Transcript of a discussion on how a major financial transactions provider is exploiting cloud models to extend a distributed real-time payment capability across the globe despite some of the strictest security and performance requirements.
Data Sovereignty, Security, and Performance Panacea: Why Mastercard Sets the Standard for Global Hybrid Cloud Adoption
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Hewlett
Packard Enterprise.
Dana Gardner: Hello, and welcome to the next edition of the BriefingsDirect Voice of
the Customer podcast series. I’m Dana Gardner, Principal Analyst at Interarbor
Solutions, your host and moderator for this ongoing discussion on the latest insights into
hybrid IT and cloud computing.
Our next cloud adoption best practices discussion focuses on some of the strictest
security and performance requirements for a new global finance services deployment.
We’ll now explore how a major financial transactions provider is exploiting cloud models
to extend a distributed real-time payment capability across the globe.
Due to the needs for localized data storage, privacy regulations compliance, and
lightning-fast transaction speeds, this extreme cloud-use formula pushes the
boundaries -- and possibilities -- for cloud solutions.
Stay with us now as we hear from an executive at Mastercard and a cloud deployment
strategist about a new, cutting-edge use for cloud infrastructure. Please join me now in
welcoming our guests, Paolo Pelizzoli, Executive Vice
President and Chief Operating Officer at Realtime
Payments International for Mastercard. Welcome, Paolo.
Paolo Pelizzoli: Thank you.
Gardner: We’re also here with Robert Christiansen, Vice
President and Cloud Strategist at Cloud Technology
Partners (CTP), a Hewlett Packard Enterprise (HPE)
company. Welcome, Robert.
Robert Christiansen: Thank you for having me. Good to be here.
Gardner: What is happening with cloud adoption that newly satisfies such major
concerns as strict security, localized data, and top-rate performance? Robert, what’s
allowing for a new leading edge when it comes to the public clouds’ use?
Christiansen: A number of new use cases have been
made public. For the front runners like Capital One
[Financial Corp.], and some other organizations, they
have taken core applications that would otherwise be
considered sacred and are moving them to cloud
platforms. Those have become more and more evident
and visible. The Capital One CIO, Robert Alexander, has
been very vocal about that.
So now others have followed suit. And the US federal
government regulators have been much more accepting
around the audit controls. We are seeing a lot more
governance and automation happening as well. A
number of the business control objectives – from security
to the actual technologies to the implementations -- are becoming more accepted
practices today for cloud deployment.
So, by default, folks like Paolo at Mastercard are considering the new solutions that
could give them a competitive edge. We are just seeing a lot more acceptance of cloud
models over the last 18 months.
Gardner: Paolo, is increased adoption a matter of gaining more confidence in cloud, or
are there proof points you look for that open the gates for more cloud adoption?
Compliance challenges cloud
Pelizzoli: As we see what’s happening in the world around nationalism, the on-the-soil
[data sovereignty] requirements have become much more prevalent. It will continue, so
we need the ability to reach those countries, deploy quickly, and allow data persistence
to occur there.
The adoption side of it is a double-edged sword. I think everybody wants to get there,
and everybody intuitively knows that they can get there. But there are a lot of controls
around privacy, as well as the SOX and SOC 1 reports compliance, and everything else
that needs to be adjusted to take the cloud into account. And if the cloud is rerouting
traffic because one zone goes down and it flips to another zone, is that still within the
same borders, is it still compliant, and can you prove that?
So while technologically this all can be done, from a compliance perspective there are
still a lot of different boxes left to check before someone can allow payments data to flow
actively across the cloud -- because that’s really the panacea.
Gardner: We have often seen a lag between what technology is capable of and what
regulations, standards, and best practices allow. Are we beginning to see a compression
of that lag? Are regulators, in effect, catching up to what the technology is capable of?
Pelizzoli: The technology is still way out in the front. The regulators have a lot on their
plates. We can start moving as long as we adhere to all the regulations, but the
regulations between countries and within some countries will continue to have a lagging
effect. That being said, you are beginning to see governments understand how
sanctions occur and they want their own networks within their own borders.
Those are the types of things that require a full-fledged payments network that predated
the public Internet to begin to gain certain new features, functions, and capabilities. We
are now basically having to redo that payments-grade network.
