© 2017 VERACODE INC.
How to Apply DevOps in a Regulated Organisation
About This Webinar
Colin Domoney, Consultant Solution Architect, @colindomoney
Topics:
• Benefits of DevOps
• The Problem with DevOps
• Regulation 101
• Best Practices and Recommendations
• DevOps Audit Defence Toolkit
• Case Studies
Further Reading
Kim, Gene, Kevin Behr, and George Spafford. 2013. The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win.
Kim, Gene, Patrick Debois, and John Willis. 2016. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations.
Bird, Jim. ‘DevOps for Finance - O’Reilly Media’. Accessed 19 April 2017. http://www.oreilly.com/webops-perf/free/devops-for-finance.csp.
‘2016 State of DevOps Report’. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
‘DevOps Audit Defense Toolkit’. Accessed 19 April 2017. https://plus.google.com/communities/103372669680429508474.
The Benefits of DevOps
• High-performing organizations are decisively outperforming their lower-performing peers in terms of throughput.
• High performers have better employee loyalty, as measured by employee Net Promoter Score (eNPS).
• Improving quality is everyone’s job.
• High performers spend 50 percent less time remediating security issues than low performers.
• Taking an experimental approach to product development can improve your IT and organizational performance.
• Undertaking a technology transformation initiative can produce sizeable cost savings for any organization.
Source: ‘2016 State of DevOps Report’. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
The Problem with DevOps
A Complete Mismatch?
• “celebrate failure”
• “blameless post-mortem”
• “fail fast, fail often”
• “automated release management”
• “breaking down silos”
Some Basic Problems
‘DevOps Is Great for Startups, but for Enterprises It Won’t Work—Yet’. WSJ, 13 May 2014. https://blogs.wsj.com/cio/2014/05/13/devops-is-great-for-startups-but-for-enterprises-it-wont-work-yet/.
• Siloed structures and organisational inertia make the changes required by DevOps difficult and expensive
• DevOps tooling and solutions are not always suited to legacy systems
• Building the financial ROI case for a technology-driven business process transformation across business silos is problematic
• The cultural transformation necessary may be hard to achieve in large-scale enterprises
And More Problems
• Highly siloed environments present great inertia and resistance to change
• Highly interdependent systems make changes difficult to test
• Legacy systems and technology
• Legacy controls (CMMI, ITIL, ISO standards)
• Compliance implications
– Separation of duties
– Severe fines
• Perception that DevOps will make IT less secure
Regulation 101
What Are We Talking About?
Regulation and Performance
“(the report) found that survey respondents in healthcare, banking, transportation and manufacturing reported a disproportionately high percentage of low-performing IT.”
‘But Wait, There’s More: Extra Data from the 2015 DevOps Survey’. Puppet. Accessed 19 April 2017. https://puppet.com/blog/but-wait-there-s-more-extra-data-from-2015-devops-survey.
The High Cost of Failure
• On August 1, 2012 new code was deployed to all servers
• A single server was missed by an operator
• Alerts were missed by operators before market open
• Checks were bypassed in code
• Rollback made things worse temporarily
• Incident lasted only 45 minutes
• Lost $440 million
• Acquired within four months of the incident
Regulators and the Compliance Department
• Many, many regulatory bodies
• Not applicable to all business units
• Often legacy or outdated controls
• Internal compliance organisation creates even more stringent requirements
• Original intent is lost
Multiple Regulators
IT Revolution. DOES16 London - Robert Scherrer - DevOps in a Highly Regulated Financial Infrastructure Company. Accessed 18 April 2017. https://www.youtube.com/watch?v=SczLjDOdF1E&t=40s.
Best Practices and Recommendations
Understanding Your Environment
1. Find a tame auditor
2. Read the regulations
3. Understand the intent
4. Read the internal regulations
5. Challenge … and simplify
Puppet. Puppet and DevOps in Regulated Environments. Accessed 18 April 2017. https://www.youtube.com/watch?v=yj9PbsNO2uE&t=1503s.
Step by Step
1. Meet the compliance team
2. Categorise risk by severity/prevalence
3. Describe the risk and proposed mitigation
4. Automate the process (if possible)
5. Test and verify the control
6. Communicate the control to stakeholders
DevSecCon. DevOps, Security, and Compliance: Working in Unison. Accessed 18 April 2017. https://www.youtube.com/watch?v=2Rq3q4C1WaU.
ITIL in a DevOps World
• Nothing in ITIL is in contradiction with DevOps principles
• Issues arise in typical ITIL implementations:
– Slow change management process
– Enforces silos and departments
“DevOps is basically more about how-to-do, ITIL more about what-to-do”
Change Management Process
• The ITIL change management process defines three types of change:
– Standard (low-risk, follows a standard process, can be automated)
– Normal (requires approval by the CAB, manual process)
– Emergency (high-priority CAB)
• Too many changes are classified as ‘normal’
• DevOps best practice suggests:
– Try to make as much as possible ‘standard’ and auto-approve it
– Optimise the CAB process for requests that remain ‘normal’
Two-speed IT Architecture
Two types of IT systems:
1. Slower-changing legacy backend ‘systems of record’ (where money is kept and counted)
2. More agile frontend ‘systems of engagement’ (where money is made or lost)
DevOps makes most sense in the latter case
Control Your Source Code Repositories
• Continuous Deployment means any code checked in can potentially reach production within minutes
• Best practices include:
– Splitting repositories
– Using Perforce for fine-grained control
– Performing peer reviews on ‘pull requests’ to critical code
Protect Your Deployment Pipeline
• Continuous Deployment means that your pipeline is a critical piece of infrastructure
• Best practices include:
– Hardening CI/CD systems to prevent compromise
– Reviewing changes to prevent execution of unwanted code
– Testing for suspicious API calls in unit tests or scripts
– Ensuring CI/CD runs in isolated containers
– Ensuring VCS credentials are ‘read only’
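Three of the controls on the two slides above (peer review of pull requests to critical code, testing for suspicious API calls in unit tests or scripts, and read-only VCS credentials) can be enforced as a gate the pipeline runs before it is allowed to deploy. The Python below is an added example, not code from the webinar or from Veracode; the critical-path list, the suspicious-call list, the scanned directories and the credential descriptor format are all assumptions, and the sample pull request is constructed.

```python
import ast

# Assumed: paths whose changes count as 'critical code' and need an
# independent peer review before they can be merged.
CRITICAL_PATHS = ("payments/", "auth/", "deploy/")
# Assumed: calls that a unit test or pipeline script has no ordinary reason
# to make (network access, spawning processes, reading secrets from env).
SUSPICIOUS_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call", "os.system",
    "socket.socket", "urllib.request.urlopen", "requests.get", "requests.post",
    "os.getenv", "os.environ.get",
}
# Assumed: directories whose Python files are scanned for the calls above.
SCANNED_DIRS = ("tests/", "scripts/", ".ci/")
# Scope fragments that mean a VCS credential can modify the repository.
WRITE_SCOPE_WORDS = ("write", "push", "admin")


def _dotted_name(node):
    """Rebuild 'pkg.mod.func' from an ast.Attribute/ast.Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_suspicious_calls(source):
    """Return sorted (line, call) pairs for suspicious calls in Python source."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Unparseable test code is itself a finding: it cannot have run as a test.
        return [(exc.lineno or 0, "unparseable source")]
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                hits.append((node.lineno, name))
    return sorted(hits)


def check_peer_review(changed_paths, author, approvers):
    """Critical code needs an approval from someone other than the author."""
    critical = [p for p in changed_paths if p.startswith(CRITICAL_PATHS)]
    if critical and not (set(approvers) - {author}):
        return ["critical code changed without independent peer review: " + ", ".join(critical)]
    return []


def check_scripts(files):
    """Scan test and pipeline scripts (path -> source) for suspicious calls."""
    findings = []
    for path, source in files.items():
        if path.endswith(".py") and path.startswith(SCANNED_DIRS):
            for line, call in find_suspicious_calls(source):
                findings.append(f"{path}:{line}: suspicious call {call}")
    return findings


def check_vcs_credential(credential):
    """The credential the pipeline uses against the VCS must be read-only."""
    scopes = credential.get("scopes", [])
    writable = sorted(s for s in scopes if any(w in s.lower() for w in WRITE_SCOPE_WORDS))
    if writable:
        return [f"pipeline VCS credential {credential['name']} is not read-only: " + ", ".join(writable)]
    return []


def gate_pull_request(pr, credential):
    """Run all three controls; the pipeline may deploy only when no finding remains."""
    findings = []
    findings += check_peer_review(list(pr["files"]), pr["author"], pr["approvers"])
    findings += check_scripts(pr["files"])
    findings += check_vcs_credential(credential)
    return {"allowed": not findings, "findings": findings}


# Constructed sample pull request: a self-approved change to payment code whose
# new 'unit test' reads a deploy token from the environment and opens a network connection.
SAMPLE_PR = {
    "author": "alice",
    "approvers": ["alice"],
    "files": {
        "payments/ledger.py": "def post(entry):\n    return entry\n",
        "tests/test_ledger.py": (
            "import os\n"
            "import urllib.request\n"
            "\n"
            "def test_post():\n"
            "    token = os.getenv('DEPLOY_TOKEN')\n"
            "    urllib.request.urlopen('http://example.invalid/')\n"
        ),
    },
}
# Constructed credential descriptor; a real one would come from the CI secret store.
SAMPLE_CREDENTIAL = {"name": "ci-vcs-token", "scopes": ["repo:read", "repo:write"]}
```

Calling `gate_pull_request(SAMPLE_PR, SAMPLE_CREDENTIAL)` returns four findings (missing independent review, two suspicious calls in the test, and a writable VCS token) and `allowed: False`; the same pull request approved by a second person, with a clean test file and a read-only token, passes.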
Continuous Deployment … or Delivery?
• High risk of automated changes to a live, business-critical system
• Live deployments work well for stateless web applications, where users are unlikely to notice a switch in environment
• Not well suited to high-volume, low-latency platforms
• Use best practices of Continuous Delivery to ensure changes are always ready to be deployed
• Schedule deployment using traditional methods (out of hours, etc.)
How to Change Without Failing
• Minimise the risk of change (automate everything)
• Reduce the batch size of changes
• Identify problems early (measure your MTTD)
• Make sure you can recover (minimise your MTTR)
• Be ready to roll back
• Incident response – always be prepared
Prove It!
DevOps Enterprise Summit. DOES15 - Bill Shinn - Prove It! The Last Mile for DevOps in Regulated Organizations. Accessed 18 April 2017. https://www.youtube.com/watch?v=gg8gGisl4zM.
Netflix Conformity Monkey
Izrailevsky, Yury. ‘The Netflix Simian Army’. Accessed 19 April 2017. http://techblog.netflix.com/2011/07/netflix-simian-army.html.
Chef InSpec
‘InSpec | IT Security and Compliance as Code’. Chef. Accessed 19 April 2017. https://www.chef.io/inspec/.
“InSpec is an open-source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements. When compliance is code, you can integrate automated tests that check for adherence to policy into any stage of your deployment pipeline.”
AWS Inspector
https://aws.amazon.com/inspector/
DevOps Audit Defence Toolkit
Parts Unlimited
The “Pull List”
Addressing Concerns
In Detail
Case Studies
ING Bank
• Used to use heavyweight process frameworks (Prince2, RUP and CMMI, and ITIL for operations)
• Changes were made slowly and were costly
• Ad-hoc adoption of Agile with Scrum teams
• Adoption of Continuous Delivery and DevOps followed
• 500 legacy applications decommissioned
• 2 year deployments done in 2 hours
Capital One
• Embraced Agile, DevOps and Cloud from the outset
• Less technical debt and bureaucracy
• DevOps technology operating model, which it calls “Engineering Excellence.”
“Once you go upstream and have development teams truly own their code in production there is an accountability and a quality dynamic that happens that is a very powerful incentive”
- Rob Alexander, Capital One CIO
Thank You!
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 

How to apply DevOps in a regulated organisation

  • 1. © 2017 VERACODE INC. How to Apply DevOps in a Regulated Organisation
  • 2. About This Webinar
    Colin Domoney, Consultant Solution Architect, @colindomoney
    Topics:
    • Benefits of DevOps
    • The Problem with DevOps
    • Regulation 101
    • Best Practices and Recommendations
    • DevOps Audit Defence Toolkit
    • Case Studies
  • 3. Further Reading
    Kim, Gene, Kevin Behr, and George Spafford. 2013. The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win.
    Kim, Gene, Patrick Debois, and John Willis. 2016. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations.
    Bird, Jim. ‘DevOps for Finance - O’Reilly Media’. Accessed 19 April 2017. http://www.oreilly.com/webops-perf/free/devops-for-finance.csp.
    ‘2016 State of DevOps Report’. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
    ‘DevOps Audit Defense Toolkit’. Accessed 19 April 2017. https://plus.google.com/communities/103372669680429508474.
  • 4. The Benefits of DevOps
  • 5. The Benefits of DevOps
    • High-performing organizations are decisively outperforming their lower-performing peers in terms of throughput.
    • High performers have better employee loyalty, as measured by employee Net Promoter Score (eNPS).
    • Improving quality is everyone’s job.
    • High performers spend 50 percent less time remediating security issues than low performers.
    • Taking an experimental approach to product development can improve your IT and organizational performance.
    • Undertaking a technology transformation initiative can produce sizeable cost savings for any organization.
    Source: ‘2016 State of DevOps Report’. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
  • 6. The Problem with DevOps
  • 7. A Complete Mismatch?
    • “celebrate failure”
    • “blameless post-mortem”
    • “fail fast, fail often”
    • “automated release management”
    • “breaking down siloes”
  • 8. Some Basic Problems
    ‘DevOps Is Great for Startups, but for Enterprises It Won’t Work—Yet’. WSJ, 13 May 2014. https://blogs.wsj.com/cio/2014/05/13/devops-is-great-for-startups-but-for-enterprises-it-wont-work-yet/.
  • 9. Some Basic Problems
    • Siloed structures and organisational inertia make the changes required by DevOps difficult and expensive
    • DevOps tooling and solutions are not always suited to legacy systems
    • Building the financial ROI case for a technology-driven business process transformation across business siloes is problematic
    • The cultural transformation necessary may be hard to achieve in large-scale enterprises
  • 10. And More Problems
    • Highly siloed environments present great inertia and resistance to change
    • Highly interdependent systems make changes difficult to test
    • Legacy systems and technology
    • Legacy controls (CMMI, ITIL, ISO standards)
    • Compliance implications
      – Separation of duties
      – Severe fines
    • Perception that DevOps will make IT less secure
  • 11. Regulation 101
  • 12. What Are We Talking About?
  • 13. Regulation and Performance
    “(the report) found that survey respondents in healthcare, banking, transportation and manufacturing reported a disproportionately high percentage of low-performing IT.”
    ‘But Wait, There’s More: Extra Data from the 2015 DevOps Survey’. Puppet. Accessed 19 April 2017. https://puppet.com/blog/but-wait-there-s-more-extra-data-from-2015-devops-survey.
  • 14. The High Cost of Failure
    • On August 1 2012 new code was deployed to all servers
    • A single server was missed by an operator
    • Alerts were missed by operators before market open
    • Checks were bypassed in code
    • Rollback made things worse temporarily
    • Incident lasted only 45 minutes
    • Lost $440 million
    • Acquired within four months of incident
  • 15. Regulators and the Compliance Department
    • Many, many regulatory bodies
    • Not applicable to all business units
    • Often legacy or outdated controls
    • Internal compliance organisation creates even more stringent requirements
    • Original intent is lost
  • 16. Multiple Regulators
    IT Revolution. DOES16 London - Robert Scherrer - DevOps in a Highly Regulated Financial Infrastructure Company. Accessed 18 April 2017. https://www.youtube.com/watch?v=SczLjDOdF1E&t=40s.
  • 17. Best Practices and Recommendations
  • 18. Understanding Your Environment
    1. Find a tame auditor
    2. Read the regulations
    3. Understand the intent
    4. Read the internal regulations
    5. Challenge … and simplify
    Puppet. Puppet and DevOps in Regulated Environments. Accessed 18 April 2017. https://www.youtube.com/watch?v=yj9PbsNO2uE&t=1503s.
  • 19. Step by Step
    1. Meet the compliance team
    2. Categorise risk by severity/prevalence
    3. Describe the risk and proposed mitigation
    4. Automate the process (if possible)
    5. Test and verify the control
    6. Communicate the control to stakeholders
    DevSecCon. DevOps, Security, and Compliance: Working in Unison. Accessed 18 April 2017. https://www.youtube.com/watch?v=2Rq3q4C1WaU.
  • 20. ITIL in a DevOps World
    • Nothing in ITIL is in contradiction with DevOps principles
    • Issues arise in typical ITIL implementations:
      – Slow change management process
      – Enforces siloes and departments
    “DevOps is basically more about how-to-do, ITIL more about what-to-do”
  • 21. Change Management Process
    • ITIL change management process defines three types of change:
      – Standard (low-risk, follow standard process, can be automated)
      – Normal (require approval by CAB, manual process)
      – Emergency (high priority CAB)
    • Too many changes are classified as ‘normal’
    • DevOps best practice suggests:
      – Try and make as much as possible ‘standard’ and auto-approve
      – Optimise the CAB process for requests that remain as ‘normal’
  • 22. Two-speed IT Architecture
    Two types of IT systems:
    1. Slower-changing legacy backend ‘systems of record’ (where money is kept and counted)
    2. More agile frontend ‘systems of engagement’ where money is made or lost
    DevOps makes most sense in the latter case
  • 23. Control Your Source Code Repositories
    • Continuous Deployment means any code checked in can potentially reach production within minutes
    • Best practices include:
      – Splitting repositories
      – Using Perforce for fine grained control
      – Performing peer reviews on ‘pull requests’ to critical code
  • 24. Protect Your Deployment Pipeline
    • Continuous Deployment means that your pipeline is a critical piece of infrastructure
    • Best practices include:
      – Hardening CI/CD systems to prevent compromise
      – Review changes to prevent execution of unwanted code
      – Test for suspicious API calls in unit tests or scripts
      – Ensure CI/CD runs in isolated containers
      – Ensure VCS credentials are ‘read only’
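Slides 21, 23 and 24 together describe a pipeline gate: classify each change as standard, normal or emergency, require peer review on pull requests to critical code, and keep separation of duties so the author of a change is not also its approver. The following is an added example of such a gate, written for this page and not code from Veracode or the DevOps Audit Defense Toolkit; the critical path prefixes, ticket ids and change records are constructed, and the evidence record it returns is what an auditor's "pull list" would later ask for.

```python
"""Deployment-pipeline gate for a regulated environment: change
classification (slide 21), peer review on pull requests to critical code
(slide 23) and separation of duties (slide 10). Added example; the change
records and path list below are constructed, not from any real system."""
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed list of code paths whose changes are never "standard".
CRITICAL_PREFIXES = ("payments/", "ledger/", "deploy/", ".ci/")


@dataclass
class Change:
    change_id: str
    author: str
    approvers: List[str]      # reviewers who approved the pull request
    files: List[str]          # paths touched by the change
    tests_passed: bool        # result of the automated test stage
    ticket: str = ""          # change or incident ticket reference
    emergency: bool = False   # declared as an emergency change


def critical_files(change: Change) -> List[str]:
    return sorted(f for f in change.files if f.startswith(CRITICAL_PREFIXES))


def independent_approvers(change: Change) -> List[str]:
    """Separation of duties: an approval by the author does not count."""
    return [a for a in change.approvers if a != change.author]


def classify(change: Change) -> str:
    """Map a change onto the three ITIL change types from slide 21."""
    if change.emergency:
        return "emergency"          # high-priority CAB, still needs a second person
    if critical_files(change):
        return "normal"             # CAB / human approval required
    return "standard"               # pre-approved, low risk, may be auto-approved


def gate(change: Change) -> Dict[str, Any]:
    """Decide whether the pipeline may deploy the change and record why.
    The returned dict is the evidence an auditor would later pull."""
    kind = classify(change)
    approvers = independent_approvers(change)
    findings: List[str] = []

    if not change.tests_passed:
        findings.append("automated tests did not pass")
    if not change.ticket:
        findings.append("no change ticket referenced")
    if kind != "standard" and not approvers:
        findings.append(f"{kind} change needs an approver other than the author")

    return {
        "change_id": change.change_id,
        "type": kind,
        "author": change.author,
        "independent_approvers": approvers,
        "critical_files": critical_files(change),
        "approved": not findings,
        "findings": findings,
    }


# Constructed sample changes covering the cases the gate distinguishes.
SAMPLE_CHANGES = [
    Change("CHG-1001", "alice", ["bob"], ["web/templates/home.html"], True, "TKT-1"),
    Change("CHG-1002", "alice", ["alice"], ["payments/settle.py"], True, "TKT-2"),
    Change("CHG-1003", "carol", ["dave"], ["payments/settle.py"], True, "TKT-3"),
    Change("CHG-1004", "erin", [], ["docs/readme.md"], False),
    Change("CHG-1005", "frank", ["grace"], ["deploy/hotfix.sh"], True, "INC-9", emergency=True),
]


def audit_report(changes: List[Change]) -> List[Dict[str, Any]]:
    """One evidence record per change, in the order they were submitted."""
    return [gate(c) for c in changes]


if __name__ == "__main__":
    for record in audit_report(SAMPLE_CHANGES):
        verdict = "DEPLOY" if record["approved"] else "BLOCK "
        print(f'{verdict} {record["change_id"]} [{record["type"]}] {record["findings"]}')
```

Standard changes to non-critical paths pass with only the test and ticket checks, which is the "make as much as possible standard and auto-approve" advice from slide 21; a self-approved change to a payments path is blocked even though its tests passed, which is the separation-of-duties control regulators look for. Keeping every record, approved or blocked, is what turns the pipeline itself into the audit trail.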
  • 25. Continuous Deployment … or Delivery?
    • High risk of automated changes to a live, business-critical system
    • Live deployments work well for stateless web applications, where users are unlikely to notice a switch in environment
    • Not well suited to high volume, low latency platforms
    • Use best practices of Continuous Delivery to ensure changes are always ready to be deployed
    • Schedule deployment using traditional method (out of hours, etc)
  • 26. How to Change Without Failing
    • Minimise the risk of change (automate everything)
    • Reduce the batch size of changes
    • Identify problems early (measure your MTTD)
    • Make sure you can recover (minimise your MTTR)
    • Be ready to roll back
    • Incident response – always be prepared
  • 27. Prove It!
    DevOps Enterprise Summit. DOES15 - Bill Shinn - Prove It! The Last Mile for DevOps in Regulated Organizations. Accessed 18 April 2017. https://www.youtube.com/watch?v=gg8gGisl4zM.
  • 28. Netflix Conformity Monkey
    Izrailevsky, Yury. ‘The Netflix Simian Army’. Accessed 19 April 2017. http://techblog.netflix.com/2011/07/netflix-simian-army.html.
  • 29. Chef InSpec
    ‘InSpec | IT Security and Compliance as Code’. Chef. Accessed 19 April 2017. https://www.chef.io/inspec/.
    “InSpec is an open-source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements. When compliance is code, you can integrate automated tests that check for adherence to policy into any stage of your deployment pipeline.”
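Slide 29 quotes the idea behind InSpec: policy requirements written as executable tests that run at any stage of the pipeline. The block below is an added example of that idea in plain Python rather than the InSpec Ruby DSL, so it shows the pattern (parse the configuration, evaluate each control, report pass/fail with evidence) and not the tool itself; it is not Chef's code. The two sshd_config-style texts, the control ids and the requirements are all constructed for illustration.

```python
"""Compliance as code in the spirit of slide 29: policy requirements
written as executable tests that a pipeline stage can run on every build.
Added example in plain Python rather than the InSpec Ruby DSL, to show the
idea rather than the tool; the sshd_config-style texts below are
constructed for illustration, not taken from any real host."""
from typing import Callable, Dict, List, Tuple

# Constructed "before" configuration with several weak settings.
WEAK_CONFIG = """\
# managed by configuration management
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
X11Forwarding no
"""

# Constructed hardened counterpart that the policy below accepts.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 4
X11Forwarding no
ClientAliveInterval 300
"""

# Policy: (control id, directive, requirement, predicate on the lower-cased value).
# Control ids and requirements are constructed for this example.
POLICY: List[Tuple[str, str, str, Callable[[str], bool]]] = [
    ("ssh-01", "PermitRootLogin", "must be no", lambda v: v == "no"),
    ("ssh-02", "PasswordAuthentication", "must be no", lambda v: v == "no"),
    ("ssh-03", "PubkeyAuthentication", "must be yes", lambda v: v == "yes"),
    ("ssh-04", "MaxAuthTries", "must be 4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
    ("ssh-05", "X11Forwarding", "must be no", lambda v: v == "no"),
    ("ssh-06", "ClientAliveInterval", "must be set above 0", lambda v: v.isdigit() and int(v) > 0),
]


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' (or 'Directive=value') lines, dropping
    comments and blanks. Directive names are case-insensitive in
    sshd_config, so they are normalised to lower case."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def evaluate(text: str, policy=POLICY) -> List[Dict[str, str]]:
    """One result per control. A missing directive is a failure: the
    daemon default then applies, and the policy cannot assume it is compliant."""
    settings = parse_config(text)
    results = []
    for control_id, directive, requirement, ok in policy:
        actual = settings.get(directive.lower())
        if actual is None:
            status, note = "fail", "directive not set; daemon default applies"
        elif ok(actual.lower()):
            status, note = "pass", ""
        else:
            status, note = "fail", f"{requirement}, found {actual!r}"
        results.append({"control": control_id, "directive": directive,
                        "status": status, "note": note})
    return results


def summarize(results: List[Dict[str, str]]) -> Dict[str, object]:
    failed = [r["control"] for r in results if r["status"] == "fail"]
    return {"total": len(results), "failed": failed, "compliant": not failed}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for r in evaluate(cfg):
            print(f'{name:8} {r["control"]} {r["status"]:4} {r["directive"]} {r["note"]}')
        print(name, summarize(evaluate(cfg)))
```

Treating an absent directive as a failure rather than a pass is the choice that matters in a regulated setting: a control that silently accepts the daemon default proves nothing to an auditor. Run against the weak configuration the check fails four of six controls; against the hardened one it passes cleanly, which is the result a pipeline stage would gate on.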
  • 30. AWS Inspector
    https://aws.amazon.com/inspector/
  • 31. DevOps Audit Defence Toolkit
  • 32. Parts Unlimited
  • 33. The “Pull List”
  • 34. Addressing Concerns
  • 35. In Detail
  • 36. Case Studies
  • 37. ING Bank
    • Used to use heavyweight process frameworks (Prince2, RUP, and CMMI, and ITIL for operations)
    • Changes were made slowly and were costly
    • Ad-hoc adoption of Agile with Scrum teams
    • Adoption of Continuous Delivery and DevOps followed
    • 500 legacy applications decommissioned
    • 2 year deployments done in 2 hours
  • 38. Capital One
    • Embraced Agile, DevOps and Cloud from the outset
    • Less technical debt and bureaucracy
    • DevOps technology operating model, which it calls “Engineering Excellence.”
    “Once you go upstream and have development teams truly own their code in production there is an accountability and a quality dynamic that happens that is a very powerful incentive” - Rob Alexander, Capital One CIO
  • 39. Thank You! © 2017 VERACODE INC.