
FSV308-Culture Shift How to Move a Global Financial Services Organization to DevOps Op Model

Many enterprises that follow regulated, process-driven workflows would like to take advantage of the innate features and benefits of AWS to become more agile, achieve operational excellence, and accelerate time-to-market while leveraging a DevOps culture and development methodology. But building a mature DevOps capability doesn’t happen overnight. Creating and implementing testing, compliance, and security automation frameworks requires time and organizational and process changes. Financial institutions are addressing this challenge by using AWS Service Catalog to help bridge the gap between traditional operations and true DevOps.

  1. FSV308 – Culture shift: How to move a global Financial Services organization to a DevOps operating model • Alan Garver, DevOps Professional Services Consultant - AWS • Mahdi Sajjadpour, AWS Business Development Manager - Service Catalog • Jonny Sywulak, Sr. DevOps Automation Engineer - Stelligent • November 27, 2017 • © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to expect from this session • How Financial Services enterprises can enable self-service DevOps capabilities on AWS • Strategy for enabling enterprise-wide transformation and ramping up quickly • Three specific strategies to try at home
  3. The DevOps Transformation Challenge
  4. Technology challenges • Infrastructure automation • Monolithic applications • Tooling selection noise • Security and resiliency • Failure detection • Automated controls
  5. Organizational challenges • Organizational complexity • Skills and cloud experience • Multiple process handoffs • Long lead times • Ownership confusion [Diagram: Dev Operations, LOB1 AppDev, Prod Operations, LOB1 Arch, LOB1 Security, LOB1 QA, LOB2 Security, LOB2 AppDev, LOB2 QA, Business Continuity, Corp Risk, InfoSec, LOB2 Risk, LOB2 DevOps]
  6. Financial enterprise challenges • Regulatory compliance • Encryption and security • Least privileged access • Audit and reporting • Separation of duties
  7. Monolith development lifecycle—circa 2000 [Diagram: developers; app; delivery pipeline (build, test, release)]
  8. 2-Pizza team responsibility Venn diagram • Responsible for THEIR PRODUCT • Deployment tools, CI/CD tools, Monitoring tools, Metrics tool, Logging tools, APM tools, Infrastructure provisioning tools, Security tools, Database management tools, Testing tools, … • Not responsible for* • *Unless their product is in green
  9. Microservice development lifecycle [Diagram: developers; services; delivery pipelines (build, test, release, repeated per service)]
  10. DevOps transformation takes time • Technological: Infrastructure as code; Self-service; Single purpose; Microservices • Organizational: Cultural philosophy; Builders have ownership; “You build it, you run it”; Let builders build
  11. Organizational transformation • Move from manual handoffs to “as a service” • Automate all the things • Simplify and decompose monoliths • Two Pizza service teams [Diagram: Database As a Service, Servers As a Service, Encryption As a Service, App Deploy As a Service, App Function As a Service]
  12. The DevOps Pipeline • Resources morph from source, to executable, to operational • Tests ensure integrity and validity of the resource
  13. The DevOps Pipeline • Failures stop the line, and prevent breakages to production • Fast feedback provided to the developer • Customized to your software development lifecycle
  14. The DevOps Pipeline [Diagram: Developer, Application, Infrastructure]
  15. The DevOps Pipeline • Infrastructure as code is part of the pipeline • Infrastructure is part of the software • Purpose built infrastructure improves security [Diagram: Developer, Application, Infrastructure]
  16. Self-service for developers [Diagram: multiple Developer icons]
  17. Yeah but, this is financial services… • Concerns over self-service access to infrastructure • Sensitive data protection • Regulatory infrastructure compliance • Maintain separation of duties
  18. Doesn’t this just create problems faster? [Diagram: multiple Developer icons]
  19. Enabling self-service at scale • Traditional DevOps • Governance at scale • Cloud governance • Self-service governance
  20. Centralized governance and control [Diagram: Authorized templates; Policy enforcement; Developer: Self-service access to infrastructure]
  21. Enabling self-service at scale • Traditional DevOps • Governance at scale • Cloud governance • Self-service governance
  22. Self-Service Infrastructure: AWS Service Catalog & AWS CloudFormation
  23. Self-service infrastructure • Faster innovation • Repeatable • Scalable • Secure • Least privilege • Testable • Immutable [Diagram: Standardized patterns; Purpose built patterns]
  24. What do we want to gain? • Ease of use • Agility • Governance • Scale
  25. How to get to self-service? • Standardize • Enforce policy • Integrate • Automate
  26. AWS CloudFormation • Template: JSON or YAML formatted file; Parameter definition; Resource creation; Configuration actions • CloudFormation (Framework): Stack creation; Stack updates; Error detection and rollback • Stack: Configured AWS services; Comprehensive service support; Service event aware; Customizable
  27. AWS Service Catalog • Organizations: Control; Standardization; Governance • Developers: Agility; Self-service; Time to market
  28. Key benefits • Standardize • Enforce consistency and compliance • Limit access • Enforce tagging • Developer autonomy • Guardrail resources • Automate deployments • Single-pane for provisioning
  29. Types of self-service infrastructure • Standardized patterns: Common infrastructure patterns; Traditional policy enforcement; Doesn’t depend on policy automation; New user friendly • Purpose-built patterns: Purpose built; Increased security and least privilege; Requires policy enforcement automation; Experimentation and innovation [Diagram labels: AWS CloudFormation, AWS Service Catalog]
  30. Standardized patterns: Preapproved, Verified, Secure; Common Application Pattern; Security/Governance Enforced; Immediately Available • Purpose built patterns: Requires security checks; Specific to application needs; Longer provisioning time; New application pattern [Diagram: Developer, AWS Service Catalog, CloudFormation Template]
  31. Standardized patterns [Diagram: Developer, ITSM, AWS Service Catalog, Deployed Stack]
  32. Purpose built patterns [Diagram: Developer, GIT, CloudFormation Template, Security Controls, ITSM]
  33. Shift to DevOps operating model [Chart labels: Number of Applications on AWS; Cloud Maturity; Provisioning Mechanism: 100% Manual; 80% - Standardized, 20% - Purpose Built; 20% - Standardized, 80% - Purpose Built; Template Factory; Security/Governance Automation; 5-6 Common Application Patterns; Agile Governance; DevOps Policy Engineering]
  34. Enabling self-service at scale • Traditional DevOps • Governance at scale • Cloud governance • Self-service governance
  35. Centralized governance and control [Diagram: Authorized template catalog; Policy enforcement; Developer: Select from a catalog of pre-built compliant templates; ? ?]
  36. Centralized governance and control [Diagram: Authorized templates; Policy enforcement; Effort intensive]
  37. Governance bottleneck [Diagram: multiple Developer icons; Policy enforcement]
  38. Scale through automation [Diagram: Authorized template catalog; Policy enforcement; Policy automation engine]
  39. Enabling self-service at scale • Traditional DevOps • Governance at scale • Cloud governance • Self-service governance
  40. Policy Automation with cfn_nag
  41. Policy in the pipeline • How do you test policy?
  42. Analysis of CloudFormation templates
  43. What is cfn_nag? • Static code analysis of AWS CloudFormation • Block undesirable resource specifications • Proactive preventative control, stop before creating resources • Enforceable in a pipeline
  44. cfn_nag will check for things like… • EC2 Instance Security Groups with ingress of 0.0.0.0/0 • IAM Permissions given to all (*) resources or all (*) actions • EBS volumes for full disk encryption • Custom rules
  45. Demo
  46. Would you like to learn more? • Using AWS to Achieve Both Autonomy and Governance at 3M: DEV332—Tuesday, Nov 28 1:45-2:45 • Security Validation Through Continuous Delivery at Verizon: DEV403—Friday, Dec 1, 10:45 AM - 11:45 AM • https://stelligent.com/fsv308
  47. Enabling self-service at scale • Traditional DevOps • Governance at scale • Cloud governance • Self-service governance
  48. Self-service policy automation? [Diagram: multiple Developer icons; Policy enforcement; X]
  49. Enabling self-service at scale • Traditional DevOps • Governance at scale • Cloud governance • Self-service governance
  50. Enforcing Policy at Scale: Simple Orchestrator
  51. Simple consistent experience • Standardized pattern vs. Custom infrastructure • What about?: Configuration Management; Logging; Monitoring; Artifact Management; ITSM
  52. Simplify repetitive tasks • Consistent interface • Best practices and guardrails • Orchestrate all the things • Portable functions
  53. Orchestration, not abstraction • Orchestration: Enable direct access to a native capability; Common interface for multiple tools; Automate repetitive tasks; Stand up automated guardrails; Goal is speed and ease of best practice use • Abstraction: Create common provider schema; Aimed at multi-cloud portability; Limits use of capabilities to least common; Longer customization development cycles; Goal is preventing vendor lock-in
  54. Orchestrating confidence in the pipeline [Diagram: Developer; Customer; Unit; Development Environment; Production Environment; Iterate & Test; Commit; Deploy; No Access Needed; Consistency]
  55. Python-based CLI example • Easy to build and maintain • Single interface for all the tools • Modular and opinionated • Built to purpose • Enforceable in the Pipeline
  56. Python CLI Example with Click
  58. Modular
  60. Self-service policy automation • Developers are customers • Consistent interface for all the things • Enforcement at scale
  61. Enabling self-service at scale • Traditional DevOps • Governance at scale • Cloud governance • Self-service governance
  62. Enabling DevOps transformation • Ramp quickly with infrastructure as code governance: https://aws.amazon.com/servicecatalog/ • Automate and codify all our policy: https://stelligent.com/fsv308 • Enforce at scale through consistent low friction developer experience: https://github.com/pallets/click
  63. Thank you! FSV308 – Culture shift: How to move a global Financial Services organization to a DevOps operating model • Alan Garver, DevOps Professional Services Consultant - AWS • Mahdi Sajjadpour, AWS Business Development Manager - Service Catalog • Jonny Sywulak, Sr. DevOps Automation Engineer - Stelligent
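
The kind of static template check slides 43 and 44 describe, as an added Python sketch that is not from the talk and is not cfn_nag's own code or rule set. The function names `scan` and `gate`, the finding names, and the sample template are constructed for illustration; `gate` returns a non-zero exit code so a pipeline stage can stop before any stack is created.

```python
import json

# Constructed sample template (not from the talk): three failing resources, one compliant.
SAMPLE = json.loads("""{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "web", "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "AppPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "app", "Roles": ["app-role"], "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
  "DataVol": {"Type": "AWS::EC2::Volume", "Properties": {
    "Size": 100, "AvailabilityZone": "us-east-1a"}},
  "SafeVol": {"Type": "AWS::EC2::Volume", "Properties": {
    "Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": true}}}}""")

def as_list(value):  # CloudFormation allows one item or a list in these positions
    return value if isinstance(value, list) else [value]

def scan(template):
    """Return sorted (logical_id, finding) pairs for the three slide-44 checks."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in as_list(props.get("SecurityGroupIngress", [])):
                if rule.get("CidrIp") == "0.0.0.0/0":
                    findings.append((name, "ingress-open-to-world"))
        elif rtype == "AWS::IAM::Policy":
            doc = props.get("PolicyDocument", {})
            for stmt in as_list(doc.get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                if "*" in as_list(stmt.get("Action", [])):
                    findings.append((name, "iam-wildcard-action"))
                if "*" in as_list(stmt.get("Resource", [])):
                    findings.append((name, "iam-wildcard-resource"))
        elif rtype == "AWS::EC2::Volume":
            # Anything but a literal true (e.g. a Ref) is not provably encrypted.
            if str(props.get("Encrypted")).lower() != "true":
                findings.append((name, "ebs-volume-unencrypted"))
    return sorted(findings)

def gate(template):
    """Pipeline exit code: non-zero stops the line before resources are created."""
    return 1 if scan(template) else 0

if __name__ == "__main__":
    print(scan(SAMPLE))
    raise SystemExit(gate(SAMPLE))
```
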
