The DevOps field (and we at Metrist) have always realized how important reliability is. But according to Information Week, governments in the US, UK, and EU are now also starting to recognize the importance – and develop legislation to support it.
But while all three governing bodies are pushing to develop or expand current legislation to cover cloud providers, they are taking different approaches to such “reliability regulation.” In our opinion, some of these approaches are smart moves that benefit the industry, while others are questionable.
We’ll explore some of the advantages and challenges presented in these proposals in this article. All three of these governing bodies recognize the importance of the public cloud in the infrastructure of their societies, although each is seemingly at a different stage in regard to urgency, and each has a slightly different set of priorities.
Three Governing Bodies, Three Sets of Priorities
The way to start evaluating the legislation of these governing bodies is to look at their seeming motivations, such as security, data transparency, and protecting financial institutions.
- The EU is developing the Digital Operational Resilience Act (DORA) in order to protect financial institutions in the event of a severe cyberattack. Financial institutions that employ cloud services to build their products must ensure that their cloud providers meet the security standards as defined by DORA so that they will be resilient in the case of a “severe operational disruption.” Due to the comprehensive nature of the proposal, it may take years for it to be finalized as law.
- The UK generated a proposal that deems cloud platforms “critical” services – especially as they relate to the financial system – that should be regulated. Notably, the regulators want to make it possible to “request information directly from critical third parties on the resilience of their material services to firms, or their compliance with applicable requirements.” This is an important measure to take, so important that Metrist essentially does this for its users – without needing regulation to force third parties to divulge the information.
- The US began its initiative to classify third-party cloud vendors as systemically important financial market utilities (SIFMUs) under the Dodd-Frank Act. The move began in 2019 after Capital One’s (AWS-supported) data breach and was furthered in the Data breach Federal Secure Cloud Improvement and Jobs Act of 2021. However, third parties were still not classified as SIFMUs under the most recent act. Interestingly, the proposal not only covers the government’s use of cloud platforms but also “financial markets” (like Capital One, which is famously on AWS). The laws essentially seem to want to find a single party, other than the banks, to blame for bank downtime.
With these priorities in mind, it’s interesting to consider the implications of the legislation, especially when it comes to financial markets in the US and UK.
US & UK: Reliability Blame Game?
Both the US and UK seem to want to ensure the stability of financial markets and institutions. But while the UK seems to want to require and standardize data transparency (good), the US seems to want to pin the blame for reliability failures squarely on the third party’s shoulders.
This approach may come from a simple misunderstanding of how the platforms work. For example, US congressperson Velazquez talked about a “Microsoft Azure failure” in reference to the issue, when in reality it is very rare for an entire platform to fail. Usually, parts of the platform fail, such as individual regions and/or products.
Because only parts of these platforms fail, banks could realistically engineer their systems to maximize reliability, such as hosting their software in multiple regions, rather than one. As a result, banks and other institutions are also responsible for maximizing their own reliability – it’s not only the responsibility of the third-party vendor.
The US legislation also appears to place the blame on third parties and hold them liable for reliability failures, rather than factoring in how the banks/institutions utilized the third parties. Essentially, both could be at fault, but only one is held liable.
Cloud vendors do have outages, but the big three are highly reliable, and there are well-documented ways to be resilient to regional outages. So maybe regulators should regulate how banks use these systems and build on the cloud, rather than regulating the cloud platforms themselves.
Other US Proposal Issues
In addition to determining the liable party in the case of an outage, there were some other issues that arose with the US legislation pertaining to security, customer confidence, and general technical misunderstandings.
- Security in the hands of vendors. The US proposal indicated that security is included in reliability. However, it is potentially dangerous to make AWS/Azure/GCP responsible for the security of customer systems, because the largest security implications come from how the bank’s systems are architected and access is managed, not through how these cloud platforms are built. So the systems are as secure, or insecure, as the customers want them to be.
- Consumer confidence claims. Another dangerous aspect of the US draft is that it drives regulation based on consumer confidence in the cloud. One reason this approach is a problem is that it continues to ignore the fact that financial institutions could architect for better reliability. Another important reason is that consumers’ opinions on the cloud do not equal reality. For example, since AWS is the most talked about, consumers may perceive it as being unreliable. However, this perception is not true because Metrist data indicates that it is actually the MOST reliable of the “Big 3.”
- Technical misunderstandings. As mentioned previously, there may be an overall misunderstanding of how these platforms work. Platform failure is rarely “all or nothing.” Understanding how these systems work could inform better policy.
Despite the issues mentioned, the proposals being developed have many good, important components which deserve support. But perhaps simple (even standardized) data transparency on the part of third-party vendors could eliminate the need for such regulation/legislation.
Overall Takeaways from the Proposals
Legislation exists to ensure the reliability of electricity and (to an extent) the internet, so perhaps regulating the reliability of third parties has precedent. However, can one hold an electricity provider responsible for not having light if the power went out and one didn’t have a candle, flashlight, or generator? Or blame them if the house lost electricity but the outage was due to faulty wiring?
On the other hand, we fully support standards and visibility for third parties. Customers both need and deserve this. And with better visibility, regulations like the ones being proposed may not be necessary. But this visibility is not always easy to provide (or receive).
That’s one reason for Metrist. Before any legislation requires third parties to disclose their data, we already have it – in real time, delivered to customers as soon as they need it. We want to promote visibility for all, now, because we all need and deserve this important information not only for business but for a well-functioning society.