Speaker: Jonathan Allen, Enterprise Strategist, AWS Hear why customers adopt, how you can follow and the positive impact of Financial Services customers choosing to use AWS Cloud. This session will be presented by Jonathan Allen – AWS Enterprise Strategist and Evangelist. Sharing some of his experience and lessons learned when he was the CTO of Capital One UK, across the paradigms of People, Process and Technology and leveraging first-hand knowledge of the AWS Cloud Adoption Framework and Mass Migration best practices.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Lessons Learned Banking in Cloud
Jonathan Allen
Enterprise Strategist
Amazon Web Services

2. enterprise
strategy
Personal career timeline
System
Integrator
Energy
Sector
1996 1998 2000 2017

3. enterprise
strategy
Financial institutions across market segments are transforming on AWS

4. enterprise
strategy
Why are so many banks moving to cloud?

5. enterprise
strategy
Why are so many banks moving to cloud?

6. enterprise
strategy
Why are so many banks moving to cloud?
Regulation

7. enterprise
strategy
AWS is the first choice for highly regulated organizations
We can be far more secure in the
cloud and achieve a higher level of
assurance at a much lower cost, in
terms of effort and dollars invested.
We determined that security in
AWS is superior to our on-premises
data center across several
dimensions, including patching,
encryption, auditing and logging,
entitlements, and compliance.
—John Brady
CISO, FINRA
Cloud computing has reached the
tipping point as the capabilities,
resiliency and security of services
provided by cloud vendors now
exceed those of many on-
premises data centers.
—DTCC, Moving Financial
Market Infrastructure
to the Cloud

8. enterprise
strategy
Customers rely on AWS’ compliance with global standards
Certifications & Attestations Laws, Regulations and Privacy Alignments & Frameworks
Cloud Computing Compliance Controls
Catalogue (C5)
! CISPE " CIS (Center for Internet Security) #
Cyber Essentials Plus $ EU Model Clauses " CJIS (US FBI) %
DoD SRG % FERPA % CSA (Cloud Security Alliance) #
FedRAMP % GLBA % Esquema Nacional de Seguridad &
FIPS % HIPAA % EU-US Privacy Shield "
IRAP ' HITECH # FISC (
ISO 9001 # IRS 1075 % FISMA %
ISO 27001 # ITAR % G-Cloud $
ISO 27017 # My Number Act ( GxP (US FDA CFR 21 Part 11) %
ISO 27018 # Data Protection Act – 1988 $ ICREA #
MLPS Level 3 ) VPAT / Section 508 % IT Grundschutz !
MTCS * Data Protection Directive " MITA 3.0 (US Medicaid) %
PCI DSS Level 1 + Privacy Act [Australia] ' MPAA %
SEC Rule 17-a-4(f) % Privacy Act [New Zealand] , NIST %
SOC 1, SOC 2, SOC 3 # PDPA - 2010 [Malaysia] - Uptime Institute Tiers #
PDPA - 2012 [Singapore] * Cloud Security Principles $
PIPEDA [Canada] .
# = industry or global standard Agencia Española de Protección de Datos &

9. enterprise
strategy
The AWS Compliance Center features country-specific resources
The AWS Compliance Center
is a central location to research
cloud regulations in specific
countries and learn about
AWS Compliance programs.

10. enterprise
strategy
Why are so many banks moving to cloud?
Regulation
Availability

11. enterprise
strategy
Availability Downtime per year Categories
95% (1-nine) 18 days 6 hours
Batch processing, data extraction,
load jobs
99% (2-nines) 3 days 15 hours Internal tools, project tracking
99.9% (3-nines) 8 hours 45 minutes Online commerce
99.99% (4-nines) 52 minutes Video delivery, broadcast systems
99.999% (5-nines) 5 minutes Telecom industry (ATM Transactions)
Availability

12. enterprise
strategy
Availability
Part X Part Y
A = AX AY

13. enterprise
strategy
Component Availability Downtime
X 99% (2-nines) 3 days 15 hours
Y 99.99% (4-nines) 52 minutes
X and Y Combined 98.99% 3 days 16 hours 33 minutes
…availability in series
Part X Part Y
A = AX AY
Availability

14. enterprise
strategy
Availability
A = 1 – (1 – AX)2
Part X
Part X

15. enterprise
strategy
Availability
Component Availability Downtime
X 99% (2-nines) 3 days 15 hours
Two X in parallel 99.99% (4-nines) 52 minutes
Three X in parallel 99.9999% (6-nines) 31 seconds
A = 1 – (1 – AX)2
Part X
Part X

16. enterprise
strategy
Availability Zone A Availability Zone B Availability Zone C
Availability

17. enterprise
strategy
Availability Zone A Availability Zone B Availability Zone C
AWS Region

18. enterprise
strategy
Multi-AZ—well-architected
Availability Zone A Availability Zone B Availability Zone C
APPLICATION

19. enterprise
strategy
Why are so many banks moving to cloud?
Regulation
Reliability & DR
Security threats

