NAB has revealed for the first time how it secured the Australian Prudential Regulation Authority’s blessing to operate in the cloud at scale.
Head of monitoring, analytics and diagnostics Oliver Murphy told a Splunk conference in the United States last week that the bank’s Cloud Adoption Standards and Techniques (CAST) - previously framed as a way for the bank itself to keep cloud workloads in check - was also central to getting APRA onside.
APRA’s stance on cloud has long been risk-averse and a dampener on the plans of banks and other finance industry participants wanting to shift onto cloud infrastructure.
When NAB shifted its first workload into AWS - which Murphy revealed was the bank’s Splunk enterprise monitoring environment - it had to prove to APRA that it could be migrated safely.
“The pain point we faced in 2017, being the first service into AWS, is we had to prove to APRA …[and] literally write documents that would have been stacked halfway up [the height of a] table,” Murphy told Splunk’s .conf19 conference in Las Vegas.
“[This comprised] architecture diagrams and lots of evidence of how we were going to migrate, how we were going to hold this data and keep [everything] secure.
“I had three or four people working on it for about six months.
“We obviously got [APRA’s] endorsement, but it just showed that in those days, that was the amount of effort and resources required to just put one workload into AWS in Australia in the banking sector.
“It was really painful.”
With the bank hoping to move 35 percent of its 2500-odd enterprise applications into the cloud, it needed to find a better way to work with APRA.
“We needed to change the way we went about attesting to APRA of how we will look after and manage this service in AWS,” Murphy said.
“We had to think differently and we came up - not me personally, but collectively there were some good smart people in the bank - with a framework that basically replaced the need to evidence 15,000 pages worth of documentation.”
That framework is CAST.
The nature of CAST was only revealed publicly at an AWS executive forum in Sydney earlier this year - and even then, it was not presented as the way that NAB established comfort with APRA to run cloud-based workloads at scale.
At that point, CAST was positioned as a way for the bank itself to “programmatically define how we run our workloads in the cloud” - a series of automated checks run against any cloud-bound code to ensure it complied with security controls and internal standards.
Murphy confirmed that “the idea of CAST was to enable high velocity frictionless migrations of apps from an on-premises solution to the cloud.”
But, he said, “it [also] stopped us having to go to APRA for every work case.”
“It basically enabled us to bulk load and bulk submit to APRA,” he said.
“What APRA were happy about [with] CAST is that we were basically becoming self-governing, self-auditing on the level of requirements that they would expect of us ourselves.
“From a six month process, we're getting it down to effectively roughly about a week's worth of work, and a lot of what we're trying to do now is to automate [that].”
CAST ensures cloud-bound code meets certain principles and standards, using specified techniques.
The six overarching principles that CAST addresses are security, architecture, DevOps and delivery, business continuity, service management and data management.
“To give you an example, security would be a principle, event logging or security logging would be a standard, and the technique is how you evidence that by basically showing a screenshot or pointing out how you have your logs in your index in Splunk,” Murphy said.
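The principle / standard / technique layering described above lends itself to a policy-as-code gate: each technique is an automated check run against a workload definition before it is allowed into the cloud, and the output of those checks is the evidence that gets bundled up and submitted in bulk. The following is an added illustration of that shape and is not NAB's CAST code; the control names, the workload schema, the thresholds (such as 365 days of log retention) and the two sample workload definitions are all constructed for the example.

```python
"""Illustrative compliance-as-code gate: principles -> standards -> techniques.

Added example, not NAB's CAST. Every control, threshold and the workload
schema below are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Callable

Workload = dict  # a parsed workload definition (constructed JSON-like dict)


@dataclass(frozen=True)
class Control:
    principle: str   # e.g. "security"
    standard: str    # e.g. "security logging"
    technique: str   # how the check produces its evidence
    check: Callable[[Workload], tuple[bool, str]]  # (passed, evidence string)


@dataclass(frozen=True)
class Finding:
    principle: str
    standard: str
    passed: bool
    evidence: str


def _get(w: Workload, *path, default=None):
    """Safe nested lookup so a missing key is a failed check, not a crash."""
    cur = w
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


# Techniques: each returns (passed, evidence). Thresholds are assumed values.
def security_logging(w):
    enabled = _get(w, "logging", "enabled", default=False)
    retention = _get(w, "logging", "retention_days", default=0)
    return bool(enabled) and retention >= 365, f"logging.enabled={enabled}, retention_days={retention}"


def encryption_at_rest(w):
    volumes = _get(w, "storage", default=[])
    unencrypted = [v.get("name", "?") for v in volumes if not v.get("encrypted", False)]
    return not unencrypted, f"unencrypted volumes: {unencrypted or 'none'}"


def multi_zone(w):
    zones = _get(w, "availability_zones", default=[])
    return len(zones) >= 2, f"availability_zones={zones}"


def backups(w):
    enabled = _get(w, "backup", "enabled", default=False)
    return bool(enabled), f"backup.enabled={enabled}"


def owner_tag(w):
    owner = _get(w, "tags", "owner")
    return bool(owner), f"tags.owner={owner!r}"


def data_classification(w):
    cls = _get(w, "tags", "data_classification")
    return cls in {"public", "internal", "confidential", "restricted"}, f"tags.data_classification={cls!r}"


# Assumed control catalogue mapped onto the six principles named in the article.
CONTROLS = [
    Control("security", "security logging", "logging enabled, retention >= 365 days", security_logging),
    Control("security", "encryption at rest", "every storage volume flagged encrypted", encryption_at_rest),
    Control("architecture", "multi-zone deployment", "at least two availability zones", multi_zone),
    Control("business continuity", "backups", "backup enabled on the workload", backups),
    Control("service management", "service ownership", "owner tag present", owner_tag),
    Control("data management", "data classification", "classification tag from allowed set", data_classification),
]


def evaluate(w: Workload) -> list[Finding]:
    """Run every technique and keep its evidence, pass or fail."""
    return [Finding(c.principle, c.standard, *c.check(w)) for c in CONTROLS]


def gate(w: Workload) -> tuple[bool, list[Finding]]:
    """The deploy gate: True only when every control passes."""
    findings = evaluate(w)
    return all(f.passed for f in findings), findings


def failed_standards(w: Workload) -> list[str]:
    return sorted(f.standard for f in evaluate(w) if not f.passed)


# Constructed sample workload definitions.
COMPLIANT_WORKLOAD = {
    "name": "monitoring-indexer",
    "availability_zones": ["ap-southeast-2a", "ap-southeast-2b"],
    "logging": {"enabled": True, "retention_days": 400},
    "storage": [{"name": "index", "encrypted": True}],
    "backup": {"enabled": True},
    "tags": {"owner": "platform-team", "data_classification": "confidential"},
}
NONCOMPLIANT_WORKLOAD = {
    "name": "scratch-app",
    "availability_zones": ["ap-southeast-2a"],
    "logging": {"enabled": True, "retention_days": 30},
    "storage": [{"name": "data", "encrypted": False}, {"name": "tmp", "encrypted": True}],
    "backup": {"enabled": False},
    "tags": {"owner": "someone"},
}

if __name__ == "__main__":
    for w in (COMPLIANT_WORKLOAD, NONCOMPLIANT_WORKLOAD):
        ok, findings = gate(w)
        print(f"{w['name']}: {'PASS' if ok else 'FAIL'}")
        for f in findings:
            print(f"  [{'ok' if f.passed else 'XX'}] {f.principle} / {f.standard}: {f.evidence}")
```

The evidence strings are the point: each finding records what was observed, not just pass/fail, so the same run that blocks a non-compliant deployment also produces the per-control attestation an auditor would otherwise have asked for in a document.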