In this Q&A, Leasing Life Editor Alejandro Gonzalez (AG) speaks with Alex Barnes (AB), Director of Cloud Hosting at Alfa, about how shifting regulatory demands and increasingly sophisticated threats are reshaping backup strategies.
Under the EU’s DORA and the EBA/PRA guidelines, banks and lenders must treat outsourced digital services as integral parts of their operational resilience, enforcing a full ICT risk-management cycle: from rigorous pre-outsourcing due diligence and detailed contractual SLAs covering data security, audit rights and exit plans, to continuous monitoring, periodic reviews and clear incident-reporting protocols. The rules also mandate regular scenario-based resilience testing, including threat-led penetration exercises, and, for critical providers, direct supervisory oversight to ensure third-party systems can withstand disruption without compromising business continuity or compliance.
Barnes explains how Alfa Cloud’s Data Guardian architecture — with its three-layer approach to storage and recovery — is designed to meet these pressures.
AB: There’s definitely an ongoing evolution of ever-more sophisticated cyber threats – not a day goes by without hearing of a new ransomware or other attack, often on supply chains.
On top of that, increased regulatory focus – such as DORA or EBA/PRA regulations – means that outsourcing to a SaaS provider doesn’t remove our customers’ obligations for continued service.
We’ve always architected and operated Alfa Cloud such that we could automatically rebuild any customer’s isolated infrastructure in a few hours, so we recognised that by evolving our backup strategy, we could provide resilience against almost any reasonably foreseeable incident. We decided to make this part of our standard platform at no additional cost to our customers because we consider this to be a critical part of incident preparedness.
AB: Our overall strategy, of which Data Guardian is a key component, is based on considering the worst-case outcomes: What if an attacker was somehow authenticated and inside our network via a phishing attack? What if there was a significant terrorist event or other outage in a particular region? What if the primary cloud platform had an extended, multi-regional outage?
Each of the different layers plays a part in reducing the risk for a different scenario, whether it’s a deliberate attack or otherwise. As we mentioned above, complete end-to-end infrastructure-as-code underpins all of it. Having the option to rebuild in a new account, in a new region, in a matter of hours is why cloud platforms such as AWS are so important when designing for resilience. This simply wouldn’t be possible using legacy approaches and on-premises data centres.
But we still have to be careful: it’s not possible to reduce the risk to zero, so we also augment Data Guardian with 24/7 security anomaly detection backed up by expert Alfa teams around the world.
AB: Regulatory obligations for our customers are always evolving and cover many different operational aspects of their business operations. We talked earlier about DORA and EBA/PRA guidelines which require our customers to verify the capabilities of their outsourced suppliers and therefore require transparency from vendors such as Alfa. Being transparent about our architecture and capabilities, including Data Guardian, as well as pointing to our certifications and external assessments (such as ISO 27001, ISO 27018, SOC 1 Type II and SOC 2 Type II), helps give our customers those assurances.
Our commitment to infrastructure-as-code and automated deployments using standard AWS platform features allows our customers to self-select their primary and secondary regions. This allows them to meet data residency requirements whilst still getting the benefits of our SaaS platform. Data Guardian is built on top of this regionally agnostic deployment approach to allow that self-selection.
We see excess data retention as an unnecessary risk for our customers and for Alfa, as well as a potential compliance issue. Therefore, our triple shield is based on immutable retention policies which ensure that we keep our customers’ data in the optimum number of locations for exactly as long as we are required to do so and not longer.
AB: Data Guardian is a backend technology which describes our best-in-class resilience to unexpected scenarios for our cloud platform. It’s important that the security of the triple shield doesn’t inhibit authorized uses of that data: if customers can’t get at their data, there’s no point storing it!
We take a security-first approach to building new features and consider authentication, authorization and zero-trust techniques when implementing any new API. Data is encrypted when stored anywhere in our platform and end-to-end in transit.
Alfa Systems running in Alfa Cloud provides our customers with a variety of options for data integration, both embedded in the Alfa platform via REST APIs or using Change Data Capture streaming via Kafka and Kinesis, and we make sure that all of those provide appropriately transparent access to the data – even while it’s secured with Data Guardian.
AB: Although we value all our partners, and keep Alfa Systems agnostic on its deployment platform (ref: self-managed customers on GCP, Azure, AWS and data centres – as well as development locally at Alfa), we have a great partnership with AWS that we use as our primary deployment platform at the moment. This gives us the benefit of scale and support from a single vendor, while ensuring we regularly review and consider whether or not we’re tied in.
AB: With Data Guardian we wanted to put a name to the table stakes offerings that all enterprise software companies should be offering to their customers. We strongly think the single-tenant SaaS model, supported by Data Guardian, is the best way of getting Alfa Systems’ rich functionality to our customers in the financial sector.
When it comes to resilience, we firmly believe that we have pushed the envelope for single-regional excellence, and with Data Guardian we have laid the foundations for even more cross-regional capabilities. Our customers are increasingly asking us to consider how we can make multi-regional failover part of business-as-usual operation, even going as far as switching regions every month.
From a regulatory perspective, apart from things like DORA, mentioned earlier, understanding your software supply chain is moving from being a hygiene factor for a responsible company to a regulatory expectation. Even in a SaaS world, we think it’s important to explain how our software is put together – not least because we’re proud of it! In practice, that means providing our customers with a Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX)-like information.
We are also continuing to leverage our relationship with AWS to review how their existing and future offerings can continue to enhance the security of our platform.
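The SBOM and VEX information Barnes mentions is only useful to a customer who actually correlates the two: an SBOM lists what the vendor ships, a VEX document says which reported vulnerabilities in those components the vendor has assessed as not affecting the product, and the customer’s own advisory feed says which vulnerabilities have been reported at all. The script below is an added example, not code from Alfa or from this interview, showing that correlation over a constructed CycloneDX-shaped SBOM, a constructed OpenVEX-shaped document and a constructed advisory feed (all component names, purls and VULN-000x identifiers are placeholders, not real packages or CVEs). It keeps every finding actionable unless the vendor has either shipped a fix or stated not_affected with a justification, and it flags VEX statements about components that do not appear in the SBOM, which is a sign the two documents are out of step.

```python
"""Correlate a CycloneDX-style SBOM with an OpenVEX-style document and an
advisory feed, to decide which findings a customer still has to act on."""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample SBOM (CycloneDX-shaped); names, versions and purls are
# invented placeholders for this example, not any real product's inventory.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-parser", "version": "1.2.0", "purl": "pkg:pypi/example-parser@1.2.0"},
    {"type": "library", "name": "example-crypto", "version": "3.0.1", "purl": "pkg:pypi/example-crypto@3.0.1"},
    {"type": "library", "name": "example-web", "version": "2.4.0", "purl": "pkg:maven/org.example/example-web@2.4.0"}
  ]}"""

# Constructed OpenVEX-shaped document; "VULN-000x" are placeholder IDs, not real CVEs.
VEX_JSON = """{
  "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.invalid/vex/sample",
  "statements": [
    {"vulnerability": {"name": "VULN-0001"}, "products": [{"@id": "pkg:pypi/example-parser@1.2.0"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "VULN-0002"}, "products": [{"@id": "pkg:pypi/example-parser@1.2.0"}],
     "status": "not_affected"},
    {"vulnerability": {"name": "VULN-0003"}, "products": [{"@id": "pkg:pypi/example-crypto@3.0.1"}],
     "status": "fixed"},
    {"vulnerability": {"name": "VULN-0004"}, "products": [{"@id": "pkg:maven/org.example/example-web@2.4.0"}],
     "status": "under_investigation"},
    {"vulnerability": {"name": "VULN-0005"}, "products": [{"@id": "pkg:pypi/example-not-shipped@0.1.0"}],
     "status": "not_affected", "justification": "component_not_present"}
  ]}"""

# Constructed advisory feed (what a scanner or OSV-style lookup would return):
# purl -> vulnerability IDs reported against that exact version.
ADVISORIES: Dict[str, List[str]] = {
    "pkg:pypi/example-parser@1.2.0": ["VULN-0001", "VULN-0002"],
    "pkg:pypi/example-crypto@3.0.1": ["VULN-0003", "VULN-0006"],
    "pkg:maven/org.example/example-web@2.4.0": ["VULN-0004"],
}

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


@dataclass(frozen=True)
class Finding:
    purl: str
    vuln_id: str
    status: str   # VEX status, or "no_statement" when the vendor said nothing
    reason: str   # why the finding landed in its bucket


def sbom_purls(sbom: dict) -> set:
    """Package URLs of every component the vendor says it ships."""
    return {c["purl"] for c in sbom.get("components", []) if "purl" in c}


def index_vex(vex: dict) -> Dict[Tuple[str, str], dict]:
    """Map (purl, vuln_id) -> statement, rejecting unknown status values."""
    index: Dict[Tuple[str, str], dict] = {}
    for stmt in vex.get("statements", []):
        if stmt.get("status") not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status {stmt.get('status')!r}")
        for product in stmt.get("products", []):
            index[(product["@id"], stmt["vulnerability"]["name"])] = stmt
    return index


def triage(sbom: dict, vex: dict, advisories: Dict[str, List[str]]) -> Dict[str, List[Finding]]:
    """Suppress 'fixed' and justified 'not_affected'; keep everything else
    actionable (affected, under_investigation, unjustified not_affected, or no
    statement). Statements about components not in the SBOM are orphans."""
    shipped, statements = sbom_purls(sbom), index_vex(vex)
    out: Dict[str, List[Finding]] = {"actionable": [], "suppressed": [], "orphans": []}
    for (purl, vuln_id), stmt in statements.items():
        if purl not in shipped:
            out["orphans"].append(Finding(purl, vuln_id, stmt["status"], "product not in SBOM"))
    for purl in sorted(shipped):
        for vuln_id in advisories.get(purl, []):
            stmt = statements.get((purl, vuln_id))
            if stmt is None:
                out["actionable"].append(Finding(purl, vuln_id, "no_statement", "vendor has not assessed it"))
            elif stmt["status"] == "fixed":
                out["suppressed"].append(Finding(purl, vuln_id, "fixed", "vendor reports a fix shipped"))
            elif stmt["status"] == "not_affected" and stmt.get("justification"):
                out["suppressed"].append(Finding(purl, vuln_id, "not_affected", stmt["justification"]))
            elif stmt["status"] == "not_affected":
                out["actionable"].append(Finding(purl, vuln_id, "not_affected", "no justification given; treat as unverified"))
            else:
                out["actionable"].append(Finding(purl, vuln_id, stmt["status"], "exposure confirmed or still under review"))
    return out


def run_sample() -> Dict[str, List[Finding]]:
    """Triage the constructed sample; actionable items are what a customer would chase."""
    return triage(json.loads(SBOM_JSON), json.loads(VEX_JSON), ADVISORIES)
```

Two design choices are worth noting. An unjustified not_affected is deliberately not trusted: OpenVEX requires a justification or impact statement for that status, and a bare assertion gives an auditor nothing to verify, which matters under the DORA-style due-diligence obligations discussed above. And the orphan bucket exists because a VEX statement for a component the SBOM does not list usually means the SBOM is stale or the VEX was written for a different build, so the customer should ask for a regenerated pair rather than assume coverage.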
“Q&A: Alfa on meeting rising regulatory demands on cloud resilience” was originally created and published by Leasing Life, a GlobalData owned brand.