DAVID LEDGERWOOD: Roland Cooper is a 10-year technical operations and infrastructure expert with broad experience in fintech, e-commerce, and B2C.
In this interview, Roland talks to us about the tensions between on-prem and cloud deployment.
On the bleeding edge of software development, we often forget that the vast majority of technical infrastructure still resides on-prem and in private data centers. Roland walks us through the current thinking around PCI compliance regulations, guidelines, and interpretations, a matter of critical importance to any company collecting and processing payment card transactions.
Hey, Roland! Welcome to the podcast. Why don't you give a quick introduction of yourself?
Love to have you on here!
ROLAND COOPER: Sure, Ledge! Thanks for having me. A little bit about me: I have been working in startups for about ten years, mostly in fintech, a little bit of e-commerce, and a little bit of just pure B2C startups, mostly focusing on operations and infrastructure.
We use Chef; we use VMware; we use CFEngine. I've had a lot of time in all those areas.
DAVID: What's your opinion on the direction of DevOps now and the key stacks and the technologies and the evolution of different frameworks? What do you see in the field that other tech leaders should be aware of and thinking of?
ROLAND: What I'm seeing right now is a big split between people who believe hard core in on-prem solutions and the safety net that gives them, and people who have very strong beliefs in the cloud and the flexibility that provides.
We have groups of folks, and all they've known is on-prem. There are a lot of solutions that cater to that. There is some good technology there; VMware, in particular, or Xen provide some good virtualization technologies.
And with the advent of Docker and Kubernetes, you get people who are able to spin up a much more flexible cluster and utilize resources differently since they have access to the bare metal without necessarily.
On the other side, we have the cloud stuff, all of which is much more flexible; it's much more on demand and much more scalable. You also aren’t paying for data centers. You're not paying for rack usage and size.
One of the problems that we have faced at other locations is running out of space. You have only so much rack space in a traditional data center. So, now, you're looking at another data center; then, you're asking, “Is this going to be for DR or is this going to be for hosting stuff? Do I have production in two locations? Does that mean two network providers? How am I going to manage active versus standbys, and things like that?”
The cloud takes away a lot of those decisions but, then, it also adds work in other areas such as security and configuration for your employees, things like that, particularly if you're migrating from one to the other.
DAVID: And there's a ton of debate on which one is more secure particularly for your fintechs and your healthcares and things of that nature where you're dealing with highly secure or volatile data sets.
I think the general premise now is that cloud is going to be it.
Can you think of use cases where that's just not the case?
Where does on-prem maybe camp as a small solution that is always going to be on-prem versus the very many benefits to cloud and then, of course, you can deal with the security issues?
ROLAND: For companies that are facing a lot of regulations around PCI, in particular, they're going to want an on-prem solution or they're going to start with an on-prem solution; and getting them out of that would be very difficult, mostly because the regulations aren't really up to date with how on-prem versus cloud works. It's very much easier to be compliant with an on-prem solution because you have full control over everything.
In the cloud, you are relying on certifications from third parties. You are relying on configurations that just don't necessarily align with how the regulations are written.
DAVID: But you probably wouldn't recommend coming out of the gate for any fintech startup to not go in the cloud, right?
ROLAND: I wouldn't recommend that. It's a little bit more work from an initial setup and planning perspective, particularly if you know you're going to be in a PCI-regulated space. But if you do it correctly and you set expectations for both your employees and customers, then I think you can be successful in that area.
DAVID: Most of the cloud providers would tell you that they are highly compliant. Is that a little bit of a red herring?
ROLAND: It's compliant at a certain level. If you look at AWS, for example, they have their shared security model where they provide compliance around the physical infrastructure but you also have to provide compliance around your use of it. So your applications have to be compliant. Your configurations have to be compliant. The way your network machines talk to each other has to be compliant.
That's all on you to do, and that's also on you to prove to the PCI auditors who come knocking at your door that "Hey, this solution that I've come up with is compliant."
And they also have to be a little bit flexible in understanding what this means from a cloud perspective versus an on-prem perspective.
I would say that it depends a little bit on what kind of auditor you end up with. They can either be very savvy or they can be completely by the book and you might have a lot of remediation to do.
DAVID: Just as a technology professional familiar with this space, do you think that PCI compliance itself is defined by the on-prem model? Has the requirement caught up with the idea that everything is going to be in the cloud?
ROLAND: I think that the interpretations are what really need to catch up. The requirements themselves are not that hard to meet, but it is a matter of proving to both your internal audit, perhaps, and external auditors that this thing that I'm doing adheres to the spirit, if not the letter, of the regulation.
DAVID: And there's a ton of stuff that’s interesting right now in fintech. When you're looking at the space, what are the key areas that entrepreneurs or technologists should pay attention to in fintech?
It's a highly funded space. It's under the microscope. So much is changing; there's a lot of disruption. Where are the areas that you would recommend paying attention to and getting involved in?
ROLAND: Like most people would say, I think blockchain is super hot right now. For fintech, I think it is a resource that can be tapped particularly for the ledger portion of it. I'm not sure who is doing stuff in that space but that would be, I think, a very useful use of the blockchain technology.
The other thing would be banking APIs. If you've interfaced with the banking sector, they still move money around through space-delimited text files that are uploaded via SFTP every night.
It doesn't really scale. It's not really on demand. There are some formats that are more like real time, particularly in the EU. But for big banks in North America, having some kind of API that could interface with that and take over from the ACH format would be very successful.
DAVID: Thanks for those insights. Roland, thank you so much. I appreciate your time.