Traceability and audit concerns with financial data and Continuous Delivery
"I'll be looking at the challenges we faced in taking a company based on financial data from one that deploys every year to one that deploys every week or more, and how CD can actively improve not only deployment speed and reliability but also compliance, traceability and security.
The main areas of focus will be:
• Who do we answer to?
• Protecting the data
• What regulation means for technology choices
• Auditability: how much metadata?!
• Some specific regulations and how they're addressed and enhanced by CD"
Goal: Make financial markets work well – for individuals, for business, large and small, and for the economy as a whole.
FCA: The Financial Conduct Authority
“Cloud” is just outsourcing
Our aim is to avoid imposing inappropriate barriers to firms’ ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed.
Continuous Delivery drives excellent behaviours from a regulatory compliance perspective*
*as well as a few really useful side effects like speed, quality and reliability
Treat all your data as if you are likely to be audited as a regulated body… even if you’re not
Editor's Notes
Introduce me! Career: Database Dev, DBA, Team Lead, Head of
Introduce Callcredit
…this is the story of the last 2 years at Callcredit as we’ve worked to move into a DevOps way of working.
First a bit of background for those of you that don’t know us. CC has only existed as a company for about 15 years, since the Skipton Building Society decided it would be a cunning plan to set up a 3rd Credit Reference Agency to challenge the big 2. What followed was a decade and a half of rapid growth – and it’s that velocity that has created us some amazing opportunities and challenges.
So…
(yes, I’m the king of photoshop…)
So, with new owners and a stated aim to double the revenue of the company in the next 5 years, we clearly needed to stop sprinting to stay put and start getting to a place where we’re actually moving somewhere.
At this point the question in a few of our heads was: could we ever really set up like one of the so-called unicorns?
And if not exactly, could we get close?
So… let’s have a look at some of the potential regulatory constraints…
ICO : Responsible for regulating the use and storage of personal information, and for overseeing the implementation of the Freedom of Information (FOI) Act
PCI Security Standards Council : a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Originally founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa
FCA – replaced the FSA in 2013 following a review of the collapse of the financial markets some years earlier. Has wide ranging powers to regulate conduct related to the marketing of financial products. Aims to put the consumer’s needs at the centre of everything
Personal data means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
Fines up to half a million
So this is NEW: it will apply in the UK from 25 May 2018.
The principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement.
Build and maintain a secure IT network;
Protect cardholder data;
Maintain a vulnerability management programme;
Implement strong access control measures;
Regularly monitor and test networks;
Maintain an information security policy.
If we’re not accredited we simply don’t have a business!
Financial markets need to be honest, fair and effective so that consumers get a fair deal.
It is our aim to make markets work well – for individuals, for business, large and small, and for the economy as a whole.
Able to levy HUGE fines. Biggest so far was £284 million! Levied for bankers caught using chat rooms for fixing foreign exchange rates
Let’s do this!
So, we’ve got THE book, we know there’s a few constraints but we can totally make this work right?
So when I first started talking about CD the general response was…nope
It’ll never work for us…..
But our clients don’t want that much change (CD not CD!)
We can’t put our data in the cloud!
Actually quite a lot of our financial clients already do just that. It’s just that there are some limitations
Which I’ll cover in a bit…
We have a whole bunch of old contracts around where we can store data. i.e in the UK only - what does this mean for Cloud?
DPA - data has to stay in this country - safe harbour ain’t so safe!
Monoliths with a tiny sliver of toxic data inside TB databases.
Side effect of how quickly we’ve grown, focus on
Big difference between us and a start-up is the tech question tends to be why rather than why not.
i.e. Dropbox would be massively handy, but the security concerns (it could allow anyone with access to sensitive data to easily get it outside of our security perimeter) mean we can’t easily leverage mass cloud storage… Enter MS
Long been a running discussion whether the “cloud” is actually just other people’s data centre or if it’s something far more than that, but from the view of compliance and regulation it’s almost exactly that.
It’s still beholden on the company using the cloud infrastructure/services to ensure that everything they’re doing is compliant not on the cloud provider…
No one ever got fired for buying…. Well, Microsoft in our case
Implicit trust…
They’ve put a lot of effort into getting their services appropriately accredited. But when we hand off responsibilities to other firms (as you necessarily do when you move to cloud), auditors will still be asking us how we protect our data; we can’t just assume it’s in safe hands wherever we put it without actually checking.
MS pushing the compliance angle – they understand working with Enterprises
Hybrid might be the best solution and again MS are a very neat segue in this area – Office
Data has to stay in the UK
EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU.
The safe harbour agreement that was made between the EC and the US government essentially promised to protect EU citizens’ data if transferred by American companies to the US.
Declared invalid in October 2015
In reaction to the safe harbour ruling? Possibly
Heavy emphasis on risk management from FCA means we generally need to have appropriate support contracts in place
Opensource is fine, but we do need support
We have ELK instances for metrics, for example, and some very talented SysAdmins supporting and deploying them, but we still need a support contract in place nonetheless – c. 50k per project/product.
Audit audit audit!
Not only do we store a lot of personal data – PII and PCI – we also store a lot of data about how that data is being used
2 types:
- Search audit: we have to audit every search – this runs into billions of rows of data.
- Operational metrics -
We are also obliged not to store the data for too long…. Ran into a design challenge actually deleting the data!
Cloud
Segregation of duties
The tools and practices that we employ for CD make this easy!
Previously, to get something deployed you’d need an operations engineer/DBA who had access to live. Now we don’t need to disturb them, but we can still have the same separation.
So we’re moving entirely away from the way that a lot of the so-called unicorns work, since we can’t have the people that write the code being the people that deploy and support the code. But that’s OK…. In fact maybe that’s better?
DevOps is all about a culture of collaboration above all right?
What this does raise is the question of autonomous teams – one of the cornerstones of the Spotify-like model.
So here’s our team of full stack engineers and rock star DBAs – how autonomous can they actually be?
The segregation and technology constraints I’ve already talked about do mean that we can’t adopt Facebook’s never-say-no-to-the-developers attitude, as we simply have to abide by regulations and someone has to be checking what is and isn’t appropriate or pre-approved.
With a focus on CD, what we can do is furnish the teams with everything they need to get from idea to live without hand-offs that slow us down and/or lead to misunderstandings and errors, albeit with certain necessary tools and processes enforced.
So – autonomous-ish ;)
A need for end-to-end visibility and traceability leads to automation.
Traceability
- nothing is less traceable than a person!
- we know who cut code, what was tested
- we know what was deployed when – really what, not what someone said they’d done
- source control (for software & “hardware”)
Security
- fewer people need access to the live card data environments, which helps with “Implement strong access control measures” in PCI
- we’re able to quickly, safely push through things like zero day security patches. Regulators like this for obvious reasons
Auditability
- standardisation: most audits are along the lines of “are you doing what you say you are?” This is a much easier discussion when everything is going through the same automated process
- not just software deployments
- but also server builds
Immutable infrastructure
- some of the new ways of managing infrastructure – containers, PaaS services that are built entirely from code – make the two previous items even more reliable and more obviously compliant
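To make the segregation-of-duties and traceability points concrete, here is an added example (not code from the talk or from Callcredit) of the metadata a pipeline can record for every deployment and the checks an auditor would expect it to enforce: the author of a change is not the person who approved or deployed it, and the artifact that went live is byte-for-byte the one the tests ran against. The record fields, the sample identities and the artifact bytes are all constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed stand-in for a built package; a real pipeline would hash the real artifact.
ARTIFACT = b"example-service build output (constructed sample)"


@dataclass(frozen=True)
class DeploymentRecord:
    """Metadata a regulator-facing pipeline keeps for every deployment (assumed schema)."""
    commit: str           # who cut the code: commit id from source control
    author: str           # developer who authored the change
    test_run: str         # id of the automated test run that passed
    tested_digest: str    # sha256 of the artifact that was tested
    deployed_digest: str  # sha256 of the artifact actually deployed
    approver: str         # person who approved the release
    deployer: str         # identity (human or service account) that ran the deployment
    deployed_at: str      # ISO 8601 timestamp of the deployment


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_violations(rec: DeploymentRecord) -> list[str]:
    """Return the compliance problems found in a record; an empty list means clean."""
    problems = []
    # Segregation of duties: whoever wrote the code must not approve or deploy it.
    if rec.author == rec.approver:
        problems.append("author approved own change")
    if rec.author == rec.deployer:
        problems.append("author deployed own change")
    # Traceability: what went live is exactly what was tested, not what someone said.
    if rec.tested_digest != rec.deployed_digest:
        problems.append("deployed artifact differs from tested artifact")
    # Every deployment must point back at a commit and a test run.
    if not rec.commit or not rec.test_run:
        problems.append("missing commit or test run reference")
    return problems


def to_audit_line(rec: DeploymentRecord) -> str:
    """Serialise the record as one JSON line for an append-only audit log."""
    return json.dumps(asdict(rec), sort_keys=True)


# Constructed sample records: one clean, one that an audit should flag.
GOOD = DeploymentRecord("a1b2c3d", "alice", "ci-1042", digest(ARTIFACT), digest(ARTIFACT),
                        "bob", "deploy-svc", "2016-05-01T09:00:00Z")
BAD = DeploymentRecord("a1b2c3d", "alice", "ci-1042", digest(ARTIFACT),
                       digest(ARTIFACT + b"patched by hand"), "alice", "alice",
                       "2016-05-01T09:05:00Z")
```

Running audit_violations(GOOD) returns an empty list, while the hand-patched, self-approved BAD record yields three findings.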
You could do worse than thinking of your data as if the FCA is likely to audit you…. It gives you sufficient information for trouble-shooting and for providing world-class service to your clients.
Key to learning to me is that we’re custodians of the data – it’s not ours