Financial Institutions: The time to plan a ‘Cloud Exit’ is before you need one 

Jens Koegler Financial Services , , ,

Originally posted on http://www.vmware.com By Joe Chenevey, Principal Solutions Architect & Samuel Awonuga, Business Development, Financial Services Solutions.

In an article published earlier this year, Martin Hosken, Worldwide Chief Technologist for VMware Cloud Services, discussed the concept of cloud exit and instances where a cloud exit strategy may be necessary for businesses. We highly recommend you revisit that article and his earlier series on the same topic.

Leading on, we will take a closer look at why cloud exit is especially relevant for the financial services industry. In addition, we will discuss how VMware solutions can assist financial institutions in implementing cloud exit strategies.

To start, let’s examine an underlying problem statement: 

As financial institutions, particularly banks, become increasingly invested in the public cloud, cloud service providers (CSPs) become de facto extensions of critical national infrastructure. As such, concerns about cloud concentration risk have grown among banking regulators, which are recommending that banks develop cloud exit plans to mitigate the impact of public cloud outages on digital operations and avoid lock-in. Many banks continue to look for agile and cost-effective contingencies rather than owning dedicated IT infrastructure for business continuity / disaster recovery.

Industry Regulatory Landscape

Regulatory authorities in the European Union and the United Kingdom have issued guidelines, consultations and draft legislation regarding cloud exits and outsourcing to address perceived systemic and institution-level concentration risks. Specifically, the incoming EU Digital Operational Resilience Act (DORA) addresses operational resilience and the ability of banks to recover from operational disruptions that could be caused by cloud outages. 

In another example, the European Banking Authority’s (EBA) guidelines (2019 Final Guidelines on Outsourcing Arrangements) require institutions to have a comprehensive, documented and sufficiently tested exit strategy (including a mandatory exit plan) when they outsource “critical functions” to a CSP. The EBA further reinforced its cloud adoption guidelines in an additional consultation paper issued by the European Securities and Markets Authority (ESMA) and European Insurance and Occupational Pensions Authority (EIOPA) on draft guidelines for outsourcing to CSPs. 

In the United Kingdom, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) issued guidance expecting financial institutions “to be operationally resilient by having a comprehensive understanding and mapping of the people, processes, technology, facilities and information necessary to deliver each important business services.” In their most recent report, the PRA specifically addressed the issue of concentration risk, which is caused by banks being locked into contracts with vendors or outsourcing their connectivity to the cloud.  

While concerns of cloud concentration risk are being raised most prominently in the European region, cloud concentration risk is no less of a concern in other regions . According to Cornerstone Advisors’ 2022 “What’s Going on in Banking” study, two-thirds of US banks and credit unions already have apps running in the cloud or expect to by the end of 2022.  Considering clear evidence of increased use of cloud computing in the securities industry by US banks, US regulatory authorities may eventually strengthen guidelines such as those originally set forth by the Financial Industry Regulatory Authority (FINRA) in 2021.  Financial institutions should keep an eye out for more public consultations and not miss the opportunity to engage with regulators with feedback.

Forms of Cloud Exit

As Martin stressed in his article, an exit strategy should not be an afterthought. A financial institution’s cloud exit strategy should be developed in conjunction with the selection of the cloud service provider(s) and their respective cloud services. Generally, the more business processes rely on the cloud (e.g., core financial processes) and/or the number of proprietary cloud services used (e.g., those specific to a CSP) to run those processes increases, the more complicated the cloud exit plan will be. 

In this article, we do not intend to describe every possible scenario or form of cloud exit. To simplify things, we’ll categorize cloud exit strategies by financial institutions into two groups: 

  • Banks that have yet to move substantial numbers of core financial processes (or none at all) to the cloud and need to create an exit strategy before doing so.
  • Banks that have already gone “all-in” with a single CSP and need to devise an exit strategy based on varying use of certain cloud services of the CSP.

Although some of the methods for cloud exit are similar between the two scenarios, it is reasonable to assume the cost and complexity will be substantially different. Taking the first scenario into account, we will now examine three forms of “cloud exit” we believe banks should consider:

Cross Cloud Migration

This is perhaps the most active managed form of cloud exit. Migrations from one cloud to another (e.g., cross-cloud) or back to on-premise (e.g., repatriation) can be made more or less difficult depending on the architectural choice to:

  • Utilize services and/or interfaces proprietary to a CSP, or to 
  • Utilize a multi-cloud architecture at either the infrastructure platform or application platform layer respectively

For banks a hybrid architecture provides the most flexibility when considering cloud entry and cloud exit strategies. As Martin notes in his article, “the key to the hybrid cloud model is application and data portability, which is one of the most challenging issues when it comes to pairing private and public cloud solutions. For this reason, the first step in any hybrid cloud strategy should be the deployment of a model that will support this critical functionality. By its very nature, the ability to seamlessly migrate workloads and their respective applications across public and private clouds is a key step that will support any cloud exit strategy.”

In this respect, VMware’s software defined data center (SDDC) architecture shines, since it enables a hybrid cloud infrastructure platform that can be deployed across a wide variety of cloud endpoints, whether they are on-premises, in public clouds, in sovereign clouds (participating in the VMware Cloud Provider Program), or increasingly at the edge. 

The ubiquity of VMware’s hybrid cloud infrastructure platform is a key value which allows banks the ability to innovate quickly by taking advantage of one or more public clouds and their respectively differentiated services while providing sufficient separation to ease a bank’s migration between providers, should the need or desire arise. 

