The next BriefingsDirect cloud adoption best practices discussion focuses on some of the strictest security and performance requirements that are newly being met for an innovative global finance services deployment.
We’ll now explore how a major financial transactions provider is exploiting cloud models to extend a distributed real-time payment capability across the globe. Due to the needs for localized data storage, privacy regulations compliance, and lightning-fast transaction speeds, this extreme cloud-use formula pushes the boundaries -- and possibilities -- for hybrid cloud solutions.
Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.
Stay with us now as we hear from an executive at Mastercard and a cloud deployment strategist about a new, cutting-edge use for cloud infrastructure. Please welcome Paolo Pelizzoli, Executive Vice President and Chief Operating Officer at Realtime Payments International for Mastercard, and Robert Christiansen, Vice President and Cloud Strategist at Cloud Technology Partners (CTP), a Hewlett Packard Enterprise (HPE) company. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.
Here are some excerpts:
Gardner: What is happening with cloud adoption that newly satisfies such major concerns as strict security, localized data, and top-rate performance? Robert, what’s allowing for a new leading edge when it comes to the public clouds’ use?
Christiansen: A number of new use cases have been made public. For the front runners like Capital One [Financial Corp.], and some other organizations, they have taken core applications that would otherwise be considered sacred and are moving them to cloud platforms. Those have become more and more evident and visible. The Capital One CIO, Robert Alexander, has been very vocal about that.
So now others have followed suit. And the US federal government regulators have been much more accepting around the audit controls. We are seeing a lot more governance and automation happening as well. A number of the business control objectives -- from security to the actual technologies to the implementations -- are becoming more accepted practices today for cloud deployment.
So, by default, folks like Paolo at Mastercard are considering the new solutions that could give them a competitive edge. We are just seeing a lot more acceptance of cloud models over the last 18 months.
Gardner: Paolo, is increased adoption a matter of gaining more confidence in cloud, or are there proof points you look for that open the gates for more cloud adoption?
Compliance challenges cloud
Pelizzoli: As we see what’s happening in the world around nationalism, the on-the-soil [data sovereignty] requirements have become much more prevalent. It will continue, so we need the ability to reach those countries, deploy quickly, and allow data persistence to occur there.
The adoption side of it is a double-edged sword. I think everybody wants to get there, and everybody intuitively knows that they can get there. But there are a lot of controls around privacy, as well as the SOX and SOC 1 reports compliance, and everything else that needs to be adjusted to take the cloud into account. And if the cloud is rerouting traffic because one zone goes down and it flips to another zone, is that still within the same borders, is it still compliant, and can you prove that?
So while technologically this all can be done, from a compliance perspective there are still a lot of different boxes left to check before someone can allow payments data to flow actively across the cloud -- because that’s really the panacea.
Gardner: We have often seen a lag between what technology is capable of and what regulations, standards, and best practices allow. Are we beginning to see a compression of that lag? Are regulators, in effect, catching up to what the technology is capable of?
Pelizzoli: The technology is still way out in the front. The regulators have a lot on their plates. We can start moving as long as we adhere to all the regulations, but the regulations between countries and within some countries will continue to have a lagging effect. That being said, you are beginning to see governments understand how sanctions occur and they want their own networks within their own borders.
Those are the types of things that require a full-fledged payments network that predated the public Internet to begin to gain certain new features, functions, and capabilities. We are now basically having to redo that payments-grade network.
Gardner: Robert, the technology is highly capable. We have a major player like Mastercard interested in solving their new globalization requirements using cloud. What can help close the adoption gap? Does hybrid cloud help solve the log-jam?
Christiansen: The regionalization issues are upfront, if not the number-one requirement, as Paolo has been talking about. I think about South Korea. We just had a meeting with the largest banking folks there. They are planning now for their adoption of public cloud, whether it’s Microsoft Azure, Amazon Web Services (AWS), or Google Cloud. But the laws are just now making it available.
Prior to January 1, 2019, the laws prohibited public cloud use for financial services companies, so things are changing. There is a lot of that kind of thing going on around the globe. The strategy seems to be very focused on making the compute, network, and storage localized and regionalized. And that’s going to require technology grounding in some sort of connectivity across on-premises and public, while still putting the proper security in place.
So, you may see more use of things like OpenShift or Cloud Foundry’s Pivotal platform and some overlay that allows folks to take advantage of that so that you can push down an appliance, like a piece of equipment, into a specific territory.
I’m not certain as to the cost that you incur as a result of adding such an additional local layer. But from a rollout perspective, this is an upfront conversation. Most financial organizations that globalize want to be able to develop and deploy in one way while also having regional, localized on-premises services. And they want it to get done as if in a public cloud. That is happening in a multiple number of regions.
