Darrell Grundy, AWS Cloud Security Architect for one of the largest banks in the world, explains how one of the biggest challenges associated with financial services moving to cloud computing is deciding on the amount of flexibility and dynamism that can be granted to DevOps teams and their CI/CD pipelines.

Financial services are renowned for its governance and regulation over stringent information security controls due to the inherent risks associated with financial payments, stock exchange trading rules and large volumes of customer information.

“This can be a shock to developers moving from small Internet start-ups to large financial services organisations”, said Grundy. “Obviously, there is a strong desire for banks to adopt modern software development practices in order to expedite roll out new features to customers and staff and to increase their competitive edge. But striking the right balance between software development freedom, service reliability and information risk management is our main security challenge.”

DevOps pipelines

Cloud computing has championed the concepts of infrastructure-as-code, DevOps pipelines, short-lived compute instances and per-second billing. This has resulted in big gains for cloud customers in terms of time taken to build out required computing environments and the costs associated.

Grundy believes that “cloud computing, DevOps culture and agile software development have forced us to rethink how we manage information security controls in financial services. There’s a shift in focus from analysing the security of the product that drops out of the end of the pipeline to analyse the security of who can put what inside the pipeline.”

Cloud computing is ideally tailored to automated software builds due to its API-based nature. Grundy admitted: “Developers want to automate as much of their process as a possible for efficiency and error reduction reasons. It makes perfect sense for security to follow suit to ensure that integrating the necessary level of control does not introduce an unwanted manual process bottleneck.

“Wherever possible, we want software development teams to vet the quality and safety of their code themselves since they are the experts, which either means code change, manual peer review or automated tool equivalents. Security oversight thereafter can focus on areas of threat and vulnerability management, access control and accountability for pipeline involvement, all of which can make use of automated tooling to reduce laborious manual processes.”

Collapse of role separation

The merging of software development and software operations roles to form a DevOps practice is almost a given in small companies with limited headcount. But in larger financial services companies, software development and software operations roles have traditionally been separated for risk management and segregation of duties reasons.

“Segregation of duties (SoD) as a concept is important in financial services to reduce the risk of fraud, insider trading, data leakage and covering up mistakes without proper investigation. DevOps has collapsed one of the standard SoD requirements. That’s not to suggest that DevOps practices can’t be used within banks. It just means we have to satisfy the SoD requirement by other means, which can include embedded security staff within the DevOps team, automation of authentication secret assignment to services, privileged change activity monitoring, continuous compliance monitoring, etc,” he revealed.

Additionally, there has been a collapse in the number of roles involved in the build of a cloud computing environment. Traditionally, banks employ separate teams of subject matter experts (SME) tasked with designing, deploying and operating application platforms covering areas such as system administration, networks, databases, application development, middleware, cryptography, etc. The advent of DevOps culture has significantly changed this model.

Grundy commented: “The shared responsibility model associated with cloud computing has significantly changed SME role involvement. Partly, SME tasks associated with operating the underlying cloud service infrastructure have been relocated to the cloud provider. This means that DevOps teams predominantly have the skills to build and operate their applications single-handedly.

“However, I don’t believe DevOps staff would claim that they are experts in every aspect of computing that has security relevance. There still remains a security requirement for involving the bank’s SMEs to provide specialised input on security control decisions. Ultimately, the outcome of those decisions is integrated into the code that feeds the pipeline, and further in support of change management process and security compliance monitoring.”

Written by Leah Alger