I've heard how Amex can be from a friend who has them as a client. They refuse to let her host their instance of her product on AWS because Amex's security team supposedly hasn't vetted AWS yet. This despite the kinds of customers Amazon already hosts on AWS (the CIA comes to mind). Not to mention that she has several other very large banks as clients that don't have a problem at all being hosted on AWS. Or that exactly zero of the data she deals with is in any way related to sensitive customer data because the product is used by Amex's marketing department.

As an Amex customer I'm glad to know they have strict requirements, but the fact is, they're shunning a massive cloud infrastructure service like AWS over a piddly little local co-located hosting company.




This is the story of many "enterprise" companies, sadly. Some I work for, and while they are slowly changing, I would not say their own data centers (yes, read: data centers) are "little co-located hosting" companies. Usually they are entire departments, with entire budgets and multiple facilities, with many people's jobs within that.

So while for the developer, moving things to AWS is a no-brainer, a time-saver, and a money-saver to the company, the amount of politics, and change, is so large these behemoths of companies are the last to consider it.

Security is a valid piece, but also a political move to keep the money from changing hands too rapidly.


Also not necessarily a no-brainer on cost:

http://www.prweb.com/releases/2016/10/prweb13764156.htm

"But where labor efficiency is greater than [400 VMs per engineer], OpenStack becomes more financially attractive. In fact, past this tipping point, all private cloud options are cheaper than both public cloud and managed private cloud options."

This study does ignore the services supplied on top of basic compute, however.


Disregarding cost (haha) is OpenStack actually attractive to use? I was under the impression it was a bit of a bear to deploy and operate (my previous employer gave up, though I strongly suspect the project was never resourced properly in the first place).


Depends on what you mean by "attractive"...

Are any cloud providers' UIs good? OpenStack provides decent APIs and a usable UI, and I much prefer the CLIs OpenStack has to AWS's.


Hmm. I've heard that also with AWS you can collect quite hefty bills easily. In fact I've heard stories that some startups have failed or had lots of problems because they've been using AWS too carelessly.


Certainly, although that's bound to happen with anything that offers easy scaling. If you put your build artifacts on S3, it just works... all the way up into petabytes. You skip all the intermediate steps you'd otherwise have (like having to get purchase orders signed for petabytes worth of hard drives).

Also, in AWS' defense, you won't hear stories about startups using them and having expensive developers sitting on their hands waiting for hardware. Probably a lot of startups only start (or get funding) because of the low barrier to entry AWS provides.


I'm pretty sure Amazon built an isolated region specifically for sensitive government workloads. I don't think public cloud security or regulatory compliance is a given even though the workloads you talk about seem fine for it.

Here it is: https://aws.amazon.com/govcloud-us/


As I understand it there are actually two US government AWS clouds. GovCloud is for ITAR-regulated stuff that can still connect to the public internet (non-classified or confidential). The CIA stuff is hosted in a separate airgapped facility (called C2S) for the US Intelligence Community with connections to various airgapped networks. One can get their software listed in the marketplace for either or both, but to get listed in the latter you have to do a bunch of extra work.

http://fortune.com/2015/06/29/intelligence-community-loves-i...


I work in finance and this is frustrating for sure. Unfortunately if Netflix loses account data who cares. But if we lose customer account data it's off to the races to see how much money regulators can drum out of us for not being secure enough. Even if that isn't a real threat, it's a real fear. Now I'm not arguing for or against regulation here, but just you wait until Mint.com or one of these new investment apps get hacked and watch what happens.


I'm going to call BS. At least in the UK banks screw up all the time and never get more than a slap on the wrist. The mobile apps put out are hilariously insecure and get hacked. Payment processors go down. [0]

Often, it seems like the only defence saving these idiots is that skiddies don't have a clue about mainframes.

[0] e.g. http://search.theregister.co.uk/?q=rbs


Service failure and data breach are two separate matters. If a UK bank were to suffer a major breach they would be fined heavily by the ICO. Right now limits are at £500k but with the new General Data Protection Regulation potential fine levels will increase steeply...


What, like TalkTalk? Or the police for that matter, who routinely lose sensitive information.

I agree, as long as fines are lower than the CEO's salary + bonuses, these "fines" remain laughable. But based on these other cases, it's unlikely that the ICO would or could do anything to severely impact how a bank operates, which makes them toothless.

As for telling the ICO, well the deputy director of the National Cyber Security Centre (NCSC, part of GCHQ) explicitly said he won't tell ICO if people report breaches to him... so I wouldn't cross my fingers.


I know the lawyer who likely makes those kinds of calls for Amex. Let's just say he's not someone I would hire. It's generally a really bad place in my experience, which is from a number of angles and timeframes. I left them as a customer years ago after getting a glimpse of what's happening inside.


Not just Amex, I work for HSBC in investments. I've been desperately fighting to get even access to AWS as I need to run some machine learning GPU instances and would also love to have a much better server environment for some of my other internal apps here (which are shockingly supported by our outsourced, under-resourced and utterly useless IT function)...

Unfortunately, even though my department are more than happy to budget any money for AWS, IT, Internal Security, Risk etc. are all blocking the path, saying they haven't vetted or onboarded Amazon, and that they're working on their own internal cloud so that we can do similar things (I've tried this "internal cloud"; it's beyond useless. Slow and locked down more than Guantanamo, so you can't actually do anything with it).


The payment processing industry is very heavily regulated; moving your infrastructure to a new solution is extremely costly from the audit/compliance perspective, and in some cases it's downright impossible to move to "the cloud" because of the physical access restrictions etc. To my knowledge all of the big boys - V, MC, AmEx, Discover - host their own infrastructure (or partner with certified data centers).

That "piddly little local co-located hosting company" (whoever they are) is subject to some pretty intense level of scrutiny and has to pass gazillions of tests outside of your normal hosting SLA stuff just to claim that they are compliant.


> They refuse to let her host their instance of her product on AWS because Amex's security team supposedly hasn't vetted AWS yet. This despite the kinds of customers Amazon already hosts on AWS (the CIA comes to mind).

From my dealings with pharma companies, I will point out one thing.

For things where they have to follow regulations around privacy, they won't let you host your software on AWS for them to use.

They will have their in house team set up your software on AWS for them to use.

Setting it up themselves allows them to guarantee all the regulatory requirements are being met. The CIA isn't using Joe Schmoe's amazon instance, they spin up their own machines and install the software there.


"piddly little local co-located hosting company" uh, no - they use Akamai and Cloudflare for CDNs... Have any facts to back this up?


The CIA site was completely separate from AWS. It's even separate from GovCloud. They are worlds apart from what your friend can get.
