
DevOps Survival in the Highly Regulated Financial Industry

by Manuel Pais on Jul 31, 2016. Estimated reading time: 2 minutes

At the first DevOps Enterprise Summit Europe in London, Robert Scherrer, head of application engineering at SIX, explained how the company applied DevOps principles in the highly regulated Swiss financial industry. The main takeaways from the talk were engaging compliance auditors early to agree on solutions collaboratively (before changes become too costly) and avoiding legacy internal directives that no external regulation actually requires.

Sharing (and negotiating) strategic technical plans with auditors allows potential compliance issues to be ironed out before investing in implementation. Scherrer gave as an example the move to an OpenShift private cloud, where the auditor raised concerns about running several financial services as tenants of the same cloud instance. The solution was an infrastructure pool with a dedicated cloud for each customer, which adds some configuration complexity but resolved the auditor's security concern and so ensured a smoother path to production later on.

Scherrer explained that blindly following internal directives is a costly mistake that hinders the benefits of DevOps. On one hand, external regulations are often less restrictive than the internal directives derived from them. On the other hand, not all services, or even components, are equally critical, so demanding the same level of compliance from all of them leads to considerable waste. Crucially, with management backing, Scherrer was able to trace several internal directives back to their external source and amend them to be less restrictive.

Particularly noteworthy was an internal rule that developers could not access production systems. It turned out that no external regulation imposed such a requirement; the rule was a literal interpretation of the segregation-of-duties requirement. According to Scherrer, 65% of SIX's developers can now carry a pager and are given temporary, role-based access to production environments for the duration of their on-call rotation. Furthermore, by shipping logs out of the production environment to a central store, development teams effectively have read access to production logs without needing access to production itself. At the same time, the move to immutable infrastructure reduces manual intervention in production to a minimum, further increasing the auditors' trust.
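The on-call access model described above, as an added example that is not SIX's tooling or code from the talk: a developer is granted a production role only while on the on-call rotation, every grant carries an expiry that is capped by both the role's ceiling and the end of the shift, and every decision (grant, allow, deny) is written to an append-only audit trail. The rotation, user names, role names, TTLs and incident reference are all constructed for the demonstration.

```python
"""Just-in-time, role-based production access gated on the on-call rotation.

Added example, not SIX's tooling. The rotation, user names, role names and
TTLs below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def ts(*args):
    """UTC timestamp shorthand: ts(2016, 7, 28, 14) -> 2016-07-28T14:00Z."""
    return datetime(*args, tzinfo=timezone.utc)


def hours(n):
    return timedelta(hours=n)


# Constructed on-call rotation: (engineer, shift start, shift end).
ONCALL_ROTATION = [
    ("alice", ts(2016, 7, 25, 8), ts(2016, 8, 1, 8)),
    ("bob",   ts(2016, 8, 1, 8),  ts(2016, 8, 8, 8)),
]

# Production roles a developer may assume and the longest a grant may live.
ROLE_MAX_TTL = {
    "prod-read": hours(8),      # read-only, e.g. inspecting a running service
    "prod-operator": hours(2),  # can restart/roll back; kept deliberately short
}


@dataclass
class Grant:
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime
    reason: str

    def active(self, now):
        return self.granted_at <= now < self.expires_at


@dataclass
class AccessBroker:
    rotation: list
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _record(self, now, event, user, role, detail):
        # Append-only trail the auditors can read: who asked for what, when, and why.
        self.audit_log.append({"at": now.isoformat(), "event": event,
                               "user": user, "role": role, "detail": detail})

    def current_shift(self, user, now):
        """Return (start, end) of the shift `user` is on right now, or None."""
        for u, start, end in self.rotation:
            if u == user and start <= now < end:
                return start, end
        return None

    def request(self, user, role, reason, now, ttl=None):
        """Grant `role` to `user` if they are on call; otherwise deny and log why."""
        if role not in ROLE_MAX_TTL:
            self._record(now, "deny", user, role, "unknown role")
            return None
        if not reason.strip():
            self._record(now, "deny", user, role, "missing reason")
            return None
        shift = self.current_shift(user, now)
        if shift is None:
            self._record(now, "deny", user, role, "not on call")
            return None
        # The caller may ask for less than the role's ceiling, never more, and a
        # grant never outlives the shift that justified it.
        ttl = ROLE_MAX_TTL[role] if ttl is None else min(ttl, ROLE_MAX_TTL[role])
        expires = min(now + ttl, shift[1])
        grant = Grant(user, role, now, expires, reason)
        self.grants.append(grant)
        self._record(now, "grant", user, role,
                     f"expires {expires.isoformat()}; reason: {reason}")
        return grant

    def authorize(self, user, role, now):
        """Check at access time: only an unexpired grant for this exact role counts."""
        ok = any(g.user == user and g.role == role and g.active(now) for g in self.grants)
        self._record(now, "allow" if ok else "deny", user, role,
                     "active grant" if ok else "no active grant")
        return ok
```

Two design points worth keeping when adapting this: the authorization check is made at access time against the grant's expiry rather than trusting a session that was valid when opened, and the "not on call" and "missing reason" denials are logged exactly like grants, so the audit trail shows attempts as well as successes.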

Some beneficial consequences of DevOps in a highly regulated environment pointed out by Scherrer include fine-grained traceability (and consequently auditability) via release automation, improved security (for example, automated vulnerability scanning at build time) and improved system quality (for example, via a pull request mechanism). Interestingly, simply making sure that all critical code (such as a payment component) gets reviewed, and that the review itself is traceable, met some critical PCI DSS requirements while increasing shared knowledge and code quality.
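The review gate mentioned above, as an added example that is not SIX's tooling: a release check that refuses to ship any commit touching a critical component unless it carries an approval from someone other than its author, and that records the approval permalink as evidence for the auditors. It also handles two edge cases a naive "has an approval" check misses: self-approval, and an approval later withdrawn by a "changes requested" review. The commits, review records, path patterns and URLs are constructed.

```python
"""Release gate: changes to critical code must carry a traceable, independent review.

Added example, not SIX's tooling. Commits, reviews, paths and URLs below are
constructed for the demonstration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed: components whose changes always need an independent review.
# fnmatch's "*" also matches "/", so "payment/*" covers nested files.
CRITICAL_PATHS = ["payment/*", "ledger/*", "crypto/*"]


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    files: tuple


@dataclass(frozen=True)
class Review:
    sha: str
    reviewer: str
    state: str  # "approved" | "changes_requested" | "commented"
    url: str    # permalink kept as audit evidence


def critical_files(commit, patterns=CRITICAL_PATHS):
    return [f for f in commit.files if any(fnmatch(f, p) for p in patterns)]


def independent_approvals(commit, reviews):
    """Approvals from reviewers other than the author, using each reviewer's
    latest state only (a later 'changes_requested' withdraws an approval).
    `reviews` is assumed to be in chronological order."""
    latest = {}
    for r in reviews:
        if r.sha == commit.sha:
            latest[r.reviewer] = r
    return [r for r in latest.values()
            if r.state == "approved" and r.reviewer != commit.author]


def gate(commits, reviews):
    """Return a per-commit report plus the release decision."""
    report = []
    for c in commits:
        hits = critical_files(c)
        approvals = independent_approvals(c, reviews) if hits else []
        report.append({
            "sha": c.sha,
            "critical": bool(hits),
            "files": hits,
            "ok": not hits or bool(approvals),
            "evidence": [r.url for r in approvals],
        })
    blocked = [r["sha"] for r in report if not r["ok"]]
    return {"release_allowed": not blocked, "blocked": blocked, "report": report}


# Constructed sample input.
COMMITS = [
    Commit("a1f3", "alice", ("payment/settle.py", "docs/README.md")),
    Commit("b7c9", "bob", ("web/static/style.css",)),
    Commit("c0de", "carol", ("payment/refund.py",)),
    Commit("d4e5", "dave", ("ledger/post.py",)),
]
REVIEWS = [
    Review("a1f3", "bob", "approved", "https://git.example/pr/101#review-1"),
    Review("c0de", "carol", "approved", "https://git.example/pr/102#review-2"),  # self-approval
    Review("d4e5", "erin", "approved", "https://git.example/pr/103#review-3"),
    Review("d4e5", "erin", "changes_requested", "https://git.example/pr/103#review-4"),
]

if __name__ == "__main__":
    result = gate(COMMITS, REVIEWS)
    for row in result["report"]:
        print(row)
    print("release allowed:", result["release_allowed"], "blocked:", result["blocked"])
```

Run against the sample data, the gate passes the non-critical CSS change and the independently reviewed settlement change, but blocks the self-approved refund change and the ledger change whose approval was later withdrawn. The `evidence` list is what makes the review traceable: it is the artefact a release pipeline would attach to the deployment record for the auditor.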
