[LINK] Banks now rely on a few cloud computing giants. That's creating some unexpected new risks

Roger Clarke Roger.Clarke at xamax.com.au
Sun Jul 18 14:10:53 AEST 2021


On 18/7/21 1:37 pm, Kim Holburn wrote:
> https://www.zdnet.com/article/banks-now-rely-on-a-few-cloud-computing-giants-thats-creating-some-unexpected-new-risks/
>> ... the Bank of England ... voiced concerns about [cloudsourcing]
>> services being provided by only a handful of huge companies that
>> dominate the market ...

Takes them a while, doesn't it.  Would some forethought have helped?

Contingent Risks:  http://www.rogerclarke.com/II/CCBR.html#TRC
Security Risks:    http://www.rogerclarke.com/II/CCBR.html#TRS
Business Risks:    http://www.rogerclarke.com/II/CCBR.html#BR
That was all pretty obvious in late 2009, published mid-2010

Short version of 2011:  http://www.rogerclarke.com/EC/CCSec.html
Summary-table of 2012:  http://www.rogerclarke.com/EC/CCEF.html#Exh2

Could it be that they listened to consultants-who-spruik, failed to
apply any scepticism, and failed to perform effective risk assessment?

_____________

>> Banks' growing reliance on cloud computing
>> <https://www.zdnet.com/article/what-is-cloud-computing-everything-you-need-to-know-about-the-cloud/>
>> could pose a risk to financial stability and will require stricter
>> oversight, according to top executives from the UK's central bank.
>>
>> In a report focusing on financial stability in the UK over the past
>> few months, the Bank of England drew attention to the increasing
>> adoption of public cloud services, and voiced concerns about those
>> services being provided by only a handful of huge companies that
>> dominate the market.
>>
>> Outsourcing key banking data and services to a small number of cloud
>> service providers (CSPs), said the Bank of England, means that those
>> providers have the power to dictate their own terms, potentially to
>> the expense of the stability of the financial system.
>>
>>
>>       Cloud
>>
>>   * The top cloud providers
>>    
>> <https://www.zdnet.com/article/the-top-cloud-providers-of-2021-aws-microsoft-azure-google-cloud-hybrid-saas/>
>>
>>   * What is cloud computing? Everything you need to know
>>    
>> <https://www.zdnet.com/article/what-is-cloud-computing-everything-you-need-to-know-about-the-cloud/>
>>
>>   * The best cloud storage services
>> <https://www.zdnet.com/article/best-cloud-storage/>
>>   * OneDrive tips and tricks: How to master Microsoft's free cloud
>> storage
>>    
>> <https://www.zdnet.com/article/onedrive-tips-and-tricks-how-to-master-microsofts-free-cloud-storage/>
>>
>>
>> For example, cloud providers might fail to open up the inner workings
>> of their systems to third-party scrutiny, meaning that it is
>> impossible for customers to know if they are ensuring the level of
>> resilience that is necessary to carry out banking operations.
>>
>> "As regulators and people concerned with financial stability, as
>> (CSPs) become more integral to the system, we have to get more
>> assurance that they are meeting the level of resilience that we need,"
>> Andrew Bailey, the Bank of England governor, told reporters in a press
>> conference.
>>
>> In the past years, financial institutions have accelerated their plans
>> to scale up their reliance on CSPs. From file sharing and
>> collaboration to fraud detection, through business management and
>> communications: banks have used cloud outsourcing both to run software
>> and access additional processing capacity, and to support IT
>> infrastructure.
>>
>> Until recently, cloud services were used mostly to run applications at
>> the periphery of banking operations, such as HR systems with no direct
>> impact on financial services. According to the Bank of England,
>> however, this is now changing, with CSPs being called in to process
>> operations that are more integral to the core running of banks.
>>
>> "We've crossed a further threshold in terms of what sort of systems
>> and what volumes of systems and data are being outsourced to the
>> cloud," said Sam Woods, the chief executive officer of the Prudential
>> Regulation Authority (PRA). "As you'd expect, we track that quite
>> closely."
>>
>> Last year, the Bank of England opened bidding for a cloud build
>> partner
>> <https://www.digitalmarketplace.service.gov.uk/digital-outcomes-and-specialists/opportunities/11682>,
>> with the goal of creating a fit-for-purpose cloud environment that
>> could better support operations in a digital-first environment. At the
