
DevSecCon Singapore 2019: The journey of digital transformation through DevSecOps in the Banking industry


Nadira Bajrei

IT Continuous Improvement and Knowledge Management at Bank Mandiri Tbk
We all know that the Banking industry is highly regulated. But due to recent changing factors, we had to trigger something we call transformation. Two of the most important reasons why we need transformation are firstly digital disruption, a wave our industry is hard pushed to follow, and secondly the evolving customer expectation and competitive environment, which are impacting the way organisations are delivering value. We need a new way of working to help us stay relevant in the market.

This session will focus on our journey as one of the biggest banks in Indonesia to do digital transformation into DevOps while maintaining security compliance requirements. I will elaborate on the main reason why we need transformation, our journey roadmap, the step by step adoption of CALMS Values in our organisation and how we faced challenges from internal and external sides.

Published in: Technology


  1. Singapore | 28 Feb - 01 Mar 2019. The journey of Digital Transformation through DevSecOps in Banking Industry. Nadira
  2. Nadira Bajrei, IT Continuous Improvement and Knowledge Management at Bank Mandiri Tbk. MIT from University of Indonesia, IT Governance Specialist.
     - 9 years of experience in IT process and governance
     - 6 years of experience in the banking industry
     - Develop all IT processes.
     - Integrated the whole SDLC process through automation.
     - Built up an internal community and became community leader for agile and DevOps.
     - Bank Mandiri Change Agent for DevOps adoption
     - Built up the DevSecOps Indonesia Community.
     - Email: bajrei.nadira@gmail.com, LinkedIn: nadirabajrei
  3. Agenda: 1) Background 2) Transformation Roadmap 3) DevSecOps Journey 4) Challenges
  4. Background (section 1)
  5. What is digital transformation? Integration of digital technology into all areas of a business, fundamentally changing how you operate and deliver value to customers. It’s also a cultural change that requires organizations to continually challenge the status quo, experiment and get comfortable with failure.
  6. Why We Need to Do the Transformation?
     - Engage customers through multiple channels
     - Enter the Digitalization Era and Competition with Disruptor
     - Achieve Our Vision 2020: ”Become Indonesia’s Best, ASEAN’s prominent”
     - Quickly respond to changing customer needs

     Digital Banking Transformation: improve internal capabilities in many areas such as:
     - IT Security, Availability & Reliability
     - Digital and Infrastructure
     - People, Process, Governance
  7. Digital Banking Transformation – Business Function. Define the “Digital Banking Roadmap” to become a customer-centric organization.
     - 2017: Mobile banking launched
     - 2018: Improved Digital Services
     - 2020: Be no.1 Digital Banking Application

     Roadmap items:
     - Provide personalized and targeted offers to specific customers
     - Drive digital onboarding process
     - Offer innovative services / features through external collaboration
     - Increasing service transaction
     - Build cashless ecosystem
     - Fintech collaboration
     - Improve internal capabilities to enable digital banking initiatives
     - Build strong foundation in digital capabilities
  8. Transformation Roadmap (section 2)
  9. Roadmap Plan (2017-2020): Process, People, Technology
     - Infuse agile DevOps culture and mindset in business and IT leadership and seek strong buy-in and sponsorship to change.
     - Adopt the right organizational structure to quickly incubate agile skills and start piloting agile projects.
     - Start practicing agile with collaborative workspaces, business co-ownership (Product Owner) and right-sized governance.
     - Start defining policies and procedures for Agile Methodology.
     - Start building DevSecOps architecture and automate everything.
  10. DevSecOps Journey (section 3)
  11. DevOps will complement Agile Methodology to break the “silos” and achieve better Business-IT alignment, increased delivery certainty and faster speed to market, and deliver more secure applications.
     - Parties separated by walls: Customers, Development, IT Operations, IT Security
     - Wanting: flexibility, change, stability, security
     - Create flexibility; improve time to market
     - Create effective change; add/modify features
     - Create stability; enhance services
     - Create security; enhance security services; security as a code
     - Practices: Agile, DevOps, DevSecOps
     - Outcomes: 1) Better Business-IT alignment 2) Increased delivery certainty 3) Faster speed to market 4) Deliver more secure application
  12. Pipeline diagram.
     - Stages shown: Build, Code, Integrate, Test, Deploy, Release, Operate
     - Scopes shown: Agile Development, Continuous Integration, Continuous Delivery, Continuous Deployment, DevOps
     - Business decision to go live
     - DevSecOps: security as a code, shift left security testing
  13. DevOps Values: Culture, Automation, Lean, Measure, Sharing
  14. C (Culture): Organizational culture is one of the strongest predictors of both IT performance and overall performance of the organization. We are to shift thought and behaviors: a culture of safe failure and also a culture of continuous improvement. From → To:
     1. IT Focus (Inside out) → Customer Focus (Outside in)
     2. Silos → Cross Functional
     3. Command & Control → Self Organized & Collaboration
     4. Task Oriented → Outcome Oriented
     5. Blame → Take Responsibility
     6. Reactive → Proactive
     7. Resistant → Flexible
     8. Low Trust → High Trust
  15. Organization Structure. Chart labels: CIO; B, B1, C, C1, D, D1; Stream / Product A, B and C, each with SM, PO and Dev Team; UI/UX, EA, DevOps Engineer, Other SME, Stakeholder; Dedicated Team; Shared Team.
     - From Structural to Matrix Structure
     - Divided by stream/product
     - Provide organic growth
  16. A (Automation): Adopting automation, we avoid tools that enforce silos. What We Do?
     1. Architect before automating
     2. Assess our existing tools and automation capabilities
     3. Identify critical gaps
     4. Seek vendor for POC
     5. Automate high value and repetitive work
     6. Optimize workflow bottleneck

