Send in the Clouds – ABA Banking Journal
April 27, 2018
By Monica C. Meinert
In 2015, Capital One announced plans to reduce its number of physical data centers from eight locations down to three by the end of 2018 by leveraging the cloud computing technology provided by Amazon Web Services. Having gone through an experimentation phase with AWS throughout 2013 and 2014, the public announcement marked another significant step in the bank’s ongoing quest to remain on the cutting edge of financial technology.
A year later, the bank officially selected AWS as its predominant cloud infrastructure provider, with the goal of migrating many of its core businesses and customer applications to Amazon’s cloud environment over the next five years. By moving to the cloud, the bank gained the ability to scale products and services even more quickly, realize cost efficiencies, ensure a higher level of cybersecurity and even attract new talent by opening up new tech-oriented positions within the company. Perhaps most importantly, the cloud allowed Capital One to free up resources that would allow it to drive innovation and respond nimbly to customers’ increasing demand for a better digital experience.
Capital One’s journey with Amazon echoes a broader mindset shift that’s occurring across the industry from the nation’s largest institutions to local community banks: in a world of constant technological change, innovation is imperative, and cloud services are becoming increasingly central to banks’ innovation strategies.
Choosing the cloud
It was 2013 when Ben Wallace—a former IT executive at JP Morgan Chase—arrived at Orrstown Bank in Shippensburg, Pa., charged to help engineer an operational and IT revitalization. The $1.5 billion asset institution was, at the time, working to strengthen many aspects of its business—including the foundation upon which it would grow and expand into new markets. Having never worked at a community bank before, Wallace immediately began to assess what it would take to help the bank operate more efficiently and grow.
One possible solution: thinking differently about its infrastructure and in-house systems—including which could be migrated to the cloud.
“Historically, we operated all of our applications and systems within local data centers—carrying all the related overhead and expense,” he explains. “So we said: ‘We’re going to engineer a bank for the future—thinking how we reduce the reliance on our local data centers over time and improve our risk and control environment while also improving our efficiency. From there, it became a question of “which public cloud partners offer the appropriate control and risk environment—Amazon, [Microsoft] Azure and others.”
Wallace and his team began by migrating the bank’s backup framework over to Amazon Glacier—an archival storage solution that helped the bank retire the physical magnetic tapes it had used for years. They also explored additional solutions through other cloud providers, such as Microsoft Office 365, email archival solutions and numerous in-house applications.
Depending on the solution, he notes that the bank has seen cost reductions resulting from using cloud services rather than those hosted on-site. And Orrstown’s move to the cloud has also allowed employees to spend less time focusing on system maintenance and upgrades and more time on customer-facing initiatives. “We’ve been able to realign functions and roles [to spend] more time on applications and with the business users than we do on the infrastructure side,” Wallace says. “That’s a dramatic shift from where we were five years ago.”
Balancing strategy and risk
Cloud-hosted environments—whether public clouds like AWS or Azure, private clouds created for individual institutions or hybrid clouds combining elements of the two—are slowly but surely becoming the standard across many industries for the efficiencies they provide. Even within the heavily regulated financial services industry, which has been slower to adopt new technologies, many bankers are finding that cloud-hosted solutions are beginning to overtake on-premises options.
“As we have evaluated new solutions over the last five to seven years, we’re seeing more and more of [them] delivered as software as a service—or SaaS—solutions, to the point that in some evaluations, we would be lucky to have one or two in-house implementation options,” notes Albert Kendrick, chief information officer at FirstBank in Lakewood, Colo.
That observation, along with the bank’s longstanding customer-focused strategy, prompted Kendrick and other FirstBank executives to begin serious conversations about moving certain systems and platforms to the cloud. Stakeholders from across the organization were pulled in to assist: from IT to security, vendor management to audit; Kendrick emphasizes that it was important to the bank to have a wide range of perspectives looking at the issue from the outset. The bank also engaged a third-party auditing firm to assist with additional reviews.
Now a year and a half into the process, Kendrick says that the bank has identified the various cloud providers that it plans to use for the bulk of its solutions and is beginning to transition solutions one by one to a cloud environment. “Our ultimate goal is to eliminate our in-house data centers and run them as much in the cloud as possible,” he says. “The next six to nine months as we assess different applications and what their cost model is in the cloud versus on-prem, that’s really going to be the decider as far as how far we go down this path.”
Critical to any successful cloud strategy is a strong risk management framework, and banks pursing such a strategy should be carefully evaluating what data is being uploaded to a cloud environment, how it is being used and who can access it.
“You really have to look at: what risk does that data pose should it be compromised?” notes David Kelly, FirstBank’s chief risk officer. “And not just today—you have to determine those potential risks that could exist down the road as well . . . and find the right partner that allows you to configure things appropriately and provide the actual protection that you’re looking for.”
In evaluating a potential third-party cloud service provider, Kelly says the bank’s risk management team examines the extent to which data is shared, the physical and environmental security of the vendor, whether data can be encrypted, how personnel with data access are authenticated and how the company approaches breach management.
“We do make sure we have access to what their third-party audits are, we look at their SOC reviews, do they conduct penetration testing themselves?” Kelly says. “A lot of the large, well-established providers will automatically give that to you. If they’re reluctant, that may be a flag.”
Kelly also tries to include requirements in the vendor service contract for the third-party to have a known trusted incident response provider on retainer that could step in and assist in the event of a breach. “We’ve even talked about: should we have the right to audit built into the contracts?” he adds. “If we find there’s a deterioration in performance, can we negotiate the right to send our own auditors in to assess the situation?”
Cloud on the horizon
The bankers all agree that the key to successful cloud migrations lies in the partnerships banks forge with their providers. “Always think about it as a journey that’s not going to be an overnight, and do it in phases,” Wallace advises. “Involve your regulatory partners, educate your internal staff and methodically evaluate which systems go first, second, third.”
Kelly emphasizes that bankers should feel comfortable with the level of security and controls their cloud provider has in place, noting that while banks may be outsourcing various functions, they still own the risk. “Our customers don’t care that we outsourced it to a poorly run vendor,” he says. “Ultimately, we take responsibility for our customers’ data.”
The advantages of cloud computing are numerous, and with strong third-party risk management controls in place, bankers can reap the rewards of reduced costs and more efficient operations. But beyond the financial statement implications, the cloud model is beginning to fundamentally reshape companies at the organization level as well. “Recognize that it’s not going to be a static environment,” Wallace says. “[Banks] need to be more dynamic, they need to recognize that it’s going to be a fluid world—it’s going to be a new reality.”