NAB has hit a major milestone in its cloud migration journey, with the big four’s enterprise technology chief Steve Day revealing 40 per cent of its apps have now been moved to the cloud. However, the biggest hurdles lie ahead for the bank, with more “material apps”, including customer-facing transaction and some core banking operations, still to make the shift to cloud.
Speaking as the headline speaker at FST’s Future of Financial Services, Melbourne, Day said the bank had so far migrated around 40 per cent of its 2,200 apps to its dual-hosted, multi-cloud system, reaching the halfway point of its M1K cloud migration program, which promises to deliver “80 per cent of apps to the cloud by 2023”.
Announced in July this year, M1K, NAB’s cloud partnership deal with Microsoft, promises to deliver “1,000 apps in 1,000 days” to the bank’s multi-cloud, no doubt softening the landing for its more operation-critical applications still to make their way across.
An initial “30 apps in 50 days” goal set and hit in late 2018 was the prelude to M1K, according to Day, setting NAB’s migration train well and truly in motion.
While comparatively less ambitious (and, admittedly, with only “nonmaterial” apps at stake), for Day, the ‘30 in 50’ proved a catalyst for change within the organisation, helping to break the cultural “inertia” that had stymied the wholesale embrace of cloud.
“It’s a daunting task when you start with 2,200 applications in the data centre and you’re planning to move to the cloud,” he said.
By proving the bank could do migration at pace, NAB’s cloud team were able to pursue a more aggressive migration play, laying the “building blocks” for larger scale and more ambitious cloud ventures.
Through this time, Day said, the bank was able to build “18 reusable patterns”, as well as a “lot of necessary security standards and the compliance standards”.
Compliance as code
For Day, this initiation period laid the groundwork for the bank’s rapid compliance capability, allowing the bank to effectively automate regulatory obligations for its tech stack through cloud.
“We’ve become far more agile. We can start to codify a lot of the processes, ones that used to be done manually, with ‘infrastructure as code’, which is what cloud is really about.”
“You can start to bring so much more automation into the future of what you’re building.”
This ‘infrastructure as code’ (IaC) model has allowed the bank to codify governance, effectively removing humans from the tedious compliance process.
IaC, a DevOps-backed process, shifts the management and provision of hardware and software changes from a manual approvals process (through human-generated ‘tickets’) to an automated process, supporting rapid changes in the technology stack.
“So many of the checks that used to be done by people with clipboards – the auditing and making sure we were following the right processes in terms of deploying IT – have now been automated.”
Day said the bank is not only “far less prone to human errors” through this IaC process but is also able to pursue governance checks around the clock.
“You can make sure that every time we think of and create a new governance check, it can be codified and built into our systems and basically stay there and evolve like any other software element.”
This ‘continuous compliance’ model has shaped NAB’s own automated, cloud-specific governance framework process, known as CAST: cloud adoption standards and techniques – a framework that has allowed NAB to deliver regulatory approvals for tech changes at breakneck pace.
Working in partnership with APRA, Day said, NAB’s CAST framework serves as a “comprehensive governance structure, specifically targeting our cloud environments”.
“It takes into account that all of our services will back into cloud; it then takes all of our security and compliance and fully automates it.”
“We’ve got it in a way that we can now show regulators exactly what controls we have, and what standards and techniques we use to implement those controls. [It also shows] how we can provide data on exactly what we’re seeing as a result of running those checks on a regular basis”.
“It’s given us a lot more confidence that things are running well and a lot more confidence that we’re not exposed to the typical errors that humans can introduce now.”
According to Day, the framework has allowed NAB “to continually build on new versions of security and compliance, and continually and incrementally build more and more capability around that to make our system safe.”
Rapid compliance approval
One of the critical hurdles many organisations face in deploying new features rapidly and en masse is not so much organisational inertia, but external regulation.
The CAST system has already delivered tangible benefits at NAB’s front-end, allowing the bank to roll out 1,200 APIs, both internally and externally, during its cloud transition, Day said.
“Many of those APIs link to our customers to enable great integrations into their environments and really help them digitise their environments in a way that integrates with banking services.”
For NAB, “12 weeks of consultation with APRA for every material workload [being] put into the cloud” was clearly untenable.
Under the CAST framework, NAB was able to establish a ‘continuous compliance’ process with the regulator, giving it the power to expedite compliance “at scale”.
“We spent a lot of time with APRA explaining what we were doing, what the benefits were and how this would help,” Day said. “Eventually we reached an agreement [with APRA] that we would no longer need to consult on a per application basis.”
Day said the regulator appeared confident enough with NAB’s self-regulatory CAST framework that it moved from “a model of consultation to a model of notification”, with the stipulation that the bank must give notice within 30 days of an app migration event.
Multi-cloud = multi-vendor
While NAB’s joint venture with Microsoft, confirmed by the pair earlier this year, appeared a deliberate and decisive shift away from AWS – previously the bank’s sole cloud provider – Day confirmed NAB will continue to host its apps across both Amazon and Azure.
“All of [our] apps… will have multi-cloud capability,” Day confirmed.
“Being a bank, we’re not allowed to, nor do we want to pin the success of our business on any other business.”
“We have to make sure that all of our apps can run successfully in at least two cloud providers”.
This multi-vendor, multi-cloud framework has provided a critical failsafe for NAB, providing multiple software and data redundancies.
Based on NAB’s CAST ranking system, processes and operations are effectively classified based on their level of service criticality – from a multi-cloud treatments (MCT) level of 1 (least critical) through to 7 (most critical).
High priority apps (such as those supporting ledgers – an ‘MCT7’) would be required to run across both clouds “simultaneously”. In this case, recovery time would be instant.
“Should one cloud go away”, Day said, “there would, in fact, be no latency at all.”
Redundancy for critical applications (MCT 3-6) is maintained through ‘Pilot Light’, a cross-cloud failover system, allowing the system to effectively reboot services from secondary clouds.
According to Day, Pilot Light essentially “builds” apps across two clouds simultaneously, with data from the primary cloud “continually rehydrating the database in the second cloud”.
“If there is a failure in the first cloud, you’re not [having to] re-build, but simply switching on the second cloud… using a DNS and other mechanisms to move traffic across.”
Back-up or log-shipping schedules (hourly, daily or weekly) are, Day said, also based on the treatment level of the app.
Lessons for other Azure partners
While NAB’s cloud migration journey still has a considerable way to go, its partnership with Microsoft appears to have yielded some early wins for the bank. However, Day believes other Azure-linked banks could reap material benefit from NAB’s pioneering innovations.
Both Microsoft and NAB’s engineering teams have collaborated “well together”, he said, spinning out an array of financial services products “specifically for Azure that can be leveraged to create some real IP [intellectual property]”.
“This enables [Microsoft] to take what we’ve learned out of this and put it on the market to help other financial services customers move cloud products enabled by strict governance and strict security, and those that are really targeted at meeting the strict compliance and regulatory areas that we need to work in.”