Paul McEwen, Group Head of Infrastructure & Security Engineering and Cloud Strategy at UBS, a major Swiss bank, spoke at a public webinar to Julia White, Corporate Vice President Microsoft Azure, about security, governance and compliance in a highly regulated industry.
The key statements of Paul McEwen, Group Head of Infrastructure & Security Engineering and Cloud Strategy, UBS:
“In the legacy environment, we would take six to nine months to provision infrastructure, or six to nine months to put new networks in place. In today’s business world, that is just not acceptable for what we’re trying to achieve.”
“We have to be highly secure. Obviously, we have confidential data that we have to manage. As an example, I look after over 3,500 controls that I have to monitor for regulatory reporting. The good thing for us is that Microsoft has taken a step into that environment. There’s a lot of controls as of now we don’t have to do, we have to report on them, but then the controls are actually taken care of for us. If you look at it from an investment standpoint, Microsoft invests over one billion a year in security of the cloud. We could never invest that amount of money. So, we’re taking advantage of your investments, they help us to become more secure.”
“[…] you’ve [Microsoft] done a lot of the groundwork for us. You had your quarterly meetings with the regulators. You’ll come and meet the regulators with us. It just makes the journey so much easier, otherwise we’re starting from scratch.”
The transcript of the interview in the original language (slightly edited for better readability):
Julia White: Now coming up next, I have the pleasure of talking with a customer, UBS. UBS is the world’s largest wealth management company, a top tier investment banking and securities firm, and a key global asset manager. In Switzerland, UBS is the market leader in retail and commercial banking. I’m really pleased to welcome Group Head of Infrastructure & Security Engineering and Cloud Strategy for UBS, Paul McEwen. Paul, welcome.
Paul McEwen: Thanks for having me.
J.W.: Absolutely. Really appreciate your time. Being the world’s largest wealth management company, there’s an inherent complexity in what you’re doing with UBS and adopting the Cloud. I’d love to hear about your journey on this and how you started.
P.M.: Yes. If we’re honest, we started this journey probably five years ago. Five years ago, when I joined UBS, we started what we called the infra modernization program. If you look at the way the business has changed over the last 10 years, everything’s becoming more dynamic. If you are going to become a more dynamic business, you need to have more dynamic infrastructure, more dynamic applications, and a more dynamic way of actually fast fail, or fast test, etc., being in a quite amazing environment. In the legacy environment, we would take six to nine months to provision infrastructure, or six to nine months to put new networks in place. In today’s business world, that is just not acceptable for what we’re trying to achieve.
“In the legacy environment, we would take six to nine months to provision infrastructure, or six to nine months to put new networks in place. In today’s business world, that is just not acceptable for what we’re trying to achieve.”
J.W.: Clearly, innovation was one of the key drivers of the adoption of the cloud, but I assume there were other drivers, I’d love to hear about those.
P.M.: The drivers we look at are clearly that the business is becoming more dynamic. The environments we work in, we have to be able to fast fail any new innovation that we want to do. But also, then take the ability of the cloud to help us in some of that innovation. Then we have to look at it from the security perspective as well. As you can imagine, being a bank, we’re regulated all around the world by various different regulators. We have to be highly secure. Obviously, we have confidential data that we have to manage. As an example, I look after over 3,500 controls that I have to monitor for regulatory reporting. The good thing for us is that Microsoft has taken a step into that environment. There’s a lot of controls as of now we don’t have to do, we have to report on them, but then the controls are actually taken care of for us. If you look at it from an investment standpoint, Microsoft invests over one billion a year in security of the cloud. We could never invest that amount of money. So, we’re taking advantage of your investments, they help us to become more secure. But the first step for us was, we had to talk to the regulator. Talking to FINMA, FMBY, OCC, PRA, you know, I could mention 100 regulators. The first step was to work with them to educate them with what we were going to do. Make sure that they were comfortable with what we were choosing to do, and make sure they were fully informed on all of those things. Once we’ve done that, then obviously it comes to the internal business conversation. Whether it’s with our wealth management, whether it’s with asset management or with our investment bank. Talking about the opportunities that will then bring to the bank. Where once it gives us the hybrid and the hyperscale, but also the security perspective, and then the ability to change very fast, which is once again, as I mentioned, was very key to us.
