BOSTON — Security rules are inescapable for IT service providers within a financial enterprise, and several such companies filled in their peers on how they’ve approached DevOps and security in presentations here at Red Hat Summit 2017.
In several cases, that has meant shifting security and data governance responsibilities onto developers, a scary prospect for some IT pros, but one that has worked so far at companies such as Deutsche Bank.
“We code to the highest common denominator among regulations,” said William Dettelback, VP of engineering for the German financial services company. Right now, that’s the Monetary Authority of Singapore’s security regulations. “For us, the most stringent regulation is our baseline.”
Barclays has a “bring your own image” system for developers on test and development infrastructures, and those developers are accountable for the security of their images.
“We’ve changed our rules to say, we’ll report on it, we’ll give you every tool, including our own base images you can build from,” said Simon Cashmore, lead engineer and solutions architect for the UK-based bank. “But we’ll tell you, and keep telling you, you’re accountable when audits come.”
— Beth Pariseau (@PariseauTT) May 3, 2017
That doesn’t mean ops is off the hook when it comes to DevOps and security. Behind the scenes, Deutsche Bank ops uses Red Hat CloudForms, which ships with OpenShift, to scan container images for vulnerabilities listed in Red Hat’s Common Vulnerabilities and Exposures (CVE) database, and sends the results to OpenShift. Newly reported vulnerabilities trigger OpenShift to build new container images. This has helped the bank react to new security threats quickly without manual patching: apps built from those container images pick up the fixes as OpenShift pushes updated images into the Docker registry.
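The "updated base image triggers a rebuild" step above is the part of the pipeline a practitioner can reproduce directly in OpenShift. The following BuildConfig is an added illustration, not configuration from the article or from either bank; the application name, Git URL and base image stream name are assumptions. With an ImageChange trigger on the base image, pushing a patched base image into the `openshift` namespace's image stream causes every application build that references it to rebuild, which is how apps pick up security fixes without a manual patch cycle.

```yaml
# Added example, not from the original article or from Deutsche Bank/Barclays.
# Assumed names: app "payments-api", base image stream "rhel7-base:latest",
# and a placeholder Git URL.
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: payments-api
spec:
  source:
    type: Git
    git:
      uri: https://git.example.com/payments/api.git   # placeholder repository
  strategy:
    type: Docker
    dockerStrategy:
      from:
        # The ops-maintained base image. When this ImageStreamTag is updated
        # (e.g. after a CVE fix is pushed), the ImageChange trigger below fires.
        kind: ImageStreamTag
        name: rhel7-base:latest
        namespace: openshift
  output:
    to:
      # Rebuilt application image lands in the project's own image stream;
      # deployments that watch this tag roll out the patched image.
      kind: ImageStreamTag
      name: payments-api:latest
  triggers:
    # Rebuild whenever the base image referenced in strategy.from changes.
    - type: ImageChange
      imageChange: {}
    # Rebuild when the BuildConfig itself is edited.
    - type: ConfigChange
```

Note that the rebuild only happens for images whose BuildConfig references the base image through an ImageStreamTag; a Dockerfile that pulls a base image by an external registry URL bypasses the trigger, which is one reason to route developers through ops-provided image streams as Barclays does.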
At Barclays, the new rules don’t apply yet to pushing container images in production — that’s still handled manually after image introspection by the ops team.
Automated resilience and disaster recovery are also part of the new DevOps processes at both companies. Barclays’ ops team enforces app resilience by periodically “draining” containers from the infrastructure, so devs ship apps without the required resilience at their own peril. Deutsche Bank, meanwhile, has established active-active disaster recovery rather than an active-passive mode, and is working toward full automation of failover.
“We want failover done once, correctly,” said Dettelback. “If someone has to log in to deploy or fix something, we’ve failed.”