A Blueprint for Cloud-Native Financial Institutions

In this presentation we show how one of the largest banks in the Nordics succeeded in adopting evolutionary architecture at scale.


  1. 1. A BLUEPRINT FOR CLOUD-NATIVE FINANCIAL INSTITUTIONS
  2. 2. ANGELO AGATINO NICOLOSI https://dk.linkedin.com/in/anicolosi
  3. 3. AGENDA The Dream / A New Beginning / The Cloud-Native Financial Institution / Fast-Track to Evolutionary Architecture
  4. 4. START-UP LIFE
  5. 5. ENTERPRISE LIFE
  6. 6. AN ENTERPRISE APPLICATION [diagram of the supporting capabilities: Network, Compute, Databases, API Management, Monitoring, Application Security, Message Broker, Application Logs, Audit Logs, Resource Management, Deployment, Collaboration, Integration, PKI, Audit, Risk and Security Assessment, …]
  9. 9. OUR DREAM: AGILE ENTERPRISE
  10. 10. ADOPT EVOLUTIONARY ARCHITECTURE Refocus resources and effort on building a future-proof architecture, and stop trying to predict what the business and the technology will look like in the future.
  11. 11. AGENDA The Dream A New Beginning The Cloud-Native Financial Institution Fast-Track to Evolutionary Architecture 11
  12. 12. DEN NY MOBILBANK (The New Mobile Bank) Agility, Quality, High Availability
  13. 13. - Current status - Tight coupling - High complexity - Large regression tests - Operational issues - Local and enterprise Change Advisory Boards - Release is a pain - Serious business losses Image from: https://disrupt-and-innovate.org 2015
  14. 14. • 05.2013: Release • 12.2013: ≈ 1M users • 05.2015: Release • 11.2015: 1M users Data from Wikipedia
  16. 16. 2015
  18. 18. - Is the mainframe really the issue? - Thousands of modules, programs, copybooks, etc. in PL/I and COBOL. - External interfaces have been estimated at > 50K. - No documentation. - Multiple versions with no way to know which one to use. - The same functionality implemented multiple times. 2015
  21. 21. THE OUT-OF-MAINFRAME PROJECTS! A.K.A. THE "RECODE THE BANK" PROJECTS 2015
  22. 22. - Is the mainframe really the issue? - It was true that the system was complex, but only to develop in: - All transactions hit one single DBMS (DB2). - A very skilled central DBA unit, with dedicated specialists in every development team. - Constant monitoring and optimization. - RCAs on incidents seldom located root causes on this platform. 2015
  24. 24. [diagram: … Middleware] 2015
  26. 26. Illustration: Jim Nelson for his book "On the shoulder of a giant" #1 STAND ON THE SHOULDERS OF GIANTS And remove technical debt
  27. 27. Q4 2015: Identify Technical Debt → Q1 2016: Public Cloud! → Q2 2016: Private Cloud → Q3 2016: Production
  30. 30. #2 BE SMART - Define an exit strategy - Use containers - Segregate business logic from "infrastructure wiring" - Adopt an evolutionary architecture
  31. 31. AGENDA The Dream A New Beginning The Cloud-Native Financial Institution Fast-Track to Evolutionary Architecture 31
  32. 32. [diagram: … Middleware] TECHNICAL DEBT
  33. 33. STEP 1: ENSURE SEGREGATION [diagram: API Gateway, API Gateway, Old middleware]
  34. 34. STEP 2: MIGRATE BUSINESS LOGIC [diagram: API Gateway, API Gateway]
  35. 35. STEP 3: PERFORM DATA MIGRATION [diagram: API Gateway, API Gateway]
  36. 36. ENCLAVE - DEFINITION MICROSERVICES FOR THE ENTERPRISE An enclave is a self-sufficient, secured and isolated platform composed of a set of services supporting any number of external or internal applications that reside within the same enterprise business domain.
  37. 37. SOME DETAILS - It has a single inbound (API Gateway) and a single outbound (Integration) network microsegment. - Microservices in the API Gateway and Integration contexts are completely stateless (with regard to transactions). - It segregates business domains into different network microsegments. - Synchronous communication is discouraged (except for data queries). - Mutual TLS wherever microsegments are crossed. - Authorization through JWTs. [diagram: Security, API Gateway, Business Domains, Integration]
  39. 39. ENCLAVES IN THE ENTERPRISE [diagram: Local and Enterprise levels]
  40. 40. PRACTICAL EXAMPLE: PAYMENTS [diagram: Private Banking, MobilePay, Payment Systems] • A payment is requested by a user in MobilePay. [Status: Pending] • The request is committed in the MobilePay enclave and a Local Event is fired. [Status: Pending] • Payment Systems perform the required checks and operations and fire an Enterprise Event. [Status: Pending] • Both the Private Banking and MobilePay enclaves receive the Enterprise Event and update their state. [Status: Approved]
  44. 44. PRACTICAL EXAMPLE: PAYMENTS • Why do we use Local Events instead of simple queues? Audit.
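The payment flow of slides 40-44, modelled in code as an added example (this is not the bank's code): each enclave keeps its own view of the payment, a local event is committed and journaled inside the MobilePay enclave before anything leaves it, and enterprise events carry the outcome to every enclave. The hop that republishes the local event across the enterprise (the Integration context), the hash-chained audit log, the amount limit and the sample payments are assumptions made for this example; the idempotency check shows why enclaves must tolerate redelivery of the same event.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from itertools import count

LOCAL, ENTERPRISE = "local", "enterprise"
_event_ids = count(1)


@dataclass(frozen=True)
class Event:
    event_id: str
    scope: str        # LOCAL: delivered only inside the source enclave; ENTERPRISE: to every enclave
    source: str       # enclave that produced it
    kind: str         # PaymentRequested, PaymentSubmitted, PaymentApproved, PaymentRejected
    payment_id: str
    payload: dict


class AuditLog:
    """Append-only, hash-chained record of every event before it is delivered.
    The hash chain is a design choice of this example (not prescribed by the slides):
    it makes after-the-fact edits to the journal detectable."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        record = {"prev": prev, "event": asdict(event)}
        record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
        self.entries.append(record)

    def verify(self):
        prev = "0" * 64
        for rec in self.entries:
            body = json.dumps({"prev": rec["prev"], "event": rec["event"]}, sort_keys=True)
            if rec["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class EventBus:
    def __init__(self, audit):
        self.audit, self.enclaves = audit, {}

    def publish(self, event):
        self.audit.append(event)          # journaled first, then delivered
        self.deliver(event)

    def deliver(self, event):
        targets = [self.enclaves[event.source]] if event.scope == LOCAL else list(self.enclaves.values())
        for enclave in targets:
            enclave.handle(event)


class Enclave:
    def __init__(self, name, bus):
        self.name, self.bus = name, bus
        self.payments = {}    # payment_id -> status: this enclave's own view of the payment
        self.seen = set()     # handled event ids: delivery is at-least-once, so handling must be idempotent
        bus.enclaves[name] = self

    def emit(self, scope, kind, payment_id, **payload):
        self.bus.publish(Event(f"evt-{next(_event_ids)}", scope, self.name, kind, payment_id, payload))

    def handle(self, event):
        if event.event_id in self.seen:
            return                        # duplicate delivery: ignore
        self.seen.add(event.event_id)
        self.on_event(event)

    def on_event(self, event):
        if event.kind in ("PaymentApproved", "PaymentRejected"):
            self.payments[event.payment_id] = event.payload["status"]


class MobilePay(Enclave):
    def request_payment(self, payment_id, amount, account):
        self.payments[payment_id] = "Pending"           # committed locally before anything leaves the enclave
        self.emit(LOCAL, "PaymentRequested", payment_id, amount=amount, account=account)

    def on_event(self, event):
        if event.scope == LOCAL and event.kind == "PaymentRequested":
            # Assumed Integration-context hop: republish the local event to the enterprise.
            self.emit(ENTERPRISE, "PaymentSubmitted", event.payment_id, **event.payload)
        else:
            super().on_event(event)


class PaymentSystems(Enclave):
    LIMIT = 10_000   # constructed check standing in for the real payment checks

    def on_event(self, event):
        if event.kind == "PaymentSubmitted":
            status = "Approved" if event.payload["amount"] <= self.LIMIT else "Rejected"
            self.emit(ENTERPRISE, f"Payment{status}", event.payment_id, status=status)
        else:
            super().on_event(event)


def run_scenario():
    """Two constructed payments, then a redelivery of the last enterprise event."""
    audit = AuditLog()
    bus = EventBus(audit)
    mobilepay = MobilePay("MobilePay", bus)
    banking = Enclave("PrivateBanking", bus)
    PaymentSystems("PaymentSystems", bus)
    mobilepay.request_payment("p-1", amount=250, account="acct-42")      # within limit -> Approved
    mobilepay.request_payment("p-2", amount=50_000, account="acct-42")   # over limit -> Rejected
    bus.deliver(Event(**audit.entries[-1]["event"]))                      # duplicate: no state change, not journaled
    return {"mobilepay": dict(mobilepay.payments), "banking": dict(banking.payments),
            "events": len(audit.entries), "audit": audit}
```

Because every event is written to the journal before any enclave reacts to it, the audit log answers the slide's question: it is the ordered, tamper-evident history of who requested, who approved and when, which a plain queue (consumed and gone) cannot give you.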
  45. 45. #3 FUTURE PROOF YOUR APPLICATIONS EASY TO CHANGE, EXTEND AND EXPERIMENT
  46. 46. WHAT ABOUT SECURITY? [diagram: Security, API Gateway, Business Domains, Integration] • The enclave setup helps minimise the blast radius in case of an attack. • Moreover, with the concept of the EUP Ticket, cross-platform communication is much harder to misuse.
  47. 47. NEW TECH SOMETIMES MEANS INSTALLING NEW STUFF… ENDPOINT SECURITY • Having Device Management as the security cornerstone is a great idea. • However, that Access Proxy can be very complex to implement. Image from https://www.praetorian.com
  48. 48. ENCLAVES TO THE RESCUE • Having Device Management as the security cornerstone is a great idea. • Specific enclaves for internal applications will only be available to authorised devices. • For any other specialised use, evaluate on a per-need basis, avoiding the construction of complex systems (SSH tunnelling, Citrix, jump hosts, etc.)
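The inbound microsegment of slides 37-38 (mutual TLS across microsegments, authorization through JWTs) and the device-bound internal enclaves of slide 48, as one added example that is not the bank's code. It assumes mutual TLS is terminated in front of the gateway and that the verified client-certificate subject is handed over as `peer`; the issuer name, the shared HS256 secret (a real deployment would verify an asymmetric signature with the issuer's public key), the `device` claim and all tokens are constructed for the example. The point to take away is the audience check: a token minted for one enclave is rejected by every other enclave, which is what keeps a stolen token's blast radius small.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "enterprise-idp"                          # assumed central token issuer
SECRET = b"constructed-demo-secret-do-not-reuse"   # assumed HS256 key shared with the issuer
NOW = 1_700_000_000                                # fixed clock so the example is reproducible


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Mint an HS256 JWT. Issuing is the identity provider's job; this only builds test data."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


class EnclaveGateway:
    """The single inbound microsegment of one enclave. `peer` is the client-certificate
    subject that the (assumed) mutual-TLS termination in front of this code verified."""

    def __init__(self, enclave_id, secret, allowed_peers, authorised_devices=None, now=time.time):
        self.enclave_id = enclave_id
        self.secret = secret
        self.allowed_peers = set(allowed_peers)
        # None: any device may call; a set: only registered devices (slide 48's internal enclaves)
        self.authorised_devices = None if authorised_devices is None else set(authorised_devices)
        self.now = now

    def authorise(self, peer, token):
        """Return (allowed, reason); the reason is for logs, never for the caller."""
        if peer not in self.allowed_peers:
            return False, "peer not allowed across this microsegment"
        try:
            h, b, s = token.split(".")
            header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s)
        except ValueError:                      # covers bad base64, bad JSON and a wrong number of segments
            return False, "malformed token"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return False, "malformed token"
        if header.get("alg") != "HS256":        # pin the algorithm; never let the token choose ("none" attacks)
            return False, "unexpected alg"
        expected = hmac.new(self.secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        if claims.get("iss") != ISSUER:
            return False, "unknown issuer"
        if claims.get("aud") != self.enclave_id:  # a token for enclave A is useless at enclave B
            return False, "token not issued for this enclave"
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= self.now():
            return False, "expired"
        if self.authorised_devices is not None and claims.get("device") not in self.authorised_devices:
            return False, "device not authorised"
        return True, "ok"


def demo():
    """Constructed scenario: a payments enclave and a device-bound internal-tools enclave."""
    def clock():
        return NOW
    payments = EnclaveGateway("payments", SECRET, {"mobilepay-integration"}, now=clock)
    internal = EnclaveGateway("internal-tools", SECRET, {"office-access-proxy"},
                              authorised_devices={"dev-0a1b"}, now=clock)
    user = {"iss": ISSUER, "sub": "u-42", "aud": "payments", "exp": NOW + 300}
    tok = issue_token(SECRET, user)
    h, b, _ = tok.split(".")
    none_hdr = b64url_encode(json.dumps({"alg": "none"}).encode())
    return {
        "valid": payments.authorise("mobilepay-integration", tok),
        "wrong_segment": payments.authorise("unknown-svc", tok),
        "wrong_enclave": internal.authorise("office-access-proxy", tok),
        "expired": payments.authorise("mobilepay-integration", issue_token(SECRET, {**user, "exp": NOW - 1})),
        "forged": payments.authorise("mobilepay-integration", f"{h}.{b}.{b64url_encode(b'x' * 32)}"),
        "alg_none": payments.authorise("mobilepay-integration", f"{none_hdr}.{b}."),
        "unmanaged_device": internal.authorise("office-access-proxy", issue_token(SECRET, {**user, "aud": "internal-tools"})),
        "managed_device": internal.authorise("office-access-proxy",
                                             issue_token(SECRET, {**user, "aud": "internal-tools", "device": "dev-0a1b"})),
    }
```

The order of checks matters: peer identity from the TLS layer first, then signature and algorithm, and only then the claims, so that nothing in an unverified token influences a decision. The device registry is what turns "enclaves for internal applications" into a policy the gateway can enforce without a separate access proxy.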
  49. 49. AGENDA The Dream A New Beginning The Cloud-Native Financial Institution Fast-Track to Evolutionary Architecture 49
  50. 50. OPEN SERVICE BROKER API A simple set of API endpoints which can be used to provision, gain access to and manage service offerings.
  51. 51. ENCLAVES AT SCALE: OPEN SERVICE BROKER API [diagram: Business Unit → API → Cloud2 Delivery (Non-Production, Production); APIs: Create Enclave, Create Business Domain, Create Microservice; Cloud2 Engine ×3]
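A minimal broker for an "enclave" offering in the Open Service Broker style, as an added example; it is not the Cloud2 Delivery API and every identifier, plan and URL in it is made up. What it shows is the part of the OSB contract that matters when provisioning is driven by automation: the mandatory `X-Broker-API-Version` header, and the idempotency rule for `PUT /v2/service_instances/:id` (an identical repeat returns 200, a conflicting one 409), which lets a retrying caller never create a second enclave by accident.

```python
from copy import deepcopy

API_VERSION_HEADER = "X-Broker-API-Version"

# Constructed catalog: the service and plan ids are invented for this example.
CATALOG = {
    "services": [{
        "id": "3f1c-enclave-service",
        "name": "enclave",
        "description": "Self-sufficient, secured and isolated platform for one business domain",
        "bindable": False,
        "plans": [
            {"id": "plan-nonprod", "name": "non-production", "description": "Non-production enclave"},
            {"id": "plan-prod", "name": "production", "description": "Production enclave"},
        ],
    }]
}
PROVISION_FIELDS = ("service_id", "plan_id", "organization_guid", "space_guid", "parameters")


class EnclaveBroker:
    """In-memory broker for the OSB catalog and provisioning calls.
    Every call returns (http_status, json_body)."""

    def __init__(self):
        self.instances = {}   # instance_id -> the request that created it

    def handle(self, method, path, headers, body=None):
        version = headers.get(API_VERSION_HEADER, "")
        if not version.startswith("2."):           # OSB: reject requests without a supported version header
            return 412, {"description": "missing or unsupported X-Broker-API-Version"}
        parts = path.strip("/").split("/")
        if method == "GET" and parts == ["v2", "catalog"]:
            return 200, deepcopy(CATALOG)
        if parts[:2] == ["v2", "service_instances"] and len(parts) == 3:
            if method == "PUT":
                return self.provision(parts[2], body or {})
            if method == "DELETE":
                return self.deprovision(parts[2])
        return 404, {"description": "no such route"}

    def provision(self, instance_id, body):
        service = CATALOG["services"][0]
        plan_ids = {p["id"] for p in service["plans"]}
        if body.get("service_id") != service["id"] or body.get("plan_id") not in plan_ids:
            return 400, {"description": "unknown service_id or plan_id"}
        desired = {k: body.get(k) for k in PROVISION_FIELDS}
        existing = self.instances.get(instance_id)
        if existing is not None:
            # Retried identical request: already done. Different attributes for the same id: conflict.
            return (200, {}) if existing == desired else (409, {"description": "instance exists with different attributes"})
        self.instances[instance_id] = desired
        return 201, {"dashboard_url": f"https://cloud2.example/enclaves/{instance_id}"}  # hypothetical URL

    def deprovision(self, instance_id):
        # The service_id/plan_id query parameters OSB requires here are omitted for brevity.
        if instance_id not in self.instances:
            return 410, {}   # already gone, which a retrying caller treats as success
        del self.instances[instance_id]
        return 200, {}


def demo():
    """Constructed request sequence; returns the status codes in order."""
    broker = EnclaveBroker()
    hdrs = {API_VERSION_HEADER: "2.13"}
    req = {"service_id": "3f1c-enclave-service", "plan_id": "plan-prod",
           "organization_guid": "org-payments", "space_guid": "space-dk",
           "parameters": {"business_domain": "payments"}}
    return [
        broker.handle("GET", "/v2/catalog", hdrs)[0],                                               # catalog
        broker.handle("PUT", "/v2/service_instances/enc-1", {}, req)[0],                            # no version header
        broker.handle("PUT", "/v2/service_instances/enc-1", hdrs, req)[0],                          # created
        broker.handle("PUT", "/v2/service_instances/enc-1", hdrs, req)[0],                          # identical retry
        broker.handle("PUT", "/v2/service_instances/enc-1", hdrs, {**req, "plan_id": "plan-nonprod"})[0],  # conflict
        broker.handle("PUT", "/v2/service_instances/enc-2", hdrs, {**req, "plan_id": "bogus"})[0],  # unknown plan
        broker.handle("DELETE", "/v2/service_instances/enc-1", hdrs)[0],                            # deleted
        broker.handle("DELETE", "/v2/service_instances/enc-1", hdrs)[0],                            # already gone
    ]
```

The broker decides on the full request, not just the instance id: two business units racing to create `enc-1` with different plans get one 201 and one 409, and the automation on the 409 side knows it must pick another id rather than silently sharing an enclave.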
  52. 52. ENCLAVES ARE JUST ONE OF THE POSSIBLE BLUEPRINTS 52 Cloud Development Guild (R&D) Automation Application Blueprints
  53. 53. AN ENTERPRISE APPLICATION [diagram of the supporting capabilities: Network, Compute, Databases, API Management, Monitoring, Application Security, Message Broker, Application Logs, Audit Logs, Resource Management, Deployment, Collaboration, Integration, PKI, Audit, Risk and Security Assessment, …]
  55. 55. #4 AUTOMATE AND USE STANDARDS
  57. 57. HOWEVER - Building a cloud is hard (surprise!) - Customer expectations - A DevOps culture cannot exist in a project-oriented organization.
  58. 58. #5 ORGANIZATION FIRST INVEST IN YOUR PEOPLE
  59. 59. AT BESTSELLER WE STARTED FROM THE ORGANIZATION [diagram: Customer, Consumer, Products, Operations, Finance & BI, Workforce] - Products instead of projects - PO & SM as leaders - DevOps culture
  60. 60. AND NOW WE TACKLE THE TECH: A NEW ERP SYSTEM PL/SQL
  61. 61. WRAP UP 1. Stand on the shoulders of giants (your legacy) 2. Be smart (avoid vendor lock-in and expect migrations) 3. Future-proof your applications 4. Automate and use standards 5. Start from the organization and invest in your people
  62. 62. THANKS! ANY QUESTIONS?
