Capital One offers a variety of financial products, such as credit cards, financial accounts, and auto financing. Now, Capital One might appear as a leading financial institution. But it views itself as a technology company that provides financial services — rather than a financial services company that uses technology.
Capital One has differentiated itself as an innovator throughout its 30-year history. InformationWeek even ranked it #1 among the top 100 US companies using business technology most innovatively.
In this quick post, we look into Capital One’s decision to migrate to the cloud 100%, what cloud services it uses, and what you can take from it — including how to prevent the 2019 Capital One SSRF attack.
Does Capital One Still Run On AWS?
Capital One announced late November 2016 that it would move all its operations to the Amazon Web Services (AWS) cloud in a multi-year migration.
Capital One’s Chief Information Officer, Rob Alexander, said at the time that AWS would be its “predominant cloud infrastructure provider”.
The company expected the AWS Cloud to facilitate real-time and digital-first experiences and anticipate customer needs by enabling fast software development and delivery.
By 2020, Capital One completed its cloud migration journey from eight of its own data centers to AWS servers.
The 2019 Capital One SSRF attack and the AWS connection
However, a year earlier, Capital One had suffered a major data breach in the 2019 SSRF attack. Server-side request forgery (SSRF) allows an attacker to manipulate a server-side application into issuing HTTP requests to whichever domain they choose.
Consequently, a vulnerable server can be tricked into connecting to another it wasn’t supposed to connect to.
An SSRF breach can occur when a web application relies upon external resources, leaving the back-end server vulnerable to attackers who want to send crafted requests from the vulnerable web app.
In Capital One’s data breach, it was a misconfigured web application firewall, hosted on AWS, that enabled the hacker to download customer data.
That data included credit card applications, Social Security numbers, and other details, such as bank account numbers, between March 19 and July 17. The stolen data mainly related to credit card applications submitted between 2005 and early 2019.
Personal information, such as names, addresses, and birth dates, and financial information, such as self-reported income and credit scores, were compromised and collected.
According to court filings, Paige Thompson was arrested and convicted in connection with the SSRF attack. The FBI revealed that she previously worked at AWS, and had the know-how and evidence linking her to the fraud case.
The aggrieved parties blame Capital One, AWS, and GitHub, and multiple complainants have filed a joint lawsuit in that regard.
Capital One blames AWS for the latter’s misconfigured databases. Others believe it to be a case of mutual responsibility.
But AWS denies fault, perhaps in regard to its shared responsibility policy.
Capital One had to pay $270 million to settle the class action lawsuit, of which $190 million went to customer compensation and $80 million to service regulatory fines.
At the time of this publication, Capital One still runs on AWS.
What Cloud Services Does Capital One Use?
According to AWS, Capital One has over 2,000 applications running on the AWS Cloud platform. To run all the apps, Capital One uses four main services:
- Amazon Elastic Compute Cloud (Amazon EC2) for compute
- Amazon Simple Storage Service (Amazon S3) for data storage
- Amazon Relational Database Service (Amazon RDS) for database requirements
- AWS Lambda for fast, event-driven, and serverless applications, and
- Amazon Connect to support Capital One’s omnichannel, cloud-based customer contact center.
Capital One used services such as AWS Lambda, Amazon EC2, and Amazon DynamoDB to create Eno. Capital One’s Eno is an intelligent virtual assistant that uses serverless streaming architecture to perform real-time analyses that detect and surface unusual charges on a customer’s account.
The company also used AWS services like Amazon Simple Notification Service (Amazon SNS), Amazon EC2, and AWS Lambda to build and maintain its mobile app. The app leverages AWS’s multi-region infrastructure, Artificial Intelligence, and Machine Learning capabilities to identify, meet, and anticipate customer needs.
Also, Capital One Shopping relies on Amazon Simple Email Service (Amazon SES), Amazon EC2, and Amazon RDS. The free shopping app automatically applies coupon codes at checkout and sends customers alerts about price drops so they can find the lowest prices around.
Amazon Connect enables Capital One’s office- and home-based contact center agents to provide customer service from anywhere in the world. This was especially critical during the Covid-19 years. Today, the service facilitates digital banking through two channels: the mobile app and the website.
Capital One enhanced its Virtual Desktop Infrastructure (VDI) solution by automating its build and review activities using AWS Service Management Connector. This enabled Capital One to integrate AWS Service Catalog and ServiceNow using the AWS Service, enabling them to quickly and easily set up their WorkSpaces.
How Has Capital One Benefited From Using AWS?
Capital One used Amazon Serverless Application Model (SAM) to reduce the time it took to create a development environment from three months to minutes, according to an AWS case study. The same case study revealed that Capital One achieved 70% faster disaster recovery time in different tests.
Nitzan Mekel-Bobrov, Ph.D., Managing Vice President of Machine Learning at Capital One, noted that her team uses AI, ML, and data analytics to detect fraudulent activities, customize users’ experiences, and inform key decisions about engaging with customers.
