Wed, Sep 10

Q&A: Alfa on meeting rising regulatory demands on cloud resilience


In this Q&A, Leasing Life Editor Alejandro Gonzalez (AG) speaks with Alex Barnes (AB), Director of Cloud Hosting at Alfa, about how shifting regulatory demands and increasingly sophisticated threats are reshaping backup strategies.

Under the EU’s DORA and the EBA/PRA guidelines, banks and lenders must treat outsourced digital services as integral parts of their operational resilience, enforcing a full ICT risk-management cycle, from rigorous pre-outsourcing due diligence and detailed contractual SLAs covering data security, audit rights and exit plans, to continuous monitoring, periodic reviews and clear incident-reporting protocols. The rules also mandate regular scenario-based resilience testing, including threat-led penetration exercises, and, for critical providers, direct supervisory oversight to ensure third-party systems can withstand disruption without compromising business continuity or compliance.

Barnes explains how Alfa Cloud’s Data Guardian architecture — with its three-layer approach to storage and recovery — is designed to meet these pressures.

AG: The financial services industry faces increasingly sophisticated cyber threats and stringent regulatory demands. What specific market shifts or client feedback prompted Alfa to evolve its cloud backup strategy and develop the “triple shield” approach with Data Guardian?

AB: There’s definitely an ongoing evolution of ever-more sophisticated cyber threats – not a day goes by without hearing of a new ransomware or attack, often at supply chains.

On top of that, increased regulatory focus – such as DORA or EBA/PRA regulations – means that outsourcing to a SaaS provider doesn’t remove the obligations for continued service obligations for our customers.

We’ve always architected and operated Alfa Cloud, such that we could automatically rebuild any customer’s isolated infrastructure in a few hours, so we recognised that by evolving our backup strategy, we could provide resilience against almost any reasonably foreseeable incident. We decided to make this part of our standard platform at no additional cost to our customers because we consider this to be a critical part of incident preparedness.


AG: Beyond the foundational concept of having backups in three locations, could you elaborate on the technical architecture of Data Guardian? How do the distinct storage locations, the isolated vault, the geo-redundant region, and the separate cloud platform each play a role in mitigating risk, particularly in worst-case scenarios like a vendor-specific catastrophe or a ransomware attack?

AB: Our overall strategy, of which Data Guardian is a key component, is based on considering the worst-case outcomes: What if an attacker was somehow authenticated and inside our network via a phishing attack? What if there was a significant terrorist event or other outage in a particular region? What if the primary cloud platform had an extended, multi-regional outage?

Each of the different layers plays a part in reducing the risk for a different scenario, whether it’s a deliberate attack or otherwise. As we mentioned above, complete end-to-end infrastructure-as-code underpins all of it. Having the option to rebuild in a new account, in a new region, in a matter of hours is why cloud platforms such as AWS are so important when designing for resilience. This simply wouldn’t be possible using legacy approaches and on-premises data centres.

But we have to still be careful: it’s not possible to reduce the risk to zero, so we also augment Data Guardian with 24/7 security anomaly detection backed up by expert Alfa teams around the world.

AG: For finance professionals, compliance with regulations like GDPR and navigating data residency requirements are critical. How does Data Guardian’s architecture, particularly its multi-cloud and multi-region deployment, provide assurance that clients are meeting their regulatory obligations, and what internal processes ensure this operational promise is consistently delivered?

AB: Regulatory obligations for our customers are always evolving and cover many different operational aspects of their business operations. We talked earlier about DORA and EBA/PRA guidelines which require our customers to verify the capabilities of their outsourced suppliers and therefore require transparency from vendors such as Alfa. Being transparent about our architecture, and capabilities including Data Guardian, as well as pointing to our certifications and external assessments (such as ISO 27001, ISO 27018, SOC 1 Type II and SOC 2 Type II) help give our customers those assurances.

Our commitment to infrastructure-as-code and automated deployments using standard AWS platform features allows our customers to self-select their primary and secondary regions. This allows them to meet data residency requirements whilst still getting the benefits of our SaaS platform. Data Guardian is built on top of this regionally agnostic deployment approach to allow that self-selection.

We see excess data retention as an unnecessary risk for our customers and for Alfa, as well as a potential compliance issue. Therefore, our triple shield is based on immutable retention policies which ensure that we keep our customers’ data in the optimum number of locations for exactly as long as we are required to do so and not longer.

AG: Alfa Systems often operates within a customer’s broader technology ecosystem. How does Data Guardian integrate seamlessly with a client’s existing data architecture, and what challenges did your team face in ensuring robust integration for third-party systems while maintaining operational efficiency and without creating new vulnerabilities?

AB: Data Guardian is a backend technology which describes our best-in-class resilience to unexpected scenarios for our cloud platform. It’s important that the security of the triple shield doesn’t inhibit authorized uses of that data: if customers can’t get at their data, there’s no point storing it!

We take a security-first approach to building new features and consider authentication, authorization and zero-trust techniques when implementing any new API. Data is encrypted when stored anywhere in our platform and end-to-end in transit.

Alfa Systems running in Alfa Cloud provides our customers with a variety of options for data integration, either embedded in the Alfa platform via REST APIs or using Changed Data Capture streaming via Kafka and Kinesis, and we make sure that all of those provide appropriately transparent access to the data – even while it’s secured with Data Guardian.

AG: The triple shield relies on strategic partnerships, including using AWS and Microsoft Azure. How do you manage the complexities of a multi-cloud environment and what measures are in place to mitigate the risks associated with depending on multiple vendors?

AB: Although we value all our partners, and keep Alfa Systems agnostic on its deployment platform (ref: self-managed customers on GCP, Azure, AWS and data centres – as well as development locally at Alfa), we have a great partnership with AWS that we use as our primary deployment platform at the moment. This gives us the benefit of scale and support from a single vendor, while ensuring we regularly review and consider whether or not we’re tied in.

AG: Looking ahead, how do you see the conversation around data resilience and security evolving in the financial sector? What’s next for Data Guardian and Alfa Cloud in anticipating and addressing future threats and regulatory changes?

AB: With Data Guardian we wanted to put a name to the table stakes offerings that all enterprise software companies should be offering to their customers. We strongly think the single-tenant SaaS model, supported by Data Guardian, is the best way of getting Alfa Systems’ rich functionality to our customers in the financial sector.

When it comes to resilience, we firmly believe that we have pushed the envelope for single-regional excellence, and with Data Guardian we have laid the foundations for even more cross-regional capabilities. Our customers are increasingly asking us to consider how we can make multi-regional failover part of business-as-usual operation, even going as far as switching regions every month.

From a regulatory perspective, apart from things like DORA, mentioned earlier, the importance of understanding your software supply chain is moving from hygiene factors for a responsible company to regulatory expectation. Even in a SaaS world, we think it’s important to explain how our software is put together – not least because we’re proud of it! In practice, that means providing our customers with Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX)-like information.

We are also continuing to leverage our relationship with AWS to review how their existing and future offerings can continue to enhance the security of our platform.


Content Original Link:

Original Source At Yahoo Finance
