Pandemic seals Amex’s commitment to the cloud
Asked about his stress level during the COVID-19 pandemic, American Express’s Evan Kotsovinos says he was a 9 on a scale of 10 in March, and in April he came down to a 7.
One thing that helped settle the nerves of the card network’s global head of infrastructure? Amex’s adoption of cloud computing, which started a couple of years ago and has accelerated through the pandemic as it shifted a large part of its workforce into virtual mode.
“We have a whole company working from home now, including our front-line workers in the call centers, which was not historically a function that has worked from home at a significant level,” said Kotsovinos, who oversees a 4,500-member team that looks after Amex’s mainframes, data centers, cloud deployments and all IT processes.
Several applications had to be fine-tuned to work in people’s home networks, for instance. Kotsovinos’ team also quickly built some cloud-based monitoring tools.
“We had to invent and execute a lot of different things. … We believe in the power of the cloud,” he said.
American Express is not alone. A recent survey conducted by Refinitiv found that Wall Street banks’ investments in the public cloud will account for 48% of tech budgets in 2020. These banks and others are aiming to save money, pay only for the computing resources they consume and let a cloud vendor handle their spikes in volume.
During the quarantine, cloud-based online videoconferencing and collaboration tools have been effective, Kotsovinos said.
“If it weren’t for everyone at home using cloud-based services, the stress would be more extreme than this,” he said. “And the clouds have proven themselves to be effective and scalable.”
Productivity has been comparable to or higher than normal, he said. At American Express, workers may not go back to offices for several months.
“If a colleague is able to work effectively from home, we're not going to require anybody to come back to the office this year, and we're not going to be leaders in coming back to the office this year,” Kotsovinos said.
Why the commitment to cloud
When Kotsovinos talks about cloud computing, he’s talking about a form of hybrid cloud, where applications are built in secure containers — frameworks for developing and moving applications that have their own file systems, central processing units,and memory — and then deployed either within Amex’s private cloud or in one or more public clouds.
American Express's first reason for going to the cloud is for productivity and speed.
“In artificial intelligence, machine learning or data analytics, you get capabilities out of the box in the cloud that even just a couple of years ago, it would have taken teams of engineers months or years of work to build,” Kotsovinos said. “That's a super-powerful accelerator.”
It’s also looking for resilience.
“Being able to run the same application on multiple clouds gives you a level of resilience that is really hard to achieve without the cloud,” Kotsovinos.
The third benefit American Express seeks in the cloud is economics.
“We believe that the economies of scale of the cloud will drive significant advantage for us over time,” Kotsovinos said. “We're not interested in saying we're going to move 500 applications to the cloud next year. That's not how we look at it. We look at it in terms of business outcomes and how we maximize the outcomes from those three categories.”
Dedicated to Kubernetes
Kotsovinos declined to say which cloud vendors American Express works with. He did say the company has settled on Kubernetes's open-source software for managing containers.
“We use a number of different technologies that you would imagine we use, but our centerpiece is Kubernetes,” he said. “We're very opinionated. We really believe in open standards.”
Vendors like IBM/Red Hat have developed their own versions of Kubernetes, and Kotsovinos would like to see more compatibility among them.
“An interesting question for the industry is as you see more and more vendors developing their own flavors, if we end up with an ecosystem where everybody's Kubernetes is different, then how can you have portability between them?” he said. “Of course we'd like to see differentiation. We believe in partners and vendors offering value-added services for Kubernetes.”
But he would also like to see standardization, which would let users like American Express move workloads between clouds and applications in multiple clouds.
“We don't think it's mutually exclusive,” Kotsovinos said. “We don't think Kubernetes distributions need to diverge for differentiation to happen.”
Taking responsibility for security
There have been a few cloud computing breaches recently, the most notable ones being the Capital One/Amazon Web Services breach last summer and the ransomware attack on Finastra in March.
Kotsovinos is of the view that companies have to take full responsibility for security, regardless of which clouds they use.
“If you look forward several years from now, when you think about how an infrastructure organization needs to evolve to be able to succeed in a world of multiple clouds, a key mindset change needs to happen,” he said. “If you're an old-school infrastructure organization and you're thinking of the cloud as someone else's problem and if something breaks and it's on the cloud, it's not me, there’s a better way to think about it."
Infrastructure leaders need to think of their role as managing different clouds in an integrated seamless way, with the right automation, the right monitoring and a seamles experience no matter how applications and clouds are used.
“You are the curator of that experience," Kotsovinos said. "You're responsible for the experience in that model.”
The Federal Financial Institutions Examination Council recently made this same point to the banks it oversees — responsibility for cloud security can’t be offloaded to a vendor. Gartner recently predicted that through 2020, 95% of cloud security failures will be the customer's fault.
Vetting cloud vendors
Before he signs a contract with a cloud vendor, Kotsovinos does a few things.
First, his team goes through the standard vendor onboarding process, vetting the company according to third-party vendor management rules. Then there’s the analysis of the technical offering and making sure it aligns with what American Express is trying to accomplish.
There’s the Kubernetes consideration.
“If they don't use Kubernetes, that's probably not someone we would go with,” Kotsovinos said.
The final analysis would typically be economic, focusing on the total cost of ownership.
“We're not interested in how much the server costs in the cloud versus the data center,” Kotsovinos said. “We're interested in how much technology costs in the cloud or on the data center. We'll take a 360 view of this and make a very careful decision.”