Gardner: Robert, the technology is highly capable. We have a major player like
Mastercard interested in solving their new globalization requirements using cloud. What
can help close the adoption gap? Does hybrid cloud help solve the log-jam?
Christiansen: The regionalization issues are upfront, if not the number-one
requirement, as Paolo has been talking about. I think about South Korea. We just had a
meeting with the largest banking folks there. They are planning now for their adoption of
public cloud, whether it’s Microsoft Azure, Amazon Web Services (AWS), or Google
Cloud. But the laws are just now making it available.
Prior to January 1, 2019, the laws prohibited public cloud use for financial services
companies, so things are changing. There is a lot of that kind of thing going on around the
globe. The strategy seems to be very focused on making the compute, network, and
storage localized and regionalized. And that’s going to require technology grounding in
some sort of connectivity across on-premises and public, while still putting the proper
security in-place.
So, you may see more use of things like OpenShift or Cloud Foundry’s Pivotal platform
and some overlay that allows folks to take advantage of that so that you can push down
an appliance, like a piece of equipment, into a specific territory.
I’m not certain as to the cost that you incur as a result of adding such an additional local
layer. But from a rollout perspective, this is an upfront conversation. Most financial
organizations that globalize want to be able to develop and deploy in one way while also
having regional, localized on-premises services. And they want it to get done as if in a
public cloud. That is happening in a multiple number of regions.
Gardner: Paolo, please tell us more about International Realtime Payments. Are you set
up specifically to solve this type of regional-global deployment problem, or is there a
larger mandate? What’s the reason for this organization?
Hybrid help from data center to the edge
Pelizzoli: Mastercard made an acquisition a number of years ago of Vocalink. Vocalink
did real-time secure interbank funds transfer, and linkage to the automated clearing
house (ACH) mechanism for the United Kingdom (UK), including the BACS and LINK
extensions to facilitate payments across the banking system. Because it’s nationally
critical infrastructure, and it’s bank-to-bank secure funds transfer with liquidity checks in
place, we have extended the capabilities. We can go through and perform the same
nationally critical functions for other governments in other countries.
Vocalink has now been integrated into Mastercard, and Realtime Payments will extend
the overall reach, to include the debit/credit loyalty gift “rails” that Mastercard has been
traditionally known for.
I absolutely agree that you want to
develop one way and then be able to
deploy to multiple locations. As hybrid
cloud has arrived, with the advent of
Microsoft Azure Stack and more recently
AWS’s Outposts, it gives you the cloud
inside of your data center with the same
capabilities, the same consoles, and the
same scripting and automation, et cetera.
As we see those mechanisms become richer and more robust, we will go through and
be deploying that approach to any and all of our resources -- even being embedded at
the edge within a point of sale (POS) device.
As we examine the different requirements from government regulations, it really comes
down to managing personally identifiable information.
So, if you can secure the transaction information, by abstracting out all the other stuff
and doing some interesting cryptography that only those governments know about, the
[transaction] flow will still go through [the cloud] but the data will still be there, at the
edge, and on the device or appliance.
We already provide for detection and other value-added services for the assurance of
the banks, all the way down to the consumers, to protect them. As we start going
through and seeing globalization -- but also the regionalization due to regulation -- it will
be interesting to uncover fraudulent activity. We already have unique insights into that.
No more noisy neighbors
Christiansen: Getting back to the hybrid strategy, AWS Outposts and Azure Stack
have created the opportunity for such globalization at speed. Someone can plug in a
network and power cable and get a public cloud-like experience yet it’s on an on-
premises device. That opens a significant number of doors.
You eliminate multi-tenancy issues, for example, which are a huge obstacle when it
comes to compliance. In addition, you have to address “noisy neighbor” issues,
performance issues, failovers, and stuff like that that are caused by multi-tenancy issues.
If you’re able to simply deploy a cloud appliance that is self-aware, you have a whole
other trajectory toward use of the cloud technology. I am actively encouraged to see
what Microsoft and Amazon can do to press that further. I just wanted to tag that onto
what Paolo was talking about.
Pelizzoli: Right, and these self-contained deployments can use Kubernetes. In that way,
everything that’s required to go through and run autonomously -- even the software-
defined networks (SDNs) – can be deployed via containers. It actually knows where its
point of persistence needs to be, for data sovereignty compliance, regardless of where it
actually ends up being deployed.
