STAKATER Financial Services Sales Play
For bank CIOs and financial services IT leaders who need to give business units cloud-like self-service — on sovereign, regulated infrastructure — without sending data to a hyperscaler.
Retail banking, investment banking, risk, compliance, wealth management, innovation labs. Each has developers who want self-service infrastructure. All requests route through the same central IT queue.
PCI-DSS cardholder data cannot share runtime with non-PCI workloads. GDPR data residency requires jurisdiction control. Public cloud is off the table for core banking.
OpenShift clusters running across on-prem data centres. The compute infrastructure is there. The operating model to share it safely across BUs is not.
BUs route around central IT onto AWS and Azure for development and non-sensitive workloads. Shadow cloud spend rises. So does the risk surface.
The investments are there. The missing piece is the layer that lets multiple business units access them with appropriate isolation and self-service.
What you've bought
Production-grade clusters across primary and DR data centres. Managed by a central platform team. Workloads deployed by namespace — no BU-level isolation.
Secrets management and HSM for cryptographic operations. Used by some teams. No integration with Kubernetes workload identity for self-service secret access.
Enterprise-wide identity. BU-level OUs and security groups. No bridge to Kubernetes RBAC for per-BU self-service provisioning.
Centralised security event management. Kubernetes audit logs partially ingested. No per-BU activity audit for compliance evidence.
All infrastructure requests go through ServiceNow. Average time to a new namespace or database: 3–6 weeks including CISO review and change board.
Internal IT chargeback is a regulatory and governance requirement. No mechanism to meter infrastructure per BU and export to finance systems automatically.
To run an internal cloud — a real one, not a glorified ticket queue — you need the operating model layer between the infrastructure and the business units.
Namespace-level separation is not sufficient for PCI-DSS. No hard boundary between cardholder data environments and general workloads.
No catalog of pre-approved, security-hardened services — managed PostgreSQL, Kafka, Redis, S3-compatible storage — that BU developers can self-provision.
No architectural enforcement of the PCI CDE boundary. Compliance depends on manual namespace review and network policy audits — not the platform itself.
BU workloads cannot self-service secrets from Vault. Every secret request goes through the platform team. HSM access is manual.
No scoped audit log per business unit. Compliance evidence requires manual Splunk queries across the full cluster audit log.
No per-BU infrastructure cost metering that feeds SAP automatically. Finance chargeback done manually from spreadsheets monthly.
A 3–6 week provisioning cycle isn't a process problem — it's a product problem. When central IT can't deliver, business units find another way.
Innovation labs and digital teams provision AWS accounts directly. Development workloads leave the perimeter. Compliance doesn't know. The CISO finds out from the bill.
Each shadow environment is a separate control surface, unmonitored by the SOC.
Every database, namespace, and secret request goes through the same 8-person platform team. Ticket backlog grows faster than headcount. SLA misses trigger escalations.
Platform engineers spend 70% of time on operations, 30% on innovation. Should be the reverse.
PCI-DSS and GDPR audits require access logs, configuration evidence, and change records per environment. Collecting it manually from cluster audit logs takes weeks before every audit.
IT is a cost centre. Without per-BU metering, finance can't allocate infrastructure costs. BUs have no incentive to optimise — they don't see the bill.
Sits on top of your existing OpenShift. Gives each business unit its own isolated cloud environment — self-service, compliant, and metered — without replacing anything you've already built.
KCP-based virtual API servers per business unit. PCI CDE BUs get isolated planes on dedicated node pools. Hard architectural boundary — not policy, not RBAC.
Managed PostgreSQL, Kafka, Redis, object storage, Kubernetes namespaces. Every item security-hardened and CISO-approved before publication. BU devs self-provision in minutes.
Workload identity bridged to Vault. BU workloads fetch their own secrets at runtime — no platform team in the loop. HSM-backed cryptographic operations preserved.
Every API call, access event, and resource change scoped per BU and exported to Splunk automatically. PCI and GDPR compliance evidence generated — not collected.
BU developer logs in with their AD credentials and sees only their BU's resources. Quota-controlled provisioning without a ticket. Approval workflows for sensitive resource types.
Per-BU compute, storage, and network metered. Cost reports exported to SAP or Oracle Financials via API. Finance chargeback automated. BUs finally see the bill.
Security-led. Compliance-first. Business units self-provisioning within 90 days.
PCI scope defined, BU isolation model agreed, security review complete
We
· Security architecture review
· PCI-DSS scope mapping
· BU inventory + classification
You
· CISO sign-off to proceed
· PCI QSA contact
· BU IT leads nominated
Cloud Orchestrator running, PCI zone isolated, AD + Vault integrated
We
· Deploy Cloud Orchestrator
· PCI CDE isolation configured
· Active Directory + HSM bridge
You
· Dedicated node pools per zone
· Vault service account
· Change board approval
3 BUs self-provisioning — PCI, innovation lab, corporate banking
We
· BU workspaces created
· Service catalog published
· Audit trail to Splunk configured
You
· 3 BU IT leads engaged
· Pilot scope sign-off
· CISO pilot review
All BUs onboarded, chargeback to cost centres active
We
· Full BU migration
· SAP/Oracle chargeback export
· Run-book + team training
You
· Finance system integration
· Change management comms
· Platform governance committee
New services launched same day, new BUs in under an hour
We
· Quarterly catalog review
· Compliance posture reports
· New managed services
You
· BU growth pipeline
· Regulatory change feed
· Architecture review board
The technology is the easy part. These are the governance and organisational decisions that determine whether the internal cloud succeeds or stalls.
This is a security platform as much as a cloud platform. If the CISO is reviewing at the end, the project stalls. Engage security architecture in week one. They become advocates, not blockers.
Which BUs run PCI workloads? Which node pools are in scope? Which are out-of-scope? Agree the scope boundary before the platform is built. Rework after build is the most expensive outcome.
Choose one PCI BU (retail payments), one innovation lab (low compliance, high velocity), one corporate banking team (medium). Validate the model works across the full risk spectrum before scaling.
Who approves new catalog items? Who sets quota policies? Who handles escalations? Define the governance model in Assess. Without it, every decision becomes an ad-hoc escalation to the CIO.
Cloud Orchestrator turns your existing OpenShift into a PCI-compliant, self-service, metered internal cloud — without touching a hyperscaler.
stakater.com