The highly regulated BFSI industry faces risk when it runs critical business applications on a single cloud platform. The risk arises when a failure on the part of the cloud vendor disrupts the business. Cloud portability is a regulatory and risk-avoidance paradigm that promotes the ability to move applications and data from one cloud environment or provider to another with minimal disruption to the business. BFSI enterprises have been attempting to address this concern through multi-cloud adoption, through a combination with on-prem infrastructure for failover, or by making applications portable so that they can be moved to another cloud or on-prem very quickly. This article dives into the finer details of portability and the adjacent area of cloud exit for the BFSI industry.
Cloud portability: Regulatory and business paradigm
BFSI cloud adoption has been slower because these firms are heavily regulated, owing to the critical nature of the business and the large amount of confidential customer financial information they possess. Their requirements for security risk and compliance, ecosystem management, integration, and control are exceedingly high. Critical business functions have zero tolerance for business disruption, which may not be achievable on one particular cloud, because that concentrates a massive share of the BFSI enterprise's infrastructure with a single provider.
The concept of cloud portability allows movement of applications and data between one public cloud and another, between a public cloud and a private cloud, or between a public or private cloud and on-premises data centers. Cloud exit refers to a situation where a BFSI firm moves from one cloud to another without the possibility of returning to the former. Cloud portability and cloud exit go hand in hand: both might be triggered by IT failure, contractual disputes, geo-political events, or natural or man-made disasters, but cloud exit is generally considered a permanent event. Cloud-native offerings such as PaaS or serverless architecture have little in common from one cloud provider to the next, which makes it difficult for enterprises to exit from a cloud vendor and move their workloads easily to another.
Highly regulated UK BFSI enterprises must ensure that their cloud strategy follows the regulatory requirements for cloud adoption.
To understand the regulatory requirements for cloud adoption better, let’s look at three key FCA guidelines for cloud adoption (https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf):
Concentration risk: Acquiring services from a single cloud provider to run a large number of business workloads significantly increases the risk of lock-in. This leads to the inability to move out to another cloud or hosting platform if the cloud provider fails to meet its obligations. BFSI enterprises must, by design, secure the usage of multi-cloud in combination with possible hybrid platforms to mitigate the risk of excessive reliance on a single cloud provider.
Oversight of cloud service providers (CSPs): The oversight function is an integral part of the cloud adoption strategy. BFSI enterprises must acquire adequate IT capability in cloud engineering, DevOps, and FinOps. The oversight function requires a thorough understanding of the commercial and legal contracts between BFSI enterprises and CSPs. It must also manage the exit or transfer of services from the current provider to another provider or in-house.
Continuity and business planning: BFSI enterprises must assume the likelihood of unexpected disruption to their cloud services. This requires proper documentation and regular testing of the BCP infrastructure.
Cloud portability and exit challenges can be addressed by a combination of technology, contractual obligations, proper planning, and strategy.
Deployment of workload with higher degree of portability
BFSI enterprises can address cloud portability and exit strategies with one or a combination of the below approaches:
1. Usage of anti-patterns
Many factors enable cloud portability: selective adoption of cloud-native services, selective adoption of application architecture patterns, non-native cloud cost management, and multi- or hybrid-cloud adoption. Many of these may not be generally accepted architecture patterns; however, they can benefit businesses in the long term by avoiding the costly risks associated with portability and exit.
2. Prioritise critical business processes (CBPs)
Identifying and addressing portability concerns starts with the critical business processes (CBPs) in an enterprise’s operations. Some of the high-critical CBPs are credit or debit card transactions, ATM cash withdrawals, and digital banking login. These can be followed by medium-critical CBPs such as mortgage disbursement, telephone banking login, branch counter transactions, making and receiving bankers’ automated clearing system (BACS) direct debits, general insurance claims, and claims resolution. Some of the low-priority CBPs include reporting of a lost or stolen card, loan or commercial finance disbursement, automated fraud screening, payment of salaries or pensions to staff, and regular income replacement payments. Businesses can benefit from tiering their business processes, as highly critical processes may require expensive solutions whereas others may be addressed with inexpensive options.
3. Exit strategy
A clear exit strategy for any eventuality must be part of the cloud strategy and must address the specific contractual obligation on the cloud provider to maintain business continuity. The selection of the right tools, along with data ownership issues, must be planned so that both the application and data workloads can be switched over from the existing cloud provider to the new locations.
Interoperability is defined as the ability to move and deploy all application and data components successfully to the new cloud environment, regardless of the provider, platform, operating system, and storage, and then resume business operations as usual. Container-as-a-service (CaaS) makes a strong case for inclusion in an enterprise’s cloud strategy because it improves the interoperability of containerized or portable workloads between different clouds.
Resilience is the system’s ability to recover from failures and continue to function. On the cloud, multiple events can cause a software component of an application to fail. When designing cloud architecture, architects must ensure that the solution can cope with and react to these failures. All cloud providers have in-built resiliency with high availability (HA) access to data and workloads, achieved by replicating them across multiple availability zones in a region, and have provision for multi-regional replication if the customer so chooses. Some of the key patterns for achieving cloud portability in single or multi-cloud environments are multi-zone deployment in a single region with the same cloud provider; multi-region deployment with the same cloud provider; multi-cloud deployment with multiple regions; and multi-cloud and on-premises deployment for business-critical processes or applications.
It’s apparent that cloud use has been growing, but so have the regulatory requirements to protect customers’ interests and provide assurance of financial services. It is evident that cloud portability and exit strategies must be planned for and included as part of the cloud strategy. When a BFSI firm switches from one cloud service provider to another, it touches upon many of the interoperability and portability challenges associated with data and applications. The degree of these challenges will vary depending on the nature of the cloud services being consumed by the firm.
As a way forward, a common architecture standard between all cloud providers is a good place to start. Firms also need to plan for the additional IT resources, skills, training, and complexities of replication and compliance that will come along with building the ideal setup for portable workloads.
Contributors: Amit Sidhwani and Dr. Asim Kar