According to Steve Davis, Senior Manager of Enterprise Workflows at Capital One, his team saves up to 20 minutes of administration time per instance. He added that it takes Capital One end users just 30 minutes to get a virtual desktop.
It’s also changed its operating model over the years, going from a financial services company to a technology company that delivers financial services.
In that regard, Capital One has more than 13,000 technology associates, 85% of whom are engineers. Over 80% of its apps are now cloud-native thanks to this team.
Capital One is also using RESTful APIs and microservices to leverage modern cloud architectures.
The company certainly went all in on the cloud, which is no mean feat for a player in the highly regulated financial services sector. So, what’s been Capital One’s investment in AWS?
How Much Does Capital One Spend On AWS?
Capital One’s marketing and operating expenses totaled $19.2 billion in 2022. Operating expenses, in particular, increased 11% year-over-year.
Marketing and operating expenses totaled $4.8 billion for Q2, 2023. The company also noted that operating costs, in particular, reduced by 3% (but had been up 2% in Q1) while marketing expenses fell 1% (but had reduced by 20% in Q1).
However, exactly what share of those operating expenses goes to AWS seems to be a closely held secret.
Is Capital One Profitable Now?
Capital One is profitable. The company made $34.3 billion in net revenue for the full year 2022. That was a 12.5% increase over 2021.
At that rate, Capital One’s organic revenue growth rate reached a 20-year high, about a year after it exited its last physical data center.
As Capital One’s revenue growth exceeded operating expense growth, its operating efficiency ratio improved 79 basis points to 44.2%.
More recently, Capital One’s revenue for Q2, 2023 was $9 billion versus $8.9 billion in Q1, 2023, with a net income of $1.4 billion versus $960 million in Q1, 2023.
How Does Capital One Optimize Cloud Costs?
Capital One has made several moves to optimize its cloud costs. These moves include switching from Teradata to the Snowflake data cloud and using Amazon SAM to build applications rapidly.
The company started with federating data infrastructure management to beat the bottleneck it encountered when a central team managed it.
The company moved to Snowflake, where it now hosts more than 50 petabytes of data, supports more than 6,000 analysts, runs up to 4 million queries daily, and has onboarded over 450 new use cases.
It then sought to identify areas it needed to improve, and found three in particular:
- Their queries were poorly written
- They had warehouses that were not rightsized for their workload
- Although their workloads were not running, their warehouses remained on
Capital One then involved its line of business teams to figure out what trade-offs they could make, such as performance or cost.
It followed that up by dynamically tuning its data warehouses to support the teams’ priorities.
Credit: An illustration of the differences in costs for different simulation sizes on AWS.
A combination of these moves helped Capital One reduce its projected Snowflake costs by 27% – while reducing its query time by 43%.
Last but not least, Capital One’s cloud cost optimization team monitors its cloud costs regularly and makes changes as new data becomes available. Here’s how.
How Does Capital One Monitor Cloud Spend?
It built cost insight dashboards that help them slice and dice cloud costs by business dimensions such as month, warehouse, business organization, account, environment, and more.
The dashboards help Capital One teams view their spend against budgets, enabling them to detect cost spikes, forecast costs, and see where their cloud spend is going.
By monitoring AWS and other cloud costs, Capital One can tell how it uses the cloud and the associated costs. It can then adjust its cloud usage to optimize related costs.
Do you have the same level of cost intelligence to work with? Are you aware of what your cost per customer, per product feature, or per environment is?
If not, you are not alone. Capital One built its own cost management dashboards. You may not have the time, money, and, let’s face it, the luxury, to build a robust cloud cost optimization platform yourself.
But if you want to accurately capture, understand, and control your cloud costs the easier way, CloudZero can help (we just saved our own company over $1.7 million in annualized spend – about $1.5 million of it from engineering alone).
How To Understand, Control, And Optimize Your AWS, Azure, GCP, Snowflake, And Kubernetes Spend With CloudZero
CloudZero provides a single source of truth for all cloud costs, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud — along with Snowflake, Kubernetes, Datadog, Databricks, New Relic, and MongoDB.
Instead of having separate views for each cloud cost, CloudZero presents them all in one dashboard to ease analyses.
By mapping cost data to the Business Dimensions you care about, CloudZero lets you understand costs by customer, project, team, feature, product or service, environment, and more. No tags are required either.
You can then understand the costs down to hourly granularity, per customer per feature, and more.
In addition, you can view your per-unit costs and Cost of Goods Sold (COGS) and determine where to make adjustments in usage to reduce your costs. Alternatively, you can tell where you can invest more to maximize your returns.
Furthermore, CloudZero uses real-time cost allocation, and allocates 100% of your spend in minutes or hours, not weeks or months.
CloudZero detects cost anomalies in real-time, and by sending you timely and context-rich alerts, you’ll know when to jump in and prevent budget overruns.
With these and other CloudZero strengths, Drift has saved over $4 million in AWS costs.
Recently, Demandbase justified $175 million in funding after reducing its AWS costs by 36% using CloudZero. MalwareBytes, Beamable, and SmartBear improve their pricing strategy and margins by analyzing cost per customer metrics. You can, too.