Last year’s 2019 State of DevOps report surveyed more than 3,000 DevOps practitioners across different industries. The focus of the report was on how an improvement in security measures can assist release velocity. Results indicated that organizations that made the effort to integrate security at all levels, and that viewed it as a shared responsibility, reaped the reward of being able to deploy more frequently. This post specifically looks at the survey results for how highly regulated industries, like financial services and insurance, measure up on security against the other industries canvassed for this report.
A way to integrate security across your organization and to meet compliance during and after the cloud native transition is to automate software delivery with GitOps. But before we get there, let’s first examine what kind of security and compliance problems arise within highly regulated environments.
The cloud native journey for financial services
In companies that have significant compliance and regulatory commitments, like financial services organizations, good security practices are of utmost importance. While many financial services organizations are doing quite well implementing DevOps and embracing cloud native, they are not doing that well on the security front. According to the survey, many of these firms are in the middle of their cloud native journey and few will successfully reach the stage where teams can fully automate all of their security concerns.
Strong DevOps but weak security integration
There are many reasons for this security shortcoming. One major issue is that many large financial organizations have been around for decades, and in some cases as long as 100 years. Transforming the technology in a 100-year-old organization presents unique challenges, both on an organizational level with its many functional silos and on a technical level. Many of these organizations are dealing with large amounts of technical debt. Also, compliance and other regulatory requirements can be onerous and a literal gating factor when these organizations are trying to transform legacy development practices into a more agile environment.
The report asked respondents about common DevOps practices and then categorized these in order to examine trends across industries.
#1 Ability to expand DevOps practices
Being able to expand quickly and incorporate new DevOps practices is a hallmark of an efficient organization. The financial services and insurance sector fared quite well in the study among its peers and was gauged as having a medium level of uptake. However, it was also pointed out that while many organizations in this sector had a strong foundation, they all faced issues reaching the high or elite levels of cloud native adoption.
#2 Ability to deploy on demand
The ability to deploy on demand without overhead is a hallmark of a fully cloud native enterprise. Companies that can deploy faster gain significant competitive advantage. It is one of the main reasons for taking the cloud native journey. 42% of respondents from financial services and insurance industries said they could deploy on demand to production. Out of all of the industries surveyed, financial services and insurance fell on the lower end of the scale.
#3 Audit processes and greater security guarantees
The survey sought to find out if audits in these organizations helped or hindered security. Only 17% of those surveyed in the financial and insurance sectors agreed that the audit process actually minimized risk.
And only 12% strongly agreed that issues identified during the audit process were actually prioritized. This is the lowest of all industries who were surveyed!
How can deployment speed in regulated environments be improved?
In most financial organizations, each product change is checked and audited, making it difficult to automate and ultimately to maintain velocity. Some essential tools, such as an external container registry or other types of cloud services, may also be restricted in such an environment. And if you want to fully take advantage of DevOps, apply GitOps best practices and continuously deploy changes, production may be locked down because of these extra audit checks.
Today, booting a Kubernetes cluster is dead simple. But managing and automating an entire Kubernetes platform with all of its add-ons can be challenging. For example, if you want to run a machine learning or a specific finance stack, making it secure, reproducible and auditable is hard. There is also the issue of speed: if you can’t spin up an entire application cluster when you need to, your productivity will grind to a halt while you recreate your cluster environment for QA, as an example.
GitOps: a workflow for increased security
GitOps is a standardized workflow for how to deploy, configure, monitor and manage Kubernetes. The core idea behind GitOps is that a Git repository always contains the declarative description of the desired state of your production environment. When a change is pushed to either the code repo or to the cluster repo, an alert is sent indicating a change in state. An automated, secure process then ensures that your production environment always matches the state described in the repository.
When all of your declarative manifests are kept in Git, both application deployments and platform components are easily managed. Applying GitOps best practices means that a single ‘source of truth’ exists for both your infrastructure and application code, which ultimately increases velocity, improves system reliability, and can also help meet compliance regulations.
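As an added illustration (not code from this post or from Weaveworks’ tooling), here is a minimal drift check in Go, the language of Kubernetes and most GitOps operators: it compares a constructed desired state (what Git declares) against a constructed observed state (what the cluster runs) and flags every difference, which is the event the post describes as an alert indicating a change in state. Workload names, images and the simplified `Workload` fields are made up for the example.

```go
package main
import "fmt"
// Workload is a constructed stand-in for the Deployment fields an auditor cares about.
type Workload struct {
	Image    string
	Replicas int
}
// Drift is one difference between the desired state (Git) and the observed state (cluster).
type Drift struct{ Desired, Observed string }
// DetectDrift compares the declarative desired state from the repository with what is
// actually running and returns every difference keyed by "workload/field". Workloads that
// run in production but are absent from Git are reported too: they are the unreviewed changes.
func DetectDrift(desired, observed map[string]Workload) map[string]Drift {
	out := map[string]Drift{}
	for name, want := range desired {
		got, ok := observed[name]
		if !ok {
			out[name+"/presence"] = Drift{"declared", "missing"}
			continue
		}
		if want.Image != got.Image {
			out[name+"/image"] = Drift{want.Image, got.Image}
		}
		if want.Replicas != got.Replicas {
			out[name+"/replicas"] = Drift{fmt.Sprint(want.Replicas), fmt.Sprint(got.Replicas)}
		}
	}
	for name := range observed {
		if _, ok := desired[name]; !ok {
			out[name+"/presence"] = Drift{"undeclared", "running"}
		}
	}
	return out
}

func main() {
	// Constructed sample: Git declares two workloads; the cluster has drifted from it.
	desired := map[string]Workload{
		"payments-api": {"registry.example/payments:1.4.2", 3},
		"ledger":       {"registry.example/ledger:2.0.0", 2},
	}
	observed := map[string]Workload{
		"payments-api": {"registry.example/payments:1.4.2", 1}, // scaled down by hand
		"debug-shell":  {"registry.example/busybox:latest", 1},  // never reviewed in Git
	}
	for key, d := range DetectDrift(desired, observed) {
		fmt.Printf("ALERT %s: desired=%s observed=%s\n", key, d.Desired, d.Observed)
	}
}
```

In a real GitOps loop the reconciler would follow each alert by re-applying the Git state to the cluster, so that production converges on the repository and never the other way round.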
The report concluded that getting security right during the transition is not simple. It’s particularly troublesome if your organization hasn’t incorporated and integrated security best practices into all parts of the organization during the shift, and instead left it as an afterthought.
Best practices like GitOps can be implemented early on in your journey to increase velocity, reliability and to strengthen security guarantees, among other benefits.
Have questions on what you need to create a cloud native platform?
The Weaveworks team can help you navigate the vast landscape of cloud native technologies – OSS and paid. Together we can create a cloud native reference architecture that fits your business needs. You can benefit from a Weaveworks’ validated design or you can design, review and select technology options with our help.
Contact us for a demo of the Weave Kubernetes Platform.