“We have to be highly secure. Obviously, we have confidential data that we have to manage. As an example, I look after over 3,500 controls that I have to monitor for regulatory reporting. The good thing for us is that Microsoft has taken a step into that environment. There’s a lot of controls as of now we don’t have to do, we have to report on them, but then the controls are actually taken care of for us. If you look at it from an investment standpoint, Microsoft invests over one billion a year in security of the cloud. We could never invest that amount of money. So, we’re taking advantage of your investments, they help us to become more secure.”
J.W.: I want to go back for just a second. You mentioned earlier about this internal culture change, and that’s something I hear a lot about technology. The cloud is important, but also making sure your organization takes advantage of it in the right way and feels comfortable with that. I’d love to hear, obviously, you’ve done some great work in this area. What did that look like for you?
P.M.: The first thing is obviously working with my colleagues in the businesses from the technology side. What we’ve also done is that traditionally, what will happen is the infrastructure engineering group would engineer everything and say, right now you can use it. So, we built a nice ivory tower, then we say you can come and use our products now. What we did was, we said okay, then for MVP3, there’s say eight services that are required. I called my colleagues in the businesses, each to develop one of the services. They felt part of the solution and helping us actually reach the goal of getting to the cloud, rather than feeling like I’m being forced to go somewhere I don’t want to go. They’re part of the journey, they’re part of the solution. For me, the collaboration, and the working collectively together is one of the most important things you can actually do. Otherwise it’s just seen as another infrastructure program, which it’s not. This is the future of the bank.
“The first thing is obviously working with my colleagues in the businesses from the technology side. […] They’re part of the journey, they’re part of the solution. For me, the collaboration, and the working collectively together is one of the most important things you can actually do.”
J.W.: Absolutely. Now you talked about the compliance requirements, and auditing and needing to adjust that front. Obviously, you must have an enormous compliance requirement, being UBS. How do you manage that ongoing, not just kind of getting the regulators comfortable with the cloud, but now as you move forward, what’s that look like?
P.M.: I think the good thing for us is that, first of all, we have some of the tools that are available from Microsoft in the cloud that are actually very important to allow us to do that. If I look at log analytics, or Azure Event Monitor and how we can use Event Grid, Event Hub, etc., what it’s allowed me to do, first of all, is to take away some of the monolithic solutions I had in the first place which actually were very expensive. Then I’m just taking the events I need. If I use SOC as an example, so the security operations center, we will take alerts from Azure. We will feed those through into our use cases we use. We have about 237 use cases. We will feed those through into our SOC. What we’ve done is cut out the middleman. Before we had a huge monolithic middleman system which we no longer need. It’s made us a lot more efficient in the way we’re doing it, but also, it’s an ongoing process. And that’s the key about when you do this: you can’t take existing processes and say I’m just going to do them again. What we’ve done is taken every single control, we have looked at whether they are native within Azure; if they are, do they meet our compliance requirements? If yes, tick the box, we move on. If they don’t meet them right now, the great thing for us is working with Microsoft we’ve been out to get some features made available. So that helped us then say, right, now we can move these, and then we’re in ongoing conversations where today we may still have to use some of the on-prem stuff, but we’re working with Microsoft again. We say, right, we’re doing this on-prem today, but what the challenge is now, we can actually work on this within the Azure Stack as well, because if I require it as an FSI, lots of other people require exactly the same things.
“What we’ve done is cut out the middleman. Before we had a huge monolithic middleman system which we no longer need. It’s made us a lot more efficient in the way we’re doing it, but also, it’s an ongoing process.”
J.W.: You mentioned Azure Stack which brings me to Hybrid Cloud. I think you’ve been very intentional about your hybrid cloud and how you think about it and use it at UBS. I love to hear about your strategy in that area specifically.
