In the world of tech, there’s a school of thought that believes every application is a piece of art—unique and beautiful in its own right. UBS has spent the last three years pivoting away from this belief system as the bank has put more workloads into the cloud and beefed up its security guidelines.

Paul McEwen, global head of technology services at UBS, has been in banking for more than three decades, and for much of that time, developers have built their applications in closed-off silos, coded and configured in bespoke ways, and ran them separately in different corners of the business. But for UBS, the cloud and container applications have changed that.

“I used to call it: ‘every bit of tech is a piece of art,’” says McEwen.

UBS has learned a lot on its journey to the cloud. One key lesson is the importance of building a strong security foundation that can be deployed widely across various solutions and parts of the business—in short, building once and using many.

“Those features and functions are available for [all the developers], so you’re not reinventing the wheel every single time you develop an application,” McEwen says.

With the help of Microsoft Azure, the bank spent a year building its enterprise security controls and data plan for the cloud, well before it started shifting any workloads to the cloud. Functions like event logging, security monitoring, and authentication have been built into containers and then packaged with a growing percentage of its about 1,000 cloud-based applications.

UBS containers are underpinned by a strict set of security parameters and can be spun up if and when services are needed. Events like security threats or unusual activity are housed in Azure’s Event Hub. As part of its enterprise security framework, the bank has built a standardized alert system that works across the different containers. Behind those alerts, the bank has built AI and machine learning capabilities for identifying and logging event correlations.

James Fox, director at Protiviti, a California-headquartered consultancy firm, says using standardized security controls has become an essential part of heavily-regulated entities’ journeys to the cloud.

“A key thing when deploying these security controls is to have traceability from respective best practices, such as ISO 27001, or regulatory-related regimes, like SOC2, to ensure the technical security controls deployed are exhaustive,” he adds.

Pre-cloud, UBS used .Net Core, an open-source computer framework, for monitoring events. The old monitoring system would take in an event, someone would look at it and go through a long, drawn-out process to try and fix it.

“When moving to the cloud and modernizing your tech, one of the hardest bits of the process is to refactor your applications,” Fox says.

Now, UBS’s events engine is standardized, and the underlying AI can detect, in real-time, things like behavioral changes across an application’s security—such as unauthorized access to its cloud-based user account, or an issue with the technology’s performance—and then instantly update it, fix the problem, or redeploy the container.

“Rather than waiting for the weekend or overnight [to make updates], I can do real-time releases into the environment, which you can imagine—from an efficiency standpoint—is huge for us,” says McEwen.

In a real-life scenario, if an unauthorized user tried to break into its Azure service account via the internet, the AI in the security system would automatically block access and the events log would be fed back into the AI. The security container is designed to analyze various fields such as geolocation, meaning it can identify users trying to access its cloud systems from unrecognized locations and IP addresses. As opposed to password accounts of the past, UBS’s Azure service accounts are also secured by individual encrypted keys assigned to each user.

“The term we use is that we’re trying to work at the speed of threat,” McEwen says.

He says the security groundwork UBS has done, in addition to the scalability of the cloud, has completely changed the way the bank develops tech solutions and has helped speed up its modernization efforts. In the past, when a part of the business requested a tech solution, it could take the better part of a year to build and put into production. Now, containers can be deployed in hours, McEwen says.

For example, if a tech team wants to integrate translation capabilities into a platform, they can more easily plug in third-party functions like St. Louis Translation Services.

“Depending on who you are, when you log in, it can translate into different languages,” McEwen says. “So, you don’t have to do the old [method] of using an Ajax callback to a web server, which would manually translate the language.”

By design, Fox says, containerization and well-designed enterprise security controls have helped accelerate banks’ journey to the cloud. “They can move much quicker and with less risk to the organization,” he says.

The shift to standardized tech builds has also given UBS developers more freedom and flexibility as to how and where they code solutions.

“Before, a developer would say, ‘I want these five boxes in this datacenter, I want SQL and I want this and that.’ They don’t do that anymore. The application developer doesn’t need to know where the application is anymore,” McEwen says.

Maslow’s hierarchy

While UBS’s journey to the public cloud kicked off in 2019, its tech transformation efforts stretch as far back as 2015, when it embarked on its infrastructure modernization program, or “Infra-Mod,” as it’s known internally.

McEwen says the Infra Mod program was the bank’s precursor to the cloud where it shifted to outsourcing more of its tech stack and transitioning to more software-as-a-service (SaaS) providers, including database-as-a-service and desktop-as-a-service.

“Once we decided we were going to the cloud, it made the transition slightly easier, because we had already started making these as-a-service products internally within our own datacenters,” he says.

Moving to the cloud, he says, can be treated much like Maslow’s hierarchy of needs for people. The idea is that some needs are more critical than others.

Security, for instance, is the first and most important need for any successful cloud program and this would sit at the bottom—the broadest part—of the Maslow pyramid. This is later followed by priorities like building connectivity to the cloud, mapping out the different points of presence, and establishing the necessary dev-ops tools and environment that their developers would need in Azure for its continuous integration/continuous delivery (CI/CD) pipeline. Once that was complete, the bank could begin shifting workloads to the cloud.

UBS’s community of developers uses GitLab, a cloud-based dev-ops platform, and now all its development servers and tech servers are hosted on the cloud.

“We chose to use GitLab because we believe the innovation was further ahead, and we can have more influence on future features,” McEwen says.

When UBS first spoke to investors about its journey to the cloud over three years ago, the target was to move one-third of its workloads to the public cloud, one-third to the private cloud, and continue to host one-third on-premises—that includes both UBS-owned or outsourced datacenters.