Minimizing Cloud Concentration Risk for Financial Services Institutions, Regulators and Cloud Service Providers

What is Cloud Concentration Risk?

Since the financial crisis of 2008, regulators have been consistently working to identify emerging risks that can potentially result in financial stability events.  The growth in cloud adoption across the Financial Services Industry (FSI) and the associated increase in reliance on third-party infrastructure providers has gained the attention of regulators at global, regional, and national levels.

At a high level, a core regulatory concern around cloud adoption is focused on operational resiliency. In particular, regulators are evaluating the complexities involved in the “shared responsibility model” that exists between a cloud customer and the cloud service provider (CSP) to ensure that sufficient oversight and controls are in place.  A subset of these regulatory operational resiliency concerns is Cloud Concentration Risk. 

Cloud Concentration Risk concerns arise from an institution’s over-reliance on one service provider to support key banking services. This not only presents operational risks for individual institutions but creates financial stability risks for the financial system within a single country as well as globally. Concentration risks also arise if a significant number of institutions have a key operational or market infrastructure capability (e.g. payment, settlement, and clearing systems) running on a single CSP.

While detailed IaaS cloud market share estimates for the Financial Services industry are not publicly available, the Bank of England has recently published some high-level results of an annual survey of the 30 largest banks and the 27 largest insurers that they supervise to understand how these institutions utilize the cloud. This includes a good selection of some of the largest global banks since many have significant operations in London.

Figure 1: Market Share of Providers of Infrastructure as a Service

As revealed in Figure 1, the top two CSPs have a significant market share in the Financial Services industry.

It should be noted that in this publication the Bank of England stated:

“Our survey indicates that for banks and insurers, the provision of IT infrastructure in the cloud is already highly concentrated.”

Furthermore, they mentioned that,

“We will use the results of the survey to inform and adjust our supervisory approach to cloud oversight.”

These concerns are reflective of many global regulators.

Key Factors Driving Cloud Concentration Risk

From a Cloudera perspective, we see two distinct Cloud Concentration Risk categories:

Firm-Specific Cloud Concentration Risks

We highlight four types of operational risks that are firm-specific and a function of each firm’s enterprise architecture:

  1. Lack of Unified Data Security & Governance – Each cloud-native product re-creates its own silo of metadata making data management, security, and governance much more complex.  Without a unified security and governance framework, institutions will be challenged to identify, monitor, and address crucial issues in data management that are critical for proper measurement of risk exposures across different platforms. This is especially true for Hybrid or Multi-Cloud environments.
  2. Cyber Attack Resiliency – The consolidation of multiple organizations within one cloud service provider (CSP) presents a more attractive target for cybercriminals than a single organization.  A further complication is that cloud security is a shared responsibility between the CSP and the institution.
  3. Vendor Lock-In – The market share concentration of a small group of cloud service providers can result in significant lock-in effects, whereby an institution is unable to easily change its cloud provider either due to the terms of a contract, a lack of feasible alternatives, proprietary technical features or high switching costs.
  4. Operational Resiliency – Much of regulators’ concern about operational resiliency centers on the “shared responsibility” model inherent in the relationship between a cloud customer and the CSP.  Regulators have consistently made it clear that institutions at all times remain fully responsible for all the operational functions they outsource to third-party providers.

Systemic Cloud Concentration Risks

Systemic Cloud Concentration Risks consist of risks that affect the stability of the financial system and are not directly under the control of any single firm.  We identify two specific factors impacting financial stability:

  1. Lack of Transparency – A cloud service provider is unlikely to share detailed information about its processes, operations, and controls.  This restricts not only an individual institution but also the regulators from full visibility on the applications that reside with a CSP. The EBA Outsourcing Guidelines provide that banks should gradually build an Outsourcing Register which should be complete by 31 December 2021.  ESMA has also recently outlined similar reporting requirements.
  2. Systemic Risk Concerns – Regulators are concerned about the systemic risk arising from a concentration of many large financial service firms’ critical application(s) residing on the same CSP. These include applications such as payment, settlement, and clearing systems.

Fortunately, recent innovations in developing a comprehensive hybrid, multi-cloud architecture, generically referred to as the Enterprise Data Cloud, directly eliminate many of the concerns around vendor lock-in dangers as well as the lack of a unified multi-cloud data security and governance capability. This in turn helps address several key concerns of Firm-Specific Cloud Concentration Risks.

