The US Treasury report outlines three main concerns in the cloud sector: concerns over concentration risk with multiple large financial institutions operating on the same cloud provider, exposure and potential threats to these users in case of operational incidents at these clouds, and regulatory fragmentation across the international landscape.

The key focus of the report is not to discourage modernisation and innovation, but to ensure risk is minimised and high levels of security and data privacy are maintained.

Pattni explains that IBM is addressing these concerns by taking an “industry vertical approach,” meaning that the company is building their cloud specific to the security, regulatory and compliance needs of the financial services industry rather than as a general purpose cloud. IBM have done this in partnership with the industry by establishing a cloud council that now has over 130 members from across the financial sector.

He expounds on the concept further: “Rather than putting everything as default on the cloud, we help clients assess the workloads across the dimensions of resiliency, performance, security, compliance and cost and then place workloads where it makes the most sense. That could sometimes be on-premises, it could be on an industry cloud (like IBM’s Cloud for Financial Services), it could be on a general purpose cloud.”

The concept of the ‘Franken-cloud’ emerges as Pattni describes how the multi-cloud approach, if not designed and developed considerately, can end up with lots of different clouds stitched together over time, resulting in inefficiency, potential control gaps and lack of complete observability. He says that the hybrid cloud strategy is the future of the sector, but needs to be established as the target model from the start and then be built to deliver compliance and security policy fully automated as code. An amalgamation of different technologies and strategies that are patched together can be costly and ineffective whilst opening up stitches of vulnerability.

Pattni advises adoption of this holistic approach, where security and control can be viewed through a single pane of glass and the architecture of the cloud is unified and seamless.

In response to the regulatory fragmentation, Pattni insists that to combat the growing complexity of multiple global regulatory efforts, cooperating with financial authorities is essential: “We end up with this intersection of horizontal and vertical regulations, and the way to address it is through collaboration with policymakers and regulators, and working to craft outcome-based regulations or precision regulation that is risk-based, targeted, and can still be pro-innovation. It's like a double-edged sword. Yes, there is complexity and some fragmentation, but you can work together. I think this will become more important especially as you see new technologies like AI and quantum accelerating.”

Pattni observes that there are a great deal of new innovations emerging in the space, such as quantum computing technology, and says that the US Treasury’s report indicates an increase in regulatory scrutiny. He also highlights the challenges of talent for the industry: “I think the final challenge is really around people and skills. You end up needing people with security skills, compliance skills, and different cloud skills in this multi-cloud hybrid world, which is challenging. We want to help the industry by reducing this burden and doing a lot of that work, by building security and compliance automation into the cloud, so each financial institution doesn’t need to do this themselves and ultimately to make it easier to operate safely on the cloud.”

Commenting on future challenges within the cloud sector, Pattni talks about complexity and reiterates that the multi-cloud hybrid world is coming. If an organisation goes down the 'Franken-cloud' route, with lack of observability, differing levels of controls and inefficiency, risk can increase. “I think there's a challenge of complexity, which we have done a lot of work on to simplify,” Pattni says. To overcome these threats, cloud applications need to be precise, transparent, and designed to solve these issues.