
Ask HN: Would you use AWS for a primary infrastructure if you're a bank?

5 points| mattquiros | 13 years ago | reply

I'm exploring the idea of starting up a bank and am still in the process of learning how they really work (so I'm not sure this is the right question to ask, but I'll try anyway). I could imagine online/mobile banking as one of the priority features because that'll be my USP (our local banks suck at those, really. I want to make software that'll eliminate the need for people to personally go to banks for transactions other than depositing money). That said, I'm thinking of using AWS for the back-end and storage of pretty much all of the data the bank will be processing--customer info, transactions, balances, etc. Is that safe? Or should I just go with in-house servers, which require a huge upfront investment?

ADD: My country's near the equator, almost 100 Fahrenheit everyday. Not so sure having our own data center here is a good idea.

12 comments

[+] dsl|13 years ago|reply
The FDIC is where most of your IT security requirements will come from. Below I have listed a few items which make the cloud a non-starter. In summary, it costs $20+ million dollars to start a bank. The reason every small bank has the same crappy online banking and digital services is because everyone except large institutional banks has to outsource everything to a handful of third party providers who can maintain these requirements.

As far as your business idea, you should check out simple.com. They have been working on the problem for years and have just barely managed to cut enough red tape to provide a not terrible user experience for a handful of tasks.

Have a full accounting and audit of every VoIP device, VPN device, wireless device, switch, router, modem, firewall, and proxy server connected to the network.

Demonstrate physical access controls for employees, vendors, and anyone else who may have access to your equipment.

Every single person with physical access to customer information devices must have a 10-year criminal background check performed (this is actually a federal law that applies to the finance, public education, public transportation, etc. industries).

Formal configuration and patch management procedures for all devices (including upstream routers and switches).

Diagrams of physical and logical network topologies.

The Fair and Accurate Credit Transactions Act of 2003 requires physical destruction of devices storing customer data.

Reporting of all physical security incidents to the FDIC IT examination.

[+] mattquiros|13 years ago|reply
This is really valuable info, thanks!
[+] mikiem|13 years ago|reply
Are you opening a US bank under a US charter and US law and with US insurance? Each type of institution (e.g., national bank or credit union) has its own rules and is covered or regulated by a different governmental institution.
[+] t0|13 years ago|reply
Almost all major datacenters have pretty high security. Your main concern should probably be securing the software, not the physical servers.
[+] brudgers|13 years ago|reply
Problem = banks offer poor online service

Solution option A = Start a bank and create infrastructure to offer better online service

Solution option B = Create infrastructure to offer better online service and sell it to banks

Which one scales?

[+] dear|13 years ago|reply
Maybe start a bitcoin bank? No regulation. A bitcoin loan shark.
[+] mattquiros|13 years ago|reply
Interesting idea to add on later, thanks. Bitcoin's not popular yet in my country.
[+] lifeisstillgood|13 years ago|reply
I believe it is not even legal. Whilst I am sure some could correct me, PCI regulations for credit card storage expect you to have your own boxen. There must be others.

On top of that, it is highly highly unlikely that the range of software a bank uses will install cleanly on say Ubuntu 12.04.

And the reason mobile sucks for almost all banks is

A) their back end software is twenty years old and was written before the Internet was even considered - the APIs are mostly screenscrapers

B) mobile security is hard

[+] mattquiros|13 years ago|reply
Thanks for the tip on legalities. I know bank laws differ in every country but now I'll look into that.

Totally agree with A. What do you mean by B though? As in secure wireless transactions and maybe the crackability of Android phones?

*update: just started reading on mobile security now

[+] stray|13 years ago|reply
I wouldn't use it for anything that can't break.
[+] mattquiros|13 years ago|reply
I've actually thought of this too but I have a (weird?) issue with maintenance--our country's near the equator, and on really bad summers (which is almost half a year long), it's almost 100 degrees Fahrenheit everyday. I'm not so sure it's a great idea to have our own data center here. Also I'm asking this because I know Facebook got their own near the North Pole to keep maintenance costs low.