SlideShare a Scribd company logo

Security in the DevOps pipeline of containerized core application: Case Study Finnova

Aarno Aukia, profile picture
Aarno Aukia

The document outlines the development and security practices of the Finnova platform, focusing on digitization and the implementation of DevOps strategies by VSHN. It emphasizes the importance of automation, security compliance, and modularization in application management, highlighting a collaborative approach between software development and IT operations. Key takeaways include the adoption of 'infrastructure as code,' continuous improvement processes, and the transition to cloud-native governance for enhanced agility and security.

Software
Related topics:
Information Security
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24.08.2020I Finnova 1 Finnova – Christian Reinhard, Head Application Management VSHN - Aarno Aukia, CTO & Partner CISO SUMMIT ZURICH
INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3 4 Agenda CISO Summit 5 DEVOPS (VSHN) KEY TAKEAWAYS
Introduction 24.08.2020 I Finnova3 Digitization within Finnova
Finnova Application Management Seewen more than just Application Management 4 FINNOVA APPLICATION MANAGEMENT SEEWEN FINNOVA SOLUTIONS FINNOVA CONSULTING FINNOVA PRODUKTHAUS
INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3Agenda CISO Summit 4 5 DEVOPS (VSHN) KEY TAKEAWAYS
03.08.20207 A solution arises from a customer need together with the customer – Finnova Portal as a Service CMS-Portal TechnologieFinnova Omega Platform Development PartnerFinnova Open Platform Orchestrierung mit Prozessen und FIL-Services Finnova Core Betrieb des CMS-Portals im SaaS-Modell | Workshop Neobank OPERATION AND APPLICATION MANAGEMENT AT FINNOVA AM IN SEEWEN
Finnova Plattform 8 Portal as a Service Portal WAF WAF WAF Core Γ Core Γ Core Γ OMEGA Ω OMEGA Ω OMEGA Ω Finnova Core Suite 3rd Party Portal „Liferay“ – ti&m
INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3Agenda CISO Summit 4 5 DEVOPS (VSHN) KEY TAKEAWAYS
24.08.2020 Hier steht der Präsentationstitel I10
12 Deployment Process & Security DEV (Repository) Files (Pods) Docker Images Container (OpenShift) Betrieb AM Seewen (PRD) GitHub Code Image-Scan (Security & Compliance Policies) » Code Analyse » Image Scanning » Container Hardening Runtime » Network Security » Monitoring » Logging & Reporting » Code Security » Access » Security & Auditing SecurityDeployment
24.08.2020 Portal as a Service13 Architecture and Security
INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3Agenda CISO Summit KEY TAKEAWAYS 4 5 DEVOPS (VSHN)
VSHN - The DevOps Company Collaboration between Software Development (Dev) and IT-Operations (Ops) ● Automate as much as possible (“Infrastructure as code”) ● use standard services (layers of abstractions with clear API) to abstract complexity ● Cost efficient and lean way of working ● Agility: ability to react to new/changing requirements ● One team with a common goal: ship stable features ● Continuous improvement 1515 DevOps
VSHN - The DevOps Company 1616 DevOps: People, Processes & Tools
VSHN - The DevOps Company DevOps + Security Engineering = DevSecOps 1717
VSHN - The DevOps Company ● “Full Stack Audit” ● Review design document ● Every layer was custom built ○ physical hardware ○ handcrafted servers ○ manual application deployment ● Review each layer ● Review each layer again next year... 1818 Traditional IT governance
VSHN - The DevOps Company ● Standardized components ○ already audited, some even externally certified ○ re-used, economies of scale, CMMI level 5 ○ tech controls (AAI, RBAC, logs/SIEM) implemented once ○ financial controls implemented once ● Infrastructure: private/public cloud, onprem ● Ops: Container orchestration platform ● Review design document & platform configuration 1919 Cloud native IT governance
VSHN - The DevOps Company ● prevent configuration drift ○ immutable (application) infrastructure using containers ○ deploy dev/test/stage/prod envs from CI/CD ● prevent manual errors ○ validate configuration in CI/CD before deployment ○ standardization on (minimal, hardened) OS and container orchestrator ○ deployment automation removes need for (most) root prod access ● security by default ○ image scanning, dependency vulnerability management ○ process/storage/network separation of applications/environments ○ volumes & ingresspoints best practice (documentation, monitoring, backup, SSL/TLS/WAF) ○ AAI for admin & application, audit trail logging of CI/CD, control & application planes ○ key & secrets management ● 2020 IT governance controls in container platforms
VSHN - The DevOps Company ● compute resources billable by project ● self-service-onboarding possible ● autoscaling, scale-down dev envs outside office hours ● vendor procurement/due diligence/certification management ● SLA, 24x7, service process, escalation management clearly defined 2121 IT governance financial/compliance controlling
INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3Agenda CISO Summit KEY TAKEAWAYS 4 5 DEV OPS (VSHN)
VSHN - The DevOps Company ● Modularization ○ Modular digitalization platform enabling multi-tenancy and development autonomy ○ clearly defined layers for API and operations for alignment ● Collaboration ○ BPF orchestration engine to provide end-to-end process for Dev & Ops (Application Management) at Finnova ○ clearly defined layers for operations and specialization 2323 Key takeaways
VSHN - The DevOps Company @aarnoaukia http://about.me/aarno a@vshn.ch ETH → Google → Atrila → VSHN VSHN - The DevOps Company Since 2014, currently 45 VSHNeers in Zürich, Switzerland Helping Developers run applications on any infrastructure making both visitors happy with stability and developers happy with agility 2424 About Aarno & VSHN.ch
Come visit us for a coffee! VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch https://vshn.ch/kontakt/ Follow us on Twitter! @vshn_ch 25

