Is going multi-cloud the future for managing risk?

This blog is part of our wider series on managing cloud and digital risk. It explores the risk considerations of multi-cloud, the benefits it brings and challenges it presents.

For many years, organisations widely accepted that a single-cloud strategy was advantageous, as it would enable economies of scale financially, accelerated by only needing to maintain capabilities for one cloud service provider (CSP). Organisations where cloud use grew organically and resulted in services from multiple CSPs, often realised this approach was technically complex, difficult to manage and not commercially feasible. However, with growing focus on operational disruption, competitive advantage from unique offerings, concentration risk and more, organisations are revisiting and challenging these preconceptions to select a cloud strategy that meets multiple needs, with many questioning whether using multiple CSPs is the way forward to achieve an optimal balance of operational efficiency, risk management, and resilience.

In this article, we will explore what ‘multi-cloud’ is, our view on why organisations are considering multi-cloud architecture and the key benefits and challenges of adopting this approach. We will summarise the key steps to consider when defining your cloud strategy.

What is multi-cloud?

Organisations have varying definitions of multi-cloud. In this article we have defined it as: the pursuit of a strategy to leverage cloud services from more than one vendor. Multi-cloud falls into one of the four commonly accepted categories :

• Parallel multi-cloud seeks to run the same service across the infrastructure of multiple CSPs concurrently, to achieve the greatest level of availability and resilience of the system or service by switching easily from one infrastructure provider to another. Due to the complexity of this architecture, this structure is only pursued for select critical systems and applications.
• Segmented is the opposite of parallel. It is a multi-cloud architecture where different services are sought to be hosted on a specific CSPs’ infrastructure based on their inherent technical or commercial advantages, potential regional regulations and sovereignty requirements.
• Portable is what many may think of when they hear ‘multi-cloud’ and is the approach to utilise cloud-agnostic services to be deployed to different CSPs, enabling deployment across multiple CSPs. It requires large levels of abstraction and sophisticated automation to enable practically.
• Choice is a strategic approach to host a given service on the infrastructure of the CSP deemed most suited to its specific use case. It considers cost, service quality, business and technical requirements to arrive at the appropriate selection of CSP. This approach is desirable for shared IT functions in large organisations due to their need to cater to an extensive set of business requirements and preferences.

Industry risk drivers for considering multi-cloud

Operational Resilience

Operational Resilience is an organisations’ ability to prevent disruption to its operations or their ability to adapt, respond to, and recover its’ services and functions in a timely manner when a disruptive event occurs. This is achieved through continuous learning from testing, incidents, near miss events, and disruptions experienced by the organisation and within industries.

Over the years, the increasing customer demand for ‘always on’ digital services has resulted in organisations increasing their reliance on cloud technology to deliver products and services. In the Financial Services (FS) sector, we have seen these matched with major and minor incidents directly affecting customers i.e. poor change management practices and outages at CSP data centres. The EU and UK regulators are now responding at pace, and in the last two years we have seen discussion papers, supervisory and policy statements published to mitigate these risks, such as the EU’s DORA and UK’s Operational resilience and an HM Treasury policy paper on ‘critical third parties to the finance sector’. We will discuss these later in the cloud risk blog series. In the UK we have started seeing instances where the regulators have instructed cloud native FS firms to transition to multi-cloud¹, removing internal decision-making.

Operators of essential services (OES) (e.g., utility, transport, healthcare providers), are required to comply with the Security of Networks & Information Systems (NIS) Directive which is aimed at raising levels of cyber security and resilience across the EU and UK. We have observed increasing discussion around joint, cross-sectoral approaches to resilience testing with the UK FS authorities, Department of Digital, Culture, Media & Sport (DCMS) and the Information Commissioner’s Office (ICO) expected to engage with other public bodies to contribute towards the designation of Critical Third-Parties. Given the cross-industry and cross-jurisdictional nature of the services CSPs provide, increased dialogue and scrutiny from competent authorities and public bodies is expected on the horizon.

Concentration risk

This risk is ‘multiple outsourcings to the same provider and/or the risk posed by outsourcing critical or important functions to a limited number of service providers’². In the context of cloud, if a CSP suffered a disabling IT outage or cyber attack, this could result in a single point of failure and disrupt large parts of an organisations’ operations. From a macro perspective, it could impact a whole sector, causing consumer, market and/or societal harm. In a recent sector review performed by Deloitte, we saw most organisations had decided to maintain a single-cloud strategy. This decision is because the benefits of using a single CSP outweighs the potential risks – ironically the organisations that had undertaken the assessment had determined the additional security and operational resiliency risks introduced from a multi-cloud architecture is greater than the impact of concentration risk. Currently, there is no well executed industry approach for measuring aggregated cloud concentration risk (for third, fourth and extended parties). This gap continues to be an area of concern for regulators and the FS sector.

Vendor lock-in

Vendor lock-in is when an organisation is restricted from using another CSP due to the impracticalities of doing so. This restriction could result from the high level of investment the organisation has already made in the first service provider e.g., commercially, investment in relevant technology architecture, use of CSP’s native services and more. Vendor lock-in can modify or multiply concentration risk. This has been apparent since the early days of cloud adoption but was widely accepted as a risk and managed through exit strategies and exit plans because the level of critical services supported in the cloud was minimal. The onset of the pandemic has seen an acceleration in the move to cloud, leading those that have, to date, pursued a single vendor cloud strategy to be more aware of their increased reliance on a single CSP.

Key benefits and challenges of multi-cloud

Key recommendations

A proportionate risk-based approach should be followed when determining utilising multi-cloud services. Key risk management steps are:

1. Understand the critical business processes and identify the respective technology1. planned for and already operating in the cloud. Understand the digital and technology control patterns which exists to support an incremental migration, augmentation or modernisation and accelerate innovation and transformation.
2. Identify the relevant cloud risks and understand cloud risk exposure, including impact to operational risk, to determine whether this impact is within your cloud risk appetite. If it does not already exist, build metrics that enable you to accurately validate that you are still operating within your risk appetite.
3. Undertake Benefits vs Risk (BvR) analysis for operational risks, considering:
   • Legal and regulatory expectations, including consideration of horizon regulatory requirements e.g., critical third-party regime and accounting rule changes.
   • Current risk and control environment, including alignment to policies, standards and risk and control frameworks.
   • Enterprise architecture
   • Business continuity, exit strategy and testing, including normal and abrupt exit scenarios.
   • Commercial feasibility i.e. organisation’s financial position and potential impact on firm’s P&L to maintain the cloud strategy selected, including maintaining the right skills and capability.
   • Considering Environmental, Social and Governance (ESG) impact and reporting.
4. Identify mitigation procedures for risks that exceed your organisations’ appetite. For example, if the critical enterprise architecture is not designed for portability, there is a stress tested approach to bring the critical process supported by that architecture on-premise.
5. For unmitigated risks that exceed your organisations’ appetite, determine whether this risk can be mitigated through other means or through implementing a multi-cloud architecture.

If you would like to discuss the content of this blog with any of our experts, please get in touch.

------------------------------------------------------------------------------------------------------------------------

References

¹In the case of fintech’s and special cases only

²https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1