5 Best Practices for DevOps in the Financial Services Industry
by Lauren Camacci, on Sep 30, 2019 9:30:00 AM
To stay competitive in a FinTech world, financial institutions are under pressure to bring updates and new features to production faster than ever. These pressures create new threats to security and compliance, the number one priority of a finance industry company. No matter how quickly you produce a new feature or how cool it is, a security breach can do irreversible damage to your business.
While DevOps adoption is increasing in the finance industry, many questions remain on how to adapt it effectively and securely. To help you get an understanding of what needs to be considered, this article explains 5 best practices for DevOps in the financial services industry, which can help your company stay competitive and safe.
1) Infrastructure as Code
Human error in IT presents the biggest security risk for financial institutions: the more chances for a human mistake along a manual workflow, the more chances for security problems that can hurt the company.
Companies are increasingly adopting Agile practices throughout their entire organization. Agile doesn’t work, however, if IT becomes a bottleneck. The IT bottleneck occurs when projects get held up by an IT department reliant on manual processes.
Adopting a DevOps mentality of Infrastructure as Code (IaC) lets you provision servers automatically and automate many of the processes that previously required massive IT resources. IaC has the added benefit of increasing security: automating processes removes human error from the equation at every stage.
Tools like Inedo’s Otter allow companies to configure all servers in a single step and to monitor configuration drift, all automatically. Security and compliance checks can therefore always be running without taxing your IT department’s time or over-relying on human, error-prone checks.
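To make the "monitor configuration drift" idea concrete, here is an added example (not Otter's code, and not how Otter implements drift detection) that compares the state each server reports against the desired state declared in code and lists every deviation. The server names, the settings and the reported state are all constructed for the demonstration:

```python
"""Configuration drift check (added example, not Otter's code).

The desired state is declared once in code; each server's reported state is
compared against it and every deviation is listed. A key missing from a
server's report counts as drift, because an unknown state cannot be assumed
compliant. Server names, settings and reported values are constructed."""

# Desired state, declared in code (constructed example)
DESIRED = {
    "tls_min_version": "1.2",
    "password_auth": False,
    "audit_logging": True,
    "allowed_ssh_cidrs": ["10.0.0.0/8"],
}

# State as reported by each server's agent (constructed example)
REPORTED = {
    "app-01": {"tls_min_version": "1.2", "password_auth": False,
               "audit_logging": True, "allowed_ssh_cidrs": ["10.0.0.0/8"]},
    # app-02 has had TLS 1.0 and password logins re-enabled by hand
    "app-02": {"tls_min_version": "1.0", "password_auth": True,
               "audit_logging": True, "allowed_ssh_cidrs": ["10.0.0.0/8"]},
    # db-01 does not report audit logging at all and has an extra SSH CIDR
    "db-01": {"tls_min_version": "1.2", "password_auth": False,
              "allowed_ssh_cidrs": ["10.0.0.0/8", "0.0.0.0/0"]},
}


def find_drift(desired, reported):
    """Return {server: [(key, expected, actual), ...]} for servers that drift.
    Servers whose reported state matches the desired state are omitted."""
    drift = {}
    for server, state in reported.items():
        deviations = []
        for key, expected in desired.items():
            actual = state.get(key)  # None when the server did not report the key
            if actual != expected:
                deviations.append((key, expected, actual))
        if deviations:
            drift[server] = deviations
    return drift


def drift_report(desired, reported):
    """One human-readable line per deviation, sorted by server name."""
    lines = []
    for server, deviations in sorted(find_drift(desired, reported).items()):
        for key, expected, actual in deviations:
            lines.append(f"{server}: {key} expected {expected!r}, found {actual!r}")
    return lines


if __name__ == "__main__":
    for line in drift_report(DESIRED, REPORTED) or ["no drift detected"]:
        print(line)
```

Run on a schedule against live agent reports, the list returned by `drift_report` is what a compliance check would raise as findings; servers that match the declared state produce no output at all.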
Takeaway #1: The more you have automated, the more secure your IT processes are.
2) Build a Pipeline that Remains Compliant with Financial Regulations and Security
Companies not yet using pipelines for builds and releases face increased risk of lost time and resources as IT struggles to get huge packages to the public. Worse still for financial institutions, there is an increased risk of security problems: without a compliant pipeline, defects can slip through the cracks and cause trouble once packages are released.
Using even a basic pipeline (build, test, deploy, release) offers a repeatable process, reducing security work on your team. If you create a pipeline that strictly complies with financial regulations and necessary security measures, you know all packages moving through that pipeline will be in compliance.
This is particularly important if you use open-source tools from third parties. Incorporating these tools means incorporating their vulnerabilities, so your pipeline must be built to remain compliant and to check for security issues. While you can use the information regularly updated in the National Vulnerability Database to patch security issues manually, an automated process is more secure, because it is faster and reduces human error.
One program that offers vulnerability scanning and blocking is Inedo’s ProGet, which allows you to secure these third-party, open-source tools. This feature includes the option to create records of vulnerabilities and even to create package access rules, blocking the download of packages known to be insecure.
Blocking certain downloads is a form of gating. Gating your pipeline processes adds an extra layer of security, as it grants certain permissions to certain users. Gating would prevent, for example, an entry-level developer from releasing an application before a compliance officer has checked its security. WebMD uses Inedo’s BuildMaster to create permissions gates that keep their releases in compliance with HIPAA and their HITRUST Certification.
Takeaway #2: The more compliant your pipeline and the less human error involved, the more secure your IT processes will be.
3) Decide on Metrics and Testing
As you’re transitioning your financial institution to a DevOps mentality, it’s very important to provide measurable markers of success to executives while keeping IT team morale high and communication open. You need to be able to show the decision-makers at your company that automating your processes will benefit not just the IT department but the whole company, and to keep your team on board during the change.
Especially helpful to financial institutions are things like “number of incidents caused by a release” and “percent of all changes that end up causing major incidents.” Correctly automating your release process will almost certainly reduce the number of emergency-level incidents from your releases, saving time, protecting the company’s reputation, and securing customer data. Metrics like “on-time delivery” can show executives the speed of these safer releases.
Solid metrics are also a reliable way to create positive feedback loops for your teams, keeping communication open and morale high. Metrics like “percent of release success rate” can show your team (and your organization) that your DevOps processes are working to benefit everyone.
Takeaway #3: Use metrics to demonstrate success to your team and your company (a past post offers 25 Release Management KPI You Should Be Tracking where you can learn more).
4) Shift Quality Checks Left
You know the headache and panic associated with finding a security flaw just as you’re ready to go to production. Financial institutions are under more pressure than almost any industry to never, ever allow a security breach or failure. A security failure can spell disaster for the institution. But most current IT processes catch security problems way too late in the game.
Thankfully, the industry is trending towards the “shift left.” Simply put, testing must happen early in the process, because “the closer to release that a defect is detected, the more expensive it is to fix.” Once your company adopts a DevOps mentality, you can shift your security testing left, automating continuous testing all along your pipeline. Instead of one big check at the end of the pipeline, you can build a pipeline that performs security checks automatically at multiple stages, so flaws are caught while they are still cheap to fix.
Government-affiliated companies like Ronin Software are under similar pressures to maintain strict security compliance. Ronin uses Inedo’s BuildMaster to automate their security checks, avoiding the human errors involved in checking and fixing security issues manually at the end of the development process.
Takeaway #4: You decrease emergencies at the end of the pipeline when you “shift left” your security checks.
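The pipeline gating described in practice 2 (blocking packages with known vulnerabilities, and requiring a compliance officer's sign-off before release) and the multi-stage, shifted-left checks described in practice 4 fit naturally into one model, so here is one added example that covers both. It is not BuildMaster's or ProGet's code: a basic build/test/deploy/release pipeline runs the checks that belong to each stage and stops at the first failing gate, so a vulnerable dependency is rejected at build time rather than just before release, and the release stage cannot run without the right approvals. The vulnerability records, package names, roles and approvals are all constructed placeholders; a real pipeline would take its vulnerability data from a feed such as the NVD.

```python
"""Multi-stage pipeline with security gates (added example, not Inedo code).

Stages run in order: build, test, deploy, release. Each stage has a gate; the
first failing gate stops the run. Dependency blocking happens at the build
stage (the earliest point), and the release stage is gated on an approval
recorded for the compliance_officer role. All data below is constructed."""

from dataclasses import dataclass, field

# Constructed vulnerability records: (package, version) -> placeholder id.
# These are not real advisories; a real gate would read a feed such as the NVD.
KNOWN_VULNERABLE = {
    ("libfoo", "1.4.0"): "VULN-PLACEHOLDER-1",
    ("barlib", "2.0.1"): "VULN-PLACEHOLDER-2",
}


@dataclass
class Release:
    name: str
    packages: dict                               # package name -> version
    tests_passed: bool
    approvals: set = field(default_factory=set)  # roles that have signed off


@dataclass
class GateResult:
    stage: str
    ok: bool
    reason: str = ""


def check_dependencies(rel):
    """Build-stage gate: refuse any package/version on the blocked list."""
    blocked = [f"{p}=={v} ({KNOWN_VULNERABLE[(p, v)]})"
               for p, v in rel.packages.items() if (p, v) in KNOWN_VULNERABLE]
    if blocked:
        return GateResult("build", False, "blocked packages: " + ", ".join(blocked))
    return GateResult("build", True)


def check_tests(rel):
    """Test-stage gate: the automated suite must have passed."""
    return GateResult("test", rel.tests_passed,
                      "" if rel.tests_passed else "test suite failed")


def check_deploy(rel):
    """Deploy-stage gate: deployment to staging needs an engineering sign-off."""
    ok = "engineering_lead" in rel.approvals
    return GateResult("deploy", ok, "" if ok else "missing engineering_lead approval")


def check_release(rel):
    """Release-stage gate: production release needs the compliance officer."""
    ok = "compliance_officer" in rel.approvals
    return GateResult("release", ok, "" if ok else "missing compliance_officer approval")


STAGES = [check_dependencies, check_tests, check_deploy, check_release]


def run_pipeline(rel):
    """Run the stages in order and stop at the first failing gate.
    Returns the list of GateResults produced before stopping."""
    results = []
    for gate in STAGES:
        result = gate(rel)
        results.append(result)
        if not result.ok:
            break
    return results


def released(results):
    """True only if every stage ran and the release gate passed."""
    return bool(results) and results[-1].stage == "release" and results[-1].ok


if __name__ == "__main__":
    # A release pinned to a blocked package: stopped at build, never reaches release.
    vulnerable = Release("r1", {"libfoo": "1.4.0", "baz": "3.1"}, True,
                         {"engineering_lead", "compliance_officer"})
    # A clean release that a developer tried to push without compliance sign-off.
    unapproved = Release("r2", {"libfoo": "1.5.0"}, True, {"engineering_lead"})
    for rel in (vulnerable, unapproved):
        for r in run_pipeline(rel):
            print(f"{rel.name} {r.stage}: {'ok' if r.ok else 'FAILED - ' + r.reason}")
        print(f"{rel.name} released: {released(run_pipeline(rel))}")
```

The point of the ordering is the shift left: the dependency gate is the cheapest check and runs first, so a release carrying a blocked package fails before any test or deployment resources are spent, while the approval gate for the compliance officer sits last because it is the one step that must involve a human.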
5) Break Up Siloed Delivery Teams
Especially among large, multi-regional or multi-national companies, it is way too easy for silos to form. You’ve probably heard of “the Bob problem,” and you’ve certainly seen it: “Bob” is the one team member who knows how the process works, and without “Bob,” nothing gets done. “Bob” becomes a one-person information silo. This slows down the entire process and, if “Bob” leaves the company or is otherwise unavailable, your financial institution can face major issues, as you rely on rigorous security systems and processes.
DevOps silos create artificial barriers that block good communication and slow down all IT processes. DevOps necessarily breaks silos apart. Don’t expect this to happen overnight. Because DevOps is a mentality, it will take time to adopt, but the investment will be a credit to your company.
Takeaway #5: Don’t be a “Bob”; create an Agile, DevOps environment among your team.
DevOps Adds Speed and Safety to IT in the Financial Services Industry
These 5 best practices for DevOps in the Financial Services Industry can guide you to bring DevOps on board at your finance industry company. Remember: DevOps is a change of methods and mentality. This change won’t happen overnight, but the benefits to your company are immense. DevOps can help you maintain your company’s commitment to security and compliance while keeping pace in the rapidly changing world of FinTech.
Inedo DevOps tools maximize developer time, minimize release risk, and empower stakeholders to bring their vision to life faster. All with the people and technology you have right now.