Bulletproofing Banking & Financial Services in the Cloud with DevSecOps

Digital Dialogues – Podcast

Bulletproofing Banking & Financial Services in the Cloud with DevSecOps

Michael Tayo – AVP of Cloud & Application Security at US Bank
Rajesh Sarangapani – EVP & Head of Innovation at Cigniti
Sairam Vedam – Chief Marketing Officer at Cigniti

  • Here is the Transcript

Sairam: Hi everyone. Welcome to the latest edition of the Digital Dialogues podcast series. As you know the world over, this is the month of cyber security. At our constant endeavor to push our own envelope in terms of bringing in significant thought leadership, pragmatic insights, and engineering-led experiences that have always been at the forefront of what we do. I have two strong industry thought leaders who have been practitioners par excellence in this emerging, exciting, and most importantly, very relevant practice of DevSecOps, particularly what we believe that the banking and financial services, while they operate in the realm of the cloud, need to be bulletproofed. And we think that DevSecOps could be of great value in doing that. So that’s what we have to discuss today. And my name is Sairam Vedam, Global Chief Marketing Officer and the host of the Digital Dialogue podcast series. I have Michael Tayo, Associate Vice president, of cloud and application security and principal information security engineer at the US Bank. Hey, Michael, how have you been doing today thanks for joining in. How’s the day?

Michael: Hey, Sairam. Everything’s going pretty well so far. Very, excited to be here. DevSecOps is a topic that I’m really passionate about in the IT cybersecurity space. So, very excited to share some of my experiences

Sairam: Terrific. I also have Rajesh. Rajesh Sarangapani is the executive vice president and head of innovation at Cigniti. He is a tremendous leader in terms of transforming the visionary thoughts that he’s had into our patented quality engineering platform called BlueSwanTM. He also leads and innovates every single day, particularly owning our practices that include both performance engineering and security engineering. He and his teams have done numerous engagements, and complex projects that we’ve delivered to Fortune 2000 companies, particularly putting what he believes that quality should be first, quality should be at the core of everything that we do, and more so when it comes to having secure applications which are reliable and resilient. Hi Rajesh, welcome to the show. How is it going so far?

Rajesh: Hey, super Sai. Excited to be part of this conversation.

Sairam: Wonderful, and on behalf of I welcome you all once again. Being at the confluence of Digital Assurance and Digital Engineering, we think that a quality-first approach is a secret sauce for building digitally resilient enterprises, helping them go digital-first and thus winning the digital landscape. And today, I’m going to have a little nice conversation with the two experts that are introduced. Michael, maybe we could start with you. Would you help kick off things with your views on emerging technologies that are accelerating the banking financial services industry’s digital transformation endeavors, and what are the complexities that leaders are facing to meet customer expectations?

Michael: In the banking financials, there’s a shift going on right now in the industry. Everyone’s trying to be more modern. There’s the phrase modernization, digital transformation, cloud adoption and so the reliance on a lot of these sorts of cloud platforms and technology operations to enhance the customer experience, brings a lot of risk. So, as security professionals, we’re always, concerned with security and the CIA triad. When it comes to sort of beginning and embarking on this journey of leveraging emerging technologies throughout this digital transformation, it’s always complex when we’re integrating not only security but also trying to leverage new technologies like AI and machine learning, blockchain and a lot of these buzzwords are driving that innovation. But, when you work in such a heavily regulated industry like banking and financials, it can be very difficult to move as fast as you would like because there’s a lot of compliance and as I mentioned, legal requirements in place. So I would say, one of the areas that is maybe like a challenge is just aligning security with existing processes and sort of mapping that to the culture and the people. So a lot of banks and financial service companies have been around for a very long time, hundreds of years. But obviously, during the past 20 years, there’s been a shift in how banking is done. Everything is via a mobile app. Everything is sort of technology-driven. So it’s always sort of super valuable to identify these cultural shifts and make sure that everyone is aware that security is becoming not just the responsibility of the organization, but of every single employer. Just overcoming this challenge will involve a lot of cultural change, training, and a lot of collaboration between not only higher-ups and key stakeholders but also the development team, security, and operational teams as well.

Sairam: Yeah. Absolutely relevant Michael. There is nothing that I can’t agree, with going a little further, if we focus on the cloud in all the forms that it exists today, how do you think it’s going to advance the industry? What are those emerging trends that you see that are gathering momentum based on what they have to offer to customer and employee experience?

Michael: This is actually one of my favorite topics. Because I specialize in cloud and application security. So I’m all for leveraging the cloud. I think some of the advancements that it brings are just scalability. You can do things a lot more bigger and broader and that sort of helps increase that agility and speed. I think there’s a lot of competition, in the banking and financial services industries because, typically when you open an account with a bank pretty much going to be with that bank for the majority of your life. It’s only very rare that people decide to change banks. Having that sort of agility and being able to sort of develop fast and deliver services to your customers quicker just helps and increases that customer experience. Related to that, not only scalability and agility but cost efficiency. And it is not, 1 to 1 across the board. However, there are some cost-reduction benefits of leveraging cloud technology. Various industries may benefit more than others, but I’d say emerging trends regarding hybrid and multi-cloud adoption, edge computing, and serverless. They offer a bunch of new opportunities for teams to be able to scale and move a lot faster.

