AWS outage serves as a stark reminder for banks not to put all their resilience eggs in one cloud
In the latest of a series of high-profile technology outages, market-leading cloud provider AWS experienced a major outage on Tuesday evening. Its own website, Prime Video and services like its Ring security cameras were affected. Given that over a third of the internet runs on AWS, far ahead of rival providers like Google and Microsoft, the outage also affected competing services, such as Spotify and Netflix, which also run on AWS. Whilst the outage seems to have been limited to the US-EAST-1 Region, the blast radius is far wider than that, with issues being reported across Europe too.
In recent years, historically technologically conservative industries like financial services have been moving towards the cloud. Attracted by the promise of resilience, agility, hands-off management of infrastructure and off-the-shelf machine learning/AI services, banks now run 54% of US banking workloads on the cloud, with the UK following closely at 48% (Statista). It is highly likely that a significant majority of them run on AWS - and therein lies the crux of the issue.
According to Gartner, 80% of the cloud market is handled by just five companies - and AWS dominates with 41%. This concentration of applications from hundreds of banks, all running on a small number of third-party providers, poses systemic risk to the financial ecosystem. That’s why UK and EU Digital Operational Resilience regulations include specific provisions for managing this third-party risk.
These regulations will introduce requirements on both financial organisations and critical technology providers (e.g. cloud service providers), with heavy financial and legal penalties for non-compliance. Financial organisations will be required to compile a standard register of third-party technology providers, the services they provide and the critical functions they underpin. This poses significant challenges for regulated providers, including maintaining an up-to-date register of applications, their dependencies and their locations, including how third parties like AWS support critical business services. The regulators also require firms to outline what measures they have in place should a third-party provider suffer an outage, including how they intend to recover between environments. For a practical guide to resilience regulation, download Your DORA Explorer.
These new regulatory frameworks also reflect the spiralling hybrid complexity of the technology ecosystems we now inhabit. That’s why resilience (the ability to spring back), rather than availability (always-on), is now the measure of success and why it’s driving two-thirds of emerging tech investments in 2022.
Learn more about the building blocks of resilient technology estates, and how what Gartner are calling Digital Platform Conductors complement existing technology investments, and enable you to deliver resilience (and value) across your entire hybrid technology portfolio.
You can also read about the resilience implications of the Facebook outage and the Fastly outage on our blog.