Additionally, VMware HCX™ continues to enable portability among those of our financial services customers who are not only looking to make their initial migrations from the data center to a public cloud, but also to enable cross-cloud migrations and cloud exits. As a refresher, HCX is an application mobility platform designed to simplify application migration, workload rebalancing, and disaster recovery.  Banks can benefit from its capabilities for a variety of commercial, governance, and regulatory reasons when they move from one cloud to another, permanently or temporarily, such as in the case of disaster recovery which we will discuss more in the next section.

Cross Cloud Disaster Recovery

Disaster recovery capabilities are necessary for banks to bolster their operational resilience and readiness. For several years, the cloud has offered banks an agile and cost-effective contingency in lieu of owning and operating a dedicated on-premise infrastructure solely for business continuity / disaster recovery purposes.  Similarly, banks should also consider using the cloud for disaster recovery for its digital operations that are already running within a particular CSP.

Nevertheless, in many cases we see financial institutions relying on a single CSP and spreading workloads across multiple availability zones and/or regions, believing this will be sufficient to address workload availability. The spread of bank workloads among several AZs and regions is in and of itself a sound architectural approach, but it does not eliminate the possibility of widespread cloud service failures across multiple regions. No matter the state of technology, a cloud service outage can occur.  In case of a multi-region service failure, an outage can last for a significant period of time, and the SLOs of the public cloud provider will not provide a remedy to protect a bank’s goodwill with its customers.

As we noted earlier, proposed legislation like the EU’s DORA is looking to address business continuity risk, which inherently involves avoiding cloud concentration risk. In context to of disaster recovery, rather than relying solely on the same public cloud provider could banks utilize a second or alternative public cloud? Given the commercial and competitive dynamics between public clouds and the need to look for third-party DR solutions to facilitate failovers/failbacks, the answer has usually been, “yes, but…” 

However, this past August VMware announced a public preview of bi-directional cross-cloud DR between VMware Cloud on AWS and Azure VMware Solution. With this managed cloud-based approach, VMware is bringing a new and leading capability which offers substantial value to our financial services customers. This news is exciting for our Financial Services Industry Solutions team, as it addresses a large need for banks lacking viable disaster recovery solutions which complies with the intent of legislation like DORA by utilizing a multi-cloud approach. Learn more about this new cross-cloud DR solution here and stay tuned for more updates!

Ransomware Recovery as a Service

For banks and other financial institutions, perhaps there is no area that keeps associates up at night more than the threat of ransomware attacks. According to the US Treasury’s Financial Crimes Enforcement Network (FinCEN), 1489 ransomware-related filings were received in 2021, a 188 percent increase from 2020. While their Financial Trends Analysis report cites increasing ransomware incidents or improved reporting and detection as possible explanations for the increased number of ransomware filings in 2021, the dollar values remain eye opening.

As part of our ongoing effort to help our customers combat this threat, VMware announced our new Ransomware Recovery service in August and subsequently announced its general availability recently in mid-October. For banks seeking operational resilience, VMware Ransomware Recovery for VMware Cloud DRTM brings these industry leading capabilities for cloud-based ransomware recovery as a service:

  • Ransomware recovery workflow – Streamline recovery with a step-by-step guide
  • Guided restore point selection – Confidently assess and identify recovery points
  • Next-Gen AV + Behavioral Analysis – Embedded in a single UI
  • Air-gapped, immutable recovery points – Preserve data integrity of restore points
  • On-demand IRE and VM network isolation – Prevent reinfection at recovery
  • Instant VM Power-On – Conduct rapid recovery point iterations

Again, VMware continues to address our financial services industry customers’ most pressing technology challenges like ransomware with a differentiated solution!

Key Takeaways for Banks and other Financial Institutions

In summary, managing cloud concentration risk and ensuring operational resilience are key drivers for cloud exit strategies for banks and other financial institutions.

Ideally, a bank’s cloud exit strategy is developed as part of its initial decision-making when choosing a cloud service provider(s) and their respective cloud services. 

To ensure the greatest flexibility when considering cloud entry and cloud exit, banks that have not migrated any substantial number of core financial processes to the cloud should consider a hybrid architecture. 

Three forms of “cloud exit” that we believe every bank needs to consider are:

  • Cross Cloud Migration
  • Cross Cloud Disaster Recovery
  • Ransomware Recovery as a Service

The ubiquity of VMware’s hybrid cloud infrastructure platform (available on-premises and in hyperscaler & VCPP clouds) coupled with our cloud migration, disaster recovery, and ransomware recovery capabilities allows firms to leverage the advantages of public cloud while mitigating concentration risk amid an evolving regulatory climate. Ultimately, VMware offers our financial services customers unequivocal choice in both application platform and infrastructure platform layers enabling them to strike the right balance between agility and cost!

Jens Koegler

Jens Koegler is VMware's Healthcare Industry Director in EMEA. He is helping our healthcare customers develop and run modern applications to drive innovation and ensure better patient care through a digital foundation that includes data center, hybrid cloud, mobile, networking and security technologies. VMware plays a strategic role in the healthcare industry. Its leading innovations in enterprise software help ensure consistent patient care and reduce IT access time for healthcare professionals so they can spend more time with their patients. Jens plays a key role in helping customers understand how new applications, devices, the latest IT technologies and digital transformation are driving innovation in healthcare.