This blog is part of our wider series on managing cloud and digital risk. It explores the risk considerations of multi-cloud, the benefits it brings and challenges it presents.
For many years, organisations widely accepted that a single-cloud strategy was advantageous: it enabled financial economies of scale and only required maintaining skills and capabilities for one cloud service provider (CSP). Organisations whose cloud use grew organically, ending up with services from multiple CSPs, often found that approach technically complex, difficult to manage and not commercially feasible. However, with a growing focus on operational disruption, competitive advantage from providers' unique offerings, concentration risk and more, organisations are revisiting and challenging these preconceptions in order to select a cloud strategy that meets multiple needs. Many are questioning whether using multiple CSPs is the way to achieve an optimal balance of operational efficiency, risk management and resilience.
In this article, we will explore what ‘multi-cloud’ is, our view on why organisations are considering multi-cloud architecture and the key benefits and challenges of adopting this approach. We will summarise the key steps to consider when defining your cloud strategy.
Organisations have varying definitions of multi-cloud. In this article we define it as the pursuit of a strategy to leverage cloud services from more than one vendor. Multi-cloud falls into one of four commonly accepted categories:
Operational Resilience
Operational Resilience is an organisation's ability to prevent disruption to its operations, or to adapt, respond to and recover its services and functions in a timely manner when a disruptive event occurs. This is achieved through continuous learning from testing, incidents, near-miss events and disruptions experienced by the organisation and across its industry.
Over the years, increasing customer demand for 'always on' digital services has led organisations to rely more heavily on cloud technology to deliver products and services. In the Financial Services (FS) sector, this has been matched by major and minor incidents directly affecting customers, e.g. outages caused by poor change management practices or by failures at CSP data centres. EU and UK regulators are now responding at pace: in the last two years we have seen discussion papers, supervisory statements and policy statements published to mitigate these risks, such as the EU's DORA, the UK's operational resilience framework and an HM Treasury policy paper on 'critical third parties to the finance sector'. We will discuss these later in the cloud risk blog series. In the UK we have started to see instances where regulators have instructed cloud-native FS firms to transition to multi-cloud1, removing the decision from the firm's own hands.
Operators of essential services (OES) (e.g. utility, transport and healthcare providers) are required to comply with the Security of Network & Information Systems (NIS) Directive, which is aimed at raising levels of cyber security and resilience across the EU and UK. We have observed increasing discussion of joint, cross-sectoral approaches to resilience testing, with the UK FS authorities, the Department for Digital, Culture, Media & Sport (DCMS) and the Information Commissioner's Office (ICO) expected to engage with other public bodies to contribute towards the designation of Critical Third Parties. Given the cross-industry and cross-jurisdictional nature of the services CSPs provide, increased dialogue with, and scrutiny from, competent authorities and public bodies can be expected.
Concentration risk
This risk is 'multiple outsourcings to the same provider and/or the risk posed by outsourcing critical or important functions to a limited number of service providers'2. In the context of cloud, if a CSP suffered a disabling IT outage or cyber attack, the CSP would be a single point of failure and large parts of an organisation's operations could be disrupted. From a macro perspective, it could impact a whole sector, causing consumer, market and/or societal harm. In a recent sector review performed by Deloitte, we saw that most organisations had decided to maintain a single-cloud strategy, judging that the benefits of using a single CSP outweigh the potential risks. Ironically, the organisations that had undertaken the assessment concluded that the additional security and operational resilience risks introduced by a multi-cloud architecture were greater than the impact of concentration risk. Currently, there is no well-executed industry approach for measuring aggregated cloud concentration risk (across third, fourth and extended parties). This gap continues to be an area of concern for regulators and the FS sector.
Vendor lock-in
Vendor lock-in is when an organisation is effectively prevented from moving to another CSP because doing so is impractical. The restriction typically results from the level of investment the organisation has already made in its first provider, e.g. commercial commitments, investment in the relevant technology architecture, use of the CSP's proprietary native services and more. Vendor lock-in can modify or multiply concentration risk. It has been apparent since the early days of cloud adoption, but was widely accepted as a risk and managed through exit strategies and exit plans because the number of critical services supported in the cloud was minimal. The onset of the pandemic accelerated the move to cloud, leaving those that have, to date, pursued a single-vendor cloud strategy more aware of their increased reliance on a single CSP.
A proportionate, risk-based approach should be followed when deciding whether to utilise multi-cloud services. The key risk management steps are:
If you would like to discuss the content of this blog with any of our experts, please get in touch.
------------------------------------------------------------------------------------------------------------------------
1 In the case of fintechs and special cases only.