    Reducing the Risk of Multi-Cloud: How to Align with FCA Guidelines

    Published by Gbaf News

    Posted on January 8, 2020

    By Ben Saunders, VP Consulting EMEA at Contino

    As public cloud adoption continues to accelerate, the Financial Conduct Authority (FCA) has released new guidelines on outsourcing IT, which require financial services firms to know how they would transition to an alternate service provider and maintain business continuity, should they need to.

    Most modern businesses understand that the future of financial services lies in the cloud. However, the need to easily transition to an alternate provider suggests a need for a multi-cloud solution.

    But multi-cloud is notoriously tricky to get right. To stay in line with the new regulations, businesses need to work out how they can reduce risks. This can be approached from four main angles: operational, concentration, data and exit risk.

    Reducing Operational Risk 

    The operational perspective is all about securing day-to-day operations. Key requirements to meet this include documented and tested risk assessments, skills and resources to mitigate risk and a documented business case justifying risks. The central pillar of an operational risk strategy must be a solid risk assessment.

    This must identify all the critical or important functions that the financial institution provides (e.g. current accounts, payments, loans, credit cards, savings accounts) and the risks associated with these services (e.g. technical, financial, political etc.).

    Your risk assessment must be documented and reviewed on a regular basis. All the risks that are identified must be assigned to someone to be accepted, managed or mitigated with a clear action plan, with a Material Risk Taker (MRT) wholly accountable for the risks identified as part of the overarching cloud strategy.

    The key takeaway here is that many financial organisations, upon first adopting the cloud, struggle to fully understand how their core products, business service lines and customer journeys hang together architecturally. So, the starting point is always to understand what the as-is state is and what your provisional to-be architecture could look like.

    As a starter for ten, choose one business service line across each of your core product sets. Identify the components where value could be derived through the adoption of public cloud and establish a repeatable framework that can be used by other sections of the organisation.

    Mitigating Concentration Risk  

    Concentration risk is defined as “the reliance that firms themselves may have on any single provider.” It’s about making sure that you don’t put yourself in a situation where you have all your mission-critical eggs in one basket.

    So, what do businesses need to do to mitigate concentration risk in the eyes of the FCA? They need to know the criticality of workloads in the cloud, know where these workloads are and test a plan for how they can transfer these to a different provider in the event of provider failure.

    Regarding workloads, note that different requirements apply to different functions. Most important here is whether the function being outsourced is “critical or important”. A critical or important function is one whose failure would “materially impair the continuing compliance of a firm”. Undertake a discovery assessment so you know what workloads you have where and what level of material importance they carry.

    When it comes to creating a tested plan for moving to a different provider, one suggested method is:

    1. Identify a small, low-risk workload in your organisation’s existing cloud that would make a good candidate for an experimental migration to a new cloud
    2. Execute the experimental low-risk migration
    3. Whether you fail or succeed: learn from what went well and what didn’t go so well
    4. Apply the lessons learned to the next experiment
    5. Continue experimenting, scaling the migration more widely each time
    6. Write up the results of your experiments into a documented strategy along with evidence of the experiments
    7. Consult with the FCA to see if they approve of your battle-tested strategy!

    Being transparent is a crucial part of an effective engineering culture and here it applies as much externally as internally. Update the FCA frequently and ensure a tight feedback loop between them and your cloud teams.

    Reduce Data and Security Risk  

    How you approach data and security is critical when it comes to reducing risk. Firms “should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm … consider data sensitivity and how the data are transmitted, stored and encrypted, where necessary”.

    Regarding security readiness for public cloud, a poorly thought-out method is taking existing ‘on-premise’ security and compliance controls and enforcing them in a cloud environment.

    As part of a cloud adoption strategy, businesses should consider which of their existing security controls should be adopted, which should be adapted, and which should be retired. Using frameworks such as those from the Cloud Security Alliance (CSA), Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) and embedding these using practices such as compliance-as-code will provide organisations with a consistent security pattern that can be applied across each of the major cloud providers, in turn establishing a heterogeneous way of handling security in the cloud.

    Regarding data, it’s important to build a view of data tiering and the sensitivity of the data you’re prepared to push into the cloud. This assessment must be wide reaching and include a data residency policy, a data loss strategy, and a data segregation strategy.

    Reduce Exit Risk 

    What if you need to leave a cloud? Your organisation needs to be prepared. Regulations make it clear that you need a documented and tested exit strategy that will, crucially, enable you to meet the regulated level of service for a given workload.

    Say, for example, that you had a critical payments system that regulations mandated be 99.99999% available, with a recovery point objective of zero. Your exit strategy would have to ensure that you can still meet this level of service, while you exit your cloud provider.

    Achieving this goes back to having really good configuration management practices and architectural principles. No one wants to deal with a monolithic app here! Make sure all applications are as modular as possible, which will support incremental migration patterns to maintain system uptime.

    Critical here is that, when you are in negotiations with a cloud service provider, you have a contractual agreement in place that guarantees that they will help you to exit with minimal disruption and provide you with the required support to do so.

    The FCA guidelines will make most financial institutions consider a multi-cloud strategy. Before this, however, they need to consider how they can reduce risk in the four areas outlined above. By creating a strategy with risks and an exit strategy in mind, businesses will meet the guidelines and continue successful operations.
