failed. In fact, regulators have come to rely on CSPs to mitigate the pitfalls associated with service outages, via resiliency and contingency planning that exceed those of many FinServ providers.

Cloud services mitigate concentration risk

Cloud-based services are less expensive than developing and maintaining proprietary in-house software. Through strategic outsourcing relationships with cloud providers, companies that adopt SaaS/PaaS services disperse in-house (concentration) risk that comes with maintaining qualified resources, developers, and state-of-the-art facilities.

CSPs, especially SaaS providers whose sole focus is to create software-based solutions, can reduce operational risk by incorporating the latest Secure Software Development Lifecycle (SSDLC) processes into their development practices, which mitigates the downtime associated with patching.

Additionally, CSPs that offer a multi-instance architecture, as opposed to multi-tenancy, can further spread the concentration risk across their highly redundant and available services by offering each enterprise physically and logically segregated services.

System of record, system of engagement, system of intelligence

How the cloud service is used greatly affects the risk rating of the service and the overall concentration risk. Most cloud services are used as systems of engagement or systems of intelligence, where the enterprise leverages a CSP’s software to analyze, enrich, integrate, and consolidate data from disparate internal systems. In most cases, the data still exists within the enterprise’s on-premises systems, providing an instant continuity-of-business solution if the CSP experiences a service disruption.

Mitigating cloud risk: Resiliency, response, and recovery

Availability is one of the three foundational elements described in the data protection authority (DPA) policy of almost every nation. The CSP must, in addition to confidentiality and integrity, demonstrate an uptime availability history that is equal to or better than what the enterprise could achieve on its own. The resiliency of the CSP’s services must include disaster recovery sites and continuity-of-business plans that include the resourcing needed to operate the contingency site (or sites). Continually testing these plans is essential to ensure they are ready and able to perform if an outage occurs.

A CSP must also show how well its solution can respond, fail over to a geographically dispersed secondary site, and instantaneously recover from an outage.

The enterprise must also build in contingency plans to recover from an outage and perform the outsourced tasks either internally or with an alternative provider.

Remain vigilant

Not all clouds are created, maintained, and architected equally. Concentration risks can exist at the individual enterprise and industry level.

One of the best ways to mitigate concentration risk is to evaluate your provider’s high-availability and disaster recovery plans and procedures to ensure continuous service if a service interruption occurs. Enterprises should also create, maintain, test, and continually update their own continuity-of-business plans, which can support the outsourced service(s) should a long-term service interruption affect the CSP.

Demonstrating these critical processes, as well as the ability to recover from a service disruption, is essential to mitigating a regulator’s concerns about cloud concentration risk.