>> time, the institution said that it had already been in talks with
>> Microsoft's Azure, Google Cloud and Amazon's AWS, and that it would
>> likely be targeting Azure in a first instance. The possibility of
>> adopting a multi-cloud strategy was also raised.
>>
>> There are many benefits to moving financial services to the public
>> cloud. For example, while using old-fashioned, on-premises data
>> centers incurs extra expenses, a recent analysis by the Bank of
>> England estimated that adopting the ready-made services offered by
>> hyperscalers could reduce technology infrastructure costs by up to 50%
>> <https://www.bankofengland.co.uk/research/future-finance>.
>>
>> Another advantage of public cloud services is that they are more
>> resilient. The sheer scale of CSPs enables them to implement
>> infrastructure that integrates multiple levels of redundancy, and as
>> such, is less vulnerable to failures.
>>
>> Moving to the cloud, therefore, is not intrinsically detrimental to
>> banking services – quite the contrary. But the main sticking point,
>> according to the regulators, lies in the concentration of major
>> players that dominate the cloud market. According to tech analysis
>> firm Gartner's latest numbers, the top five cloud providers currently
>> account for 80% of the market
>> <https://www.gartner.com/en/newsroom/press-releases/2021-06-28-gartner-says-worldwide-iaas-public-cloud-services-market-grew-40-7-percent-in-2020>,
>> with Amazon holding a 41% share and Azure representing nearly 20% of
>> the market.
>>
>> "As of course a market becomes more concentrated around one supplier
>> or a small number of suppliers, those suppliers can exercise market
>> power around of course the cost but also the terms," said Bailey.
>>
>> "That is where we do have a concern and do have to look carefully
>> because that concentrated power on terms can manifest itself in the
>> form of secrecy, opacity, not providing customers with the information
>> they need in order to be able to monitor the risk in the service. And
>> we have seen some of that going on."
>>
>> As Bailey stressed, part of the reason for CSPs to remain secretive
>> comes down to better protecting customers, by not opening up key
>> information to potential hackers. But the regulator said that a
>> careful balance has to be maintained on transparency, to enable an
>> appropriate understanding of the risks and resilience of the system
>> without compromising cybersecurity.
>>
>> Leighton James, the CTO of UKCloud, which provides multi-cloud
>> solutions to public sector organizations across the country, explains
>> that these issues are not unprecedented, and it is unsurprising to see
>> them trickle down to the financial services.
>>
>> "We're anxious about cloud providers becoming so big that the terms
>> and conditions are pretty much 'take it or leave it'. We're definitely
>> seen that happening already in the public sector, and we can
>> definitely see it happening in the financial services sector if we are
>> not careful," James tells ZDNet.
>>
>> According to James, part of the risk stems from traditional banks
>> attempting to compete against new disruptive players in the sector.
>> Financial institutions are now rushing to overhaul their legacy
>> infrastructure and catch up with the digital-native customer
>> experiences that were born in the cloud and are now widely available
>> thanks to fintech companies.
>>
>> "It's clearly imperative for the financial sector to modernize and
>> adopt digital technologies," says James. "The question becomes how
>> best they can do that by balancing the risk of digital transformation."
>>
>> And in this scenario, the risks of placing all of banks' eggs in a
>> handful of CSP's baskets is too high, argues James.
>>
>> The Bank of England has similarly urged financial institutions to
>> exert caution when developing their digital transformation strategies,
>> and is currently in talks with various regulators to discuss how to
>> best tackle those risks.
>>
>> With cloud concerns widely shared by other nations, especially in the
>> EU
>> <https://www.zdnet.com/article/meet-gaia-x-this-is-europes-bid-to-get-cloud-independence-from-us-and-china-giants/>,
>> those discussions are likely to become international, and the UK's
>> central bank predicts that global standards will be created to develop
>> a consistent approach to the issue.
>>
> 


-- 
Roger Clarke                            mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University



More information about the Link mailing list