20. enterprise
strategy
Customer
AWS
AWS is responsible for security of the cloud
Customer is responsible for
security in the cloud
Customer data
Platform, applications, identity, & access management
Operating system, network, & firewall configuration
Client-side data encryption &
data integrity authentication
Server-side encryption
(file system &/or data)
Network traffic protection
(encryption/integrity/identity)
Compute Storage Database Networking
Edge
locations
Regions
Availability Zones
AWS Global
Infrastructure
Shared responsibility model for security

21. enterprise
strategy
AWS Security Hub
Centrally view and manage security alerts
and automate compliance checks
AWS Control Tower
Automates the set up and governance of a secure,
compliant multi-account AWS environment
New services, now
available in preview:
AWS Identity & Access
Management (IAM)
AWS Single Sign-On
AWS Directory Service
Amazon Cognito
AWS Organizations
AWS Secrets Manager
AWS Resource Access
Manager
AWS Security Hub
Amazon GuardDuty
AWS Config
AWS CloudTrail
Amazon
CloudWatch
VPC Flow Logs
AWS Systems Manager
AWS Shield
AWS WAF—Web
application firewall
AWS Firewall Manager
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS Key Management
Service (KMS)
AWS CloudHSM
AWS Certificate Manager
Amazon Macie
Server-Side Encryption
AWS Config Rules
AWS Lambda
Incident
response
Infrastructure
securityIdentity
Detective
control
Data
protection
Our tools and services automate tasks and enhance security

22. enterprise
strategy
Why are so many banks moving to cloud?
Regulation
Reliability & DR
Security threats
FinTechs

23. enterprise
strategy
FinTechs aren’t disrupting banks… customer expectations are!

24. enterprise
strategy
Why are so many banks moving to cloud?

25. enterprise
strategy
We’re taking a cloud-first
approach to development with
AWS as our predominant cloud
infrastructure provider.
—Rob Alexander, CIO
1. Keep it simple

26. enterprise
strategy
Biz Case & Reqs
Business
Creative & Functional
Design
Finance & PMO
Prioritization
Software Development
Engineering
Integration & Perf.
QA & Testing
Deploy & Manage
Infra & Ops
Policy & Compliance
Security
Idea
Value
Defects
Defects
Defects
Defects
Defects
Wait
Wait
Wait
Wait
Wait
Wait
Wait
Wait
Defects
2. Not moving to agile fully

27. enterprise
strategy
Product-basedteams
Full Stack. Two Pizzas.
Product-basedteams
Full Stack. Two Pizzas.
Product-basedteams
Full Stack. Two Pizzas.
Product-basedteams
Full Stack. Two Pizzas.
“You build, you run it”
2. Not moving to agile fully

28. enterprise
strategy
23 TIMES*
Teams that adopt essential cloud
characteristics are 23 times more
likely to be elite performers.
*Accelerate: State of DevOps 2018: Strategies for a New Economy
“It’s worth noting that four deploys
per day is a conservative estimate
when comparing against companies
such as CapitalOne.”
3. Treating cloud as ‘just a project’

29. enterprise
strategy
Elite vs.
low performers*
46 TIMES MORE
frequent code deployments
2,555 TIMES FASTER
lead time from commit to deploy
7 TIMES LOWER
change failure rate
2,604 TIMES FASTER
time to recover from incidents
3. Treating cloud as ‘just a project’
*Accelerate: State of DevOps 2018: Strategies for a New Economy

30. enterprise
strategy
1

31. enterprise
strategy
“Declare a bold cloud objective”
1
Single-threaded leader

32. enterprise
strategy
1
Procurement CISO CFO Head of
Infrastructure
Head of
Delivery
Engineering Risk Leader
Audit Leader
HRLegal
Single-threaded leader
i !
2-pizza cloud leadership team

33. enterprise
strategy
1
i
!

34. enterprise
strategy
1
Questions parking lot
Create your questions parking lot

35. enterprise
strategy
Amazon.com
Big Data & Analytics
Business Apps
Migration Acceleration Program
Compute Options
Contracts & Legal
Database Options
Container Options
Desktop & App Streaming
DevOps
Management Apps
Digital Transformation
Edge Services
Enterprise Strategy
General AWS Topics
Industry Specific Solutions
Internet of Things
Machine Learning
Mobile Options
AWS Executive Briefing Sessions
AWS Cloud Adoption Framework
AWS Well Architected Framework
AWS Migration Acceleration Program

36. enterprise
strategy
1
Be clear on your
business goal
Choose a predominant
public cloud partner
Agree on your
security objectives
The team you have is
the team you need
You build it,
you support it
Trust,
but verify
…unless you have better ones
Establish your principles

37. enterprise
strategy
We have a strategic imperative for a pretty
dramatic transformation of our technology
capabilities as a company.
The hardest part of that transition is really
a talent transformation.
—Rob Alexander, CIO, Capital One
4. There is no compression algorithm for experience

