Is Amazon’s cloud service too big to fail?
Source – fnlondon.com
Gavin Jackson, head of Europe, the Middle East and Africa at Amazon Web Services, loves to talk about snowballs. Not the lumps of mush and ice that children chuck at each other, but Amazon’s portable information storage devices, big grey suitcases that hold huge amounts of data.
When clients such as banks sign on with Amazon Web Services, the ecommerce juggernaut’s cloud-computing service, they upload encrypted data from their old legacy IT systems into the snowball, or the larger-capacity snowball edge. These are then shipped to an Amazon data centre where the data is transferred into the AWS cloud.
With AWS’ customer base growing almost exponentially, however, a 50-terabyte snowball was no longer cutting it. “Even that wasn’t [big] enough for some customers,” Jackson explained in an interview at AWS’ office in Aldgate. Responding to the demand, Amazon created much, much larger storage devices and mounted them on tractor-trailers. Naturally, they call them snowmobiles.
“It’s a purpose-built container on a truck,” said Jackson. “It’s data centre on a truck, so you plug the snowmobile into the customer data centre. It gets encrypted, ingested, shipped over to our data centres and then uploaded and encrypted again.”
Since AWS’ relaunch in 2006 (its origins go back to 2002), the cloud provider has taken the tech world by storm, becoming the industry standard and attracting deep-pocketed rivals such as Microsoft to introduce competing services such as Azure. AWS counts Nasdaq and 100% of the Fortune 50 companies as customers. AWS’ revenues were $14bn this year, a significant increase from last year’s $10bn.
As financial services has become increasingly digital, it too has joined the cloud, albeit haltingly. But with a raft of tier-one banks on AWS’ platform, including Citigroup, JPMorgan, HSBC and even regulators themselves such as the Financial Conduct Authority and, in the US, the Financial Industry Regulatory Authority (Finra), regulators have expressed concern that the financial sector has concentrated too much of its resources in a small number of providers.
Their worries are painfully reminiscent of discussions ensuing from the financial crisis: Does the dominance of AWS, and to a lesser extent, Azure, represent a systemic risk? Are they too big to fail?
The future at a snail’s pace
From the first stock ticker in 1867 to the Monroe Bond Calculator to algorithmic trading, technology has long been at the core of modern finance. Banks are nothing if not conservative, however, and their move into the cloud has taken quite a bit of time, Jackson admitted. “If it’s revolutionary, it’s been a slow revolution”, he said.
It has been a similar experience for Richard Peers, director financial services industry at Microsoft. Even a few years ago, banks were not interested in having their systems online. Getting banks signed up to run their systems on Azure, Microsoft’s cloud software, was “frustrating”, he admitted. But today, Microsoft Azure has signed up 85% of systemically important banks to its platform, including firms ranging from old hands UBS to new challengers ClearBank.
The rapid expansion of the two cloud providers had not gone unnoticed by regulators. In June, the Financial Stability Board raised concerns around the potential threat arising from banks’ use of third-party providers “especially in the area of cloud computing and data services”.
‘The moment that there is a security flaw or an availability flaw within the Amazon fabric, for us that is a catastrophic failure’
More recently, one person familiar with the regulator’s thinking said that the FSB was unsure whether systemic risks could emerge because of cloud providers, but added that it was “certainly looking” as to whether or not “there could be risk” of these providers becoming too big to fail.
The FSB has also urged local regulators to assess whether tougher rules are needed. One of the biggest problems financial watchdogs face is a lack of data in this area, the person said. In the future, they added, banks could be required to list the third-party providers they use, to give insight into possible systemic risks.
Ironically, banks often feel more comfortable using software from fintech startups precisely because they are reassured by the security records of AWS and Azure. FN surveyed over 40 fintechs in London on which cloud provider they use. The vast majority of fintechs are using AWS, while the remainder uses Azure. Only three used a combination of the two providers.
But Ankur Modi, CEO of cyber security startup StatusToday said that even AWS is not invincible. “We all assume their infrastructure cannot be breached but it can go down,” he said.
Javvad Malik, security advocate at AlienVault agreed, and said that while many entities trust Amazon, “it doesn’t offset the risk that a company faces when they put all their eggs in the Amazon basket”.
Hey, you, get off of one cloud
The solution is not as simple as ordering financial services firms to diversify the providers they use. The nature of services like AWS and Azure makes changing providers both challenging and costly — not only are clients paying for online storage space, they often also rely heavily on a myriad of products and services built into their respective provider’s platform, including analytical software, security software, artificial intelligence and machine learning tools. As a result, these platforms have become as much a part of the fabric of their products and services as the programming languages they use.
The difficulty of switching providers is a “real issue”, admitted Microsoft’s Peers. Jackson said AWS is frequently asked whether banks or fintechs should use two or more providers, but he said this is an old-fashioned way of looking at today’s cutting edge cloud computing.
“We think that notion comes initially from technology companies of another era — where some database software companies had more of a hostile approach to how they serve customers — and this concept of a ‘lock-in’,” he said. He insisted it is not hard for customers to leave AWS, and that the products and services within their ecosystem are built on so-called open standards, which developers often produce collaboratively and which can generally be adopted freely by anyone, without charge.
“A lot of our services are based on open source [software] so you are not locked into proprietary technologies. We want you to be with us because you want to be with us, not because it’s hard to leave.”
