
Automated Governance – Raising the bar for Agility

Thoughtworks consultants Bal Sandhu and Satyam Agarwala demo an opinionated approach to automated governance that builds on the platform foundations to help unlock agility in today's cloud native landscape.

Published in: Technology

  1. Satyam Agarwala, Lead Consultant; Bal Sandhu, Consultant
  2. Automated Governance - Raising the Bar for Agility. Bal Sandhu, Satyam Agarwala
  3. Agenda: business agility and flow; governance; automating governance; Binary Authorisation & demo; benefits & challenges
  4. Agility: Lean, Agile, DevOps, Cloud Native
  5. Flow, from engineer to customer: Lean, Agile, DevOps, Cloud Native, Agility
  6. One does not simply deploy into production
  7–8. What is governance? Value and risk
  9–12. Impact of poor governance: outages/incidents, change controls, batch size, operational risk
  13–16. Scaling governance: deploy time versus governance time, Q1 to Q4
  17–20. We want to improve the flow of value to our customers by reducing handoffs, so that our business agility increases, without introducing risks that make operating the business harder
  21. Automating governance
  22–27. Modelling governance: control owners, control points, evidence, evidence-based sign-offs, release approval
  28–33. Binary Authorisation, key concepts: Attestors (a codified control point); Attestation (signed using a private key); Policy (requires attestation from named attestors); Enforcer (verifies using the public key)
  34–42. Scenario #1: ensure all deployments have code with 90% test coverage. Actors: Developer, Control Owner. Flow: Commit → CI & CD (Test, Build) → Image pushed to Google Container Registry → Coverage Attestor records an attestation in the Metadata Store → Deploy
  43. Demo #1
  44–47. Scenario #1, continued: Deploy to the GKE Cluster, where the BinAuthZ Enforcer checks the image against the BinAuthZ Policies
  48. Scenario #2: Control Owner decides to bump the test coverage threshold to 95%
  49. Demo #2
  50–52. Scenario #2 flow: Commit → CI & CD (Test, Build) → Image → Google Container Registry → Coverage Attestor* → Metadata Store
  53. Scenario #3: Developer decides test coverage checks are not needed
  54. Demo #3
  55–61. Scenario #3 flow: Commit → CI & CD (Test, Build) → Image → Google Container Registry → Deploy to the GKE Cluster, where the BinAuthZ Enforcer checks the BinAuthZ Policies against the Metadata Store (no Coverage Attestor step in the pipeline)
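The attestor, attestation, policy and enforcer flow from the key-concepts slides, replayed across the three demo scenarios above. This is an added Go example, not code from the talk and not Google's Binary Authorization implementation: the ed25519 key pairs, the in-memory metadata store, the attestor name `coverage-attestor`, the image digests and the coverage numbers are all constructed here. It goes one step beyond the slides with a variant of scenario #3, in which an attestation carrying the attestor's name but signed with a key the enforcer does not trust is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Attestation is a signed statement "attestor X vouches for image digest D".
type Attestation struct {
	Attestor, ImageDigest string
	Signature             []byte
}
type MetadataStore map[string][]Attestation // attestations by image digest (the slides' metadata store)

// Attestor is a codified control point: a check on CI evidence plus a private key held only by the control owner.
type Attestor struct {
	Name  string
	Check func(coverage float64) bool
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

func NewAttestor(name string, check func(float64) bool) *Attestor {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: a signing service cannot continue
	}
	return &Attestor{Name: name, Check: check, Pub: pub, priv: priv}
}

// payload binds the attestor name to the digest so a signature cannot be reused under another name.
func payload(attestor, digest string) []byte { return []byte(attestor + "\x00" + digest) }

// Attest signs only when the check passes; the attestation is then written to the store.
func (a *Attestor) Attest(digest string, coverage float64, store MetadataStore) bool {
	if !a.Check(coverage) {
		return false
	}
	sig := ed25519.Sign(a.priv, payload(a.Name, digest))
	store[digest] = append(store[digest], Attestation{a.Name, digest, sig})
	return true
}

// Enforcer is the admission side: the policy names required attestors, and only public keys are held.
type Enforcer struct {
	RequiredAttestors []string
	TrustedKeys       map[string]ed25519.PublicKey
}

// NewEnforcer builds the policy from the attestors the control owners publish; private keys never cross over.
func NewEnforcer(required ...*Attestor) Enforcer {
	e := Enforcer{TrustedKeys: map[string]ed25519.PublicKey{}}
	for _, a := range required {
		e.RequiredAttestors = append(e.RequiredAttestors, a.Name)
		e.TrustedKeys[a.Name] = a.Pub
	}
	return e
}

// Admit decides whether an image digest may be deployed, and why.
func (e Enforcer) Admit(digest string, store MetadataStore) (bool, string) {
	for _, name := range e.RequiredAttestors {
		key, trusted := e.TrustedKeys[name]
		verified := false
		for _, att := range store[digest] {
			if trusted && att.Attestor == name && att.ImageDigest == digest &&
				ed25519.Verify(key, payload(name, digest), att.Signature) {
				verified = true
			}
		}
		if !verified {
			return false, "missing or invalid attestation from " + name
		}
	}
	return true, "all required attestations verified"
}

func coverageAtLeast(t float64) func(float64) bool { return func(c float64) bool { return c >= t } }

// RunScenarios replays the deck's three scenarios with constructed digests and coverage numbers.
func RunScenarios() map[string]bool {
	attestor := NewAttestor("coverage-attestor", coverageAtLeast(90))
	store, enforcer, verdicts := MetadataStore{}, NewEnforcer(attestor), map[string]bool{}
	// Scenario 1: 92% coverage against a 90% threshold: attested, admitted.
	attestor.Attest("sha256:build-1", 92, store)
	verdicts["s1-threshold-90"], _ = enforcer.Admit("sha256:build-1", store)
	// Scenario 2: control owner raises the threshold to 95%; the same coverage earns no signature.
	attestor.Check = coverageAtLeast(95)
	attestor.Attest("sha256:build-2", 92, store)
	verdicts["s2-threshold-95"], _ = enforcer.Admit("sha256:build-2", store)
	// Scenario 3: developer skips the coverage step; no attestation exists for the image.
	verdicts["s3-check-skipped"], _ = enforcer.Admit("sha256:build-3", store)
	// Variant of scenario 3: same attestor name, different key; the enforcer trusts only the control owner's key.
	rogue := NewAttestor("coverage-attestor", func(float64) bool { return true })
	rogue.Attest("sha256:build-3", 0, store)
	verdicts["s3-untrusted-key"], _ = enforcer.Admit("sha256:build-3", store)
	return verdicts
}

func main() {
	fmt.Println(RunScenarios())
}
```

Two design points carry the governance argument. The control owner's threshold change in scenario #2 touches only the attestor; the pipeline and the enforcer policy are unchanged, which is what lets a control be tightened without a handoff. And the enforcer never sees a private key, so a developer who removes the check (scenario #3) or signs with a key of their own cannot produce an attestation the cluster accepts.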
  62–64. What else can be codified? Build provenance; known open source vulnerabilities scan; entropy check for secrets; builds from certified base images; K8S manifest tests; open source license checks; unit, functional & performance testing; organisation-specific policies
  65. Benefits & Challenges
  66–69. Benefits of automating governance: faster value creation; deterministic; reduced wastage; assurance & autonomy
  70–72. Challenges: ecosystem maturity; org culture and support; org technical maturity
  73. Conclusion
  74–77. Deploy rate >>> release rate; manual governance imposes a ceiling on agility; migration to the cloud is a paradigm shift; build the foundations, but don't stop once you have
  78. Thank you. Bal Sandhu, Satyam Agarwala