This comes back to an earlier comment about the technology being quite far ahead. It is
still maturing. I don’t think it is fully mature to everybody’s liking yet. But there are some
very, very encouraging steps.
As long as we go in with our eyes wide open, there are certain things that will allow us to
go through and use those technologies. We still have some legacy stuff pinned to bare-
metal hardware. But as things start behaving in a hybrid cloud fashion as we’re
describing, and once we get all the security and guidelines set up, we can migrate off of
those legacy systems at an accelerated pace.
Gardner: It seems to me that Realtime Payments International could be a bellwether
use case for such global hybrid cloud adoption. What then are the checkboxes you need
to sign off on in order to be able to use cloud to solve your problems?
Perpetual personal data protection
Pelizzoli: I can’t give you all the criteria, but the persistence layer needs to be highly
encrypted. The transports need to be highly encrypted. Every time anything is persisted,
it has to go through a regulatory set of checks, just to make sure that it’s allowed to do
what it’s being asked to do. We need a lot of cleanliness in the way metrics are captured
so that you can’t use a metric to get back to a person.
If nothing else, we have learned a lot from the recent [data intrusion] announcements by
Facebook, Marriott, and others. The data is quite prevalent out there. And payments
data, just like your hospital data, is the most personal.
As we start figuring out the nuances of regulation around an individual service, it must be
externalized. We have to be able to literally inject solutions to regulatory requirements –
and not by coding it. We can’t be creating any payments that are ambiguous.
That’s why we are starting to see a lot of
effort going into how artificial intelligence
(AI) can help. AI could check services
and configurations to test for every
possibility so that there isn’t a “hole” that
somebody can go through with a certain
amount of credentials.
As we go forward, those are the types of things that -- when we are in a public cloud --
we need to account for. When we were all internal, we had a lot of perimeter defenses.
The new perimeter becomes more nebulous in a public cloud. You can create virtual
private clouds, but you need to be very wary that you are expanding time factors or
latency.
Gardner: If you can check off these security and performance requirements, and you
are able to start exploiting the hybrid cloud continuum across different localities, what do
you get? What are the business outcomes you’re seeking?
Common cloud consistency
Pelizzoli: A couple of things. One is agility, in terms of being able to deploy to two
adjacent countries, if one country has a major outage. That means ease of access to a
payments-grade network -- without having to go through and put in hardware, which will
invariably fail.
Also, the ability to scale quickly. There is an expected peak season for payments, such
as around the Christmas holidays. But there could be an unexpected peak season
based on bad news -- not a peak season, but a peak day. How do you go through and
have your systems scale within one country that wasn’t normally producing a lot of
transactions? All of a sudden, now it’s producing 18 times the amount of transactions.
Those types of things give us a different development paradigm. We have a lot of
developers. A [common cloud approach] would give us consistency, and the ability to be
clean in how we automate deployment; the testing side of it, the security checks, etc.
Before, there were a lot of different ways of doing development, depending on the
language and the target. Bringing that together would allow increased velocity and
reduced cost, in most cases. And what I mean by “most cases” is I can use only what I
need and scale as I require. I don’t have to build for the worst possible day and then
potentially never hit it. So, I could use my capacity more efficiently.
Gardner: Robert, it sounds like major financial applications, like a global real-time
payment solution, are getting from the cloud what startups and cloud-native
organizations have taken for granted. We’re now able to take the benefits of cloud to
some of the most extreme and complex use cases.
Cloud-driven global agility
Christiansen: That’s a really good observation, Dana. A healthcare organization could
use the same technologies to leverage an industrial-strength transaction platform that
allows them to deliver healthcare solutions globally. And they could deem it as a future-
proof infrastructure solution.
One of the big advantages of the public cloud
has been the isolation of all those things that
many central IT teams have had to do day-in
and day-out. That is to patch releases,
upgrade processes, constantly looking at the
refresh. They call it painting the Golden Gate
Bridge – where once you finish painting the
bridge, you have to go back and do it all over again. And a lot of that effort and money
goes into that refresh process.
And so they are asking themselves, “Hey, how can we take our $3 or $4 billion IT spend,
and take x amount of that and begin applying it toward innovation?”
