Cloud computing has transformed how enterprises operate. However, new risks are emerging as cloud adoption accelerates.
Recent cloud failures by notable cloud providers have raised questions about the operational resilience of the singular cloud model. Regulators and IT leaders are increasingly concerned that critical systems could fail if they rely on a single cloud provider.
How can enterprises reduce cloud concentration risk?
In this LinkedIn Live discussion, Yellowbrick’s Mark Cusack, CTO, Umair Waheed, Head of Product Marketing, and Heather Brodbeck, VP of Revenue Operations, examine how to minimize cloud concentration risk and maximize the benefits of cloud migration by taking a multi-cloud approach.
All right, here we are. Hi everyone. Thanks for joining today. I’m Heather Brodbeck. I am the VP of RevOps with Yellowbrick and we’ve got an exciting topic today and some great panelists to discuss with us. So we’ll be talking about a multi-cloud approach to minimize concentration risk.
I’ll introduce our panelists here first. So first we have Mark Cusack, he’s our CTO at Yellowbrick. He’ll share insights of his 20+ years experience in the data warehousing industry, and Umair Waheed, who’s our VP of product marketing, also 20+ years of experience helping organizations build data warehouse and analytics solutions.
Also, you can submit questions as we go and when we get to the end, we can try to field some of those for you if we don’t get them answered throughout. So I think we will go ahead and just get started. So Mark, we’ll kick it over to you first. Can you just give us a simple explanation for the group on the concept of cloud concentration risk?
Absolutely, Heather. Well, cloud concentration risk really refers to an over-reliance on a technology from a single cloud provider, or in fact a single SaaS vendor as well. And because deploying a single solution in one cloud can kind of lead to single points of failure and reduce system availability. And if you look at over 2021, both you know AWS, Azure, and Google Cloud as well as SaaS providers that put all their eggs in one cloud provider basket suffered outages and this really had an impact on their customers’ ability to do business.
Great, thanks. And Umair, could you add maybe just some insights into what sectors are maybe most concerned with this type of risk?
Yeah. In theory, cloud concentration risk applies to any sector that has national infrastructure or some criticality. But right now the focus is pretty much coming from the regulators in the Financial Services sector. So SCC, FINRA, the UK Financial Services authorities are really leaning in on this topic right now; getting slightly worried about what the dangers are of over-reliance, as Mark said, on a single cloud or a single vendor.
Okay, great. So maybe you can give us a little more specifics about that then. So when we talk about risk factors with a single cloud provider, can you maybe give some examples, maybe some focus in Financial Services where we’ve all seen some of these risks come to fruition? And either one of you, Mark or Umair, whoever wants to jump in.
Yeah, I mean I’ll chime in first. I think cloud concentration risk from a Financial Services perspective is particularly concerning. Not only if a single organization, a single bank puts all of their critical analytics and operational infrastructure in one cloud provider, but there’s a broader systemic risk to the financial system if all Financial Service institutions put all of their services in a single cloud provider as well. You can think about the risk to critical clearing, settlement, and payment systems if all of these banks are using the same cloud-native services, for example.
Yeah, you can imagine what would happen if people can execute trades and settle trades. Or we’ve seen situations in past years where at Christmas time people couldn’t receive their paychecks on time or couldn’t process payments. And that obviously leads to a lot of pain for individuals. But as a whole, imagine if businesses couldn’t pay each other for a period of time. That would cause all sorts of contract disruptions and disruptions in the market and supply chain, and really impact the way that businesses operate or don’t operate. But they’re also regulatory concerns as well in terms of just needing to be compliant.
Yeah, I’d also add this. I think another risk as well about the buildup of data over time in a single cloud provider. And that makes it harder to move away even if you wanted to. There’s a certain amount of inertia that builds up as your systems and infrastructure and data estate grows in one cloud provider. And I think you enter into this kind of vicious cycle where the ecosystem gets increasingly entrenched with a particular cloud provider and it becomes difficult to make and de-risk decisions moving forward as well.
