Integrating DevOps and open source tooling inside an insurance company such as Manulife is, obviously, a challenge. The challenge is not only technological, with its links to legacy apps, but also a cultural shift to a new security and risk era. In our journey to DevOps, people were surprised by how close we have been to the security and risk teams. Most people try to avoid them, and they expected the same from us. Behind their expectation were also the same old questions: ‘But are open source and security not contradictory?’ and ‘If you would like to move faster, how could you do that with security restrictions?’ During this presentation we will go through our technology stack, including Kubernetes, Docker, microservices…, and see what our approach has been to integrating a security strategy into our open source platform. Our gaps and successes…
DevOps & Insurance Company: Create A Bridge Between Security And Change
1. DevOps & Insurance Company: Create a Bridge between Security and Change
Jonathan Le Lous, Director Engineering Engagement and Release Platforms
Thibault Cohen, Release Platforms Lead
Global Technology
4. Manulife
Ratings: A.M. Best A+, DBRS AA (low), Fitch AA-, Moody’s A1, S&P AA-
Serving 1 in 3 Canadians
Founded in 1887
Canada’s largest insurance company
20+ countries
Employee volunteer hours: 107,288
Community investment: $39.9M
Investments in renewable energy and energy efficiency projects: $10.9B
Manulife economic impact
Assets managed and administered: $1 trillion
Statistics as of December 31, 2017
6. ‘Honouring our Past, Engaging our Future’
“transforming our business to be much more of a technology-driven company” Roy Gori, Manulife’s CEO.
▪ Legacy – Reducing the Run and Modernize Apps
▪ Net New – Leveraging Micro-services and APIs
8. Platform Strategy: Kubernetes & PCF
“While Cloud Foundry's PaaS can free up developers from infrastructure management worries, Kubernetes' container orchestration and cluster management functions can preserve control over the infrastructure for ops.” TechTarget (03/27/2017)
1. Legacy Apps
2. DevOps
1. Build Net New apps
2. Production Platform
1. Convergence strategy
2. Decision Framework
10. Example 1: The easy one
▪ All developer teams are using Scrum methodology
▪ All new projects are micro services running in PCF
▪ These projects are stored in GitLab using forking strategy
▪ The CI is based on Jenkins Pipelines
▪ Unit tests, SonarQube, BlackDuck, Fortify, ...
▪ The CD is based on Concourse
▪ 4 persistent PCF environments: DEV/TEST/QA/PROD
11. Example 2: Back to the future
▪ Bring a 28-year-old application to GitLab/Jenkins
▪ Migrate more than 30000 commits from Harvest to Git
▪ Reproduce Harvest concepts with GitLab/Jenkins
▪ Reduce developer learning curve
▪ Next steps:
▪ Move away from Harvest concepts to standard DevOps concepts
▪ Add more automated tests in Jenkins (SonarQube, BlackDuck, Fortify, ...)
▪ Add more tools in the pipeline (Doxygen, HyperSQL, ...)
13. BUILD: Leverage Open Source
▪ By-default Open Standard
▪ Support Communities (event, membership)
▪ Contribute upstream
▪ Hiring Top Talent
▪ Talk at Open Source Events
Open Source Ecosystems
Manulife
Technical Leader