How to apply DevOps in a regulated organisation
Colin Domoney
Slide 1: How to Apply DevOps in a Regulated Organisation
© 2017 VERACODE INC.

Slide 2: About This Webinar
Colin Domoney, Consultant Solution Architect, @colindomoney
Topics:
• Benefits of DevOps
• The Problem with DevOps
• Regulation 101
• Best Practices and Recommendations
• DevOps Audit Defence Toolkit
• Case Studies

Slide 3: Further Reading
• Kim, Gene, Kevin Behr, and George Spafford. 2013. The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win.
• Kim, Gene, Patrick Debois, and John Willis. 2016. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations.
• Bird, Jim. ‘DevOps for Finance - O’Reilly Media’. Accessed 19 April 2017. http://www.oreilly.com/webops-perf/free/devops-for-finance.csp.
• ‘2016 State of DevOps Report’. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
• ‘DevOps Audit Defense Toolkit’. Accessed 19 April 2017. https://plus.google.com/communities/103372669680429508474.

Slide 4: The Benefits of DevOps

Slide 5: The Benefits of DevOps
• High-performing organizations are decisively outperforming their lower-performing peers in terms of throughput.
• High performers have better employee loyalty, as measured by employee Net Promoter Score (eNPS).
• Improving quality is everyone’s job.
• High performers spend 50 percent less time remediating security issues than low performers.
• Taking an experimental approach to product development can improve your IT and organizational performance.
• Undertaking a technology transformation initiative can produce sizeable cost savings for any organization.
Source: ‘2016 State of DevOps Report’. 2017. Puppet. Accessed January 23. https://puppet.com/resources/white-paper/2016-state-of-devops-report.
Slide 6: The Problem with DevOps

Slide 7: A Complete Mismatch?
• “celebrate failure”
• “blameless post-mortem”
• “fail fast, fail often”
• “automated release management”
• “breaking down siloes”

Slide 8: Some Basic Problems
‘DevOps Is Great for Startups, but for Enterprises It Won’t Work—Yet’. WSJ, 13 May 2014. https://blogs.wsj.com/cio/2014/05/13/devops-is-great-for-startups-but-for-enterprises-it-wont-work-yet/.

Slide 9: Some Basic Problems
• Siloed structures and organisational inertia make the changes required by DevOps difficult and expensive
• DevOps tooling and solutions are not always suited to legacy systems
• Building the financial ROI case for a technology-driven business process transformation across business silos is problematic
• The cultural transformation necessary may be hard to achieve in large-scale enterprises

Slide 10: And More Problems
• Highly siloed environments present great inertia and resistance to change
• Highly interdependent systems make changes difficult to test
• Legacy systems and technology
• Legacy controls (CMMI, ITIL, ISO standards)
• Compliance implications
  – Separation of duties
  – Severe fines
• Perception that DevOps will make IT less secure
Slide 11: Regulation 101

Slide 12: What Are We Talking About?

Slide 13: Regulation and Performance
“(the report) found that survey respondents in healthcare, banking, transportation and manufacturing reported a disproportionately high percentage of low-performing IT.”
‘But Wait, There’s More: Extra Data from the 2015 DevOps Survey’. Puppet. Accessed 19 April 2017. https://puppet.com/blog/but-wait-there-s-more-extra-data-from-2015-devops-survey.

Slide 14: The High Cost of Failure
• On August 1, 2012, new code was deployed to all servers
• A single server was missed by an operator
• Alerts were missed by operators before market open
• Checks were bypassed in code
• Rollback made things worse temporarily
• Incident lasted only 45 minutes
• Lost $440 million
• Acquired within four months of the incident

Slide 15: Regulators and the Compliance Department
• Many, many regulatory bodies
• Not applicable to all business units
• Often legacy or outdated controls
• Internal compliance organisation creates even more stringent requirements
• Original intent is lost

Slide 16: Multiple Regulators
IT Revolution. DOES16 London - Robert Scherrer - DevOps in a Highly Regulated Financial Infrastructure Company. Accessed 18 April 2017. https://www.youtube.com/watch?v=SczLjDOdF1E&t=40s.

Slide 17: Best Practices and Recommendations
Slide 18: Understanding Your Environment
1. Find a tame auditor
2. Read the regulations
3. Understand the intent
4. Read the internal regulations
5. Challenge … and simplify
Puppet. Puppet and DevOps in Regulated Environments. Accessed 18 April 2017. https://www.youtube.com/watch?v=yj9PbsNO2uE&t=1503s.

Slide 19: Step by Step
1. Meet the compliance team
2. Categorise risk by severity/prevalence
3. Describe the risk and proposed mitigation
4. Automate the process (if possible)
5. Test and verify the control
6. Communicate the control to stakeholders
DevSecCon. DevOps, Security, and Compliance: Working in Unison. Accessed 18 April 2017. https://www.youtube.com/watch?v=2Rq3q4C1WaU.

Slide 20: ITIL in a DevOps World
• Nothing in ITIL is in contradiction with DevOps principles
• Issues arise in typical ITIL implementations:
  – Slow change management process
  – Enforces siloes and departments
“DevOps is basically more about how-to-do, ITIL more about what-to-do”

Slide 21: Change Management Process
• The ITIL change management process defines three types of change:
  – Standard (low-risk, follows a standard process, can be automated)
  – Normal (requires approval by the CAB, the change advisory board; manual process)
  – Emergency (high-priority CAB)
• Too many changes are classified as ‘normal’
• DevOps best practice suggests:
  – Try to make as much as possible ‘standard’ and auto-approve it
  – Optimise the CAB process for the requests that remain ‘normal’

Slide 22: Two-speed IT Architecture
Two types of IT systems:
1. Slower-changing legacy backend ‘systems of record’ (where money is kept and counted)
2. More agile frontend ‘systems of engagement’ (where money is made or lost)
DevOps makes most sense in the latter case.

Slide 23: Control Your Source Code Repositories
• Continuous Deployment means any code checked in can potentially reach production within minutes
• Best practices include:
  – Splitting repositories
  – Using Perforce for fine-grained control
  – Performing peer reviews on ‘pull requests’ to critical code

Slide 24: Protect Your Deployment Pipeline
• Continuous Deployment means that your pipeline is a critical piece of infrastructure
• Best practices include:
  – Hardening CI/CD systems to prevent compromise
  – Reviewing changes to prevent execution of unwanted code
  – Testing for suspicious API calls in unit tests or scripts
  – Ensuring CI/CD runs in isolated containers
  – Ensuring VCS credentials are ‘read only’
Slide 25: Continuous Deployment … or Delivery?
• High risk of automated changes to a live, business-critical system
• Live deployments work well for stateless web applications, where users are unlikely to notice a switch in environment
• Not well suited to high-volume, low-latency platforms
• Use the best practices of Continuous Delivery to ensure changes are always ready to be deployed
• Schedule deployment using the traditional method (out of hours, etc.)

Slide 26: How to Change Without Failing
• Minimise the risk of change (automate everything)
• Reduce the batch size of changes
• Identify problems early (measure your MTTD, mean time to detect)
• Make sure you can recover (minimise your MTTR, mean time to recover)
• Be ready to roll back
• Incident response: always be prepared

Slide 27: Prove It!
DevOps Enterprise Summit. DOES15 - Bill Shinn - Prove It! The Last Mile for DevOps in Regulated Organizations. Accessed 18 April 2017. https://www.youtube.com/watch?v=gg8gGisl4zM.

Slide 28: Netflix Conformity Monkey
Izrailevsky, Yury. ‘The Netflix Simian Army’. Accessed 19 April 2017. http://techblog.netflix.com/2011/07/netflix-simian-army.html.

Slide 29: Chef InSpec
‘InSpec | IT Security and Compliance as Code’. Chef. Accessed 19 April 2017. https://www.chef.io/inspec/.
“InSpec is an open-source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements. When compliance is code, you can integrate automated tests that check for adherence to policy into any stage of your deployment pipeline.”
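As an added example (not code from the deck, from Veracode or from Chef InSpec) of turning the bullets on the ‘Protect Your Deployment Pipeline’ slide into the kind of automated, evidence-producing policy check that the InSpec quote describes, the Python below evaluates a pipeline definition against four controls and records what it observed for each. The pipeline dict layout, its job fields and both sample pipelines are assumptions constructed for the example.

```python
"""Policy-as-code checks over a CI/CD pipeline definition (added example, not
from the deck or from Chef InSpec). The pipeline dict layout is hypothetical,
assumed to be exported from the CI system; each control maps to a bullet on
the 'Protect Your Deployment Pipeline' slide and returns auditor-readable evidence."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # control name, as it would appear on an audit pull list
    passed: bool
    evidence: str  # what was observed, so an auditor can reproduce the result

# Shell idioms in pipeline steps that execute code nobody has reviewed.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b"), "remote script piped to a shell"),
    (re.compile(r"\beval\b"), "eval of a dynamically built command"),
    (re.compile(r"\bbase64\b.*(-d|--decode)\b"), "decoding of an obfuscated payload"),
]

def check_vcs_read_only(pipeline):
    scope = pipeline.get("vcs_credentials", {}).get("scope")
    return Finding("VCS credentials are read only", scope == "read",
                   f"vcs_credentials.scope={scope!r}")

def check_isolated_runners(pipeline):
    unisolated = [j["name"] for j in pipeline["jobs"] if not j.get("container")]
    return Finding("Jobs run in isolated containers", not unisolated,
                   f"jobs without a container: {unisolated}")

def check_no_suspicious_steps(pipeline):
    hits = [f"{j['name']}: {why}: {step}" for j in pipeline["jobs"]
            for step in j["steps"] for pattern, why in SUSPICIOUS if pattern.search(step)]
    return Finding("No unreviewed code execution in steps", not hits,
                   f"suspicious steps: {hits}")

def check_production_review_gate(pipeline):
    ungated = [j["name"] for j in pipeline["jobs"]
               if j.get("environment") == "production" and not j.get("requires_review")]
    return Finding("Production deploys require peer review", not ungated,
                   f"production jobs without a review gate: {ungated}")

CONTROLS = (check_vcs_read_only, check_isolated_runners,
            check_no_suspicious_steps, check_production_review_gate)

def evaluate(pipeline):
    """Run every control; the returned list is the evidence record for this pipeline."""
    return [control(pipeline) for control in CONTROLS]

def failed_controls(pipeline):
    return [f.control for f in evaluate(pipeline) if not f.passed]

# Constructed sample: a pipeline that violates every control above.
WEAK_PIPELINE = {
    "vcs_credentials": {"scope": "read-write"},
    "jobs": [
        {"name": "build", "container": "python:3.12",
         "steps": ["pip install -r requirements.txt", "pytest"]},
        {"name": "deploy-prod", "container": None, "environment": "production",
         "requires_review": False,
         "steps": ["curl -s https://example.invalid/install.sh | sh", "./deploy.sh"]},
    ],
}

# The same pipeline with each weak setting corrected.
HARDENED_PIPELINE = {
    "vcs_credentials": {"scope": "read"},
    "jobs": [
        {"name": "build", "container": "python:3.12",
         "steps": ["pip install -r requirements.txt", "pytest"]},
        {"name": "deploy-prod", "container": "deployer:1.0", "environment": "production",
         "requires_review": True, "steps": ["./deploy.sh"]},
    ],
}

if __name__ == "__main__":
    for name, pipeline in (("weak", WEAK_PIPELINE), ("hardened", HARDENED_PIPELINE)):
        for f in evaluate(pipeline):
            print(f"[{name}] {'PASS' if f.passed else 'FAIL'} {f.control}: {f.evidence}")
```

Run in the pipeline itself, a non-empty `failed_controls` result is the gate, and the `Finding` list is the evidence to hand to the auditor.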
Slide 30: AWS Inspector
https://aws.amazon.com/inspector/

Slide 31: DevOps Audit Defence Toolkit

Slide 32: Parts Unlimited

Slide 33: The “Pull List”

Slide 34: Addressing Concerns

Slide 35: In Detail

Slide 36: Case Studies

Slide 37: ING Bank
• Previously used heavyweight process frameworks (Prince2, RUP and CMMI, and ITIL for operations)
• Changes were made slowly and were costly
• Ad-hoc adoption of Agile with Scrum teams
• Adoption of Continuous Delivery and DevOps followed
• 500 legacy applications decommissioned
• Deployments that previously took 2 years are now done in 2 hours

Slide 38: Capital One
• Embraced Agile, DevOps and Cloud from the outset
• Less technical debt and bureaucracy
• DevOps technology operating model, which it calls “Engineering Excellence”
“Once you go upstream and have development teams truly own their code in production there is an accountability and a quality dynamic that happens that is a very powerful incentive” - Rob Alexander, Capital One CIO

Slide 39: Thank You!