Capital One, Monzo Bank, and the National Australia Bank are examples of financial services customers running mission critical workloads on AWS. AWS provides the security, reliability, performance, experience, and scale needed for these workloads. Mission critical workloads require high availability, security, and resilience. On AWS, customers can build fault-tolerant and secure architectures across multiple availability zones for their critical applications and data.
4. What You Will Learn
Walk through the best practice for deploying business critical applications
Dive deep into fault tolerant and high performance architectures
Learn about securing sensitive data and workloads in the AWS cloud
5. Agenda
Why are customers running mission critical applications on AWS?
What type of mission critical workloads are our customers running on AWS?
Building a mission critical workload
Networking
Security
Audit
Resilience
6. Example of 3 FSI customers running mission critical workloads on AWS
7. Customer Success Story
Capital One is using AWS as a central part of its technology strategy. As a result,
the bank plans to reduce its data center footprint from eight to three by 2018.
Capital One is one of the nation’s largest banks and offers credit cards, checking
and savings accounts, auto loans, rewards, and online banking services for
consumers and businesses. It is using or experimenting with nearly every AWS
service to develop, test, build, and run its most critical workloads, including its
new flagship mobile-banking application.
“The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers.”
– Rob Alexander, CIO Capital One
8. Customer Success Story
“Alexa, ask Capital One, when is my auto loan due?”
“Alexa, ask Fidelity to get me a market update.”
9. “At Monzo, we’re building a banking system from scratch.”
Mobile-first bank
New cloud based core banking systems
Bank License (UK)
Monzo is a mobile-first bank in the UK, launched in summer 2016. Authorized and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
“I use Google maps. I use Uber. I use Amazon. I use WhatsApp. I use Slack. All of these things live on my home screen and make my life better, and it feels like I’m living in the future, and that feeling is amazing. … I can’t even remember the last time I opened my bank app…. and my bank can’t tell me what my balance is…”
– Tom Blomfield, CEO Monzo
10. Customer Success Story
“With NAB.com.au on Amazon we know that with increased demand the system will scale itself and for every change that we put through the platform we’ve tested it – we’ve safely removed those thresholds. So no calls, no SMSes. … There are tens of billions of dollars that go through the bank every day, it is a very stressful job, so if there is anything I can do to make that job easier I will”
– David Broeren, head of the digital and online channels, NAB
National Australia Bank, NAB, is one of the four largest financial institutions in Australia in terms of market capitalization and customers.
12. Security
A few of our many certifications:
Secured premises
Secured access
Built-in firewalls
Unique users
Multi-factor authentication
Private subnets
Encrypted data storage
Dedicated connection
13. Security is shared between AWS and Customers
Customers are responsible for their security IN the Cloud:
Customer Content
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client and Server Encryption
Network Traffic Protection
Encryption Key Management
AWS looks after the security OF the platform:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
14. AWS Global Infrastructure
Over 1 million active customers across 190 countries
2,000+ government agencies
5,000+ educational institutions
14 regions (+4)
38 availability zones (+9)
63 edge locations
18. Why run critical workloads on AWS
Security & Reliability: Security in layers approach and 99.95% application SLA
Performance: Extensive VM and network performance options
Experience: Building and managing cloud since 2006
Scale: 14 regions, 38 availability zones, 63 edge locations
Ecosystem: Thousands of partners; 2,500+ Marketplace products
20. Anatomy of a critical workload
Secure: Holds sensitive data, liability if breached or deleted
Material Impact: >100 Users, > $10K per minute, Contractual Liability
Resilient: Loss of data, destruction of IP, productivity penalty
Available: Large scale customer impact if not available
22. What Are Financial Institutions Doing & Key Areas Where AWS Can Help
Retail & Commercial Banking
Wealth Management
Private Banking
Capital Market & Investment Banking
Insurance
Online Banking Mobile Banking
Robo Advisor
Online Insurance
Mobile Insurance
Robo Advisor
Digital Marketing
Online Trading
Mobile Trading
Web Sites
Chat bot
Customer Analytics Sentiment Analytics
Digital Marketing Digital Marketing
Device Farm
Customer Analytics
Biometrics
Digital Analytics
AML
Dev & Test DR CyberSecurity Storage VDI Data Warehouse
Risk Calculation Stress Test Fraud Detection Pricing Calculation Core Systems
Infra
HPC
Core
IoT
Representative sample of use cases
23. Example: CyberSecurity
Growing concern requiring more and more computing resources
Big data discussions – huge amounts of logs
Machine learning – behavior analysis
24. Example: Core Systems
• First bank in the UK to use the cloud for its
core systems
• … most of the large banks spend 85 per cent
of their time and resources on “making do
and mending” when it comes to IT and just
15 per cent on taking their systems
forward and upgrading them
• “This development is proof of the regulator’s
willingness to do that and will open up the
opportunity for other financial institutions
to follow suit.”
