Lack of data center transparency puts regulated cloud disaster recovery at risk

AI Data Press - News Team | November 6, 2025

Prasanna Venkat, vCISO of CyberQuotient, highlights the need for physical distance in disaster recovery, which is often missing in cloud-based solutions.

Key Points

  • Regulated industries face challenges with cloud resilience due to unknown data center locations, impacting disaster recovery plans.

  • Compliance with multi-region strategies in the cloud involves significant architectural changes and additional expenses.

  • Future cloud trust may depend on a guidance framework similar to SOC 2, as past outages raise concerns.

In the rush to the cloud, resilience lost its bearings. Physical distance was once non-negotiable. Now disaster plans rely on unknown data center locations and vague infrastructure claims, a leap of faith regulated industries can no longer take.

Prasanna Venkat is a vCISO and founder of CyberQuotient, a company helping startups meet security and compliance requirements. With deep expertise navigating the regulatory maze set by bodies like the Reserve Bank of India, he’s seen firsthand where the cracks in the cloud’s resilience model are appearing.

Location, location: "When auditing a large bank, we needed to know how far apart their multi-zone data centers were for resilience planning," Venkat says. "I spoke to an employee of the cloud provider who told me, ‘Even our own employees don't know where exactly these data centers are.’ It’s a huge blind spot when you’re trying to perform a real risk assessment." In traditional DR planning, physical distance is non-negotiable. But in the cloud that visibility disappears, leaving regulated enterprises to plan around promises, not facts.

Tectonic mandates: That uncertainty has moved beyond a theoretical risk, especially for companies in regulated sectors like finance and healthcare. In traditional IT architecture, disaster recovery was defined by tangible distance. "We had one hard rule: they had to be at least 100 kilometers apart," Venkat explains. "I was in a closed-door meeting where an Indian regulator explicitly said that when fintechs leverage the cloud, their disaster recovery testing must be done between two different seismic zones. That kind of broad directive essentially mandates a multi-region strategy for any new startups and fintechs operating in that space."

The cost of compliance: The regulatory push forces a difficult and expensive conversation. "You have to be realistic about the trade-offs, because there is a significant cost difference," Venkat warns. "Multi-AZ itself is an additional cost, and a multi-region deployment will also require some kind of architectural change. These are factors that must come into play during the initial design and threat modeling phase."

SOC it 2 me: "It may be a bit premature, but sooner or later we may see some kind of a guidance framework come into effect, similar to a SOC 2," Venkat says. "The past outages are a cause of concern, and there has to be a collaborative effort between all stakeholders to move this forward." In other words: trust in the cloud may soon require a seal of approval, not just a service-level agreement.