DevOps is making its impact on almost every software-powered company these days. Companies in the finance domain were perhaps the slowest to embrace DevOps, but it is safe to say that they are currently leading the digital innovation in this sphere of cloud-native technology. The initial hindrance towards DevOps in financial institutions came from the principles they adhere to around governance, security, compliance, and regulation.
Why DevOps for the Finance Industry?
Higher customer engagement and continuous transactions make the industry one of the busiest, and it naturally requires uninterrupted infrastructure. DevOps implementation helps companies develop fast, fail fast, and learn fast so they can fulfill customer expectations and deliver features to market faster than their competitors. In the finance sector, the technology has not evolved much, as many companies assume that embracing DevOps is risky rather than beneficial. There is a lot of legacy code and old methodologies still in practice; financial institutions are lagging in digital innovation, and adopting DevOps can close this gap.
Challenges of implementing DevOps in the finance industry
Unlike other industries, regulated industries face several challenges:
- Strong restrictions on secured networks
- Fine-grained audit trails
- Strong ACLs models
- Full lifecycle governance
- Integration with 3rd parties
More than anything else, security and compliance are top concerns in financial companies. Many of the executives argue against modernizing legacy software development and DevOps practices. DevOps practices are, in fact, viewed as risk factors to security, and the increased frequency of software releases in DevOps is seen as a threat to governance and regulatory controls.
But, are the needles moving in the finance industry?
The 2020 State of Database DevOps report by Redgate shows that respondents in Financial Services report the highest levels of Database DevOps adoption this year – with proportionally higher rates than any other sector. Well, that is an interesting sign of financial sector maturity in terms of digital innovation.
Let us see some case studies of financial companies and their DevOps journey
- Barclays DevOps Adoption
In 2015, Barclays announced that it is adopting DevOps for its digital transformation journey. Now, Barclays processes payments, which equate to around 30% of the UK’s Gross Domestic Product. The developers' morale and quality of code increased because of DevOps and the leadership team at Barclays credited DevOps with significantly reducing the complexity of their codes, which has allowed them to reduce delivery risk and, ultimately, improve the quality of their services.
- DevOps the Lunar Way
A journey that affirms you don't have to be too big to use Kubernetes. They started their cloud-native DevOps journey by splitting the massive monolith application into smaller microservices. To spin up and deploy these microservices as a whole unit, they used Ansible, Terraform, and Jenkins.
Then they suddenly started to experience some of the scaling issues with Microservices. So, they didn't get any of the microservices benefits.
Hence they started looking for ways to get out of this complexity by shifting their focus from machine-oriented to application-oriented architecture. They chose Kubernetes as the abstraction layer along with AWS, not worrying about where the containers are running, and this is how they were able to manage microservices and unlocked the velocity of microservices. They also chose Kubernetes from a security perspective and to specify how the applications should run. Now they run around 80+ microservices in production with the help of Kubernetes:) Watch and learn how they did it in this video 'Running Kubernetes in production at Lunar Way by Kasper Nissen.' - ‘Two years in production with Kubernetes’
- Italy's biggest bank embracing DevOps
A conventional bank running its real business on such a young technology? No way, are you kidding me? Nope, I am not kidding.
Italy's banking group, Intesa Sanpaolo, has made this transition. These are banks who still run their ATM networks on 30-year-old mainframe technology, and embracing the hottest trend & tech is nearly unbelievable.
Even though ING, the banking and financial corporation, changed the way the banks were seen by upgrading itself with Kubernetes and DevOps practices very early in the game, there was still a stigma with adopting Kubernetes in the highly regulated and controlled environments like Healthcare, Banks, etc. The bank's engineering team came up with an initiative strategy in 2018 to throw away the old way of thinking and started embracing the technologies like microservices, container architecture, and migration from monolithic to multi-tier applications. It was transforming itself into a software company, unbelievable. Today the bank runs more than 3,000 applications. Of those, more than 120 are now running in production using the new microservices architecture, including two of the ten most business-critical for the bank.
Read the full case here: How hot is Kubernetes? Even traditional banks are transforming to embrace it
- HSBC going the DevOps way
HSBC is changing the way typical banking works with cloud-native Technology & DevOps. How? Read... The banking sector, as we all know, has a reputation for being highly conservative & known for its slow approach towards the new technology practices and tools. However, one of the world's largest banks is set to become an early user of Google's Cloud Services Platform, to provide core banking services to its business customers.
HSBC plans to build its all-new business banking service to run on a Kubernetes-managed container infrastructure using Google's toolset. HSBC also has excellent partnerships with AWS and Microsoft by favoring the multi-cloud strategy. HSBC's engineering team believes that moving to a container model under the umbrella of Kubernetes is significant because it means the environment is similar across different clouds. HSBC also came up with an initiative of the cultural shift by acquiring people from outside of the banking sector because they wanted to change their culture from within and break the typical ways of hiring the talent. One of the publications reported that HSBC focuses on cloud and DevOps vision with a $10 million investment & HSBC is using CloudBees significantly since 2015 to bolster its software delivery system.
- Capital One's Agile to DevOps journey
Capital One’s Agile journey started in late 2011, with just two teams. Slowly more teams started getting trained in Agile development. The developers at Capital One were following the Scaled Agile Framework (SAFe). Initially, since the teams were new to the automation methodologies, integration testing, security testing, unit, and performance testing were all done outside of development sprints by separate test teams. Later, once they understood how important it is to have a collaborative culture, they integrated this testing into the dedicated DevOps teams and automated it well. Then slowly, they moved all testing into the development sprints, adopting a culture of DevOps and uniformity and wiring integration, security, and performance testing into a Continuous Delivery pipeline. As of 2016, they had more than 700 Agile teams following Continuous Delivery. Read the original article on O’Reilly.
- SIX is building a digital infrastructure
SIX is a financial company, building a digital infrastructure and provides services related to the processing of financial information, securities transactions, payment transactions, and more. And it operates the infrastructure for the Swiss financial sector. It is one of the best examples of a successful DevOps transformation in the finance sector both technically and organizationally. Its ATM network relies on container management of smaller services, with automated test and deployment.
Some beneficial consequences of DevOps in a highly regulated environment, pointed out by Scherrer, the head of application engineering at SIX, include a fine-grained level of traceability via release automation, improved security with automated vulnerability scanning at build time, and improved quality of the systems. Another, interestingly, is simply making sure all critical code gets reviewed, which also increases shared knowledge and code quality.
(Source credits: InfoQ)
- LMAX’s Agile to DevOps journey
LMAX is a global financial technology company whose systems were built from scratch on Agile-based best practices: pair programming, TDD, and Continuous Integration. LMAX took further steps in DevOps automation, requiring teams to automatically deploy code to different environments such as integration, acceptance, and performance testing, which ended up building a Continuous Delivery pipeline.
LMAX, till today, has made a massive investment in automated testing and best practices. It has made every build to run through 25,000 unit tests with code coverage failure, taking security into consideration, simple code analysis, and automated integration sanity checks. The practice followed is so well crafted that all of the tests and checks must pass for every piece of code submitted.
The last good build is automatically picked and promoted to integration and then to the acceptance testing, where more than 10,000 end-to-end tests are run on a test cluster, including various tests. More than 24 hours’ worth of tests are executed in parallel in less than an hour.
- A 250-year-old bank's DevOps journey
We are talking about ABN AMRO Bank here, which is very old and is the third-largest bank in the Netherlands. For them, it all started with using containers, and they began to face some problems in the initial stages: as a bank in the financial sector, they face more challenges with compliance and governance, and the priority was more on security.
On the cloud-native landscape, as there are many tools, it was confusing for them to choose which tool for what as they didn't want each developer team selecting different tools and facing a catastrophic separation from others and licensing issues.
So the need for them was to come up with some clear guidelines for developers, the best cloud features they can consume easily before moving to a cloud-native approach to creating a uniform way of working. They also came up with a plan of having a regulated team that previously worked on tools and processes to share knowledge and best practices. They created a team called 'Stratus.' The mission of this team 'Stratus' is to enable development teams to quickly deliver secure and high-quality software by providing them with easy to use platforms, security, portability across clouds on enterprise level, and reusable software components. The keynote talk video is here: A 250 Year Old Bank's Cloud-Native Journey
- DevOps in Bank of America
Bank of America is one of the world’s biggest financial institutions following DevOps practices, and their digital enterprise operations support nearly 4,300 retail financial centers and approximately 16,600 ATMs worldwide. The award-winning digital bank has nearly 38 million active users, and approx. 29 million mobile users.
Automating security and compliance
As DevOps continues to evolve and move towards the mainstream, it will continue to be the topic of highest interest for many senior managers across financial services, and you can see from the above case studies that they are already taking this as a priority. But as we have discussed before, security and compliance are the barriers that delay and slow innovation in financial companies.
Start small and keep security as the high priority, start with the simplest DevOps approaches like continuous integration, and then the continuous delivery and deployment using the available tools in the market such as GitHub, Artifactory, Docker, Ansible, Kubernetes, Helm, etc. Over time, steadily, the more you automate, the higher return on investment you'll achieve.
Automating security permissions and controls will help financial companies remove some of their most common software barriers and have their releases out quicker than before, while still maintaining the necessary governance and compliance.
To meet the strict security and compliance regulations of the financial industry, Artifactory has an advanced audit trail log feature that provides full transparency over access control by logging every action that affects access to repositories and packages in Artifactory. To validate and verify the integrity of artifacts, Artifactory’s unique checksum-based storage uses SHA-256 checksums. Artifactory enables finance companies to enjoy the benefits of open source software without compromising on security.
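To make the idea of checksum-based storage concrete, the sketch below files each artifact under the SHA-256 digest of its content and re-verifies that digest on every read. It is an added illustration, not Artifactory's code or API; the `ChecksumStore` class, the artifact paths and the sample bytes are all constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class ChecksumStore:
    """Toy content-addressed store (hypothetical, not Artifactory's design)."""

    def __init__(self, root: Path):
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)
        self.index = {}  # logical artifact path -> SHA-256 hex digest

    def _blob(self, digest: str) -> Path:
        return self.root / digest[:2] / digest

    def put(self, name: str, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        blob = self._blob(digest)
        if not blob.exists():  # identical content is stored only once
            blob.parent.mkdir(exist_ok=True)
            blob.write_bytes(data)
        self.index[name] = digest
        return digest

    def get(self, name: str) -> bytes:
        expected = self.index[name]
        data = self._blob(expected).read_bytes()
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise ValueError(f"integrity check failed for {name}")
        return data


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        store = ChecksumStore(Path(tmp))
        # Constructed sample artifact, uploaded under two logical paths.
        d1 = store.put("libs/payments-1.0.jar", b"constructed sample artifact")
        d2 = store.put("mirror/payments-1.0.jar", b"constructed sample artifact")
        blobs = [p for p in Path(tmp).rglob("*") if p.is_file()]
        clean = store.get("libs/payments-1.0.jar")
        blobs[0].write_bytes(b"modified on disk")  # simulate on-disk corruption
        try:
            store.get("libs/payments-1.0.jar")
            detected = False
        except ValueError:
            detected = True
        return {"same_digest": d1 == d2, "blob_count": len(blobs),
                "clean_read": clean, "tamper_detected": detected}
```

Because the digest is both the storage key and the integrity reference, the same check that deduplicates uploads also catches any blob whose bytes no longer match what was recorded at upload time.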
Take a step forward
Now we know that financial services companies need complex and rigorous software development processes to meet intense corporate and regulatory requirements. Yet they are expected to release software faster than ever to meet expectations and beat the competition.
Would you like to witness some great minds in DevOps speak about how companies like Capital One and others are thriving in the Finance sector?
Here is an exclusive and free single day, Finance DevOps Summit, where you will be able to see some great examples of companies, case studies, speakers, and more.