Okay, great. So maybe just to build on some of that regulatory piece. So just briefly explain the importance of compliance and what is the engagement; or what does that look like between cloud providers and regulators, and really what’s expected of companies going forward with this?
One of the things that I think regulators are concerned about today is also the transparency of the technology and the stacks and the processes and organizational makeup of banks that deployed their infrastructure purely in one cloud provider. There’s potentially a lack of transparency, it’s more difficult for regulators to go in and do the auditing that they need to ensure that bank’s critical systems are going to remain online and available to process all of these critical tasks that Umair referred to earlier.
And the regulators have put the onus on Financial Service institutions to prove that they’re able to operate in the most difficult of circumstances, and that includes when cloud services potentially down. Financial Services were late to the party in terms of adopting cloud services because of some of these risks and the lack of control that you have. It’s not your service, you are relying on multiple layers of services provided by these operators. It could be the simplest misconfiguration in the cloud that causes a massive cascade of outages to other services. And it might only be a fraction of a 10, 15-minute outage, it might be a 10, 12-hour outage. But the knock-on impacts of that are huge.
And we’ve already seen examples of institutions that have been fined by their regulatory authorities for not being able to deliver compliance reporting on time and as a result of some of these systems not being available. And those fines can run into millions of pounds as well, millions of dollars. So some major impacts of not being able to report liquidity positions or standard compliance reports, compliance submissions that organizations are required to submit to their regulator.
And just to build on that as well, I think I was speaking with one New York-based bank quite recently who was telling me that the Federal Reserve Bank and the New York Department of Financial Services are recommending that it’s best practice to follow a multi-cloud approach to avoid these kinds of issues. But what’s also really interesting is this bank believes that within the next two to three years, this is going to become a mandate from regulators. That it’s not just a recommendation, you’ll be required to take a multi-cloud approach to how you support these critical infrastructure systems.
Okay, thanks, Mark. That’s a good lead into the next question I have here. So now that we understand the risk and what it’s about, how do companies avoid that risk, and what’s the best approach that they should be taking forward with it?
Yeah, and if I think about how they can start to avoid this risk, they obviously need to take a multi-cloud approach from the start. Which actually can be very difficult because often, as I mentioned earlier, banks get entrenched in a particular cloud provider, but they also need to start to think about how they can broaden their solutions and take advantage of similar technology stacks that are available in different public clouds.
One of the big difficulties in avoiding these risks is getting locked into a particular technology stack or way of doing things with a particular cloud vendor. And so what you really need to look at is how you can take advantage of the same skill sets you have in your business today and the same technologies in the broader ecosystem that work the same way on different clouds so you can help to reduce this risk.
So rather than getting locked in one technology stack or one provider look at, I would say third-party providers that provide the same features and functionality and capabilities that can support your needs on all clouds, you’re going to reduce the barrier for migrating and using all of these different cloud providers.
Okay, great. Thanks. For me, in my past life working at a bank, one of the things that I was always concerned with was the cost element of this and what does that look like going forward. And when we start talking multi-cloud, to me it sounds almost like building cost, right? So can you guys talk a little bit about what that cost looks like as we think about multi-cloud?
Yeah, and I think we’ve got a little graphic which in kind of second-grader math kind of talks about this stuff. And I know Heather’s like itching, but where’s the spreadsheet? Where’s the data? This is just a really simplified example of some conversations we’ve had with a particular customer where they had a particular run rate in the cloud in terms of on-premises of their analytics solution.
In this case, we put it down to seven and a half million. Obviously, these numbers aren’t real, but in the right ballpark. And they moved that service out to the cloud now costing them $5 million a year. Great, they’ve had a two-and-a-half million saving year on year and that’s going on ongoing. And now later in the game, they’re having to consider this multi-cloud approach and at the very least they’re going to be doubling up on their costs. And we’ll talk a little bit more about that in the second. So they’ve gone from their $5 million in the cloud potentially to $10 million across two clouds. And so they really wiped out, reversed that saving.
