Security. Privacy. Control.
For years, these were serious concerns that held back large banks from running critical applications in the public cloud. Those worries are now being addressed as more financial institutions move computing work to the cloud.
These banks and many others seek lower and more predictable costs, the ability to quickly establish new computing environments for developers and the flexibility to scale up and handle spikes in traffic.
Wells Fargo will use Microsoft Azure as its primary public cloud provider; Google will provide additional business-critical public cloud services.
Saul Van Beurden, head of technology at the $1.9 trillion-asset Wells, shared why he chose these two providers and his overall thinking and strategy around cloud computing.
How did you choose these two cloud providers?
SAUL VAN BEURDEN: Our digital infrastructure strategy has been to lay the foundation for Wells Fargo to become a digital-first bank. Over the last six to 12 months, we have been looking at our own capabilities and came up with a North Star vision. The North Star orients you when it's dark at night — that's the star that guides your decisions.
Our North Star vision is that, for us at least, all workloads will one day be on a public cloud. That could be 10 years from now, it could be 14 years, it could be eight years. We don't know. But if the idea is that everything goes public one day, that will guide your decisions when you look at your own data, when you look at the way you build new applications today, and the way you're going to migrate the current applications. We did a thorough review of the marketplace and chose Microsoft and Google for the reasons of being industry-leading, having a strong foothold in the financial industry and having complementary offerings across the industry.
We’ve taken a multicloud approach for two reasons. One is management: Why would you put all your eggs in one basket? And then secondly, [there is] the fact that we can select different horses for different courses, as the English say. So for certain applications, Google’s full package might be better than Microsoft. And the other way around: Microsoft might have an offering for certain workloads that might be better than Google.
To go back to your first point, the idea that all workloads will one day be in the public cloud, what would be the conditions necessary to have all workloads in the public cloud in your view?
The tenacity, the endurance, the precision to do a migration of all the workloads of a bank. So we know this is not a quick win or something you do quickly or follow hype. This is a long-term commitment that comes with tenacity to the commitment and the endurance to do it. The second thing is that if you look at a bank today and a bank tomorrow, there's also the question, what will happen if you don't do this? That's often the question that is not asked.
How are you going to decide what to put in each cloud?
That is dependent upon two things. One is the different workloads that we have. At one end of the spectrum we have workloads that are every day the same, completely routine. When the branches open up, they start to spin up those applications. And when the last branch is closed that day, that application will go to sleep as well. That is a very predictable pattern. The other type of workload has a pattern of high-burst capacity that’s highly unpredictable and comes with an enormous demand for compute power. An example on the trading side is certain risk and pricing calculations.
Is one of those clouds much better at handling those kinds of high-burst applications than the other?
Every vendor in this industry can offer the things that you need. It's the full package of that offering that defines whose products will fit best. And that could be a subset of attributes like the availability of that service and the guarantees in terms of uptime, price, innovation, security and the controls. Our strategic, business critical artificial intelligence, machine learning and large data-driven workloads will be with Google. And the primary partner is Microsoft.
What will go into managing this? Will you have a Google team and a Microsoft team, or one cloud team that becomes knowledgeable on both?
We’ve assembled a cloud-enablement team. That team is responsible for enabling the cloud, meaning the connection from us to the cloud service providers, the managed services that come along with that, the hardening and the security of those services. But that's only one part of it. We also need to migrate and make sure that all the app teams are getting upskilled. That is a separate type of effort that is happening.
Some of the big banks, like Bank of America, talk about building their own layers of security and privacy for the clouds they use. Would you want to add your own security layers or do you feel that just adds complexity?
What you do when you do these types of migrations is look at the full ecosystem and the vulnerabilities of that ecosystem, and you start to look at what are all the things that can happen. And then you start to harden those things. It's not about adding layers, adding complexity. It's about making sure that this happens in a safe, sound and secure way. We’re not going to compromise on any of the requirements that we need to have in place. It has to be secure from the start.
Do you have any sense of what percent of your applications you might put in these clouds over the next year or two?
In the next three to five years, a large part of the workloads.
What are some of the overall benefits? Are you going to get a lot of cost savings out of doing this?
We're executing this for several reasons. The first reason is to innovate faster for our clients and communities. The second reason is to provide our developers with an even better experience than today with cloud-based development and all cloud-native servers at the tip of their fingers. They can spin up and spin down environments way faster than we can today. Thirdly, [we want] to take full advantage of the innovation power of Microsoft and Google. We are a bank; we are not a public cloud service provider. We'd rather take advantage of a cloud service provider and the innovation they are providing. And then last but not least, we are changing the cost structure, not so much the cost level, where we’ll go from fixed cost to variable pay-as-you-go cost.
What applications will you move to these clouds first?
What you do normally with these types of large migrations is crawl, walk, run. So you start with a couple of first applications where you learn to crawl, how does it work? And start with more easy and less complicated, or you start with out-of-the-box, cloud-native services that Google or Microsoft can already provide and start to consume those — artificial intelligence and machine learning for instance. And then you start to walk with more complicated workloads, different needs in terms of that pattern. And then you start to run because then you have to muscle build and you pick up the more and more difficult stuff over time as well.
Banks used to worry about putting their data and especially their customer data in the cloud. Some used to say they would never put their customers’ data in the clouds where they can’t have total control over it. What do you think is the answer today to that kind of thinking?
There are different ways to answer that. And I think the first way is that much of our customer data is de-identified. The second thing is, if you look at cloud or any type of data exchange that is happening with other parties, that’s all encrypted and the key is also encrypted. So it's like an "Ocean’s Eleven" act to be able to decrypt any of the traffic or what is stored. We do maximum masking and encryption and de-identification of customers, and there are beautiful technologies for that nowadays, by which you lower the exposure and the risk.