And if someone can take a piece out of that equation, all things are eligible. Everyone is
asking the same question, “How do I compete globally in a way that allows me to build
the agility transformation into my organization?” Right now there is so much rigidity, but
the balance against what Paolo was talking about -- the industrial-grade network and
transaction framework -- to get this stuff done cannot be relinquished.
So people are asking a lot of the same questions. They come in and ask us at CTP,
“Hey, what use-cases are actually in place today where I can start leveraging portions of
the public cloud so I can start knocking off pieces?”
Paolo, how do you use your existing infrastructure, and what portion of cloud
enablement can you bring to the table? Is it cloud-first, where you say, “Hey, everything
is up for grabs?” Or are you more isolated into using cloud only in a certain segment?
Follow a paved path of patterns
Pelizzoli: Obviously, the endgame is to be in
the cloud 100 percent. That’s utopian. How do
we get there? There is analysis being done. It
depends if we are talking about real-time
payments, which is actually more prepared to
go into the cloud than some of the core processing that handles most of North America
and Europe from an individual credit card or debit card swipe. Some of those core
pieces need more rewiring to take advantage of the cloud.
When we look at it, we are decomposing all of the legacy systems and seeing how well
they fit in to what we call a paved path of patterns. If there is a paved path for a specific
type of pattern, we put it on the list of things to transition to, as being built as a cloud-
native service. And then we run it alongside its parent for a while, to test it, through
stressful periods and through forced chaos. If the segment goes down, where does it flip
over to? And what is the recovery time?
The one thing we cannot do is in any way increase latency. In fact, we have some very
aggressive targets to reduce latency wherever we can. We also want to improve the
recovery and security of the individual components, which we end up calling value-
added services.
There are some basic services we have to provide, and then value-added services,
which people can opt in or opt out of. We do have a plan and strategy to go through and
prioritize that list.
Gardner: Paolo, as you master hybrid cloud, you must have visibility and monitoring
across these different models. It’s a new kind of monitoring, a new kind of management.
What do you look to from CTP and HPE to help attain new levels of insight so you can
measure what’s going on, and therefore optimize and automate?
Pelizzoli: CTP has been a very good and integral part of our first steps into the cloud.
Now, I will give you one disclaimer. We have some companies that are Mastercard
companies that are already in the cloud, and were born in the cloud. So we have
experience with AWS, we have experience with Azure, and we have some experience
with Google Cloud Platform.
It’s not that Mastercard isn’t in the cloud already, it is. But when you start taking the
entire plant and moving it, we want to make sure that the security controls, which CTP
has been helping ratify, get extended into the cloud -- and where appropriate, actually
removed, because there are better ones in the cloud today.
Extend the cloud management office
Now, the next phase is to start building out a cloud management office. Our cloud
management office was created early last year. It is now getting the appropriate checks
and audits from finance, the application teams, the architecture team, security teams,
and so on.
As that list of prioritized applications comes through, they have the appropriate paved
path, checks, and balance. If there are any exceptions, it gets fiercely debated and will
either get a pass or it will not. But even if it does not, it can still sit within our on-premises
version of the cloud, it’s just more protected.
As we route all the traffic, that is where there is going to be a lot of checks within the
different network hops that it has to take to prevent certain information from getting
outside when it’s not appropriate.
Gardner: And is there something of a wish list that you might have for how to better fulfill
the mandate of that cloud management office?
Pelizzoli: We have CTP, which HPE purchased along with RedPixie. They cover,
between those two acquisitions, all of the public cloud providers.
Now, the cloud providers themselves are selling you the next feature-function to move
themselves ahead of their competitor. What CTP and RedPixie are doing is they take the
common denominator across all of them to make sure that you are not overstepping
promises from one cloud provider into another cloud provider. You are not thinking that
everybody is moving at the same pace.
They also provide implementation capabilities, migration capabilities, and testing
capabilities through the larger HPE organization. The fact is we have strong
relationships with Microsoft and with Amazon, and so does HPE. If we can bring the
collective muscle of Mastercard, HPE, and the cloud providers together, we can move
mountains.
Gardner: We hear folks like Paolo describe their vision of what’s possible when you can
use the cloud providers in an orchestrated, concerted, and value-added approach.