P.M.: Yes, say for us one of our principles is that whenever we design and build in the Cloud, we must do exactly the same on-prem. If I’m running Azure, then I run Azure Stack on-prem. Whatever tools I run on top of that must be able to run on or off prem. Whether the development is on-prem or off-prem is exactly the same. That’s really important as well because if you’re making the cultural change, but you say well hang on a second, half of you can do it this way and half of you can do it that way, just doesn’t work for us. Then it also gives a lot more agility because once again I can use some of the services or I can spin up like I would in the Cloud on-prem as well. That’s a huge benefit for us. The next thing we’re working on which is currently under design is we want all developers to develop in the Cloud itself. So rather than having desktops sitting inside the offices or spinning up IaaS so they can develop there, we want them to actually build, develop in the Cloud, because once again it gets them used to developing in that way.
“The next thing we’re working on which is currently under design is we want all developers to develop in the Cloud itself. So rather than having desktops sitting inside the offices or spinning up IaaS so they can develop there, we want them to actually build, develop in the Cloud, because once again it gets them used to developing in that way.”
J.W.: Got it. I love that you’ve moved the development to Cloud first and then Cloud only. What about from a security management perspective, using things like Azure Security Center or Azure Monitor to have that single control plane? What does that look like? Is it able to achieve consistency on that at this point?
P.M.: Yeah. I mean, that’s one of the great things is where you can use Azure Center on or off prem. Now clearly when you use it on-prem, you have to manually install agents, etc. But it means it gives me a single view, a single pane of glass across our estate. I can use the same processes and techniques to do it. It’s one of the things that we’ve worked on as well, as part of the Hybrid Cloud and the move to Azure, is that we’ve created a different operating query. So rather than the typical operations that we call sysadmins, we’re now using developers and engineers. Their job is to highly automate everything, their job is to look at code. This is where some of the analytics we’re now getting from Azure really help. Because one, it gives you recommendations using the ML tool in the Azure Event Monitor, but also as well, we can look at some of the alerts or some of the things we’re seeing and make them highly automated. That’s a great thing about using Azure Security Center. It’s a great thing about doing on and off prem exactly the same.
“So rather than the typical operations that we call sysadmins, we’re now using developers and engineers. Their job is to highly automate everything, their job is to look at code. This is where some of the analytics we’re now getting from Azure really help. Because one, it gives you recommendations using the ML tool in the Azure Event Monitor, but also as well, we can look at some of the alerts or some of the things we’re seeing and make them highly automated.”
J.W.: Now as UBS, your requirements are incredibly high, maybe higher than most organizations on the planet. I was interested in those requirements you looked at and why you chose Azure for your Hybrid Cloud solution.
P.M.: As you can imagine it was a long conversation because there’s more than one Cloud provider. But the way we looked at it is first of all, we had to have hybrid. If Hybrid didn’t exist, that Cloud provider couldn’t be used. So that obviously takes one of the big providers out of play. We then said, over 40 percent of our estate is actually Microsoft. If you look at it from that perspective as well, that’s a large chunk of our estate is a Microsoft Office estate. The other thing that was key for me is that Microsoft is an enterprise company. Dealing with enterprises, I’ve worked with Microsoft now for 25 years. That was one of the big key things for us. The other thing we looked at is the work you’ve done with the regulators prior to people like UBS coming on board, you’ve done a lot of the groundwork for us. You had your quarterly meetings with the regulators. You’ll come and meet the regulators with us. It just makes the journey so much easier, otherwise we’re starting from scratch. Starting from scratch means the journey is another three, four years. You had done a lot of that pre-work which was so important to us.
“The other thing we looked at is the work you’ve done with the regulators prior to people like UBS coming on board, you’ve done a lot of the groundwork for us. You had your quarterly meetings with the regulators. You’ll come and meet the regulators with us. It just makes the journey so much easier, otherwise we’re starting from scratch.”
J.W.: I’m so glad to hear that was effective for you. Certainly, the intent on that front. Now, Paul, thank you so much for sharing your experiences, your wisdom, your perspective, and taking time to be with us today. I very much appreciate it.
P.M.: Thanks very much for your time. I appreciate it.