Sairam: That’s quite a few sorts of complex new modern-day technologies that you spoke about as well. I’m sure that this is not as easy as what people think, and it requires a lot of expertise. That’s the reason why I would like to have our expert on the other side of the table, Rajesh coming in now. Rajesh, as a global leader in cloud migration assurance services, which I’m sure some of the key work that you’ve been leading at, what kind of engagements that you’ve sort of delivered where the large enterprise customers that he works with have leveraged the cloud to achieve digital outcomes? Or, maybe we would also love to see how some of your clients have overcome the initial inertia and then leverage the cloud migration. Finally, and in the process, what are those challenges that they had to sort of solve with the expertise that we bring in as a lever to accelerate digital transformation? Some insights would be of help. Rajesh.

Rajesh: Yeah, that’s true. I think, in many ways, we see as Michael did, allude to the fact that it’s a highly regulated industry to the way we’ve been set up as an organization. We have always been perimeter aware, if you will, which means that you have a boundary that you guard and then you see that very closely today. And with cloud sort of coming in and the various digital technologies being put together. The other thing that you see is specification has also opened up another layer of finding through the enterprise, expanding itself beyond the perimeter that was always guarded by the security professionals, by the teams that are almost looking at 24/7 at your perimeter and trying to understand how do I secure this? And with cloud and digital transformation that is sort of kicking in and saying, hey, how do I do the best in that space? Can I outsource some of my work that has been probably monotonous or regular or not so core to my industry, maybe a workday or stuff that’s out there and you sort of expand beyond the horizon of your perimeter, and then you invite probably in a secure way that you believe? You use this technology probably for various reasons, CapEx or the core is not what you want today and then you’re expanding. All of this and with data that was there in your data centers, now you have to figure out how to secure and still be compliant and can I govern it very well? And these apps, mind you, have been designed for their data centers. Probably they are not at that point in time, maybe the way security conscious we have been Today, probably they were not at that point in time when they were designing. Maybe the data is not encrypted at rest or in transit. These are some blind spots that we might hit. So it’s great. There is a definite leverage of the cloud. There is scalability, the possibility of you acquiring capacity and scale, and efficiencies for sure. But I think it also leaves a lot of thinking to happen, especially in the security for regulated industries, if you will. I think there is this constant challenge of making sure we are right. And I think Michael brought about a good aspect as well. When we talk about the change that is happening, customer experience that leads to a cultural shift, and we want to adopt new technologies that will give you the scale, and speed that we are talking about, means also that we have to understand what we are responsible for, right? I owned everything. Tomorrow when it transitions, probably what we call a shared responsibility model, we have to figure out where the cloud providers end and where is as a bank or a BFSI provider where it starts. This whole thing is a learning curve that every one of these enterprises has to go through. There is a good amount of knowledge available to tap into in the form of experience. Folks like Michael and others to look at how we would do this. At Cigniti, we have a methodology that will help us sort of demystify this journey understand what the nuances are, and practice it in a way that you would be able to de-risk yourself or take cognizant of the fact that security is thought through and eventually, make sure that you’re able to deliver or counter some of these challenges by gaining maybe greater visibility, use products that will help you to encrypt data while it’s moving, while at rest, and so on. Understand all of these nuances, and then eventually help deliver better software so that you’re able to sort of leverage the cloud and not lose off from some of the small providers that are fintech providers that are more nimble and agile, which will eventually come and play. So my take would be, yes, there are challenges, but there are solutions as well that people have practiced which can be a starting point and then contextualize them for your clients as well, so that you’re able to sort of reap from some of the best practices that are out there.

Sairam: Awesome. Thank you. It’s been quite an in-depth explanation, and I’ll bring Michael back now. So Michael, as a result of rapid and varied cloud adoption, I’m sure there are a lot of security pitfalls that the banking and fintech readers are likely to fall for, and they just don’t know it yet. That’s a very scary situation to be in. With your experience, could you throw some light on what is that you have been seeing in such a scenario?