26. Customer Success Story
• The bank envisages extending its usage of AWS over time and may shift up to 50% of its compute workload to cloud within a two-year period.
• AWS gives DBS the flexibility to rapidly scale the capacity of its computing grid up or down, without having to make provisions for permanent overcapacity
• DBS has worked to ensure the implementation meets the requirements of the Monetary Authority of Singapore’s Technology Risk Management guidelines
27. Key Enablers
Enterprise Agreement: Commercial and Legal; Data Sovereignty; Regulation; Liability and IP Ownership
Direct Connect: Private Link to AWS; Non-Public Applications; Cost Reduction; Public Endpoint Access
Enterprise Support: Proactive Engagement; Infrastructure Event Management (IEM); 15 Minute Response; Proactive Support
28. Payer and Linked Accounts
[Diagram: Master Consolidated Billing AWS Account (Consolidated Billing payer account owner); Production AWS Account and Non-Production AWS Account (each a Consolidated Billing linked account owner); Cross Account Role; IAM User; IAM User (billing)]
29. Build a mission critical workload and see what it looks like in AWS
30. [Architecture diagram: VPC with CIDR Block 10.0.0.0/16; VPC Subnets in Availability Zone 1 and Availability Zone 2; Elastic Load Balancing; S3; Internet; Virtual Private Gateway; VPN Connection; Customer Gateway; Customer Data Center. Addresses shown: 10.0.0.5, 10.0.0.6, 10.0.0.7, 10.0.0.8, 10.0.3.5, 10.1.0.5, 10.1.0.6]
31. Did we hit our objectives?
Encrypted EBS, IPSEC VPN, Security Groups
No Data Loss, Encryption, Auto-Healing
Replicated DB, Dual AZ, 99.999999999% S3, Auto-Recovery
Two AZ, Auto scale, Elastic Load Balancing
Material Impact
Resilient
Available
Secure
32. AWS CloudTrail
You are making API calls...
On a growing set of services around the world…
AWS CloudTrail is continuously recording API calls…
And delivering log files to you
33. Out of the box…
HTTP and HTTPS requests logged with ELB Logging
API and Console calls logged with CloudTrail Logs
Network traffic logged with VPC Flow Logs
VPC change history logged with AWS Config
IAM policy and user changes logged with AWS Config
Application level metrics logged with CloudWatch Logs
35. Environment Setup
[Diagram: six virtual private clouds (Shared, Development, Test, Pre-Prod, Production, Audit); AWS Directory Service; corporate data center with AD; customer gateway; VPN connection; VPN gateway; flow logs; AWS CloudTrail]
36. How much does security cost?
Feature Cost
Amazon VPC $0
VPC Security Groups $0
AWS Identity & Access Management (IAM) $0
AWS Security Token Service (STS) $0
AWS CloudTrail (service) $0
VPC Flow Logs $0
TLS-enabled AWS API access $0
37. Summary
Tools to secure your workload
Protect your data through encryption
Operate the way you want
A mission critical workload is more resilient, available and secure when using
the AWS cloud. By leveraging our platform you can connect your critical
applications seamlessly to systems running in AWS.