More Related Content

PDF
Next gen software operations models in the cloud
Aarno Aukia
 
PDF
[WSO2Con USA 2018] Architecting for Container-native Environments
WSO2
 
PDF
[WSO2Con EU 2018] OpenAPI Specification 3 - The Evolution of Swagger
WSO2
 
PDF
„GitOps with Flux and Flagger“
ConSol Consulting & Solutions Software GmbH
 
PDF
Modern Post-Exploitation Strategies - 44CON 2012
44CON
 
PDF
[WSO2Con EU 2018] Architecting for a Container Native Environment
WSO2
 
PDF
Strengthen Security and Traffic Visibility on Amazon EKS with NGINX
NGINX, Inc.
 
PDF
Process Automation: an Update from the Trenches
Kris Verlaenen
 
Next gen software operations models in the cloud
Aarno Aukia
 
[WSO2Con USA 2018] Architecting for Container-native Environments
WSO2
 
[WSO2Con EU 2018] OpenAPI Specification 3 - The Evolution of Swagger
WSO2
 
„GitOps with Flux and Flagger“
ConSol Consulting & Solutions Software GmbH
 
Modern Post-Exploitation Strategies - 44CON 2012
44CON
 
[WSO2Con EU 2018] Architecting for a Container Native Environment
WSO2
 
Strengthen Security and Traffic Visibility on Amazon EKS with NGINX
NGINX, Inc.
 
Process Automation: an Update from the Trenches
Kris Verlaenen
 

What's hot (20)

PDF
Cas d'usage ProtoStellar Cloud replatforming de l'application 1Logistic pour...
VMware Tanzu
 
PDF
Exposing Lambda Functions as Managed APIs
WSO2
 
ODP
Case management applications with BPM
Kris Verlaenen
 
PDF
What Makes up a Modern Application Platform?
All Things Open
 
PDF
CNCF Singapore - Introduction to Envoy
Harish
 
PPTX
Avoid SPOF in Cloud-native Apps
Thang Chung
 
PDF
Building successful business Java apps: How to deliver more, code less, and c...
Red Hat Developers
 
PDF
GitLab's Acquisition Strategy & Approach
Eliran Mesika
 
PDF
Xpdays: Kubernetes CI-CD Frameworks Case Study
Denys Vasyliev
 
PDF
Meetup talk Red Hat OpenShift service mesh
ConSol Consulting & Solutions Software GmbH
 
PPTX
Bring Service Mesh To Cloud Native-apps
Thang Chung
 
PPTX
Control Kubernetes Ingress and Egress Together with NGINX
NGINX, Inc.
 
PDF
The what, why and how of knative
Mofizur Rahman
 
PPTX
GitLab Product Roadmap and Approach
Eliran Mesika
 
PDF
API design-first and Microservices
Sven Bernhardt
 
PPTX
Flexible, Powerful, and Easy-to-Use Ingress Load Balancing with NGINX and Ope...
NGINX, Inc.
 