And that’s a major challenge. And that doubling of cost is kind of an underestimate I think actually, when you think about running and managing two different services. And if you lean on some of the cloud-native capabilities in each of these providers, they’re completely different solutions. Requiring completely different management. So that’s probably more than double because you’re having to rethink and then put in layers on top to harmonize and make sure things are working.
Then of course test all, test it all, make sure it’s all working because none of those vendors are working together. You can have to pull all that together yourself. And one of the things that we do with Yellowbrick – and I think Mark’s touched on this a little bit – is that we have the same solution that operates in multiple clouds. So it’s exactly the same service that runs in Azure, as runs in GCP, as runs in Amazon Web Services.
So we are a more efficient solution which results in overall lower costs. But when you’re doubling up, actually the effort required to do that is particularly low. So even if your run cost is doubled – and I think again that’s probably an overestimate because there are ways to optimize that – then you can run the same service anywhere in both locations with low effort and really maintain some of those cloud savings, not lose them.
So part of this is around what Mark was saying about planning for cloud – you plan for it, that’s great. But if you haven’t planned for it and you need to think about what you’re going to do in this space, and try and maintain those savings that you’ve gained by moving to the cloud, talking to us is obviously one way to do that.
And just to add to that. Obviously, Yellowbrick provides a data warehousing solution that as Umair says, runs the same in all of these different clouds and even on-prem. But of course, I think it’s a broader problem than just data warehousing itself. You have to look at the broader analytical ecosystem and the costs and challenges with expanding and broadening up. And many banks today and Financial Services are in some cases on an early journey to the cloud, they have on-premises data warehousing that they’re interested in modernizing as well. And there’s a broader ecosystem around that. If data integration tasks of legacy, data pipelines that are feeding data warehouses and downstream business intelligence, tooling and reporting, and other applications that are feeding off that entire chain.
And so, one of the things I think that’s important is also how can I move to the cloud or move to multi-cloud without massively disrupting all of this sort of connective tissue around my data warehouse and around my core data estate as well. And so I think it really does pay to look for third-party vendors, again, not just out in the data warehousing environment, but in the broader ecosystem that runs the same on every cloud and even on-prem because you’re really helping to reduce your risk and not doing a “boil the ocean” exercise of trying to integrate and provide the same level of services at the same time to everywhere. You can do it piecemeal where there’s much lower risk.
And I think it’s an element of control there as well. You are absolutely right Mark, just to talk about the fact that cloud concentration risk is a broader topic than data warehousing and analytics. When you’re talking about virtual machines where you are installing software and you are more in control of the domain, it’s almost easier to manage that risk. The great thing about the cloud is these managed platforms, these SaaS solutions and PaaS solutions which save you the effort of management, give you that agility, those cloud benefits of elastic scale on all goodness, there have been not having to manage anything, manage as little as possible.
But when you are using one of those platforms, there is an element of loss of control. So you’re not in control of what those guys are doing, what software they’re using. The protection’s great, you can audit them and can, I’m sure we can all of them have processes where you can go in and really get deep into their operational practices.
But technologies like Yellowbrick that are built to deploy across multi-cloud that give you that transparency with everything on your side of the fence effectively with no Yellowbrick layer between yourself and your data actually provided differentiate capability. I think the data warehousing analytics specifically around cloud concentration risk.
So maybe we can talk a little bit about what are some of the benefits or new use cases that are opened up with a multi-cloud option that organizations may not have today?
Yeah, we’ve talked a lot about the challenges and the risks associated with it, but there is opportunity there too. And I think, you look at the ability to start to factor in data sovereignty, governance, latency requirements that maybe it makes sense to have data within a certain cloud provider. And not to mention, the cloud providers themselves provide different native services that some may be better at doing than others. And you might start to build up a best-of-breed multi-cloud capability by combining services across different cloud providers that you couldn’t do before and that actually could provide some level of competitive advantage. You might be using your data factory for some of your pipe-lining and job orchestration sides of things, but then you might want to use SageMaker for machine learning or Glue for some of the cataloging side of things.
