Cloud is now ubiquitous, but not all clouds are the same. In this blog we will look at the different types of cloud – Private, Public, Hybrid and Multi-Cloud, and think about their suitability and use in financial organisations.
Private clouds are facilities created for a single organisation: they may be provided as dedicated infrastructure and services by a cloud provider (e.g. HPE or Dell), or sometimes built internally by re-purposing tech that is already present in the company’s data centre.
If built internally, private clouds are challenging to construct and support. Specialist staff are required to build out the cloud, the internal pricing model must be well crafted to encourage adoption, and then the organisation needs to accurately predict its capacity needs.
Public clouds provide extensive IaaS and PaaS services at huge scale and globally, with the services offered on a multi-tenant basis, sharing the underlying hardware infrastructure across many companies and individuals.
Services are accessible via the internet, immediately available for use and have clear, “opex”-style pricing models. Pricing typically includes both charge-for-use (‘on-demand’) and discounts for long-term use (‘reservations’).
Availability, performance and durability are critical features for public cloud providers, and as a result services are usually far more reliable and performant than companies can create internally. Additionally, providers invest heavily in security and compliance features, and are certified against stringent industry standards (e.g. PCI DSS Level 1 for payments; ISO 27001/02 for security etc.).
AWS has consistently been the market leader with Microsoft Azure second. As the hyperscale providers have grown, smaller providers have either consolidated or pivoted to offer supporting services rather than cloud itself, leading to AWS, Azure, Google (GCP), and Alibaba being the dominant suppliers.
Public cloud is now used extensively, as shown by the 2019 RightScale State of Cloud report.
This is true of enterprises (1000+ employees) as well; of the respondents who were enterprises, 38% spend over $2.4M annually and 50% more than $1.2M.
Hybrid cloud aims to leverage the features of both private clouds (or other company owned infrastructure) and public clouds.
Organisations establish a private connection to the cloud provider, ensuring both consistent latency and more security for data in transit. Systems deployed to the public cloud typically run inside private networks (e.g. VPCs for AWS) that have no (or very secure) connections to the internet, so the public cloud is essentially an extension of the organisation’s own network, but with access to the provider’s services.
Some cloud providers offer hardware appliances (e.g. AWS Outposts, Azure Stack) that can be installed on-premises, bringing cloud services into an organisation’s own datacentre as an alternative to other private cloud approaches. This can help alleviate issues with hybrid cloud where the different technologies available in private/public clouds cause challenges in integrating systems between the environments.
Hybrid clouds can often lead to a deep integration with the selected cloud provider (public or private), which can have unintended consequences:
- Large scale temporary failure of provider services can result in the organisation not being able to offer its own services to its customers (e.g. Open APIs, Apps etc.)
- Providers may have particular specialisms (e.g. AI), so using only a single provider could lead to sub-optimal solutions being created by an organisation for its customers
- As with any vendor, tight coupling to products and services makes switching expensive and challenging, which in turn makes contractual negotiations more difficult
Multi-cloud strategies aim to mitigate these downsides. By having contracts in place with several providers, switching becomes easier (if required), whilst business continuity planning is simplified.
Amongst enterprises this is a growing trend.
Solutions either use a specific provider to leverage their specialist features (perhaps AWS for ‘burst’ computation, or GCP for AI-driven business insights), or are designed to be able to run on all providers (often using containerisation techniques such as Docker containers and Kubernetes clusters as these are available on all public clouds).
With the latter approach, a further benefit is the extended global reach offered for deployments, as each provider has different datacentre location strategies. However, managing technical inconsistencies between providers can be a major design challenge and, once in production, ensuring data consistency can be both complex and expensive.
How to choose the right approach
Within an overall cloud strategy, financial organisations need to adopt a risk-based approach based on the processing, locality and data requirements of each solution, and this is reflected in guidelines issued by regulators (e.g. EBA, revised Feb 2019).
Public clouds are a good choice when delivering non-critical solutions for a single country or jurisdiction that involve non-confidential data.
Where more sensitive data is processed by non-critical solutions, public cloud can still be a good choice, but more thought must be given to data security. Factors such as appropriate data encryption, locality, access management and monitoring are important, as is how the data will be deleted when the solution is no longer required.
A hybrid or multi-cloud approach is likely to be expected by regulators for solutions performing critical functions, intended for global use, or those containing confidential or restricted data from multiple countries. Due to the additional data security concerns and potentially contradictory regulatory requirements, such solutions will likely be designed to facilitate an incremental jurisdictional roll-out, so that any issues with a single regulator do not derail the entire delivery.
Finally and inevitably, there will be some functions that are so critical (or for which the journey to full regulatory approval is so onerous) that private cloud represents the best option.
We have taken a look at the various types of clouds and their features, as well as considering how to select the appropriate cloud model for different kinds of applications.
With strong resiliency and security, public cloud is generally the best choice for many, if not most, applications.
For critical, high-risk functions, a hybrid or multi-cloud approach is still likely to be possible, if the solution is appropriately designed, allowing organisations to take advantage of cloud features and economies of scale.