Howard Boville's swapped a CTO role at BOA to run IBM Cloud. We sat down to talk.

We're not building a general purpose cloud

Howard Boville's swapped a CTO role at BOA to run IBM Cloud. We sat down to talk.

Updated 17:26, Feb 1, 2021, with light edits throughout for brevity, clarity.

Let's get the obvious stuff out of the way first. Between cloud pundits, analysts and developers, IBM Cloud does not exactly have a golden reputation. The 2020 Gartner Magic Quadrant for Cloud Infrastructure and Platform Services, for example, has it down in the bottom left corner as a "niche player", nestled next to Tencent Cloud  and behind even -- whisper it -- Oracle. IBM has bet the horse and cart on hybrid cloud, yet Forrester analysts have rated it a mere 'contender' for hybrid management. As first impressions go, there's room to improve.

It doesn't seem generous to start an interview by pointing this out quite so bluntly, but Howard Boville -- a former Bank of America CTO headhunted in 2020 to shake things up at IBM Cloud -- doesn't seem like a shrinking violet, so we cut straight to the chase, in an interview conducted January 26. (Boville, an Englishman based in New York, is strictly speaking "SVP, IBM Hybrid Cloud", but IBM itself has not been shy about calling him "IBM Cloud Chief". His responsibilities span design, build and operation of Big Blue's $25.1b revenue cloud business.)

Follow The Stack on LinkedIn here.

"Within Gartner's Magic Quadrant, if you go to category king, they take the category king -- which is AWS -- they list all the features they've got and they compare you against that category king," notes Boville. "[But] we're not a general purpose cloud, we're focused on hybrid cloud. That's what I believed in, in my entire time at Bank of America; as do my friends and peers in other institutions. Gartner don't even recognise the term hybrid.

"When you're being compared against the Toyota Camry and you're a specialist vehicle [that] is the wrong mechanism. However, it's a document that people read. So there's work that we're doing to show that there's parity on the features that matter, and to demonstrate how we're different. The message is starting to land."

"We're not building a general purpose cloud where we're looking to meet every gig economy and every line of business. We're focusing on where our customers are: gov't, financial services, telco, healthcare".

So how is IBM Cloud a "specialist vehicle", exactly? Boville -- who has focussed the company's efforts around four key verticals (government, financial services, healthcare, and telcos) -- is adamant that IBM Cloud's offering is clearly differentiated: by the controls it has built in to ensure compliance and interoperability in heavily regulated markets; as a result of a potent marriage of Red Hat's open, hybrid cloud capabilities and containerisation nous with IBM's mainframes/core IT infrastructure heritage, and through what it dubs "Confidential Compute" -- which includes homomorphic encryption and secure silicon options.

IBM has arguably belaboured the hybrid cloud point to death, but Boville's keen to spell it out: "We will be a multi cloud provider. And we will provide abstraction above our cloud and above the other clouds so that you can address concentration risk. And you can also have portability; so you could actually move your applications as opposed to being tied into a proprietary stack of the other cloud service providers.

"With the other cloud service providers; the shape of your application needs to meet the actual cookie cutters that they have, otherwise, they can't scale their economies. [Ed: Google Anthos and others may disagree, but we'll leave that to readers to judge]. What that means is they're interested in your applications. In my old role as a CIO, I was interested in business processes that I was serving with applications and data.  That's how you do digital transformation. You look at the components of a business process, and you decalcify it... [With IBM Cloud] we can demonstrate parity of controls across your internal environment and your external environment; standards that the regulators set. That's how we can massively accelerate the digital transformation of financial institutions and their digital supply chain."

See also: Apache Pulsar is getting hot. DataStax’s latest acquisition is a fresh vote of confidence.

Concentration risk may still be a live issue, but by-and-large regulators are increasingly relaxed about public cloud and there's no shortage of hyperscaler customers touting "all-in" moves and indeed, cloud-native banks; The Stack suggests. We recently spoke with Standard Chartered Bank's CIO for example, who's moving core banking and payments to AWS across 23 countries. He's quick to fire back: "But around 95% of people moving to the cloud have only put a tiny portion of their workloads on the cloud. You've got this 5% that are making bold statements, [but] they are often creating these Frankenstein monsters, badly architecturally put together. What IBM brings is a deep understanding of running mission-critical workloads at the highest level of accountability."

He adds: "I was at BoA for eight years and my annual IT budget was $5 billion so I dealt with every small to huge technology company you can imagine. That’s why I had a perspective on this unmet need that IBM could play into. Cloud service providers need to understand what it means to operate in a regulated context: you can’t just give developers all of the choice they want; as that results in issues like data breaches that have been well publicised... At BoA [for example] I gave what was known as the Financial Services Control Framework to all the cloud service providers, and IBM was the only one that actually picked up the baton."