The Next Generation Enterprise Data Cloud

The original Big Data open-source platform, Hadoop, has experienced continuous innovation throughout the past decade. The advent of the wide adoption of cloud computing and the need to manage data, workloads, and security across many platforms has led to the development of the next generation Big Data platform. At Cloudera, we call this next-generation hybrid, multi-cloud architecture the “Enterprise Data Cloud”. Gartner calls this the emergence of “Cloud Data Ecosystems” while 451 Research describes this as “Enterprise Intelligence Platforms.”  Regardless of the terminology chosen, the clear understanding is that the future of cloud computing needs to support an agile hybrid, multi-cloud environment that enables the full portability of data and applications across all relevant platforms.

From a high-level perspective, an Enterprise Data Cloud needs to support: 

Hybrid and multi-cloud – to provide data management capabilities to manage, analyze, and experiment with data in any public or private cloud or on-premise data center environments for maximum choice and flexibility.

Multi-function capabilities – to address the most demanding business use cases requires applying real-time stream processing, data warehousing, data science, and iterative machine learning across shared data at scale.

Secure and governed – simplifies data privacy, security, and compliance for diverse enterprise data with a common security model to govern data on any cloud – public, private, and hybrid.

Open Source – facilitates innovation within the open source community, the choice of open storage and compute architectures without vendor lock-in, and the confidence and flexibility of a broad ecosystem supporting both legacy systems and innovative partners.

While hybrid cloud environments bring substantial advantages in terms of rapid deployment and reduced infrastructure costs, they bring a new set of data management challenges. As cloud environments multiply, new cloud data silos can appear, some of which bypass IT altogether. Securing and governing data that lives across multiple clouds, each with its own architecture, is difficult. Furthermore, cloud vendor lock-in effects can make it difficult and costly to migrate applications or data.

Cloudera is leading the industry in offering the world’s first Enterprise Data Cloud. We call this the Cloudera Data Platform (CDP).

Figure 2: Cloudera Data Platform

As illustrated in Figure 2, the Cloudera Data Platform provides three form factors: CDP Public Cloud, CDP Private Cloud and CDP Data Center (the on-premises version of CDP). Together they form a single unified platform that prevents cloud lock-in, supports the complete data lifecycle, provides a single control plane to secure, govern and track data lineages across all platforms, and allows for the portability of data and applications as required.

How Cloudera’s CDP Supports Reducing Cloud Concentration Risk

With the continued development and deployment of CDP, Cloudera supports Financial Services Institutions, Regulators, and CSPs in reducing several key factors driving Cloud Concentration Risk exposures.   We briefly outline how we support each market segment.

Financial Services Institutions

CDP uniquely provides Financial Services Institutions with the ability to migrate towards a hybrid, multi-cloud environment while addressing several regulator concerns around Firm-Specific Cloud Concentration Risks:

Cloud Lock-In:  CDP avoids Cloud Lock-In with portability of data & applications across any platform.

Single Control Plane:  CDP provides a single control plane to manage all workloads on any CSP.

Shared Data Exchange (SDX):  CDP provides unified data security and data governance across all environments.

Regulators

From a Regulator perspective, CDP provides the following benefits:

Reduce Firm-Specific Cloud Concentration Risk:  As discussed above, CDP’s ability to address several key concerns around Firm-Specific Cloud Concentration directly reduces several key factors driving Cloud Concentration Risk concerns.

Data Collection and Analysis:  CDP supports regulators by providing a centralized data & analytics platform that can be utilized to support cloud monitoring, analysis, and reporting against vast quantities of data and applications.

Risk and Policy Analysis:  We enable the use of ML, AI & Simulation capabilities to help identify potential systemic cloud concentration risk trigger points and to evaluate policy and structural approaches to address these concerns.[9]

Cloud Service Providers (CSPs)

With Cloudera’s CSP partners, CDP provides the following benefits:

Driving Growth in the Overall Cloud Market:  CDP directly helps CSPs by supporting their business growth through accelerated cloud adoption and workload migration of our financial services customers.

Reduce Regulator Concerns:  CDP helps prevent Cloud Lock-In effects and other cloud-related operational risks thereby reducing some key regulatory concerns around Cloud Concentration Risk.

To learn more about Cloud Concentration Risk, read my whitepaper.

Richard Harmon