Gardner: Paolo, please tell us more about International Realtime Payments. Are you set up specifically to solve this type of regional-global deployment problem, or is there a larger mandate? What’s the reason for this organization?
Hybrid help from data center to the edge
Pelizzoli: Mastercard made an acquisition a number of years ago of Vocalink. Vocalink did real-time secure interbank funds transfer, and linkage to the automated clearing house (ACH) mechanism for the United Kingdom (UK), including the BACS and LINK extensions to facilitate payments across the banking system. Because it’s nationally critical infrastructure, and it’s bank-to-bank secure funds transfer with liquidity checks in place, we have extended the capabilities. We can go through and perform the same nationally critical functions for other governments in other countries.
Vocalink has now been integrated into Mastercard, and Realtime Payments will extend the overall reach, to include the debit/credit loyalty gift “rails” that Mastercard has been traditionally known for.
I absolutely agree that you want to develop one way and then be able to deploy to multiple locations. As hybrid cloud has arrived, with the advent of Microsoft Azure Stack and more recently AWS’s Outposts, it gives you the cloud inside of your data center with the same capabilities, the same consoles, and the same scripting and automation, et cetera.
As we see those mechanisms become richer and more robust, we will go through and be deploying that approach to any and all of our resources -- even being embedded at the edge within a point of sale (POS) device.
As we examine the different requirements from government regulations, it really comes down to managing personally identifiable information.
So, if you can secure the transaction information, by abstracting out all the other stuff and doing some interesting cryptography that only those governments know about, the [transaction] flow will still go through [the cloud] but the data will still be there, at the edge, and on the device or appliance.
We already provide for detection and other value-added services for the assurance of the banks, all the way down to the consumers, to protect them. As we start going through and seeing globalization -- but also the regionalization due to regulation -- it will be interesting to uncover fraudulent activity. We already have unique insights into that.
No more noisy neighbors
Christiansen: Getting back to the hybrid strategy, AWS Outposts and Azure Stack have created the opportunity for such globalization at speed. Someone can plug in a network and power cable and get a public cloud-like experience, yet it’s on an on-premises device. That opens a significant number of doors.
You eliminate multi-tenancy issues, for example, which are a huge obstacle when it comes to compliance. In addition, you have to address “noisy neighbor” issues, performance issues, failovers, and stuff like that that are caused by multi-tenancy issues.
If you’re able to simply deploy a cloud appliance that is self-aware, you have a whole other trajectory toward use of the cloud technology. I am actively encouraged to see what Microsoft and Amazon can do to press that further. I just wanted to tag that onto what Paolo was talking about.
Pelizzoli: Right, and these self-contained deployments can use Kubernetes. In that way, everything that’s required to go through and run autonomously -- even the software-defined networks (SDNs) -- can be deployed via containers. It actually knows where its point of persistence needs to be, for data sovereignty compliance, regardless of where it actually ends up being deployed.
This comes back to an earlier comment about the technology being quite far ahead. It is still maturing. I don’t think it is fully mature to everybody’s liking yet. But there are some very, very encouraging steps.
As long as we go in with our eyes wide open, there are certain things that will allow us to go through and use those technologies. We still have some legacy stuff pinned to bare-metal hardware. But as things start behaving in a hybrid cloud fashion as we’re describing, and once we get all the security and guidelines set up, we can migrate off of those legacy systems at an accelerated pace.
Gardner: It seems to me that Realtime Payments International could be a bellwether use case for such global hybrid cloud adoption. What then are the checkboxes you need to sign off on in order to be able to use cloud to solve your problems?
Perpetual personal data protection
Pelizzoli: I can’t give you all the criteria, but the persistence layer needs to be highly encrypted. The transports need to be highly encrypted. Every time anything is persisted, it has to go through a regulatory set of checks, just to make sure that it’s allowed to do what it’s being asked to do. We need a lot of cleanliness in the way metrics are captured so that you can’t use a metric to get back to a person.
If nothing else, we have learned a lot from the recent [data intrusion] announcements by Facebook, Marriott, and others. The data is quite prevalent out there. And payments data, just like your hospital data, is the most personal.
As we start figuring out the nuances of regulation around an individual service, it must be externalized. We have to be able to literally inject solutions to regulatory requirements -- and not by coding it. We can’t be creating any payments that are ambiguous.
That’s why we are starting to see a lot of effort going into how artificial intelligence (AI) can help. AI could check services and configurations to test for every possibility so that there isn’t a “hole” that somebody can go through with a certain amount of credentials.