IBM Cloud IaaS

Another criticism of IBM Cloud is that it is simply not scaling out its hardware footprint fast enough. However much the focus is on hybrid cloud, presumably IBM wants some of the "cloud" part of that, as well as the "hybrid" bit: i.e. for customers to choose to run compute, storage, et al in IBM data centres. Yet the company shut down a range of legacy data centres in 2020, mothballing capacity in Dallas, Melbourne, Houston and and Seattle. IBM says that was in order to "roll out newer data centers and multizone regions (MZRs) designed to deliver a more resilient architecture with higher levels of network throughput and redundancy."

Boville says IBM is investing heavily ("we're spending multiple billions of dollars per annum in terms of building out that capacity, and then layering on the differentiated capability to differentiate software for the markets that we're in") but emphasises that matching an Azure or AWS footprint isn't the point. As he puts it: "We're opening up three MZRs -- what you might know as availability zones -- this year: Toronto, Osaka, and another build out in Europe. So we continue to build that capacity.

We spoke to New York Federal Reserve CIO Pamela Dyson about her life, career, and digital transformation challenges. Read more here.

"But we're not building out a general purpose cloud where we're looking to meet every gig economy, developer and every line of business around the world. We're focusing on where our customers are. So government, financial services, healthcare, and telecommunications. We're building out the capacity that will be sufficient for the markets that we're looking to address. There's no issue in terms of the capacity, in terms of capabilities. Can we deliver a scale out, low cost, IaaS? Yes, we can.

As a smaller cloud, IBM Cloud's hardly rolling out the myriad new SaaS products of an AWS weekly. But Boville says IBM Cloud is doing something different: highly focused products for target markets built on a deep understanding of the regulatory environment.

"There's a lot of software that we're building on that's relevant for this financial service industry: we have 280 compliance controls that look at identity and access management, configuration management. Most breaches don't because the platform that the developer was developing on was inherently insecure, they happen because the controls are not baked in from the word go, and developers risk developing on the platform in a way that ends up causing a massive data breach.

See also: BIAN’s “bank on a page” approach looks prescient.

Default security and controls are more robust by design, he suggests in short. That's in large part because the underlying theme of what IBM Cloud is trying to achieve is robustly architectured "parity of controls" for its target industries. As Boville puts it: "Currently, if you're a bank, and you go to a cloud service provider, you'd have to put your resource against it and build the controls in and then you have to sustain it.

"So you've created your railway track, with gauge 9mm, and the bank next to you that you work with, has done the same, but the gauge of their track is 10mm. Then the central counterparty -- which may be the Stock Exchange you're working with -- is 11mm. None of it works together."

(The issue of poor interoperability across the FS sector including widely differing semantic definitions of basic services is not an unfamiliar lament; BIAN for example -- of which IBM is an active member -- has long been working to tackle that issue. And as IBM notes in a BIAN paper, "traditionally, banks have used an application-centric approach to develop IT solutions to business problems. This has resulted in a large number of IT applications, each supporting some subset of business functions, sometimes overlapping... In reality, business processes of the bank cut across these applications, necessitating highly complex integration requirements. "[As a result] a 'rip and replace' approach is a non-starter. The only feasible approach is to adopt an incremental, progressive approach to transformation. This implies that the bank needs to manage a hybrid environment of new SOA components co-existing with legacy applications, which poses many integration challenges.")

"It's a completely different philosophy, a completely different approach to addressing this marketplace."

IBM's Howard Boville adds: "The thesis that I saw needed to be addressed when I was in banking, working with all my peer banks was, why wouldn't you work with a cloud service provider to put the actual controls into the platform at the beginning, so you don't have to build them? That means when you work with them, you got parity of controls, which is a regulatory requirement. Because all the banks, without exception, have got a cloud-first strategy. Without exception they've been looking at the old, traditional chapter one cloud providers and without exception, it's a three or four or five-year story, where they've moved next to nothing.

"I've actually just left a steering committee: an advisory board with 10 banks and their Chief Information Security Officers, which we hold every two months. We do the same for CIOs, for Chief Risk Officers, and for regulators.  Then we have Promontory which is a boutique consulting firm that we have within IBM, that was set up by Gene Ludwig who's the former head of the Office of the Comptroller of Currency; a former regulator, who has former regulators and financial risk officers in there.

Q&A: Deryck Mitchelson, Director of National Digital & Information Security, NHS National Services Scotland.

"They provide us a catalogue on a monthly basis of all of the laws, rules and regs that change with all the regulators around the world, which we then also put into our product roadmap. It's a completely different philosophy, a completely different approach to addressing this marketplace and to what cloud service providers do."

He adds: "Banks, obviously, are very concerned about risks that's introduced into their critical business processes. By landing on the IBM Cloud, as a FinTech, you inherit all of the controls that we built for the whole industry, which then gives parity of control to the whole industry; and the banks love this: we've got eight banks currently telling their digital supply chain, to move to our platform, because they inherit the controls."

Apply NOW for The Stack's #techforgood awards.