Other people in the market may not understand what is going on across multi-cloud
management requirements. What would you want them to know, Robert?
O brave new hybrid world
Christiansen: A hybrid world is the true reality. Just the complexity of the enterprise,
no matter what industry you are in, has caused these application centers of gravity. The
latency issues between applications that could be moved to cloud or not, or impacted by
where the data resides, these have created huge gravity issues, so they are unable to
take advantage of the frameworks that the public clouds provide.
So, the reality is that the public
cloud is going to have to come down
into the four walls of the enterprise.
As a result of that, we are seeing an
explosion of the common
abstraction -- there is going to be
some open sourced framework for
all clouds to communicate and to
talk and behave alike.
Over the past decade, the on-premises and OpenStack world has been
decommissioning the whole legacy technology stack, moving it off to the side as a
priority, as they seek to adopt cloud. The reality now is that we have regional,
government, and data privacy issues, we have got all sorts of things that are pulling it all
back internally again.
Out of all this chaos is going to rise the phoenix of some sort of common framework.
There has to be. There is no other way out of this. We are already seeing organizations
such as Paolo’s at Mastercard develop a mandate to take the agile step forward.
They want somebody to provide the ability to gain more business value versus the
technology, to manage and keep track of infrastructure, and to future-proof that platform.
But at the same time, they want a technology position where they can use common
frameworks, common languages, things that give interoperability across multiple
platforms. That’s where you are seeing a huge amount of investment.
I don’t know if you recently saw that HashiCorp got $100 million in additional funding,
and they have a valuation of almost $2 billion. This is a company that specializes in
sitting in that space. And we are going to see more of that.
And as folks like Mastercard drive the requirements, the all-in on one public cloud
mentality is going to quickly evaporate. These platforms absolutely have to learn how to
play together and get along with on-premises, as well as between themselves.
Gardner: Paolo, any last thoughts about how we get cloud providers to be team players
rather than walking around with sharp elbows?
Tech that plays well with others
Pelizzoli: I think it’s actually going to end up being that a lot more of the technology that’s
being allowed to run on these cloud platforms is going to take care of it.
I mentioned Kubernetes and Docker earlier, and there are others out there. The fact that
they can isolate themselves from the cloud provider itself is where it will neutralize some
of the sharp elbowing that goes on.
Now, there are going to be features that keep coming up that I think companies like ours
will take a look at and start putting workloads where the latest cutting-edge feature gives
us a competitive advantage and then wait for other cloud providers to go through and
catch up. And when they do, we can then deploy out on those. But those will be very
conscious decisions.
I don’t think that there is a one cloud fits all, but
where appropriate we will go through and be
absolutely multi-cloud. Where there is a defining
difference, we will go through and select the cloud
provider that best suits in that area to cover that
specific capability.
Gardner: It sounds like these extreme use cases and the very important requirements
that organizations like Mastercard have will compel this marketplace to continue to
flourish rather than become a one-size-fits-all. So an interesting time that we are seeing
the maturation of the applications and use cases actually start to create more of a
democratization of cloud in the marketplace.
I’m afraid we will have to leave it there. We’ve been exploring how a major financial
transactions provider is exploiting cloud models to extend and distribute real-time
payments capacity across the globe. And we have learned how the need for localized
data storage and privacy regulations, compliance, and lightning-fast transaction speeds
are pushing the boundaries of what cloud solutions can do.
So please join me in thanking our guests, Paolo Pelizzoli, Executive Vice President and
Chief Operating Officer at Realtime Payments International for Mastercard. Thank you
so much, Paolo.
Pelizzoli: Thank you very much. I really appreciate it.
Gardner: And we have also been joined by Robert Christiansen, Vice President and
Cloud Strategist at Cloud Technology Partners, a Hewlett Packard Enterprise Company.
Thank you, Robert.
Christiansen: Thank you so much. I appreciate it.
Gardner: And a big thank you as well to our audience for joining this BriefingsDirect
Voice of the Customer hybrid IT and cloud computing strategies interview.
I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing
series of Hewlett Packard Enterprise-sponsored discussions. Thanks again for listening.
Please pass this along to your IT community, and do come back next time.
Copyright Interarbor Solutions, LLC, 2005-2019. All rights reserved.