Achieving Continuous Delivery in Financial Services
•Download as PPTX, PDF•
1 like•356 views
Traceabiltity and audit concerns with financial data and Continuous Delivery "I'll be looking at the challenges we faced in taking a company based on Financial data from one that deploys every year to one that deploys every week or more. And how CD can actively improve, not only deployment speed and reliability, but also compliance, traceability and security. The main areas of focus will be: • Who do we answer to? • Protecting the data • What regulation means for technology choices • Auditability : How much meta data?! • Some specific regulations and how they're addressed and enhanced by CD"
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Achieving Continuous Delivery in Financial Services
Similar to Achieving Continuous Delivery in Financial Services (20)
Recently uploaded
Recently uploaded (20)
Achieving Continuous Delivery in Financial Services
- 1. Ian Watson Head of DevOps Email : ian.watson@callcreditgroup.com Twitter : @purplemarauder Continuous Delivery vs Copious Regulations
- 2. Can you really achieve Continuous Delivery in the highly regulated world of financial services?
- 3. Is it easy to achieve Continuous Delivery in the highly regulated world of financial services?
- 6. We needed to change
- 10. Goal: regulate the use of “personal data” DPA (Data Protection Act)
- 11. Goal: Europe-wide regulation of the use of “personal data” GDPR (General Data Protection Regulation)
- 12. Goal: Protect Cardholder Data PCI DSS (Payment Card Industry Data Security Standard)
- 13. Goal: Make financial markets work well – for individuals, for business, large and small, and for the economy as a whole FCA The Financial Conduct Authority
- 14. Let’s do this!
- 19. What does this mean for technology choices
- 20. “Cloud” is just outsourcing Our aim is to avoid imposing inappropriate barriers to firms’ ability to outsource to innovative and developing areas, while ensuring that risks are appropriately identified and managed.
- 21. No one ever got fired for buying…..
- 23. Hybrid might be the answer
- 24. (Not so) Safe Harbour
- 27. How much meta data?
- 28. Continuous Delivery drives excellent behaviours from a regulatory compliance perspective* *as well as a few really useful side effects like, speed, quality and reliability
- 30. Corollary Enterprise DevOps = Specialisation + Collaboration
- 31. How autonomous is an autonomous team?
- 32. Traceability
- 33. Traceability
- 34. Security
- 35. Patching
- 38. Treat all your data as if you are likely to be audited as a regulated body… ….even if you’re not
Editor's Notes
- Introduce me!
- Career Database Dev DBA Team Lead Head of
- Introduce Callcredit …this is the story of the last 2 years at Callcredit as we’ve worked to move into a DevOps way of working First a bit of background for those of you that don’t know us. CC has only existed as a company for about 15 years, when the Skipton Building society decided it would be a cunning plan to set up a 3rd Credit Reference Agency to challenge the big 2 What followed was a decade and a half of rapid growth – and it’s that velocity that had created us some amazing opportunities and challenges. So… (yes, I’m the king of photoshop…)
- So, with new owners and a stated aim to double the revenue of the company in the next 5 years we clearly needed to stop sprinting to stay put and start getting to a place where we’re actually moving somewhere
- At this point the question in a few of our heads was could we every really set up like one of the so-called unicorns? And if not exactly, could we get close?
- So… let’s have a look at some of the potential regulatory constraints…
- ICO : Responsible for regulating the use and storage of personal information, and for overseeing the implementation of the Freedom of Information (FOI) Act PCI Security Standards Council : a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Originally founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa FCA – replaced the FSA in 2013 following a review of the collapse of the financial markets some years earlier. Has wide ranging powers to regulate conduct related to the marketing of financial products. Aims to put the consumer’s needs at the centre of everything
- Personal data means data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller Fines up to half a million
- So this is NEW will apply in the UK from 25 May 2018 The principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement
- Build and maintain a secure IT network; Protect cardholder data; Maintain a vulnerability management programme; Implement strong access control measures; Regularly monitor and test networks; Maintain an information security policy. If we’re not accredited we simply don’t have a business!
- Financial markets need to be honest, fair and effective so that consumers get a fair deal. It is our aim to make markets work well – for individuals, for business, large and small, and for the economy as a whole. Able to levy HUGE fines. Biggest so far was £284 million! Levied for bankers caught using chat rooms for fixing foreign exchange rates
- Let’s do this! So, we’ve got THE book, we know there’s a few constraints but we can totally make this work right?
