Cloud initiatives clearly do not come in “one size fits all” packages. They vary widely in focus and complexity, from basic migration projects to extreme cases involving the strictest security and performance requirements of a global financial services giant.
Mastercard completed a complicated project that illustrates the challenges cloud implementations can pose and the benefits they can offer. The company leveraged a hybrid cloud approach to launch a groundbreaking global real-time payment system with lightning-fast transaction speeds.
How did Mastercard pull it off? Is what Mastercard is doing considered a bellwether for where global 2000 industries are going when it comes to cloud use? And what is happening in the adoption of cloud that puts a new focus on such concerns as security, data sovereignty and performance issues?
Dana Gardner sat down with Mastercard’s Paolo Pelizzoli and CTP’s Robert Christiansen to learn about their hybrid cloud adoption.
Dana Gardner: What is happening with cloud adoption that newly satisfies such major concerns as strict security, localized data and top-rate performance? Robert, what’s allowing for a new leading edge when it comes to the public cloud’s use?
Robert Christiansen: A number of new use cases have been made public. For the front runners, like Capital One and some other organizations, they have taken core applications that would otherwise be considered sacred and are moving them to cloud platforms. Those have become more and more evident and visible. The Capital One CIO, Robert Alexander, has been very vocal about that.
So now, others have followed suit. And the U.S. federal government regulators have been much more accepting around the audit controls. We are seeing a lot more governance and automation happening as well. A number of the business control objectives – from security, to the actual technologies, to the implementations — are becoming more accepted practices today for cloud deployment.
So by default, folks like Paolo at Mastercard are considering the new solutions that could give them a competitive edge. We are just seeing a lot more acceptance of cloud models over the last 18 months.
Gardner: Paolo, is increased adoption a matter of gaining more confidence in cloud, or are there proof points you look for that open the gates for more cloud adoption?
Paolo Pelizzoli: As we see what’s happening in the world around nationalism, the on-the-soil [data sovereignty] requirements have become much more prevalent. It will continue, so we need the ability to reach those countries, deploy quickly and allow data persistence to occur there.
The adoption side of it is a double-edged sword. I think everybody wants to get there, and everybody intuitively knows that they can get there. But there are a lot of controls around privacy, as well as the SOX compliance, and everything else that needs to be adjusted to take cloud into account. And if the cloud is rerouting traffic because one zone goes down and it flips to another zone, is that still within the same borders, is it still compliant, and can you prove that?
So while technologically this all can be done, from a compliance perspective there are still a lot of different boxes left to check before someone can allow payments data to flow actively across the cloud — because that’s really the panacea.
Gardner: We have often seen a lag between what technology is capable of and what regulations, standards and best practices allow. Are we beginning to see a compression of that lag? Are regulators, in effect, catching up to what the technology is capable of?
Pelizzoli: The technology is still way out in the front. The regulators have a lot on their plates. We can start moving, as long as we adhere to all the regulations, but the regulations between countries and within some countries will continue to have a lagging effect. That being said, you are beginning to see governments understand how sanctions occur, and they want their own networks within their own borders.
Those are the types of things that require a full-fledged payments network that predated the public Internet, to begin to gain certain new features, functions and capabilities. We are now basically having to redo that payments-grade network.
Gardner: Robert, the technology is highly capable. We have a major player like Mastercard interested in solving their new globalization requirements using cloud. What can help close the adoption gap? Does hybrid cloud help solve the logjam?
Christiansen: The regionalization issues are upfront, if not the number one requirement, as Paolo has been talking about. I think about South Korea. We just had a meeting with the largest banking folks there. They are planning now for their adoption of public cloud, whether it’s Microsoft Azure, Amazon Web Services (AWS) or Google Cloud. Prior to January 1, 2019, the laws prohibited public cloud use for financial services companies, so things are changing.
There is a lot of that kind of thing going on around the globe. The strategy seems to be very focused on making the compute, network and storage localized and regionalized. And that’s going to require technology grounding in some sort of connectivity across on-premises and public, while still putting the proper security in place.
So you may see more use of things like OpenShift or Cloud Foundry’s Pivotal platform, and some overlay that allows folks to take advantage of that so that you can push down an appliance, like a piece of equipment, into a specific territory.
