Does the cloud really make digital operational resilience simple?
Last week AWS published guidance for users regarding the upcoming EU and UK digital operational resilience regulations: DORA, currently under consultation by the European Commission, and CP30/19, recently concluded by the UK’s Bank of England, Prudential Regulation Authority and Financial Conduct Authority. The UK’s regulations will come into effect in March 2022 and DORA is likely to follow in 2023, so take a look at our timeline outlining the key requirements and when they are due to come into effect.
Whilst there are differences between the FCA regulations and DORA, both share a common aim: to ensure financial entities deliver robust digital systems, improve choice for consumers and contribute to the overall stability of the financial system. One aspect of this which will be of particular concern to third parties like AWS and their clients is the set of requirements regarding outsourcing and operational resilience.
Cloud and compliance
In their guidance, AWS’ Head of Financial Services Public Policy EMEA Maria E. Tsani notes that "Continuity of service, especially for critical economic functions, is a key prerequisite for financial stability. AWS recognises that financial institutions need to comply with sector-specific regulatory obligations and requirements regarding operational resilience."
AWS’ continuity of service, and hence its reliability, is excellent. The SLA for EC2 Reliability guarantees 99.99% uptime for customers, with credits issued should this guarantee not be met. The distributed nature of cloud computing, combined with the right kinds of monitoring and recovery automation, makes downtime incredibly unlikely.
BUT reliability and resilience are not the same thing. Reliability implies that a system has limited downtime, whereas resilience is the ability of that system, and of those dependent upon it, to recover quickly when failures inevitably occur. And in the complex, hybrid reality occupied by the Financial Services sector, these failures are occurring all the time.
The complex reality
This complex, hybrid reality also raises other problems around ensuring the levels of digital operational resilience UK and EU regulators are looking for.
According to Advanced's Mainframe Modernization Business Barometer Report, ⅔ of large enterprises are still running mainframe apps dating back well over a decade. Andrew Bartels, VP and Principal Analyst at Forrester, says that:
We're talking typically about industries like financial services, insurance, utilities or government as being prime examples of having those applications that were built 30 or 40 years ago.
The scale and complexity of modern technology estates can be seen in the image below, which shows that as businesses transform digitally by adopting new technologies like cloud, they add complexity and put the operational resilience of their business at risk.
So whilst you might have some confidence that your cloud-based workloads are highly available, what about workloads that can’t be, or won’t be, migrated to cloud? DORA and the FCA guidance also push financial service organisations to consider the risks of reliance on a single third-party cloud provider - what will you do with your critical workloads which are running in the cloud in the unlikely, yet still possible, event that your third-party cloud provider suffers a catastrophic failure?
If an application fails, can you guarantee that you can bring it back online? Could you identify the problem, its location and its dependencies, and do your developers have the skills to fix it? Could you quickly and securely fail over from one public cloud to another, should the situation call for it (for example, the need to keep data within a specific geographic region)? Could you automate the orchestration of a workload to move from your private cloud environment to a public cloud one if necessary? These are all questions that complex organisations need to be asking themselves.
The answer: continuous resilience
The kind of resilience regulators are aiming for - continuous resilience - can only be delivered with orchestration: a combination of intelligent infrastructure automation and panoramic observability that provides the control, governance and visibility you need to ensure every part of your disparate technology environment functions in harmony with the others. Regulators don’t just require you to be resilient - they require you to demonstrate how you are resilient.
Find out more about delivering continuous resilience at the same time as complying with DORA and FCA regulations in our practical guide to resilience regulation for Tech leaders, Your DORA Explorer.
Your DORA Explorer summarises the key requirements and how tech leaders can both deliver continuous resilience of their critical business applications and demonstrate compliance across their entire tech stack.