Many banks and other clients are coming around to the idea of just using a single cloud provider, Jackson said.
Andrew White, co-founder of FundApps, said the majority of financial institutions that have chosen AWS find it “very comforting… that we are an AWS shop”. He added that “certainly no one is insisting we run on both [AWS and Azure]. “They are both so different that it would pretty much require near duplication of all operational infrastructure and staff and would be a nightmare for any company, large or small.”
Charlie Henderson, co-founder of Feedstock, said he often tries to persuade banks to use AWS, because that is the system he built his business on. “[Otherwise] you have to rebuild it to [match] Azure, which is very costly.” He added that running all of a company’s products or services on two or more cloud providers would be cumbersome.
“As you grow the business, it means you have to maintain two systems”, which he said “is obviously a pain”. But Henderson pointed out that it can depend on the size of the contract. He added that he could run on different systems if it were deemed absolutely necessary.
Credit Benchmark, a financial technology company, took the maverick path of using neither AWS nor Azure, opting for a third provider, CenturyLink, instead. Donal Fleming, the company’s chief technology officer, described embracing the more prominent platforms’ ready-made solutions as a trade off.
“[These] things will make your life easier… but then it will be harder to move providers. It’s the classic [thing of] being locked into a technology.”
For banks that have decided a single provider is the best route to take, the question of how they prepare for a possible outage or security breach looms large. AlienVault’s Malik argued for the existence of a serious weakness that lies outside of the cloud provider’s infrastructure — namely whether banks’ IT teams are up to date with the latest cloud technology. He described a “distinct lack of actual cloud expertise” and he said that where there is a knowledge gap, “there’s definitely a risk”.
“Amazon is responsible for the cloud, but all the client encryption, the data, that’s all the customer’s responsibility,” Malik said. He described a persistent thought process that is “wrongly embedded” among bank management: “‘We put it on Amazon so it must be secure.’ But that doesn’t look after your firewalls, your operating systems and how you can configure your database.”
AWS’ Jackson also raised the question of the customer’s responsibility for security. “If you are architecting your applications for a single data centre in a single availability zone in a single region, then you could argue there’s an accident waiting to happen,” he said.
Jackson insisted Amazon it does not actually see any of its customers data, which Henderson said is “perfect” for fintech founders when they sell products to banks.
READ An audience with Spencer Lake: Goodbye HSBC, hello fintech
Jackson added: “The data always rests with the customer so they have complete access to how they set the rules, where they want to store their data, what country that want to store their data in, what region and everything else. They have control over their data at all times.”
As far as Amazon’s own infrastructure is concerned, Jackson said there is no issue. AWS has data centres in multiple counties and multiple regions across the world, he argued, and said clients can put the data anywhere they like and have it replicated in different centres to ensure their data is safe. Though he refused to disclose how much Amazon is investing in security, he was keen to point out that in the 11 and a half years since AWS’ relaunch, the company had an “unblemished security record”.
‘If you are architecting your applications for a single data centre in a single availability zone in a single region, then you could argue there’s an accident waiting to happen’
“We have an entire business that is built on trust. The moment that there is a security flaw or an availability flaw within the Amazon fabric, for us that is a catastrophic failure. I can pretty confidently say that I don’t think that there’s any other company on the planet that has as many people thinking about security every day.”
However, critics argue that no service is outage-proof, and point to the havoc wreaked when an AWS S3 outage in February 2017, caused by human error, shut down a number of sites, including Business Insider, Quora, Medium and even AWS’ own dashboard, for several hours.
All together now
Microsoft’s Peers says concentration risk is a “genuine issue”. “I don’t think you can have the world’s financial systems in the hands of one bank or on one cloud provider. It seems completely incomprehensible to think that a Microsoft or Amazon would ever disappear but you can’t allow for that possibility.”
Peers said the risk analysis has to be “proportionate”, arguing that for critical financial infrastructure such as the Swift payments system, systemic risk needed to be considered. “If a small fintech is 0.01% of the balance of the UK’s payment, is it really important that they run on two platforms? Probably not.”
Another concern voiced by Malik, and echoed by regulators, is that some banks outsource the management of the AWS accounts. “That’s fine in some cases, but again, you are adding another third part to the chain. It can be misunderstood in that process.”
A person familiar with the FSB’s thinking said that while outsourcing in itself is not an issue, “it can introduce new complexities”. This person added that “there’s often a human element to [things that go wrong]”, and said that the more people are involved, the more risks you have.
Despite reservations in some quarters, the financial sector’s move into the cloud continues to accelerate. According to Jackson, there is “massive appetite” from financial services to move to the cloud.
“The pendulum has shifted from, ‘How do I think about security in the cloud?’ to, ‘I have to get into the cloud, because of security’. That’s the biggest shift we have seen,” he said. And although moving legacy systems to the cloud is not easy, banks are encouraged by the fact that it is a one time job. “And once you are done… you are free to go and act like a startup. ‘Freedom’ is the word we use most often”.
AWS’ overall customer base is currently several times larger than the next 14 providers combined, and according to Jackson, this is because Amazon had a six or seven year head start on its peers. “We fully expected — and now it’s coming true — that there are other players in the market. We don’t think there will be 30, we think it will be a fewer number than that.
“It’s a multi trillion-[pound] market now. [We are] big, but it’s still so early.”