As we go forward, those are the types of things that -- when we are in a public cloud -- we need to account for. When we were all internal, we had a lot of perimeter defenses. The new perimeter becomes more nebulous in a public cloud. You can create virtual private clouds, but you need to be very wary that you are expanding time factors or latency.
Gardner: If you can check off these security and performance requirements, and you are able to start exploiting the hybrid cloud continuum across different localities, what do you get? What are the business outcomes you’re seeking?
Common cloud consistency
Pelizzoli: A couple of things. One is agility, in terms of being able to deploy to two adjacent countries, if one country has a major outage. That means ease of access to a payments-grade network -- without having to go through and put in hardware, which will invariably fail.
Also, the ability to scale quickly. There is an expected peak season for payments, such as around the Christmas holidays. But there could be an unexpected peak season based on bad news -- not a peak season, but a peak day. How do you go through and have your systems scale within one country that wasn’t normally producing a lot of transactions? All of a sudden, now it’s producing 18 times the amount of transactions.
Those types of things give us a different development paradigm. We have a lot of developers. A [common cloud approach] would give us consistency, and the ability to be clean in how we automate deployment; the testing side of it, the security checks, etc.
Before, there were a lot of different ways of doing development, depending on the language and the target. Bringing that together would allow increased velocity and reduced cost, in most cases. And what I mean by “most cases” is I can use only what I need and scale as I require. I don’t have to build for the worst possible day and then potentially never hit it. So, I could use my capacity more efficiently.
Gardner: Robert, it sounds like major financial applications, like a global real-time payment solution, are getting from the cloud what startups and cloud-native organizations have taken for granted. We’re now able to take the benefits of cloud to some of the most extreme and complex use cases.
Cloud-driven global agility
Christiansen: That’s a really good observation, Dana. A healthcare organization could use the same technologies to leverage an industrial-strength transaction platform that allows them to deliver healthcare solutions globally. And they could deem it as a future-proof infrastructure solution.
One of the big advantages of the public cloud has been the isolation of all those things that many central IT teams have had to do day-in and day-out. That is to patch releases, upgrade processes, constantly looking at the refresh. They call it painting the Golden Gate Bridge -- where once you finish painting the bridge, you have to go back and do it all over again. And a lot of that effort and money goes into that refresh process.
And so they are asking themselves, “Hey, how can we take our $3 or $4 billion IT spend, and take x amount of that and begin applying it toward innovation?”
And if someone can take a piece out of that equation, all things are eligible. Everyone is asking the same question, “How do I compete globally in a way that allows me to build the agility transformation into my organization?” Right now there is so much rigidity, but the balance against what Paolo was talking about -- the industrial-grade network and transaction framework -- to get this stuff done cannot be relinquished.
So people are asking a lot of the same questions. They come in and ask us at CTP, “Hey, what use-cases are actually in place today where I can start leveraging portions of the public cloud so I can start knocking off pieces?”
Paolo, how do you use your existing infrastructure, and what portion of cloud enablement can you bring to the table? Is it cloud-first, where you say, “Hey, everything is up for grabs?” Or are you more isolated into using cloud only in a certain segment?
Follow a paved path of patterns
Pelizzoli: Obviously, the endgame is to be in the cloud 100 percent. That’s utopian. How do we get there? There is analysis being done. It depends if we are talking about real-time payments, which is actually more prepared to go into the cloud than some of the core processing that handles most of North America and Europe from an individual credit card or debit card swipe. Some of those core pieces need more rewiring to take advantage of the cloud.
When we look at it, we are decomposing all of the legacy systems and seeing how well they fit into what we call a paved path of patterns. If there is a paved path for a specific type of pattern, we put it on the list of things to transition to, as being built as a cloud-native service. And then we run it alongside its parent for a while, to test it, through stressful periods and through forced chaos. If the segment goes down, where does it flip over to? And what is the recovery time?
The one thing we cannot do is in any way increase latency. In fact, we have some very aggressive targets to reduce latency wherever we can. We also want to improve the recovery and security of the individual components, which we end up calling value-added services.
There are some basic services we have to provide, and then value-added services, which people can opt in or opt out of. We do have a plan and strategy to go through and prioritize that list.
Gardner: Paolo, as you master hybrid cloud, you must have visibility and monitoring across these different models. It’s a new kind of monitoring, a new kind of management.
What do you look to from CTP and HPE to help attain new levels of insight so you can measure what’s going on, and therefore optimize and automate?
Pelizzoli: CTP has been a very good and integral part of our first steps into the cloud.
Now, I will give you one disclaimer. We have some companies that are Mastercard companies that are already in the cloud, and were born in the cloud. So we have experience with AWS, we have experience with Azure, and we have some experience with Google Cloud Platform.
