Digital Systems & Technology

DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments

As IT organizations push forward with DevOps tools that automate application development and maintenance processes, they can lose sight of the key “who, what, where and when” variables that surround software releases, thus elevating the possibility of noncompliance with a host of regulatory mandates. By embracing blockchain, they can create a tamperproof way of ensuring regulatory compliance while extending their embrace of IT service automation.
Executive Summary
As digital overturns the value propositions of business models across the globe, enterprises need to stay one step ahead of technology’s unrelenting progress to remain relevant. Businesses rely on enterprise IT to run business better, and IT teams across the world are embracing DevOps[1] to automate and accelerate application delivery and support.
The global DevOps platform market is expected to grow at a CAGR of 22.5%, reaching a total value of approximately $12.9 billion by 2024, according to researcher Ameri Research.[2] Regulated industries such as banking and financial services, as well as healthcare and life sciences, account for more than 50% of the projected DevOps market. These industries have significant regulatory compliance challenges, as their applications must meet mandates such as HIPAA,[3] Sarbanes-Oxley (SOX),[4] GAMP 5[5] and numerous mandates laid out by the U.S. Food and Drug Administration (FDA).[6]

Cognizant 20-20 Insights
June 2019
Based on our estimates, the demand for DevOps in regulated industries is expected to accelerate the CAGR projection cited above. The regulatory bodies named above mandate stringent, documented processes for business activities including application delivery and support. Process compliance is validated through a series of audits that trace whether the quality standards the regulated company has adopted were actually followed.

In our view, the traceability of a software release (the who/what/when concerning changes made) can cease to be present, or at least obvious, when IT organizations rely on the automated constructs enabled by DevOps: the evidence is scattered across pipeline tools and typically held in logs that the same tools, or their administrators, can rewrite. This could lead to noncompliance. As a result, many enterprises are grappling with the paradox of DevOps automation versus increased government scrutiny; eventually, they need to consider a Faustian bargain of trading off speed for statutory compliance.
Emerging technologies such as blockchain, which combines a distributed ledger with strong cryptography, offer competitive solutions for diverse business challenges that involve numerous stakeholders. This white paper presents a solution that uses blockchain technology to solve regulatory challenges in DevOps adoption. The solution is available as a feature in our product Cognizant OneDevOps™ Insights,[7] which helps organizations measure progress in software delivery through dashboards and metrics.
Regulatory impediments for DevOps adoption
As IT organizations adopt DevOps, friction often emerges between IT and the audit department. The cost of auditing increases as the software development lifecycle (SDLC) progresses, because noncompliance identified at later phases of the SDLC will result in significant rework, and often significant penalties, for the offending company. Hence, it is vital that appropriate controls are in place during every phase of the SDLC and that auditability is reported in a tamperproof way.

DevOps processes challenge the traditional way of thinking about audit, controls, security and risk. IT and audit should be able to find cooperative ways of working so financial processes and controls are in alignment with IT’s efforts to accelerate product rollouts using DevOps principles.

The conventional approach requires auditors to review enterprise IT systems and report business risks (BR) associated with automated processes (or DevOps). Business or IT then comes up with an appropriate control strategy (CS) to mitigate the risk and provides evidence of how effectively the control strategy is being followed or adopted. Figure 1 portrays several BR instances identified by an auditor and the appropriate CS and process evidence.[8]
Figure 1: Fitting risk with controls

Risk 1
Business risk: An internal actor abuses privileges (provided or developed) to commit fraud against the organization and/or its customers.
Control strategy: All code is validated through defined controls prior to production deployment to prevent developers from inserting “back doors” or vulnerabilities into production.
Process evidence:
- Static code analysis based on a well-defined coding standard.
- Change history for the coding standards document (for at least the last five changes).
- Build statistics for the last six months showing details of broken builds due to static code analysis violations.

Risk 2
Business risk: Code is deployed into production that causes an outage, service impairment or data errors.
Control strategy: All code is validated prior to production deployment to ensure the service runs correctly in production and interruptions can be fixed quickly.
Process evidence:
- Comprehensive quality management process that clearly defines test cases.
- Change history for at least the last five changes made to the test cases.
- Test report statistics for the last six months showing the details of the test executions.

Risk 3
Business risk: An external actor gains unauthorized access to production or preproduction environments (e.g., database, OS, networking) and installs malicious code or changes/steals data.
Control strategy: Unauthorized access is prevented, detected and corrected through the regular review of access credentials and system configurations based on the published SLA for each element of the environment.
Process evidence:
- Well-defined role-based access system implemented across all the stages of software development.
- Clear event and access logs for access controls for all tools and higher environments.
Regulatory Compliance’s Toll on App Dev
Audits play a vital role in certifying that enterprises are ready for business. Specific statutory bodies regulate each industry — for instance, fintech needs to comply with SOX, whereas healthcare needs to abide by HIPAA9 and GAMP 5. These regulations are structural rather than prescriptive in nature. For instance, GAMP 5 mandates regular quality checks during application development, which may include engineering practices like test-driven development (TDD),10 peer reviews and a comprehensive quality management system; however, it does not define the intrinsic details of the activities and validations.
Each enterprise has the flexibility to define its own software development and support processes that broadly comply with the respective guidelines, while adherence is reviewed in an audit. The following are the three broad categories of information reviewed during an audit:
❙❙ Segregation of duties: An audit trail of the system of records that holds complete
information of the role-based access control system so one person alone cannot make
changes to software in production.
❙❙ Traceability: An audit trail of the system of records that traces an artifact across the
software delivery pipeline. For instance, the end-to-end traceability of user stories,
commits, build numbers, etc. through production deployments.
❙❙ Chain of custody: An audit trail of the system of records that holds complete
information of the state and ownership of the software asset across the software delivery
pipeline. For instance, who were the developers and approvers associated with the
changes across the development phases of the software?
Quick Take (Figure 2): Top-four regulatory compliance pain points during an audit
1. Automation: exists only for lower environments; lack of traceability.
2. Process: well-defined, however manual; checklist-based.
3. Data: scattered evidence; manual collation.
4. Culture: show and tell; often reactive.
Blockchain as an application delivery backbone
Application delivery in regulated industries must
comply with a host of compliance guidelines,
which makes enterprise automation and DevOps
transformation extremely challenging. A solution
that enables organizations to run DevOps
automation alongside existing controls on the
software delivery process and provides enough
evidence of traceability, segregation of duties, and
chain of custody in a clear and tamper-resistant
way is the need of the hour.
A blockchain primer
Blockchain technology is piloted across enterprises
to solve issues with trust, security, immutability
and traceability across all the parties involved in
a business transaction. Blockchain’s technology
infrastructure allows multiple stakeholders to share
a common truth in an immutable and decentralized
manner via a distributed ledger. The issues of trust,
security, immutability and traceability are addressed
by blockchain components such as smart contracts,
digital signatures and cryptography.
An internal survey conducted across our regulated projects shows the impact of audits (internal as well as external) on application delivery. The top four areas and their pain points are depicted in Figure 2.
Figure 2: Top-four regulatory compliance pain points during an audit. All of these areas and pain points hamper DevOps automation and make audits both time-consuming and process-heavy. Source: Cognizant.
The transfer of an asset from one stage of the
SDLC to another is recorded within the blockchain
infrastructure. For instance, all the events and
states of a software asset (i.e., user story or
requirement, code commits, build versions,
packages, deployments, tests and defects)
are linked to each other and stored inside the
blockchain infrastructure. The details for each
of the transactions — including the person who
made the change, the exact time stamp and the
associated metadata — are also archived in a
tamperproof fashion.
This information serves as the source of truth for
auditors for reviewing the process associated
with software development. All the associated
transactions are recorded within blockchain
infrastructure for the respective phase of software
development.
A blockchain-based enterprise DevOps solution
can both accelerate application delivery and
comply with regulatory requirements, where the
risk-based controls and processes are clearly
enforced and recorded in a private permissioned
blockchain network such as Hyperledger Fabric.11
Our solution is built around a private permissioned distributed ledger such as Hyperledger Fabric that serves as the backbone of the enterprise DevOps ecosystem — typically, an integrated system of SDLC and information technology service management (ITSM) tools (see Figure 4). The DevOps implementation would typically comprise subsystems of continuous integration, continuous delivery, release management and environment management. Each subsystem may have manual or automated processes for validating application quality such as static code analysis, unit testing, code coverage, regression testing, etc.

Figure 3: Blockchain’s evolution into DevOps
Traditional DevOps (before state): Jira (user story), Git (code), Jenkins (builds) and HP ALM (defects) each hold their SDLC information within the boundaries of the tool, resulting in isolated automation and lack of transparency.
Blockchain-based DevOps (after state): SDLC information from the same tools (Jira user stories, Git code, Jenkins builds, HP ALM defects) is recorded within the blockchain as assets, through smart contracts and consensus, in a tamperproof way for use in audit and compliance.
In a typical DevOps implementation, each of
the SDLC and ITSM tools are integrated with
each other such that the construct of a delivery
pipeline allows seamless movement of code
across the build, deploy, test and release stages
of the application lifecycle. The blockchain
implementation for a DevOps ecosystem will
comprise the following components:
Figure 4: How DevOps capabilities are extended via blockchain
DevOps application delivery pipeline: Business Requirement → User Story/Feature → Code Commits → Continuous Integration → Deployment → Testing → Release → Change Management → Operations.
Tools shown along the pipeline: Blueprint, Jira, Git, Jenkins, Chef, SE, Plutora, ServiceNow, Dynatrace.
Agents collect events from these tools into the blockchain technology layer, which gives the regulatory auditor a view of 1. segregation of duties, 2. chain of custody and 3. traceability.
❙❙ Agents: Data collectors that focus on
assembling data for specific events from
respective SDLC tools. All information about
a change in state of an asset inside a tool will
be queried by the agents and will be sent to
the blockchain for validation and archiving.
For instance, agents that work with application
lifecycle management (ALM) and source code
management (SCM) tools collect metadata for
stories and commits for state changes.
❙❙ Event handler: The data from the agents is
parsed and processed prior to being archived
on the blockchain. The event handler invokes an
appropriate smart contract based on the data
collected by the agent. For instance, data from
ALM and SCM tools is parsed; the event handler
then invokes the respective smart contracts
to record the information to the blockchain
infrastructure.
❙❙ Smart contracts: Definitions of the policies and processes that require adherence for a specific regulatory guideline are codified inside smart contracts. These constitute the decentralized business logic that validates and archives the data within the blockchain infrastructure.
❙❙ Query component: This is the subsystem that
focuses on querying information from the
blockchain. It takes input such as asset details
(e.g., user story identifier, code commit number,
etc.), queries the blockchain and returns all the
transactions associated with details such as who,
what, when and how. The information retrieved
is presented in the user interface where auditors
and regulatory authorities can review adherence.
❙❙ Auditor view: The regulatory authorities will
have a view of the following:
>> Segregation of duties: This means a clear
view of the personas who made changes.
For instance, implementation of role-based
access control across the SDLC and ITSM to
prevent one person from making changes to
systems in production.
>> Traceability: The ability to look at the
software asset’s trace events associated
with any particular change request or change
of state.
>> Chain of custody: The ability to look at
detailed drill-down information on each state
or phase of the software asset shown inside
the traceability function that addresses the
questions what, when and how.
❙❙ DevOps ecosystem: This refers to the SDLC
and ITSM tool chains that are integrated to
facilitate the automated code movement and
deployment across various environments.
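The flow described in this component list (agents collect state changes from the SDLC tools, the event handler invokes a smart contract that validates and archives them, and the query component answers who, what, when and how for an asset) is shown below as an added example; it is not code from the paper or from Cognizant’s solution. It is a minimal hash-chained ledger in Go that stands in for a Hyperledger Fabric network with an in-memory chain: the validation a smart contract would apply (stage order as entry/exit gates, segregation of duties between committer and releaser, a passing test result as evidence before release), plus the traceability query and an integrity check an auditor would run. The stage names, field names, policy rules and sample events are assumptions constructed for the example; the same ledger also illustrates the three audit categories (segregation of duties, traceability, chain of custody) introduced earlier.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Event is one state change of an SDLC asset as an agent would collect it from a
// tool such as Jira, Git or Jenkins. Field names are assumptions for this example.
type Event struct {
	AssetID  string            // user story the change belongs to
	Stage    string            // story, commit, build, test or release
	Actor    string            // who caused the change
	Time     string            // timestamp reported by the source tool
	Metadata map[string]string // tool details (commit id, build number, test result, ...)
}

// Block stores an event with a hash over its position, the previous block's hash
// and the event itself, so editing any archived event invalidates every later block.
type Block struct {
	Event Event
	Hash  string
}

// Ledger is the append-only chain; Append plays the role of the smart contract.
type Ledger struct{ Blocks []Block }

// stageOrder is the pipeline sequence the contract enforces as entry/exit gates.
var stageOrder = map[string]int{"story": 0, "commit": 1, "build": 2, "test": 3, "release": 4}

func hashBlock(index int, prevHash string, ev Event) string {
	payload, _ := json.Marshal(ev) // encoding/json sorts map keys, so this is deterministic
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s", index, prevHash, payload)))
	return hex.EncodeToString(sum[:])
}

// Trace answers the traceability and chain-of-custody questions: every recorded
// event for an asset in order, each carrying who, which stage, when and what.
func (l *Ledger) Trace(assetID string) []Event {
	var out []Event
	for _, b := range l.Blocks {
		if b.Event.AssetID == assetID {
			out = append(out, b.Event)
		}
	}
	return out
}

// validate is the policy applied before archiving: stage order, segregation of
// duties on release, and a passing test result as evidence for the release.
func (l *Ledger) validate(ev Event) error {
	trail, current := l.Trace(ev.AssetID), -1
	if len(trail) > 0 {
		current = stageOrder[trail[len(trail)-1].Stage]
	}
	if next, ok := stageOrder[ev.Stage]; !ok || next != current+1 {
		return fmt.Errorf("%s cannot enter stage %q from its current stage", ev.AssetID, ev.Stage)
	}
	if ev.Stage == "release" {
		tested := false
		for _, e := range trail {
			if e.Stage == "commit" && e.Actor == ev.Actor {
				return fmt.Errorf("segregation of duties: %s both committed and released %s", ev.Actor, ev.AssetID)
			}
			tested = tested || (e.Stage == "test" && e.Metadata["result"] == "pass")
		}
		if !tested {
			return fmt.Errorf("release of %s refused: no passing test evidence", ev.AssetID)
		}
	}
	return nil
}

// Append validates an event and archives it as a new block linked to the last one.
func (l *Ledger) Append(ev Event) error {
	if err := l.validate(ev); err != nil {
		return err
	}
	prev := ""
	if n := len(l.Blocks); n > 0 {
		prev = l.Blocks[n-1].Hash
	}
	l.Blocks = append(l.Blocks, Block{ev, hashBlock(len(l.Blocks), prev, ev)})
	return nil
}

// Verify recomputes every hash and link; an auditor runs it before trusting the trail.
func (l *Ledger) Verify() bool {
	prev := ""
	for i, b := range l.Blocks {
		if b.Hash != hashBlock(i, prev, b.Event) {
			return false
		}
		prev = b.Hash
	}
	return true
}

// SampleLedger feeds constructed events (sample data, not from any real project)
// through the contract and returns the ledger plus the events it refused.
func SampleLedger() (*Ledger, []error) {
	l, refused := &Ledger{}, []error{}
	events := []Event{
		{"STORY-42", "story", "alice", "2019-03-01T09:00:00Z", map[string]string{"title": "Add audit export"}},
		{"STORY-42", "commit", "bob", "2019-03-02T10:15:00Z", map[string]string{"commit": "a1b2c3d"}},
		{"STORY-42", "build", "jenkins", "2019-03-02T10:20:00Z", map[string]string{"build": "1187"}},
		{"STORY-42", "test", "jenkins", "2019-03-02T10:40:00Z", map[string]string{"result": "pass"}},
		{"STORY-42", "release", "bob", "2019-03-03T08:00:00Z", nil},   // refused: bob also committed
		{"STORY-42", "release", "carol", "2019-03-03T08:05:00Z", nil}, // accepted: separate approver
		{"STORY-43", "build", "jenkins", "2019-03-03T09:00:00Z", nil}, // refused: skips story and commit
	}
	for _, ev := range events {
		if err := l.Append(ev); err != nil {
			refused = append(refused, err)
		}
	}
	return l, refused
}

func main() {
	l, refused := SampleLedger()
	fmt.Println("refused:", refused, "chain valid:", l.Verify())
	l.Blocks[1].Event.Actor = "mallory" // tamper with an archived event
	fmt.Println("chain valid after tampering:", l.Verify())
}
```

In a Fabric deployment the validation in `validate` would live in chaincode and the peers’ consensus and ledger hash chain would replace the in-memory chain; the tampering step at the end of `main` shows what the immutability claim buys an auditor, because rewriting a single archived event breaks every later link.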
Blockchain-enabled DevOps transformation
Accelerated DevOps
A DevOps implementation backed by blockchain
technology can serve as a backbone for enterprise
IT, which can release an application to production
faster, resolve issues quicker and improve the user
experience without compromising on quality and
auditability.
In our assessment of a large banking customer, where DevOps practices were not applied to preproduction and production because of stricter regulatory compliance requirements and audits, 50% of a 90-day product release was spent on manual release activities and record-keeping. This includes time spent on environments, deployments and approvals. A solution such as blockchain-based DevOps can bring down the release timelines by 70%, while more effectively enabling regulatory compliance.
Transparency & traceability
All the events associated with an artifact (e.g., a
requirement, user story or defect) in application
delivery are recorded as they occurred within
blockchain infrastructure as a transparent and
tamperproof system of records. The system
of records will serve as a complete audit trail
associated with the artifact along with its digital
imprints ensuring compliance.
Cultural shift: A departure from sample-based audits
Recording the transfer of a software asset from one stage of development to the next inside the blockchain allows real-time, comprehensive audits without sampling. Today, because of the practical complexities of accessing, analyzing and reviewing data along with its evidence, auditors restrict their reviews to sampled data sets and specific periods. With this feature, the following results can be expected:
❙❙ Audit preparation time will be reduced by one-third, because all the information is recorded as an immutable source within the blockchain.
❙❙ The number of stakeholders involved in the audit process will be reduced due to automation.
❙❙ Automation will reduce manual error, and the audit trail recorded inside the blockchain further improves the transparency of the audit process.
Looking forward
Blockchain technology opens up a new model
of operating DevOps by defining compliance
as code. The entire application delivery lifecycle
could be codified as smart contracts through
various DevOps tools such as Git, Jenkins, Jira
and HP ALM. Smart contracts would validate the
entry and exit points of the various stages of the
application delivery pipeline, shifting IT away from
proprietary checks inside specific tools. Since
the quality gates and validations are abstracted
away from the DevOps tools, this helps IT to
accommodate process changes with greater agility
and confidence.
Enterprises understand that audits are a routine
part of doing business, and they anticipate greater
challenges in complying with regulatory standards
that are updated to accommodate changing
socioeconomic and geopolitical developments.
Given blockchain’s growing maturity as an
enterprise infrastructure, we recommend that IT
leaders review their existing application delivery
and DevOps processes and consider embracing
distributed ledger technology to enable a more
proactive and automated approach to regulatory
compliance.
Blockchain-technology-driven DevOps will help IT
organizations to release software at the will of the
business, secure in the knowledge that regulatory
procedures are being met with confidence and
accuracy.
About the authors
Karthikeyan Vedagiri
Associate Director, Digital Engineering Practice, Cognizant
Karthikeyan Vedagiri is an Associate Director, Projects, within Cognizant’s Digital Engineering Practice,
where he focuses on the development of products and accelerators for Cognizant OneDevOps™.
He has more than 15 years of experience in product engineering and quality assurance and specializes in
design and architecture of test automation frameworks, deployment pipelines and DevOps
platforms for emerging technologies such as cloud, container and platform as a service (PaaS).
Karthikeyan has a bachelor’s degree in engineering, with specialization in electronics and communication,
from Madras University, Tamil Nadu, India. He can be reached at Karthikeyan.Vedagiri@cognizant.com |
www.linkedin.com/in/karthikeyan-vedagiri/.
Rajkumar Chandrasekaran
Chief Architect, Digital Engineering Practice, Cognizant
Rajkumar Chandrasekaran is a Chief Architect within Cognizant’s Digital Engineering Practice. He has
17 years of experience in the field of large-scale application development and has played varied roles,
from application architecting through reengineering of applications. Rajkumar is currently architecting
Cognizant’s OneDevOps™ platform and is responsible for product development in the DevOps space.
He has a bachelor’s degree in engineering, with specialization in computer science, from MS University,
Tamil Nadu, India. Rajkumar can be reached at Rajkumar.Chandrasekaran@cognizant.com |
www.linkedin.com/in/rajkumar-chandrasekaran-98309012/.
Endnotes
1 DevOps is a software development methodology that aims to accelerate the software delivery process by means of collaboration between the development and operations teams through automation. See https://en.wikipedia.org/wiki/DevOps
2 DevOps Platform Market Outlook To 2024, Ameri Research, May 3, 2017, www.ameriresearch.com/devops-platform-market-outlook-2024/
3 www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
4 www.investopedia.com/terms/s/sarbanesoxleyact.asp
5 https://ispe.org/sites/default/files/publications/guidance-documents/ISPE-GAMP5-table-content.pdf
6 www.fda.gov/media/73141/download
7 https://onedevops.atlassian.net/wiki/spaces/OI/overview
8 DevOps Audit Defense Toolkit is a community-built process framework for DevOps and compliance, written by James DeLuccia IV, Jeff Gallimore, Gene Kim and Byron Miller.
9 www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
10 http://agiledata.org/essays/tdd.html
11 Hyperledger Fabric is an enterprise-grade permissioned distributed ledger platform for a broad set of industry use cases; www.hyperledger.org/projects/fabric