Fannie Mae, Freddie Mac Overcome Risks of Cloud Transition

Despite tech and efficiency benefits, the Federal Housing Finance Agency (FHFA) – which oversees Fannie Mae, Freddie Mac, and the 11 Federal Home Loan Banks – documented “third-party, information security, and business resiliency risks” in its transition to and use of the public cloud.

In 2018, Freddie Mac began its Infrastructure Transformation Program to first migrate legacy applications to the cloud and then optimize those applications for the cloud environment. The agency expects to migrate 70 percent of its legacy systems to a third-party cloud service provider by the second quarter of 2020 before it begins the second phase.

The other 30 percent of applications are not able to be transitioned in its current form and, therefore, will complete the modernization during the second phase. While Freddie Mac initially reported its transition as an operational risk, as of January 2020, the number of tech-related incidents “dropped significantly,” according to an agency official.

Fannie Mae is approaching its cloud transition through three concurrent streams: preparing the cloud environment; migration of applications; and data migration. The approach causes some data to be duplicated, which could lead to confusion, but the agency officials have assured the Office of the Inspector General (OIG) that they are “actively monitoring the risk and exercising a high level of rigor.”

While Fannie Mae hopes to complete its on-prem warehouse data migration by the end of calendar year 2020, the full transition to the cloud will span several years.

OIG noted four agencywide benefits of FHFA’s cloud transition: economies of scale, improvements to disaster recovery, elastic response, and proprietary functions. However, the agency also faces some considerable pitfalls:

  • Cloud computing requires extensive risk management;
  • Organizations are exposed to third-party risks when outsourcing their technology infrastructure
  • Cloud provider concentration presents the risk that technology failure, cyberattack, disaster, or corporate failure;
  • Relocation to a cloud environment introduces new risks and challenges; and
  • Inadequate staffing.

Categories

Recent