The financial services industry has avoided entrusting its data to public cloud vendors, even as Amazon Web Services quietly acquired thousands of business users. Banks and insurance firms feared rigorous regulatory scrutiny should their data become compromised in a breach at one of their cloud vendors.
Not anymore. More banks are coming around to the public cloud even if they’re not shouting the fact from the rooftops, says Jim O’Neill, senior analyst with Celent’s banking practice.
“It’s the worst kept secret in banking that everybody is experimenting with cloud,” O’Neill says. “It’s just that no one wants to be the first one to get a full proctology exam from the regulators as to how they planned out their cloud environment.”
O’Neill says the tipping point may have occurred last October, when Capital One CIO Rob Alexander revealed that the bank was a heavy user of AWS. “The ability to provision infrastructure on the fly is huge for our productivity and speed to market,” Alexander said at AWS’ RE:Invent developer show. As it hosts more of its software in AWS, Capital One is gradually reducing its data center footprint from eight in 2014 to three by 2018.
Cloud provides business agility
When Stephanie von Friedeburg became the CIO of the World Bank in 2012, the nonprofit bank was profoundly averse to risk. She recalls explaining the potential benefits of cloud computing to her legal team, only to have a lawyer tell her, “That’s like taking every important piece of information the bank has, putting it in a cardboard box, writing ‘free’ on it and setting it on the curb.” Though a gross exaggeration, this stance underscored the paranoia accompanying public cloud.
But von Friedeburg wouldn’t be denied; she made her case that the business agility of public cloud outweighed the risks. The World Bank soon began migrating several functions to public cloud software, and stated an ambitious goal to reduce the bank’s data center footprint from five to two.
Flexibility is particularly important for the World Bank, which offers financing and other programs to help governments fight poverty. Although her team initially proposed switching to Microsoft Exchange from Lotus Notes email, von Friedeburg decided she didn’t want the burden or cost of maintaining a mail server in every office in all 186 countries in which the World Bank operates. The World Bank replaced 30,000 Notes licenses with Microsoft Office 365, cutting the annual costs of running email from $12 million to $6 million and enabling employees to continue working in the event of political unrest or natural disasters.
This keystone migration also let the World Bank’s business management become more comfortable with the cloud. The World Bank software developers now use public cloud infrastructure from Microsoft Azure and Amazon Web Services to build and test apps. Employees also use Box to exchange files, including documents for loans and investments, as well as OneDrive and Dropbox.
Public cloud pitfalls
The World Bank’s path to the cloud wasn’t always easy, a common finding among many CIOs who adopt public cloud services. Von Friedeburg said it took 10 months to negotiate and close a deal with AWS last year as the parties hammered out a satisfactory contract. At issue was AWS’ acceptable use policy, in which it maintains the right to shut down a computing instance if a customer violates its terms. However, AWS also reserves the right to change its policies without notice. So if a customer violates the changed policy, their service can simply be switched off.
Von Friedeburg says she told AWS that wouldn’t work. “There was no sense of the magnitude of [the World Bank’s] risk, or any sort of escalation period whatsoever, and no way for me to know if they changed their policy.” Ultimately, it took “a lot of back and forth and a lot of legal work to get to a point where we had a contract where I could hand on heart say I’m comfortable using AWS.”
The World Bank uses AWS to test Linux-based apps served by Oracle database software, and hosts SQL Server-fed apps in Microsoft Azure. However, she says she’d like to get to a point where the bank could connect the two systems. “We need both,” von Friedeburg says.
To determine what should go into the public cloud and what should stay home, von Friedeburg created a security framework in which apps are designated as ready for the public cloud; those that require remediation work or those that include too much complexity or sensitivity don’t move. Ultimately, senior management must sign off on what does or doesn’t go on the public cloud, based on the residual risk. “We have a very good dialogue with the business to say ‘does this belong in the cloud?’” von Friedeburg says.