- So when I first started talking about CD the general response was…nope It’ll never work for us…..
- But our clients don’t want that much change (CD not CD!)
- We can’t put our data in the cloud! Actually quite a lot of our financial clients already do just that. It’s just that there are some limitations Which I’ll cover in a bit… We have a whole bunch of old contracts around where we can store data. i.e in the UK only - what does this mean for Cloud? DPA - data has to stay in this country - safe harbour ain’t so safe!
- Monoliths with a tiny sliver of toxic data inside TB databases. Side effect of how quickly we’ve grown, focus on
- Big difference between us and a start-up is the tech question tends to be why rather than why not. i.e. dropbox would be massively handy, but the security concerns that could allow anyone with access to sensitive to easily get it outside of our security perimeter mean we can’t easily leverage mass cloud storage.. Enter MS
- Long been a running discussion whether the “cloud” is actually just other people’s data centre or if it’s something far more than that, but from the view of compliance and regulation it’s almost exactly that. It’s still beholden on the company using the cloud infrastructure/services to ensure that everything they’re doing is compliant not on the cloud provider…
- No one ever got fired for buying…. Well, Microsoft in our case Implicit trust… A lot of effort into getting their services appropriately accredited. When we hand off responsibilities to other firms (as you necessarily do when you move to cloud.) i.e. Auditors will still be asking us about how we protect our data we can’t just assume it’s in safe hands wherever we put it without actually checking
- Implicit trust… MS pushing the compliance angle – they understand working with Enterprises
- Hybrid might be the best solution and again MS are a very neat segue in this area – Office
- Data has to stay in the UK EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU. The safe harbour agreement that was made between the EC and the US government essentially promised to protect EU citizens’ data if transferred by American companies to the US. Declared invalid in October 2015
- In reaction to the safe harbour ruling? Possibly
- Heavy emphasis on risk management from FCA means we generally need to have appropriate support contracts in place Opensource is fine, but we do need support We have ELK instances for metrics for example and some v talented SysAdmins supporting and deploying but we still need a support contract in place nonetheless – c50k per project/product
- Audit audit audit! Not only do we store a lot of personal data – PII and PCI – we also store a lot of data about how that data is being used 2 types We have to audit every search – this runs into billions of rows of data. Operational metrics - We also are obliged not to store the data for too long…. Ran into a design challenge actually deleting the data!
- Cloud
- Segregation of duties The tools and practices that we employ for CD make this easy! Previously to get something deployed you’d need an operations engineer/DBA who had access to live. Now we don’t need to disturb them, but can still have the same separation
- So we’re moving entirely away from the way that a lot of the so-called unicorns work, since we can’t have the people that write the code being the people that deploy and support the code. But that’s OK…. In fact maybe that’s better? DevOps is all about a culture of collaboration above all right?
- What this does raise is the question of autonomous teams – one of the cornerstones of the Spotify-like model. So here’s our team of full stack engineers and rock star DBA’s how autonomous can they actually be? The segregation and technology constraints I’ve already talked about do mean that we can’t adopt Facebook’s never say no to the developers attitude, as we simply have to abide by regulations and someone has to be checking what is and isn’t appropriate or pre-approved. With a focus on CD what we can do is furnish the teams with everything they need to get from idea to live without hand-offs that slow us down and/or lead to misunderstandings and errors albeit with certain necessary tools and processes enforced So – autonomous-ish ;)
- A need for end-to-end visibility and traceability leads to automation Traceability – nothing is less traceable than a person! - we know who cut code, what was tested, - We know what was deployed when – really what, not what someone said they’d done
- Source control (for software & “hardware”)
- Security - Less people need access to the live card data environments which helps with “Implement strong access control measures” in PCI
- – we’re able to quickly, safely push through things like zero day security patches. Regulators like this for obvious reasons
- Auditability – Standardisation : Most audits are along the lines of doing what you say you are. This is a much easier discussion when everything is going through the same automated process - not just software deployments - but also server builds
- Immutable infrastructure And some of the new ways of managing infrastructure – containers, PaaS services that are entirely from code make the two previous items even more reliable and more obviously compliant
- You could worse than thinking of your data as if the FCA is likely to audit you…. Gives you sufficient information for trouble-shooting and for providing world-class service to your clients Key to learning to me is that we’re custodians of the data – it’s not ours