I’m not certain as to the cost that you incur as a result of adding such an additional local layer. But from a rollout perspective, this is an upfront conversation. Most financial organizations that globalize want to be able to develop and deploy in one way while also having regional, localized on-premises services. And they want it to get done as if in a public cloud. That is happening in a multiple number of regions.
Gardner: Paolo, please tell us more about International Real-Time Payments. Are you set up specifically to solve this type of regional-global deployment problem, or is there a larger mandate? What’s the reason for this organization?
Pelizzoli: Mastercard made an acquisition a number of years ago of Vocalink. Vocalink did real-time automated clearing house (ACH) payments for the United Kingdom (UK). Because it’s nationally critical infrastructure, and it’s bank-to-bank ACH, we have extended the capabilities. We can go through and perform the same nationally critical functions for other governments in other countries.
Vocalink has now been integrated into Mastercard, and Real-Time Payments will extend the ACH, or the instant check function, alongside the debit/credit loyalty gift kind of mechanisms that Mastercard has been traditionally known for.
I absolutely agree that you want to develop one way and then be able to deploy to multiple locations. As hybrid cloud has arrived, with the advent of Microsoft Azure Stack and, more recently, AWS’s Outposts, it gives you the cloud inside of your data center with the same capabilities, the same consoles and the same scripting and automation, et cetera.
As we see those mechanisms become richer and more robust, we will go through and be deploying that approach to any and all of our resources — even being embedded at the edge within a point of sale (POS) device.
As we examine the different requirements from government regulations, it really comes down to managing personally identifiable information.
So if you can secure the transaction information, by abstracting out all the other stuff and doing some interesting cryptography that only those governments know about, the [transaction] flow will still go through [the cloud] but the data will still be there, at the edge, and on the device or appliance.
We already provide for detection and other value-added services for the assurance of the banks, all the way down to the consumers, to protect them. As we start going through and seeing globalization — but also the regionalization due to regulation – it will be interesting to uncover fraudulent activity. We already have unique insights into that.
Gardner: It seems to me that International Real-Time Payments could be a bellwether use case for such global hybrid cloud adoption. What then are the checkboxes you need to sign off on in order to be able to use cloud to solve your problems?
Pelizzoli: I can’t give you all the criteria, but the persistence layer needs to be highly encrypted. The transports need to be highly encrypted. Every time anything is persisted, it has to go through a regulatory set of checks, just to make sure that it’s allowed to do what it’s being asked to do. We need a lot of cleanliness in the way metrics are captured so that you can’t use a metric to get back to a person.
If nothing else, we have learned a lot from the recent [data intrusion] announcements by Facebook, Marriott and Equifax. The data is quite prevalent out there. And payments data, just like your hospital data, is the most personal.
As we start figuring out the nuances of regulation around an individual service, it must be externalized. We have to be able to literally inject solutions to regulatory requirements – and not by coding it. We can’t be creating any payments that are ambiguous.
That’s why we are starting to see a lot of effort going into how artificial intelligence (AI) can help. AI could check services and configurations to test for every possibility, so that there isn’t a “hole” that somebody can go through with a certain amount of credentials.
As we go forward, those are the types of things that — when we are in a public cloud — we need to account for. When we were all internal, we had a lot of perimeter defenses. The new perimeter becomes more nebulous in a public cloud. You can create virtual private clouds, but you need to be very wary that you are expanding time factors or latency.
Gardner: Robert, it sounds like major financial applications, like a global real-time payment solution, are getting from the cloud what startups and cloud-native organizations have taken for granted. We’re now able to take the benefits of cloud to some of the most extreme and complex use cases.
Christiansen: That’s a really good observation, Dana. A healthcare organization could use the same technologies to leverage an industrial-strength transaction platform that allows them to deliver healthcare solutions globally. And they could deem it as a future-proof infrastructure solution.
One of the big advantages of the public cloud has been the isolation of all those things that many central IT teams have had to do day in and day out. That is to patch releases, upgrade processes, constantly looking at the refresh. They call it painting the Golden Gate Bridge – where once you finish painting the bridge, you have to go back and do it all over again. And a lot of that effort and money goes into that refresh process.
And so they are asking themselves, “Hey, how can we take our three or four billion dollar IT spend, and take x amount of that and begin applying it toward innovation?”
And if someone can take a piece out of that equation, all things are eligible. Everyone is asking the same question, “How do I compete globally in a way that allows me to build the agility transformation into my organization?” Right now there is so much rigidity, but the balance against what Paolo was talking about — the industrial-grade network and transaction framework — to get this stuff done cannot be relinquished.