PPTX
Accelerate Your Development: CI/CD using AWS and Serverless
AaronLieberman5
 
PPTX
DevOps Fest 2019. Дмитрий Лагоза. CD for StartUp, cheap and furious
DevOps_Fest
 
PPTX
MuleSoft Meetup Roma - Processi di Automazione su CloudHub
Alfonso Martino
 
PDF
Microservice API Gateways with NGINX
Geoffrey Filippi
 
Cas d'usage ProtoStellar Cloud replatforming de l'application 1Logistic pour...
VMware Tanzu
 
Exposing Lambda Functions as Managed APIs
WSO2
 
Case management applications with BPM
Kris Verlaenen
 
What Makes up a Modern Application Platform?
All Things Open
 
CNCF Singapore - Introduction to Envoy
Harish
 
Avoid SPOF in Cloud-native Apps
Thang Chung
 
Building successful business Java apps: How to deliver more, code less, and c...
Red Hat Developers
 
GitLab's Acquisition Strategy & Approach
Eliran Mesika
 
Xpdays: Kubernetes CI-CD Frameworks Case Study
Denys Vasyliev
 
Meetup talk Red Hat OpenShift service mesh
ConSol Consulting & Solutions Software GmbH
 
Bring Service Mesh To Cloud Native-apps
Thang Chung
 
Control Kubernetes Ingress and Egress Together with NGINX
NGINX, Inc.
 
The what, why and how of knative
Mofizur Rahman
 
GitLab Product Roadmap and Approach
Eliran Mesika
 
API design-first and Microservices
Sven Bernhardt
 
Flexible, Powerful, and Easy-to-Use Ingress Load Balancing with NGINX and Ope...
NGINX, Inc.
 
Accelerate Your Development: CI/CD using AWS and Serverless
AaronLieberman5
 
DevOps Fest 2019. Дмитрий Лагоза. CD for StartUp, cheap and furious
DevOps_Fest
 
MuleSoft Meetup Roma - Processi di Automazione su CloudHub
Alfonso Martino
 
Microservice API Gateways with NGINX
Geoffrey Filippi
 
Ad

Similar to Security in the DevOps pipeline of containerized core application: Case Study Finnova (20)

PDF
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
PDF
DevSecOps - Security in DevOps
Aarno Aukia
 
PDF
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
PDF
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
PDF
Securing DevOps
Aarno Aukia
 
PDF
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
PDF
Moving Applications to the cloud
Aarno Aukia
 
PDF
SecDevOps 2017
Aarno Aukia
 
PDF
DevOps on AWS
Aarno Aukia
 
PDF
A guide to modern software development 2018
Peter Bittner
 
PDF
Continuous security improvements in the DevOps process
Aarno Aukia
 
PDF
It delivery 2016 v5
Pini Cohen
 
PDF
DevOps for E-Commerce
Aarno Aukia
 
PDF
Transforming to OpenStack: a sample roadmap to DevOps
Nicolas (Nick) Barcet
 
PPTX
Driving Enterprise Architecture Redesign: Cloud-Native Platforms, APIs, and D...
WSO2
 
PPTX
Driving Enterprise Architecture Redesign: Cloud-Native Platforms, APIs, and D...
Chris Haddad
 
PDF
How to Design a Backend for IoT
İbrahim Gürses
 
PDF
Wie macht man aus Software einen Online-Service in der Cloud
Aarno Aukia
 
PDF
DevOps - Top Trends In 2019
Vikash Karuna
 
PDF
IT Governance and Security Architecture in Docker, Kubernetes, OpenShift
Aarno Aukia
 
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
DevSecOps - Security in DevOps
Aarno Aukia
 
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
Securing DevOps
Aarno Aukia
 
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
Moving Applications to the cloud
Aarno Aukia
 
SecDevOps 2017
Aarno Aukia
 
DevOps on AWS
Aarno Aukia
 
A guide to modern software development 2018
Peter Bittner
 
Continuous security improvements in the DevOps process
Aarno Aukia
 
It delivery 2016 v5
Pini Cohen
 
DevOps for E-Commerce
Aarno Aukia
 
Transforming to OpenStack: a sample roadmap to DevOps
Nicolas (Nick) Barcet
 
Driving Enterprise Architecture Redesign: Cloud-Native Platforms, APIs, and D...
WSO2
 
Driving Enterprise Architecture Redesign: Cloud-Native Platforms, APIs, and D...
Chris Haddad
 
