Response to consultation on recommendations on outsourcing to cloud service providers
Go back
(1) The nature of the shared responsibility model between cloud consumer and cloud provider and the need for this to be explicit. As firms embark on their cloud journeys, we consider there need to be clear lines of responsibilities, embedded in a very operational way to “mind the gap”.
(2) With cloud, resilience can be achieved in many different ways. Within a single cloud provider with availability zones and the like, and also across cloud providers through architectures that consume multiple CSP offerings and are designed to be fault tolerant. We believe multi-sourcing of CSPs in combination with resilient architectures designed by the institution (who best understand their needs) is good for systemically important services, reduces concentration risk and makes exiting a provider less disruptive. Consequently, we would like to see the EBA encourage this approach through these Guidelines by placing less emphasis on the resilience of a single CSP in a multiple CSP deployment.
Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
Our members would like to see greater clarity around the specific requirements. These points are raised in the detailed feedback and we would encourage the EBA to provide the next level of detail, without losing the overall ‘principle driven’ approach.Question 2: Are there any additional areas which should be covered by these recommendations in order to achieve convergence of practices in the context of cloud outsourcing?
There are two areas which we believe should be covered by the recommendations:(1) The nature of the shared responsibility model between cloud consumer and cloud provider and the need for this to be explicit. As firms embark on their cloud journeys, we consider there need to be clear lines of responsibilities, embedded in a very operational way to “mind the gap”.
(2) With cloud, resilience can be achieved in many different ways. Within a single cloud provider with availability zones and the like, and also across cloud providers through architectures that consume multiple CSP offerings and are designed to be fault tolerant. We believe multi-sourcing of CSPs in combination with resilient architectures designed by the institution (who best understand their needs) is good for systemically important services, reduces concentration risk and makes exiting a provider less disruptive. Consequently, we would like to see the EBA encourage this approach through these Guidelines by placing less emphasis on the resilience of a single CSP in a multiple CSP deployment.