So people are asking a lot of the same questions. They come in and ask us at CTP, “Hey, what use-cases are actually in place today where I can start leveraging portions of the public cloud, so I can start knocking off pieces?”
Gardner: Paolo, as Mastercard adopts hybrid cloud, you must have visibility and monitoring across these different models. It’s a new kind of monitoring, a new kind of management. What do you look to from CTP and HPE to help attain new levels of insight so you can measure what’s going on, and therefore optimize and automate?
Pelizzoli: CTP has been a very good and integral part of our first steps into the cloud. Now, I will give you one disclaimer. We have some companies that are Mastercard companies that are already in the cloud, and were born in the cloud. So we have experience with AWS, we have experience with Azure and we have some experience with Google Cloud Platform.
It’s not that Mastercard isn’t in the cloud already, it is. But when you start taking the entire plant and moving it, we want to make sure that the security controls, which CTP has been helping ratify, get extended into the cloud — and where appropriate, actually removed, because there are better ones in the cloud today.
Now, the next phase is to start building out a cloud management office. Our cloud management office was created early last year. It is now getting the appropriate checks and audits from finance, the application teams, the architecture team, security teams and so on.
As that list of prioritized applications comes through, they have the appropriate paved path, checks and balances. If there are any exceptions, each gets fiercely debated and will either get a pass or it will not. But even if it does not, it can still sit within our on-premises version of the cloud, it’s just more protected.
As we route all the traffic, that is where there are going to be a lot of checks within the different network hops that it has to take to prevent certain information from getting outside when it’s not appropriate.
Gardner: We hear folks like Paolo describe their vision of what’s possible when you can use the cloud providers in an orchestrated, concerted and value-added approach. Other people in the market may not understand what is going on across multi-cloud management requirements. What would you want them to know, Robert?
Christiansen: A hybrid world is the true reality. Just the complexity of the enterprise, no matter what industry you are in, has caused these application centers of gravity. The latency issues between applications that could be moved to cloud or not, or impacted by where the data resides, these have created huge gravity issues, so they are unable to take advantage of the frameworks that the public clouds provide.
So the reality is that the public cloud is going to have to come down into the four walls of the enterprise. As a result of that, we are seeing an explosion of the common abstraction — there is going to be some open source framework for all clouds to communicate and to talk and behave alike.
Over the past decade, the on-premises and OpenStack world has been decommissioning the whole legacy technology stack, moving it off to the side as a priority, as they seek to adopt cloud. The reality now is that we have regional, government and data privacy issues; we have got all sorts of things that are pulling it all back internally again.
Out of all this chaos is going to rise the phoenix of some sort of common framework. There has to be. There is no other way out of this. We are already seeing organizations such as Paolo’s at Mastercard develop a mandate to take the agile step forward.
They want somebody to provide the ability to gain more business value versus the technology, to manage and keep track of infrastructure, and to future-proof that platform. But at the same time, they want a technology position where they can use common frameworks, common languages, things that give interoperability across multiple platforms. That’s where you are seeing a huge amount of investment.
I don’t know if you recently saw that HashiCorp got $100 million in additional funding, and they have a valuation of almost $2 billion. This is a company that specializes in sitting in that space. And we are going to see more of that.
And as folks like Mastercard drive the requirements, the “all in on one public cloud” mentality is going to quickly evaporate. These platforms absolutely have to learn how to play together and get along with on-premises, as well as between themselves.
Gardner: Paolo, any last thoughts about how we get cloud providers to be team players rather than walking around with sharp elbows?
Pelizzoli: I think it’s actually going to end up being that a lot more of the technology that’s being allowed to run on these cloud platforms is going to take care of it.
I mentioned Kubernetes and Docker earlier, and there are others out there. The fact that they can isolate themselves from the cloud provider itself is where it will neutralize some of the sharp elbowing that goes on.
Now, there are going to be features that keep coming up that I think companies like ours will take a look at and start putting workloads where the latest cutting-edge feature gives us a competitive advantage, and then wait for other cloud providers to go through and catch up. And when they do, we can then deploy out on those. But those will be very conscious decisions.
I don’t think that there is a “one cloud fits all,” but where appropriate, we will go through and be absolutely multi-cloud. Where there is a defining difference, we will go through and select the cloud provider that best suits in that area to cover that specific capability.