     “Do not underestimate the effort and cost of building a toolchain from open source applications; open source is not necessarily free, you need to modify the source to fit your needs”
  17. (no transcribed text)
  18. Objective and tools per stage (Agile - CI, DevSecOps):
     - Plan: Backlog grooming, define user story, burndown charts, security requirement
     - Develop: Develop apps and services using version control, traceability, and CI
     - Build: Manage, track and document all changes to application and configuration management
     - Test: Automate test script execution including regression, user acceptance and security
     - Deploy: Deploy apps and provision environments using automation & standardized configurations
     - Operate: Measure performance of environment and application
  19. Continuous Integration – Continuous Delivery (CI/CD) Life Cycle
  20. L (Lean):
     - Muda - Waste. Simple statement to identify waste: “If you are not adding value, then you are adding waste”. How are we eliminating waste? Start finishing, stop starting, or limit WIP (work in progress). Avoid hand-overs.
     - Mura - Reduce inconsistency. Make everything as simple as possible.
     - Muri – Overburden. It represents the activities where processes, people, or machines are pushed beyond a reasonable limit. Remove bottlenecks.
  21. L (Lean): 2-speed IT / Bimodal IT
     - Waterfall (Initiation, Planning, Analysis & Design, Development, Implementation, Closure): clear expectation and fixed requirements; minimal rate of changes; focus on applications that require the highest stability; no changes during development
     - Agile: evolving requirements and incremental delivery; frequent changes and faster time to market; customer oriented products and early feedback; accommodate changes during development
  22. L (Lean): Our Agile Approach
     - Discovery Workshop (2 days): Agile Charter. PO-SM-DT-SME-BP-RR
     - Sprint Planning (4 hours): Sprint Goal, Prioritize User Story, Definition of Done, Release Plan. PO-SM-DT
     - Sprint Execution (2 weeks): Specification Document, Test Script & Unit Test Result, Training Material, PTO, Nota Migrasi. SM-DT
     - Daily Standup (15 minutes), 3 questions: what did you do yesterday, what will you do today, what is the impediment. SM-DT
     - Sprint Review (2 hours): Demo Result & Acceptance. PO-SM-DT-SME-BP-RR
     - Sprint Retrospective (2 hours): Minutes of Retrospective. PO-SM-DT
     - RCB: Migration Approval. PO-SM-RCB Member
     - Migration: Deploy to Prod. SM-Release Team

     Legend: PO - Product Owner, SM - Scrum Master, DT - Development Team, SME - Subject Matter Expert, BP - Business Partner, RR - Risk Reviewer
  23. Agile activities (description, duration, who is involved):
     - Discovery Workshop: Defining user story details, plan to prepare the supporting infrastructure, acceptance criteria and also definition of done. Duration: 2 Days. Who: Product Owner, Scrum Master, Development Team, SME, Risk Reviewer
     - Sprint Planning: Determine the stories that match the definition of ready to be prioritized and delivered in the next sprint. Duration: 4 Hours. Who: Product Owner, Scrum Master, Development Team, SME
     - Sprint Execution: Start developing and create product increment. Duration: 2 Weeks. Who: Development Team
     - Daily Stand Up: Align on three key questions within the team: what did you do yesterday, what will you do today, and/or are there any impediments? Duration: 15 Minutes. Who: Development Team, SM (opt)
     - Sprint Review: Demo product increment, getting more feedback. Duration: 2 Hours. Who: Product Owner, Scrum Master, Development Team, SME
     - Retrospective: Review the process from the last sprint (what went well, what didn’t go well, what can we improve); identify action to improve collaboration. Duration: 2 Hours. Who: Scrum Master, Development Team
  24. Security within software lifecycle
     - Phases: Plan, Develop, Test, Deploy, Operate
     - Security activities shown: Security Req., Source code review, VA/Pentest, Security Hardening, SIEM, Antivirus, Patch Management, Security Awareness

     Security guy as SME to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.
  25. M (Measure): If you can’t measure, then you don’t know if you’re improving! The essence of measure in DevOps, namely capture and review your metrics / measurements and then take action. Measure methods: Logging and Monitoring Strategy. There are a number of useful reliability KPIs that can be captured:
     - MTTR (Mean Time To Recover/Restore)
     - Change Fail rate
     - % of Failed / Successful deployments
     - Time in cycle
  26. S (Sharing): Community of Practices to provide sharing values in DevOps
     - Communities: Agile DevOps Community, Infosec Community, Cloud Community, Data Sciences Community
     - Channels: WhatsApp or Telegram Group, Formal or Informal Meeting, Shared Web Space (I share / e-KMS)
     - Benefits to Members: build professional network of similar interests; access to expertise to seek help with work challenges; nurture personal development and professional identity; help to achieve meaningful work
     - Benefits to Organization: foster capability building; enable knowledge sharing, retention, and reuse; support synergy across units; retention of talents
  27. Our Community of Practices Activities - Sharing
  28. Challenges (section 4)
  29. Our Challenges
     - Cultural Change – resistance to change
     - Regulatory aspect (Internal audit, Risk and Compliance and also OJK)

     DevOps Benefits
     - People disconnect between delivery and application support → Collaborations between delivery and application support
     - Work in silos → Drive integration, repeatability & reliability through automation
     - Handover is slow and complex, limiting time to market → Continuous evaluation of practices and tools
  30. Thank you. Keep CALMS and Do DevOps
  31. Q&A (section 5)