38. enterprise
strategy
Comprehensively trained
organizations are*
3.7 TIMES MORE LIKELY
to overcome IT governance concerns
3.8 TIMES MORE LIKELY
more likely to meet ROI requirements
1.8 TIMES MORE LIKELY
to resolve security concerns
4.4 TIMES MORE LIKELY
to overcome performance concerns
14 TIMES MORE LIKELY
to overcome operational control concerns
*IDC training report 2018
4. There is no compression algorithm for experience

39. enterprise
strategy
TRAINING
M O T I V A T I O N
Autonomy
Mastery
Purpose
4. There is no compression algorithm for experience

40. enterprise
strategy
4. There is no compression algorithm for experience
10%
Critical mass: reach 10% certified
A c h i e v e t h e
h a l o e f f e c t

41. enterprise
strategy
Controls Risks
5. Get the risks and controls balance right

42. enterprise
strategy
Trust
Trust, but verify

43. enterprise
strategy
Trust
Cloud Custodian*
Security
objectives
Availability
objectives
Cost
objectives
Feature & TTM
objectives
Compliance
objectives
* An OSS Project Sponsored by Capital One
5. Get the risks and controls balance right

44. enterprise
strategy
YANGNI
You aren’t going to need it
6. Thinking on-premises

45. enterprise
strategy
AWS CloudTrail
Track user activity and API usage
7. Thinking regulation is a barrier
Regulation is an enabler

46. enterprise
strategy
8. Trying to build the perfect
Perfect is the enemy of good.
—Voltaire

47. enterprise
strategyRetire
Retain
Refactor
Repurchase
Replatform
Rehost
Buy
COTS/SaaS
Determine
Platform
Redesign
Automate
Manual
Install/Setup
Modify Infrastructure
App Code
Development
Use Migration Tools
Install Config Deploy
ALM/SDLC Integration
Transition
Production
Determine
Discover
VALIDATION
9. Overthinking migration

48. enterprise
strategy
Application
Operations
OperationsEngineering
PlatformApplications
Cloud Platform
Engineering
OperationsEngineering
PlatformApplications
Application
Engineering
ITSM
Cloud Platform Engineering
OperationsEngineering
PlatformApplications
Application
Engineering
Transitional Strategic Strategic
Cloud
Platform
Engineering
Cloud
Platform
Operations
ITSM
Application
Engineering
ITSM
10. Not optimizing your operating model
Sustain
“Traditional Operations”
Grow
“Decentralized DevOps”
Optimize
“Distributed DevOps”

49. enterprise
strategy
Sustain
“Traditional Operations”
Grow
“Decentralized DevOps”
Optimize
“Distributed DevOps”
Applications
Cloud Platform
Engineering
Application
Engineering
ITSM
10. Not optimizing your operating model
Application
Operations
OperationsEngineering
PlatformApplications
Application
Engineering
AWS Managed
Services
Cloud Platform Engineering
ITSM
Transitional
OperationsEngineering
Platform
Strategic
OperationsEngineering
PlatformApplications
Application
Engineering
Cloud Platform Engineering
Strategic
ITSM

50. enterprise
strategy
Application
Operations
AWS Managed
Services
Sustain
“Traditional
Operations”
OperationsEngineering
PlatformApplications
Application
Engineering
Cloud Platform Engineering
ITSM
AWS Managed Services provides ongoing management of the AWS infrastructure supporting your
“Sustain” workloads, so you can focus your energy on more differentiated Optimize and Grow workloads.
Change
Management
Incident
Management
Provisioning
Management
Patch
Management
Access
Management
Security
Management
Continuity
Management
ITSM
Integration
Reporting
AWSManaged
Services
10. Not optimizing your operating model

51. enterprise
strategyRetire
Retain
Refactor
Repurchase
Replatform
Rehost
Determine
Discover
RearchitectLift & Shift Lift & Reshape Drop & Shop
Sustain
Grow
Optimize
Traditional
Operations
Distributed
DevOps
Decentralized
DevOps
OperationsEngineering
PlatformApplications
Application
Engineering
Cloud Platform
Engineering
ITSM
OperationsEngineering
PlatformApplications
Application
Engineering
ITSM
Cloud Platform Engineering
Migration paths
should be chosen
to support desired
business outcomes,
not to speed up
migration.
OperationsEngineering
PlatformApplications
Application
Operations
Application
Engineering
AWS Managed
Services
Cloud Platform Engineering
ITSM
10. Not optimizing your operating model

52. enterprise
strategy
1. Keep it simple
2. Not moving fully to agile
3. Treating cloud as just a project
4. There is no compressional algorithm for experience
5. Get the risks and controls balance right

53. enterprise
strategy
6. Thinking on premises
7. Thinking regulation is a blocker
8. Trying to build the perfect
9. Overthinking migration
10. Not optimizing your operating model

54. enterprise
strategy
Thank you!
Jonathan Allen
AWS Enterprise Strategist & Evangelist
Jnatall@amazon.com
@jonatallen
aws.amazon.com/blogs/enterprise-strategy/

55. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.