Can Technical Standards Help Cloud Service Providers?

By Sam Tyfield, of Shoosmiths LLP

On 21 November, Waters Technology published an opinion piece on the use by cloud providers of hardware which, under previous policies, would have been retired. They are doing this due to exponential growth in the demand for their services – not profits.

On the same day, it published an article highlighting the work the DTCC has been undertaking with AWS to produce technical standards “to enhance multi-region resiliency”, which were published on 20 November.

While the opinion post can be chalked up to the debit side of the “operational resilience” balance sheet, the publication of the technical standards is potentially an equal and opposite addition on the credit side of that balance sheet.

While the AWS and DTCC report is comprehensive and covers a lot more topics, my focus is on its assessment that resiliency can be improved by:

  • the development and consumption of reusable components and the design of systems to ensure “loosely coupled, independent microservices”, which “minimizes the blast radius of a failure to an individual component”; and
  • the use of idempotent components (i.e. components which, no matter how many times they are duplicated or how many times they receive the same request, always produce the same, single result).

If cloud service providers follow these technical standards, then the likelihood of an obsolete, past-useful-life component being a single point of failure is reduced (thereby allowing providers to use components for longer than previously). However, it will become more important for customers to understand the exact make-up of their cloud providers’ infrastructure and whether they believe it is compliant with the technical standards. In other words, it will no longer be sufficient for cloud users to work on the assumption either that (a) their systems are resilient because they are “cloud-based” or (b) it is not necessary to understand the technical details of their providers’ arrangements.

Regulators will play a particularly important role here. There are numerous examples of speeches and publications from global regulators regarding cloud services and financial stability, but I will pick a recent one. On 18 October, Elisabeth Stheeman of the Bank of England gave a speech at the London School of Economics during which she said “because the provision of these [cloud] services is often concentrated in a small number of third parties, the more important these services become, the greater the threat to UK financial stability if they were to face disruption. This makes the case for greater direct regulatory oversight of the services they provide.” Unless the Bank (or its peer regulators) brings cloud providers directly within the regulatory net, the “oversight” those regulators have must necessarily be indirect, through the regulated users of those providers.