Big banks are moving to the cloud.
Smaller banks shouldn't wait.

By Dan Ritz
January 3rd 2019

In 2016, JPMorgan Chase announced a major project to make public cloud computing a major part of its IT strategy. Most US banks have resisted such a move out of concerns about security and data loss. Since that announcement, JPM has earmarked $10.8 billion for IT spending in 2018, a figure similar to what Amazon Web Services spends in building out its public cloud. The clear bet by both companies is that computing is becoming ever more commoditized, and the benefits of owning a private data center are yielding to the pay-as-you-go model of the public cloud.

Dan Ritz
Managing Partner Finance & COO

Dan has a broad background in financial operations, compliance, and technology.  Dan’s most recent role at UBS was Global Head of Process Implementation and US Chief Operating Officer for Derivatives Trading.  

What’s the Difference?

The truth is, there aren’t many obvious differences between the public cloud and private data centers.  Both are ways to accomplish more-or-less the same thing, using the same basic design to ensure operational stability with backup power, fire suppression, security badges, and the like.  The fundamental difference is in how “core” running a data center is to the business.

Banks have built very sophisticated centers of excellence to support their technology platforms, which typically requires running highly customized proprietary applications. Many of these business processes and end-user tools were built at a time when there were no commercially available alternatives and there was a significant competitive advantage, or an “edge” in industry terms, to building in-house. Now, twenty or more years later, these services have been duplicated throughout the industry and have become a minimum requirement of doing business. Think about how Schwab revolutionized retail brokerage with electronic trading in the ‘90s during the first dot-com boom. Now, there isn’t anyone still in business that doesn’t offer the same service. What’s left at the banks now is the overhead involved in supporting not just these legacy applications, but the technology those applications run on. Billions of dollars of capital are tied up in private cloud, yielding zero “edge”.

For banks, running data centers has always been a secondary focus to their primary business of processing transactions and assisting customers with their financial needs. A bank’s entire business model isn’t predicated on running a private data center. Meanwhile, cloud providers’ futures depend entirely on the cloud services they provide, and they have massive financial incentives to invest for the long term. The incredible advances in cloud computing available to financial services simply would never have occurred had it not been for the public cloud. Banks have the opportunity to benefit from the incredible investments and technological advances that have been made in the public cloud, while simultaneously improving their balance sheets.

Public Offers a Better Cost Structure

The public cloud offers a dramatically different approach and cost structure, in a variety of ways. First, and most importantly, is the concept of “pay-as-you-go”. The public cloud replaces CapEx with OpEx, immediately freeing up capital to generate more edge. Small proof-of-concept projects can be launched for free in the cloud, and scaled up to global scale with no up-front investment, no long-term contracts, no vendor lock-in, and without the lead times of acquiring property and building out a data center.

The often-overlooked benefit is the flexibility that the public cloud offers. Trading firms like Charles Schwab would need to plan to support a theoretical peak capacity over the life of their data center. Adding capacity, at one point, required a helicopter to lower in equipment through the roof. In the public cloud, resources can be added or scaled back automatically, on demand. Adding a petabyte of storage or deploying 1,000 identical geographically load-balanced servers is accomplished in seconds.

In the next-generation “serverless” public cloud, the concepts of hardware, servers, and operating systems are abstracted away entirely, and the only thing to support is the code itself. The benefits of serverless pricing are even more dramatic, and the cost is based on CPU cycles.

The second major cost advantage that is often overlooked is availability and redundancy. In the private cloud, one data center is never really enough, and a geographically distant hot backup site is often required. Ideally, the backup site can handle the same workloads as the primary, so the costs of supporting the technology are doubled. Managing backup sites involves complex networking rules to fail over elegantly (or not). The public cloud offers multiple regions and “availability zones” within each region that maintain nearly seamless fail-over capabilities in the event of a localized outage.

How does public beat private security?

The major challenge and first priority for banks has always been security. The question of whether the public cloud can be as secure as a private data center is critical. The answer is yes: the public cloud can be even more secure while offering dramatic other benefits around availability, scalability, and redundancy.

Private clouds aren’t more secure than the public cloud by default. Human error and managing complexity make it difficult to secure any environment. Gartner predicts that by 2020, 95% of cloud security failures will be the customer’s fault (1). Public cloud providers have a business model to protect and have led the way in securing their environments and avoiding the bad press and FUD (fear, uncertainty, and doubt). Their response to this has been to raise awareness and build tools to simplify the task of securing customers’ configurations on the public cloud. These tools simplify the task of building secure infrastructure, offer automated monitoring and alerts of open security vulnerabilities, use heuristics and machine learning to actively detect anomalous behaviors, and proactively resolve security exceptions. OC4 offers a toolkit that implements all the best practices of cloud security and meets the stringent requirements of ISO, NIST, and HIPAA.

Where does it all lead?

JP Morgan’s real strategic advantage is in the next level of benefits of going cloud-native: applications and micro-services built to operate in serverless environments where all the heavy lifting of managing capacity and maintaining servers is eliminated, reducing costs even further by eliminating unused capacity.