Cloud-based computing is an integral element to any forward-looking digital transformation strategy for financial institutions. This article will explore the key attributes of multicloud adoption being undertaken by many financial institutions, and features
commentary from Commerzbank, Wells Fargo, and McKinsey.
Multicloud strategy is now increasingly favoured by banks, allowing them to source their cloud computing and storage services from a number of cloud service providers (CSPs), therefore spreading their cloud reliance across a number of vendors. This is often
viewed as an essential risk mitigation decision.
In order to complete cloud evolution, however, banks must assess and manage the challenges inherent to cloud migration in order to minimise any negative impact that may arise.
Benefits of a parallel multicloud strategy
Carsten Bittner, CTO and head of group technology foundations for Commerzbank AG, states that the German bank relies on a multicloud approach, first and foremost, through its strategic partnerships with Google and Microsoft. “It’s crucial for us to remain
independent of a specific provider as we benefit from the respective advantages and know-how. Working with different partners also gives us more flexibility in case of an exit scenario.”
“For Commerzbank, we believe that the multicloud approach is key to building a cloud transformation organisation and to innovate new solutions for our customers.”
Similarly, Christopher Marsh-Bourdon, head of hybrid environments, technology infrastructure at Wells Fargo, explains that the bank chose a multicloud approach to reduce the dangers around concentration risk and data monopolies. “That has been a core concern
of regulators globally over the last few years, and it is at the forefront of what we drive out as part of our strategy.”
Vijay D’Silva, advisor to McKinsey’s Global Banking & Securities Practice and former senior partner, also states that financial institutions are targeting a multicloud strategy to take advantage of different capabilities of cloud service providers and minimise
lock-in and commercial risks.
D’Silva also highlights the point of increased regulatory attention, explaining that watchdogs such as the Bank of England have also voiced concerns publicly about the need for greater oversight to ensure resilience and financial stability from the overreliance
on few vendors. “Many large FIs see some level of multicloud strategy as inevitable
While it is clear that spreading cloud reliance over multiple CSPs is frequently cited by institutions seeking to avoid concentration risk, it also guarantees a level of flexibility to adapt or exit should circumstances ever change. Reducing the concern
around data monopolies will also ease regulators’ minds in the long term, as their focus shifts toward bolstering operational resilience in financial services.
Challenges of transitioning to a multicloud strategy
Cloud transformation involves a combination of strategy and management, business domain adoption, and foundational capabilities, explains D’Silva.
In order to reap the full benefits of cloud, financial institutions are compelled to modify large numbers of applications -this necessitates substantial investment. D’Silva explains that this cost is amplified further when compared to the high running costs
of (already depreciated) on-prem systems. He continues that establishing a multicloud strategy also demands the reassessment of the operating model and acquisition and training of new engineering talent. “A move to a multi-cloud strategy will in turn require
financial institutions to build up talent capable in operating in multiple CSP environments.”
Bittner cites organising the migration of decentralised applications on the cloud, and training staff on handling cloud-based applications as key challenges financial institutions face in this transition. “Another major objection is to achieve a mindset
change concerning cloud technology within the organisation, but also among external stakeholders.”
Marsh-Bourdon adds that for every individual CSP a financial institution works with, it must learn their unique services and approaches. It is not all bad news though, because while the service names may differ, there are a lot of commonalities in this space
and they do share a lot characteristics.
Adding to these challenges is the fact that not all financial institutions are equally prepared to launch multicloud strategies. For financial institutions to effectively operate in a multicloud environment, the level of engineering skills and resources
required are considerably higher. D’Silva argues that digitally mature institutions that already have effective cloud operating models will be better positioned to make the transition to multicloud.
While qualifying that only the financial institutions themselves can truly answer this question, Marsh-Bourdon says that Wells Fargo’s view is that selecting only one single cloud service provider poses too many questions from a concentration risk perspective,
“and it limits your ability to leverage services that may be specific to a given CSP.”
Cost will always accompany a change in operations, and both the sourcing and training of new talent will remain a challenge for as long as innovation is pursued. Maintaining a culture which promotes an innovation-first mindset will therefore remain essential
as institutions evolve and capitalise on the opportunities presented by the cloud. Despite the challenges, with an innovation first culture which leverages the commonalities across CSP offerings, there is no reason for the challenges of multicloud adoption
to overshadow the significant upside it presents.
Data security and reduced data loss as pillars of multicloud strategy
Cloud and data go hand in hand. Financial institutions depend on the cloud’s computational capacity to leverage the value of data, but in doing so they must have confidence that data will remain secure and protected.
Cybersecurity, explains D’Silva, is one of the biggest risks being faced by financial firms currently, and it is seeing increased focus within the boardroom. “Five years ago, executives in McKinsey research identified cybersecurity as a barrier to cloud
adoption. Today, many recognise that resources dedicated by cloud service providers to cybersecurity dwarf their own capabilities. One of the advantages of moving to the public cloud is that the major CSPs have built-in tools and mechanisms to minimise cyber-risk.”
Despite this, he adds, almost all breaches to date have resulted from misconfiguration. In this sense the emergence of security as code (defining cybersecurity policies and standards programmatically) can work to increase resilience.
Conversely, Marsh-Bourdon points to the positive impact that strong data management can have, noting that public cloud object storage services “have been a boon around retention and data resiliency in recent years. Not only do they minimise the potential
for data loss, but they also do so at a much more completive rate than traditional storage, especially for data that is accessed infrequently. We fully intend to leverage them.”
According to Bittner, it goes without saying that data protection has top priority within Commerzbank given that General Data Protection Regulation (GDPR) compliance is an absolute must. “Our cloud strategy does not change this rationale.”
Will it ever be possible to completely avoid downtime?
We understand all too well the frustrations that accompany an outage. While a disruption to social media or entertainment access can be an annoyance, when financial institutions’ online presence experiences an outage, their customers can find themselves
unable to make payments. Not only is this terrible for reputation (and business), it can put customers at risk.
D’Silva observes that “as long as we have a dynamic environment, in which manual error or external shocks are possible, downtime, no matter how remote or diminishing the likelihood, is a reality that institutions need to plan for.” Managing this risk is
therefore of the utmost importance.
The potential for zero downtime is available to us now, argues Marsh-Bourdon, however, applications need to be architected for zero downtime. “That doesn’t mean just the business logic itself, but also how an application is built and deployed. Leveraging
patterns such as blue/green deployments not only allow for zero (or minimal) downtime, and it also provides a resilient pattern for roll-backs, should a release not go as planned.”
Bittner furthers that cloud data centres and services offer the advantage of a 24/7 and high availability – 99.9% of the time. Furthermore, he notes that there is no need for a downtime window for maintenance work and updates are carried out seamlessly and
on a rolling basis.
While achieving zero downtime (or getting as close it as possible) should remain a fundamental objective for financial institutions hoping to perfect their cloud delivery, risk management and smoothing out deployments go a long way toward developing a resilient
strategy that is sufficiently robust to weather unexpected events, and the integration of new technology.