Keynote at the Swiss CISO Summit, September 2, 2020, in Zürich, Switzerland
Christian Reinhard, Leader Application Management, Finnova AG Bankware
Aarno Aukia, CTO & Partner, VSHN - The DevOps Company
Finnova offers innovative software solutions for the banking sector as a software product and also in the form of a software-as-a-service model. There are strong needs and incentives to assume responsibility for confidentiality, integrity, and availability.
Christian and Aarno will present the current state of the Dev(Sec)Ops pipelines of their own products, the application management processes and automation for first- and third-party software, and finally the container platforms and tools used for operational security engineering. The speakers will provide insights into challenges and experiences.
4. Finnova Application Management Seewen
more than just Application Management
FINNOVA SOLUTIONS, FINNOVA CONSULTING, FINNOVA PRODUKTHAUS
5. Agenda
CISO Summit
1 Introduction
2 User story – from the idea to OpenShift platform
3 Security within the platform
4 DevOps (VSHN)
5 Key takeaways
6. A solution arises from a customer need together with the customer – Finnova Portal as a Service
03.08.2020
CMS portal technology
Finnova Omega Platform Development Partner
Finnova Open Platform
Orchestration with processes and FIL services
Finnova Core
Operation of the CMS portal in the SaaS model
Workshop Neobank
OPERATION AND APPLICATION MANAGEMENT AT FINNOVA AM IN SEEWEN
7. Finnova Platform
[Diagram: Portal as a Service. Labels: Portal; three instances each of WAF, Core and OMEGA; Finnova Core Suite; 3rd Party Portal „Liferay“ – ti&m]
13. VSHN - The DevOps Company
DevOps
Collaboration between Software Development (Dev) and IT-Operations (Ops)
● Automate as much as possible (“Infrastructure as code”)
● Use standard services (layers of abstractions with clear API) to abstract complexity
● Cost efficient and lean way of working
● Agility: ability to react to new/changing requirements
● One team with a common goal: ship stable features
● Continuous improvement
14. VSHN - The DevOps Company
DevOps: People, Processes & Tools
15. VSHN - The DevOps Company
DevOps + Security Engineering = DevSecOps
16. VSHN - The DevOps Company
Traditional IT governance
● “Full Stack Audit”
● Review design document
● Every layer was custom built
○ physical hardware
○ handcrafted servers
○ manual application deployment
● Review each layer
● Review each layer again next year...
17. VSHN - The DevOps Company
Cloud native IT governance
● Standardized components
○ already audited, some even externally certified
○ re-used, economies of scale, CMMI level 5
○ tech controls (AAI, RBAC, logs/SIEM) implemented once
○ financial controls implemented once
● Infrastructure: private/public cloud, onprem
● Ops: Container orchestration platform
● Review design document & platform configuration
18. VSHN - The DevOps Company
IT governance controls in container platforms
● prevent configuration drift
○ immutable (application) infrastructure using containers
○ deploy dev/test/stage/prod envs from CI/CD
● prevent manual errors
○ validate configuration in CI/CD before deployment
○ standardization on (minimal, hardened) OS and container orchestrator
○ deployment automation removes need for (most) root prod access
● security by default
○ image scanning, dependency vulnerability management
○ process/storage/network separation of applications/environments
○ volumes & ingress points best practice (documentation, monitoring, backup, SSL/TLS/WAF)
○ AAI for admin & application, audit trail logging of CI/CD, control & application planes
○ key & secrets management
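One way the "validate configuration in CI/CD before deployment" control can look in a pipeline, as an added example that is not from the talk or from Finnova's or VSHN's tooling. The check set, the function name `validate_deployment` and the sample manifest (including the registry host) are assumptions chosen to mirror the bullets above: pinned images against drift, no privileged/root containers, resource limits, and secrets referenced rather than embedded.

```python
import re

# Constructed sample: a Deployment as a CI job would see it after parsing the manifest.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "portal"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "registry.example.internal/portal/web:latest",
         "securityContext": {"privileged": True},
         "env": [{"name": "DB_PASSWORD", "value": "changeme"}]},
        {"name": "sidecar",
         "image": "registry.example.internal/portal/proxy@sha256:" + "0" * 64,
         "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
         "resources": {"limits": {"cpu": "200m", "memory": "128Mi"}},
         "env": [{"name": "API_TOKEN",
                  "valueFrom": {"secretKeyRef": {"name": "proxy", "key": "token"}}}]},
    ]}}},
}

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.I)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def validate_deployment(manifest):
    """Return a list of findings; an empty list means the manifest may be deployed."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if not DIGEST.search(c.get("image", "")):  # mutable tags allow drift
            findings.append(f"{name}: image not pinned by digest")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not enforced")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not (c.get("resources") or {}).get("limits"):
            findings.append(f"{name}: no resource limits")
        for env in c.get("env") or []:
            # Secrets must come from the secret store, not from a literal in the manifest.
            if SECRET_NAME.search(env.get("name", "")) and "value" in env:
                findings.append(f"{name}: secret {env['name']} set as literal value")
    return findings

if __name__ == "__main__":  # CI usage: a non-zero exit blocks the deployment stage
    raise SystemExit("\n".join(validate_deployment(SAMPLE_DEPLOYMENT)) or 0)
```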
19. VSHN - The DevOps Company
IT governance financial/compliance controlling
● compute resources billable by project
● self-service-onboarding possible
● autoscaling, scale-down dev envs outside office hours
● vendor procurement/due diligence/certification management
● SLA, 24x7, service process, escalation management clearly defined
21. VSHN - The DevOps Company
Key takeaways
● Modularization
○ Modular digitalization platform enabling multi-tenancy and development autonomy
○ clearly defined layers for API and operations for alignment
● Collaboration
○ BPF orchestration engine to provide end-to-end process for Dev & Ops (Application Management) at Finnova
○ clearly defined layers for operations and specialization
22. VSHN - The DevOps Company
About Aarno & VSHN.ch
@aarnoaukia http://about.me/aarno a@vshn.ch
ETH → Google → Atrila → VSHN
VSHN - The DevOps Company
Since 2014, currently 45 VSHNeers in Zürich, Switzerland
Helping Developers run applications on any infrastructure making both visitors happy with stability and developers happy with agility
23. Come visit us for a coffee!
VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch
https://vshn.ch/kontakt/
Follow us on Twitter!
@vshn_ch