DevOps Survival in the Highly Regulated Financial Industry
At the first DevOps Enterprise Summit Europe in London, Robert Scherrer, head of application engineering at SIX, explained how the company leveraged DevOps principles and benefits in the highly regulated Swiss financial industry. Engaging with compliance auditors to collaboratively agree on solutions early (before it's too costly to change) and avoiding legacy internal directives (not actually required by external regulations) were the main takeaways from the talk.
Sharing (and negotiating) strategic technical plans with auditors allows ironing out potencial compliance issues before investing in implementation. Scherrer offered as example the move to an Openshift private cloud where the auditor raised concerns regarding multi-tenancy of financial services on the same cloud instance. The solution consisted of an infrastructure pool with a dedicated cloud for each customer, adding some configuration complexity but resolving the auditor's security concerns, thus ensuring a smoother path to production later on.
Scherrer explained that blindly following internal directives is a costly mistake that hinders the benefits of DevOps. On one hand, external regulations are often less restrictive than the internal directives they led to. On the other hand, not all services, or even components, are born equally critical. Thus demanding the same level of compliance from all, leads to considerable waste. Crucially backed by management support, Scherrer was able to track down several internal directives to their external source and amend the former to be less restrictive.
Particularly noteworthy was an internal rule that developers could not access production systems. It turned out there was no external regulation with such requirement; instead this was a literal interpretation of the segregation of duties requirement. According to Scherrer, 65% of SIX's developers can now wear pagers and have temporary role-based access (during on-call rotation) to production environments. Furthermore, by shipping and centralizing logs outside the production environment, development teams effectively have read access to production logs. At the same time, by moving to immutable infrastructure, manual intervention in production is reduced to a minimum, further increasing auditors trust.
Some benefitial consequences of DevOps in a highly regulated environment pointed out by Scherrer include a fine-grained level of traceability (and consequently auditability) via release automation, improved security (for example with automated vulnerability scanning at build time) and quality of the systems (for example via a pull request mechanism). Interestingly, simply making sure all critical code (such as a payment component) gets reviewed (and the review itself is traceable) allowed meeting some critical requirements (from PCI DSS) while increasing shared knowledge and code quality.