And so you can start to build up an idea of how you can combine these things together to get more value out of them. And another area I think is really of interest as well is, starting to think about how you can integrate data across different cloud providers. So to give you an example, with Yellowbrick, you could have some capabilities, some applications running on Yellowbrick on AWS, integrated with some capabilities running on Yellowbrick in Azure. And you might want to do that for data sovereignty reasons. But you can start to federate that data together, replicate between these two instances. So you not only have resilience and availability, but you can choose to provide low latency access to applications in one case, granular access to data in a particular geographic region, but then aggregate access across regions, and so on and so forth. So I think there are value-added ways of combining data that you couldn’t do before without a multi-cloud strategy.
And I think multi-cloud is going to become even more important as those different cloud service providers start to innovate in different areas. And you’re going to want to be part of some of these ecosystems that are cloud specific. So the traditional one as being Google, has being great at Google Analytics in the marketing, advertising ecosystem and reporting around that. Amazon has a financial services data product. Azure’s been doing a lot of work around their genomics and healthcare and life sciences. So whatever industry you’re in, you’ll probably want to be part of the multiple different ecosystems that are growing on each of these cloud vendors that are providing higher value-added levels of service. So yeah, I think multi-cloud for a number of reasons is going to be the way forward in the future.
Okay, great. Thanks. And I know we touched on this a little bit before and I’ll just remind everybody, if you do have questions, go ahead and put them in the chat and I’ll have a cue for that if we want to go over those.
But one of the things that like in my past work was always something I was thinking about was whenever we’re going to make a big shift or change in our infrastructure, it was really about how do we get started. And I think the places I’ve worked – and I think this is true for a lot of places – you almost “boil the ocean” because you want to take everything into account as you do that upfront planning. And working at Yellowbrick and being on some of our calls with our customers, with Mark, and learning what their challenges are and how they’re thinking about it, I’ve learned a lot about this “start small and expand” approach, which I think is the most really low-risk way to go about it.
Obviously, you want to have the broader understanding of what your end goal is. Mark, maybe you could talk a little bit about how do organizations get started with this. Because I’ve learned a lot, honestly listening to you on calls with different customers of ours.
Well, I think part of it is good old fashion program management and project management around identifying what are your priorities here? What are the most critical applications and infrastructure that you need to provide multi-cloud access for? And then start to plan the end-to-end two or three or whatever use cases that you can prove value out of this.
And not just taking a, like you say, a “boil the ocean” approach to it as well. I think that’s probably one of the standout areas for me. But what I find is really interesting talking to a lot of customers is, sometimes you don’t have the benefit of starting from a blank piece of paper to go from a single cloud to a multi-cloud perspective. We see a lot of banks that go through acquisitions and have multi-cloud forced on them because another bank that they’ve acquired runs on AWS there and Azure shop for example.
So to some degree, you are forced into that. I remember I used to ask customers years ago, “Which databases and data warehouses do you have?? And the answer from every major bank was, “We have all of them.” And I think that’s where we’re going to get to in a multi-cloud stance.
Or I’ve spoken to a very, very large financial provider quite recently that was all in on AWS. They were going to move 50 petabytes of their most important structured data and leave it in AWS. Now they’ve reverted to, “Hang on, we need to look at all three clouds and think about how we’re going to share and spread the risk there.”
Yep, yep. Great. Well, thank you. Well, since we have no questions from the group that’s on, I’ll just say if you do have questions in the future, you’ve got our contact info here. Feel free to reach out to any of us on LinkedIn. Happy to further the discussion.
So just to wrap it up, so we learned about what is cloud concentration risk, what is a multi-cloud strategy, and learned a lot from Mark and Umair here on regulatory and compliance requirements and what to really expect going forward.
Thank you all for your time. And yeah, anybody on here, if you want to reach out to further the conversation, just go ahead and do so. All right, thank you.