How to Design a Backend for IoT
İbrahim Gürses
 
Wie macht man aus Software einen Online-Service in der Cloud
Aarno Aukia
 
DevOps - Top Trends In 2019
Vikash Karuna
 
IT Governance and Security Architecture in Docker, Kubernetes, OpenShift
Aarno Aukia
 
Ad

More from Aarno Aukia (18)

PDF
DevOps for AI: running LLMs in production with Kubernetes and KubeFlow
Aarno Aukia
 
PDF
The printing press of 2021 - using GitLab to publish the VSHN Handbook
Aarno Aukia
 
PDF
Applikationsmodernisierung: Der Weg von Legacy in die Cloud
Aarno Aukia
 
PDF
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Aarno Aukia
 
PDF
Kubecon 2019 Recap
Aarno Aukia
 
PDF
My broken container is gone - how to debug containers on container platforms
Aarno Aukia
 
PDF
Automated Server Administration for DevSecOps
Aarno Aukia
 
PDF
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Aarno Aukia
 
PDF
Application Portability using Cloud Native Technology: Docker, Kubernetes
Aarno Aukia
 
PDF
Migration von Applikationen in die Cloud
Aarno Aukia
 
PDF
IPv6 on Container Plattforms
Aarno Aukia
 
PDF
Cloud Native Computing & DevOps
Aarno Aukia
 
PDF
Cloud Native Computing
Aarno Aukia
 
PDF
Cloud Native Computing Meetup Zürich Jan 11 2018
Aarno Aukia
 
PDF
Wie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Aarno Aukia
 
PDF
Scalable Web Applications with 100% open source
Aarno Aukia
 
PDF
Cloud Native Computing Meetup Zürich
Aarno Aukia
 
PDF
Scalable Python with Docker, Kubernetes, OpenShift
Aarno Aukia
 
DevOps for AI: running LLMs in production with Kubernetes and KubeFlow
Aarno Aukia
 
The printing press of 2021 - using GitLab to publish the VSHN Handbook
Aarno Aukia
 
Applikationsmodernisierung: Der Weg von Legacy in die Cloud
Aarno Aukia
 
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Aarno Aukia
 
Kubecon 2019 Recap
Aarno Aukia
 
My broken container is gone - how to debug containers on container platforms
Aarno Aukia
 
Automated Server Administration for DevSecOps
Aarno Aukia
 
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Aarno Aukia
 
Application Portability using Cloud Native Technology: Docker, Kubernetes
Aarno Aukia
 
Migration von Applikationen in die Cloud
Aarno Aukia
 
IPv6 on Container Plattforms
Aarno Aukia
 
Cloud Native Computing & DevOps
Aarno Aukia
 
Cloud Native Computing
Aarno Aukia
 
Cloud Native Computing Meetup Zürich Jan 11 2018
Aarno Aukia
 
Wie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Aarno Aukia
 
Scalable Web Applications with 100% open source
Aarno Aukia
 
Cloud Native Computing Meetup Zürich
Aarno Aukia
 
Scalable Python with Docker, Kubernetes, OpenShift
Aarno Aukia
 

Recently uploaded (20)

PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Introduction to Artificial Intelligence
lohedi9363
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 

Security in the DevOps pipeline of containerized core application: Case Study Finnova

