How to Be in the Cloud and Stay in Control

In the UK’s highly competitive financial services sector there is a growing desire for tech solutions that are cloud-first, cloud-native, and able to deliver everything-on-demand. But the industry’s experience over the past five years has shown that this route is far from straightforward and is often littered with obstacles.

For multiple regulatory and commercial reasons, many financial services players now have a two-track IT architecture—one to run the bank and the other to transform it. That’s a complex and resource-intensive approach.

Nevertheless, more and more CIOs are learning valuable lessons that can help avoid the two-track IT quagmire. A secure cloud architecture (SCA) can ameliorate this problem, reconciling the urgent need to innovate with the industry's rigid regulatory, security, and financial constraints.

In the past, financial services organizations typically sought to run an entire IT stack in a single public cloud. This is changing, and a more realistic and pragmatic approach is emerging. Established UK banks and insurance companies now tend to run their IT in multiple landing zones, encompassing at least two public clouds, a private cloud, and long-standing legacy infrastructure. Within the public cloud they might turn to Google for artificial intelligence, Microsoft for business apps, and Amazon for e-commerce/innovation.

Working across landing zones is key

To traverse a diverse tech landscape, a business needs an all-terrain vehicle—a common platform, involving a consolidated set of technologies, that encompasses all of the landing zones. This is where an SCA comes in.

An SCA puts you back in control. For example, a bank can use it to evaluate workloads in different landing zones to determine the best fit. They will also be able to A/B test a workload in different zones to optimize its deployment, in terms of both performance and cost.

For both regulatory and commercial reasons, UK financial services players need to have full visibility into—and control over—their entire stack. In particular, regulators require a robust and workable plan for how they would exit a given landing zone (if they had to). As most banks run thousands and thousands of applications, it would be impractical to rewrite everything to switch from one public cloud to another.

With an SCA, you aren't tied into the underlying native services of a given landing zone, making it straightforward to shift workloads. You are effectively running a technology layer that insulates from all the cloud providers’ underlying systems, which can often be opaque. And, crucially, you now have much more visibility and control.

Ultimately, there is less complexity with a unifying set of technologies. For instance, you don’t need legions of people learning a myriad of different technologies across all the different public cloud platforms—a scenario that frequently leads to costly manual errors. Both the business and its suppliers can employ a single set of skills across the entire IT stack. Furthermore, the business isn’t locked into any specific public cloud, dramatically improving its negotiating position when it comes to renewing a contract or procuring new capabilities. If you can easily migrate from one landing zone to another, you have more negotiatory clout and the flexibility to use it.

Learning the lessons of the past

For UK banks and insurance companies, an SCA provides a great mechanism to build on the learnings of the past five years. In some cases, organizations spent tens of millions of pounds trying to move their IT stack into a public cloud only to find that the new approach introduces new challenges in terms of security and compliance for each line of business.

Unlike a start-up, an established bank doesn’t have a blank slate from which to innovate freely. In most cases, the legacy technology residing in thier data centers runs on outmoded operating systems that are incompatible with the public cloud. These core systems are effectively trapped where they are. As the business depends on them, they can’t be decommissioned. In the insurance sector, for example, there are legal precedents associated with application code running on mainframes. If an insurer touches that code, they could lose the legal precedent. The only way forward is to build interfaces over the top of these legacy systems that can integrate them into modern applications.

Other challenges of note include the cost of moving vast amounts of data into the cloud, as well as concerns that sensitive customer data shouldn’t reside there.

Moving to microservices

Having realized that it’s tough transform the IT architecture of their legacy business, some financial institutions are starting to use DevOps to build a digital business in the cloud in parallel with their legacy offerings. By using serverless, cloud-native technologies, digital businesses can move with much greater velocity and efficiency. Such technologies are ideal for delivering tactical workloads, as they minimize the technical resources required and enable a focus on business functionality.

However, this approach also results in a tight coupling with the underlying service provider, making it sub-optimal for the delivery of large strategic/business-critical services. For these services, you need container platforms based on the Kubernetes framework. It can be hard to find technical staff with the necessary skillsets to orchestrate this. Moreover, for strategic workloads, portability is a must. These systems underpin your business and regulators know that. 

Constraints of this nature mean that almost every major financial services player in the UK employs multiple public cloud platforms, combined with on-premises private clouds alongside their legacy platforms.

What an SCA might look like

An SCA can simplify a diverse technology estate and all the associated operating models. If implemented it might, for example, employ VoltMesh to stitch all the landing zones together, providing connectivity, traffic management, and perimeter security. The same common technology is then usable across the different landing zones to provide application infrastructure and security, whereas your workloads are hosted inside containers.

In summary, an SCA enables banking and financial services organizations to deploy workloads in different landing zones based on best fit—all while making it easier to exit a given landing zone. It also increases visibility and control of each landing zone, while reducing complexity and unifying technologies, mitigating the skills challenge. Finally, an SCA improves the negotiating position of the business vis-à-vis the landing zone vendors, thereby reducing costs and boosting flexibility.