It’s not that Mastercard isn’t in the cloud already; it is. But when you start taking the entire plant and moving it, we want to make sure that the security controls, which CTP has been helping ratify, get extended into the cloud -- and where appropriate, actually removed, because there are better ones in the cloud today.
Extend the cloud management office
Now, the next phase is to start building out a cloud management office. Our cloud management office was created early last year. It is now getting the appropriate checks and audits from finance, the application teams, the architecture team, security teams, and so on.
As that list of prioritized applications comes through, they have the appropriate paved path, checks, and balances. If there are any exceptions, it gets fiercely debated and will either get a pass or it will not. But even if it does not, it can still sit within our on-premises version of the cloud; it’s just more protected.
As we route all the traffic, that is where there is going to be a lot of checks within the different network hops that it has to take to prevent certain information from getting outside when it’s not appropriate.
Gardner: And is there something of a wish list that you might have for how to better fulfill the mandate of that cloud management office?
Pelizzoli: We have CTP, which HPE purchased along with RedPixie. They cover, between those two acquisitions, all of the public cloud providers.
Now, the cloud providers themselves are selling you the next feature-function to move themselves ahead of their competitor. CTP and RedPixie are taking the common denominator across all of them to make sure that you are not overstepping promises from one cloud provider into another cloud provider. You are not thinking that everybody is moving at the same pace.
They also provide implementation capabilities, migration capabilities, and testing capabilities through the larger HPE organization. The fact is we have strong relationships with Microsoft and with Amazon, and so does HPE. If we can bring the collective muscle of Mastercard, HPE, and the cloud providers together, we can move mountains.
Gardner: We hear folks like Paolo describe their vision of what’s possible when you can use the cloud providers in an orchestrated, concerted, and value-added approach.
Other people in the market may not understand what is going on across multi-cloud management requirements. What would you want them to know, Robert?
O brave new hybrid world
Christiansen: A hybrid world is the true reality. Just the complexity of the enterprise, no matter what industry you are in, has caused these application centers of gravity. The latency issues between applications that could be moved to cloud or not, or impacted by where the data resides, these have created huge gravity issues, so they are unable to take advantage of the frameworks that the public clouds provide.
So, the reality is that the public cloud is going to have to come down into the four walls of the enterprise. As a result of that, we are seeing an explosion of the common abstraction -- there is going to be some open sourced framework for all clouds to communicate and to talk and behave alike.
Over the past decade, the on-premises and OpenStack world has been decommissioning the whole legacy technology stack, moving it off to the side as a priority, as they seek to adopt cloud. The reality now is that we have regional, government, and data privacy issues, we have got all sorts of things that are pulling it all back internally again.
Out of all this chaos is going to rise the phoenix of some sort of common framework. There has to be. There is no other way out of this. We are already seeing organizations such as Paolo’s at Mastercard develop a mandate to take the agile step forward.
They want somebody to provide the ability to gain more business value versus the technology, to manage and keep track of infrastructure, and to future-proof that platform. But at the same time, they want a technology position where they can use common frameworks, common languages, things that give interoperability across multiple platforms. That’s where you are seeing a huge amount of investment.
I don’t know if you recently saw that HashiCorp got $100 million in additional funding, and they have a valuation of almost $2 billion. This is a company that specializes in sitting in that space. And we are going to see more of that.
And as folks like Mastercard drive the requirements, the all-in on one public cloud mentality is going to quickly evaporate. These platforms absolutely have to learn how to play together and get along with on-premises, as well as between themselves.
Gardner: Paolo, any last thoughts about how we get cloud providers to be team players rather than walking around with sharp elbows?
Tech that plays well with others
Pelizzoli: I think it’s actually going to end up that a lot more of the technology that’s being allowed to run on these cloud platforms is going to take care of it.
I mentioned Kubernetes and Docker earlier, and there are others out there. The fact that they can isolate themselves from the cloud provider itself is where it will neutralize some of the sharp elbowing that goes on.
Now, there are going to be features that keep coming up that I think companies like ours will take a look at and start putting workloads where the latest cutting-edge feature gives us a competitive advantage and then wait for other cloud providers to go through and catch up. And when they do, we can then deploy out on those. But those will be very conscious decisions.
I don’t think that there is a one cloud fits all, but where appropriate we will go through and be absolutely multi-cloud. Where there is a defining difference, we will go through and select the cloud provider that best suits in that area to cover that specific capability.
Gardner: It sounds like these extreme use cases and the very important requirements that organizations like Mastercard have will compel this marketplace to continue to flourish rather than become a one-size-fits-all. So it is an interesting time, as we are seeing the maturation of the applications and use cases actually start to create more of a democratization of cloud in the marketplace.
Sponsor: Hewlett Packard Enterprise.