  • 1. 24.08.2020I Finnova 1 Finnova – Christian Reinhard, Head Application Management VSHN - Aarno Aukia, CTO & Partner CISO SUMMIT ZURICH
  • 2. INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3 4 Agenda CISO Summit 5 DEVOPS (VSHN) KEY TAKEAWAYS
  • 4. Finnova Application Management Seewen more than just Application Management 4 FINNOVA APPLICATION MANAGEMENT SEEWEN FINNOVA SOLUTIONS FINNOVA CONSULTING FINNOVA PRODUKTHAUS
  • 5. INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3Agenda CISO Summit 4 5 DEVOPS (VSHN) KEY TAKEAWAYS
  • 6. 03.08.20207 A solution arises from a customer need together with the customer – Finnova Portal as a Service CMS-Portal TechnologieFinnova Omega Platform Development PartnerFinnova Open Platform Orchestrierung mit Prozessen und FIL-Services Finnova Core Betrieb des CMS-Portals im SaaS-Modell | Workshop Neobank OPERATION AND APPLICATION MANAGEMENT AT FINNOVA AM IN SEEWEN
  • 7. Finnova Plattform 8 Portal as a Service Portal WAF WAF WAF Core Γ Core Γ Core Γ OMEGA Ω OMEGA Ω OMEGA Ω Finnova Core Suite 3rd Party Portal „Liferay“ – ti&m
  • 8. INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3Agenda CISO Summit 4 5 DEVOPS (VSHN) KEY TAKEAWAYS
  • 9. 24.08.2020 Hier steht der Präsentationstitel I10
  • 10. 12 Deployment Process & Security DEV (Repository) Files (Pods) Docker Images Container (OpenShift) Betrieb AM Seewen (PRD) GitHub Code Image-Scan (Security & Compliance Policies) » Code Analyse » Image Scanning » Container Hardening Runtime » Network Security » Monitoring » Logging & Reporting » Code Security » Access » Security & Auditing SecurityDeployment
  • 11. 24.08.2020 Portal as a Service13 Architecture and Security
  • 12. INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3Agenda CISO Summit KEY TAKEAWAYS 4 5 DEVOPS (VSHN)
  • 13. VSHN - The DevOps Company Collaboration between Software Development (Dev) and IT-Operations (Ops) ● Automate as much as possible (“Infrastructure as code”) ● use standard services (layers of abstractions with clear API) to abstract complexity ● Cost efficient and lean way of working ● Agility: ability to react to new/changing requirements ● One team with a common goal: ship stable features ● Continuous improvement 1515 DevOps
  • 14. VSHN - The DevOps Company 1616 DevOps: People, Processes & Tools
  • 15. VSHN - The DevOps Company DevOps + Security Engineering = DevSecOps 1717
  • 16. VSHN - The DevOps Company ● “Full Stack Audit” ● Review design document ● Every layer was custom built ○ physical hardware ○ handcrafted servers ○ manual application deployment ● Review each layer ● Review each layer again next year... 1818 Traditional IT governance
  • 17. VSHN - The DevOps Company ● Standardized components ○ already audited, some even externally certified ○ re-used, economies of scale, CMMI level 5 ○ tech controls (AAI, RBAC, logs/SIEM) implemented once ○ financial controls implemented once ● Infrastructure: private/public cloud, onprem ● Ops: Container orchestration platform ● Review design document & platform configuration 1919 Cloud native IT governance
  • 18. VSHN - The DevOps Company ● prevent configuration drift ○ immutable (application) infrastructure using containers ○ deploy dev/test/stage/prod envs from CI/CD ● prevent manual errors ○ validate configuration in CI/CD before deployment ○ standardization on (minimal, hardened) OS and container orchestrator ○ deployment automation removes need for (most) root prod access ● security by default ○ image scanning, dependency vulnerability management ○ process/storage/network separation of applications/environments ○ volumes & ingresspoints best practice (documentation, monitoring, backup, SSL/TLS/WAF) ○ AAI for admin & application, audit trail logging of CI/CD, control & application planes ○ key & secrets management ● 2020 IT governance controls in container platforms
  • 19. VSHN - The DevOps Company ● compute resources billable by project ● self-service-onboarding possible ● autoscaling, scale-down dev envs outside office hours ● vendor procurement/due diligence/certification management ● SLA, 24x7, service process, escalation management clearly defined 2121 IT governance financial/compliance controlling
  • 20. INTRODUCTION 1 USER STORY – FROM THE IDEA TO OPENSHIFT PLATFORM 2 SECURITY WITHIN THE PLATFORM 3Agenda CISO Summit KEY TAKEAWAYS 4 5 DEV OPS (VSHN)
  • 21. VSHN - The DevOps Company ● Modularization ○ Modular digitalization platform enabling multi-tenancy and development autonomy ○ clearly defined layers for API and operations for alignment ● Collaboration ○ BPF orchestration engine to provide end-to-end process for Dev & Ops (Application Management) at Finnova ○ clearly defined layers for operations and specialization 2323 Key takeaways
  • 22. VSHN - The DevOps Company @aarnoaukia http://about.me/aarno a@vshn.ch ETH → Google → Atrila → VSHN VSHN - The DevOps Company Since 2014, currently 45 VSHNeers in Zürich, Switzerland Helping Developers run applications on any infrastructure making both visitors happy with stability and developers happy with agility 2424 About Aarno & VSHN.ch
  • 23. Come visit us for a coffee! VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch https://vshn.ch/kontakt/ Follow us on Twitter! @vshn_ch 25