Michael: Yeah. It’s a big problem in all industries, but sort of relevant to banking and financial services. I think with the increase in rapid cloud adoption there is that heightened risk and opportunity to make a mistake and accidentally mess up because there’s the constant pressure to move fast and deliver, but that doesn’t always put security at the top of mind and some of these challenges could lead to data breaches. So obviously banks and a lot of financial services companies have tons of consumer data and the bad guys out there, the malicious threat actors, they’re out there trying to get this data. One simple misconfiguration in the cloud I’ll give a very simple example. It could be storage buckets or a database. Maybe you accidentally left a storage bucket public when you deployed a certain piece of infrastructure. Maybe you didn’t have checks and balances within your CI CD pipeline, and that allowed you to deploy a misconfigured security bucket when you’re doing that at scale, when you have thousands of buckets, it’s hard to keep track of that unless you have the correct technologies and guardrails in place. Data breaches are a big sort of security risk, misconfigurations of cloud infrastructure, and inadequate compliance, I think there’s a lot of due diligence and due care that security leaders need to be mindful of when adopting the cloud because there’s a misconception that if you deploy infrastructure into the cloud, you’re automatically secure by default. Well, that’s true to a certain extent. There are various settings and configuration opportunities for you to really embed security into that product and even take it a step further, and I don’t want to get ahead of myself. But the topic of DevSecOps, how do you embed security into that deployment lifecycle of resources? Are you running security checks at the pipeline level prior to the actual provisioning of infrastructure? I think as IT leaders, we need to do our best to try and get ahead of these threats. There’s the buzzword of shift left. Fundamentally, we need to be proactive in addressing these issues to ensure that our data is secure and integral when meeting these compliance frameworks. And we’re not even allowing the opportunity for security risk to be introduced.

Sairam: Got it. Just to extend that thought process. Gartner’s recent hype cycle, Michael, referred to DevSecOps as transformational and leading enterprises. I’m sure both of you have been seeing that they’ve been leveraging DevSecOps to mitigate the security risks, while software leads to digital transformation. As a technology leader in banking, how have you seen DevSecOps emerge as a game changer in the industry?

Michael: Yeah. I’m a big advocate for DevSecOps. I think it’s definitely a game-changer. And I consider it more of like a methodology in a way of doing things. I think an approach that combines development security and operations is the best way forward. When teams are sort of developing strategies to deploy software or employ whatever sort of forward-thinking technology or whatever the organization offers by safeguarding their operations, and I guess kind of putting like a safety blanket over the development that builds trust and builds an environment that’s forever dynamic, but with security embedded. We want to enable our engineers and developers to do what they do best, right? They develop software and they make good products. But what was happening in the security industry is that we do not have the checks and balances in place to validate that whatever product was delivered is secure up to your standards. I think when we talk about bulletproofing, banking, and bulletproofing the financial services and industry with cloud and DevSecOps, it’s really about transforming, but I guess enhancing that methodology to ensure that we’re mitigating security risk and we are accelerating the digital transformation. I think there’s always friction with security and development because security professionals are often the ones telling people, you can’t do this, or No, you can’t do that, or Hey, your code has bugs, your code has software in front of abilities. But when we start to work hand in hand with them and foster a culture that is embedding security continuously, it becomes less of a friction point and more of a collaboration and I think as companies and enterprises start to adopt DevSecOps, a lot more customers will be happier because they’ll get the product a lot faster. Compliance will be happy because we’re building security into the product, and then the engineers will be happy because security is not constantly banging on their doors telling them to go fix something. It’s a multitude of things, but the way you phrase it, I think it’s transformative and it’s a methodology that I think will be around for a long time, and it will continue to get more ingrained into our processes.

Sairam: Yeah. I’m sure, DevSecOps is here to stay. There’s no question about it. Also, like the thing that you said, there is always friction with security and security professionals. That’s a good one. It’s for the good of an enterprise to have that friction. Now moving on to a practitioner’s perspective. Rajesh, you have been at the cusp of working with a tremendous amount of technology leaders in the industry. I know these are some seriously large enterprises. Can you reveal your client’s reasons or some of those motivations for them looking to do DevSecOps, particularly to overcome challenges in cloud adoption and beyond?

Rajesh: Yeah, absolutely. I will sort of rephrase or reuse some of the thoughts that Michael did speak about. If you look at a bank probably the first thing that they want to be seen as trustworthy which is probably what think security eventually helps them. If I’m a consumer of a bank, I would say, yeah, I really put the money in the bank because I trust them. That also signifies what they stand as brands and there is a challenge or if there is a reason for not being trustworthy, if you will. That’s a big issue with the bank or anyone in the financial services for that matter. So I think one of the reasons why banks or any other specific industry is consumer-oriented in some segments for sure. I think trust is a major thing and the other reason I have seen is if you are able to communicate along with your brand that they are here to take care by giving insight into what they do in terms of quality. Because software is pervasive, they do their best to get a product in their hands, that they will be able to utilize today. Mobile banking or a digital bank is so pervasive. So I think the second thing is how can they give confidence? Today’s stakeholders as well as the customers that eventually want to use these products and services have a robust process where they are diligent enough to ensure that they are in safe bit and hands and the third one, probably because of the way the industry is regulated and the BFS is also about complying to some of the standards, the regulatory bodies, giving them the confidence overall and saying, yeah, we comply to some of these. We are able to ensure that we follow the best standards, making sure your data is safe or you’re able to give the authorities or the government or whoever wants to look at it, the industry body, the data that shows that this is what we do as process and we collect data and so on. I think if you want to unpack and look at probably two centuries ago when there were no banks we were if I was an individual, probably put in my safe locker, put it in an accessible way, some passwords, some tricks to just safeguard. Now, think that’s outsourced to a bank if you will. And that is also getting digitally enabled. Even if it’s 200 years ago. The same sort of confidence, trust, and compliance matter, even if the bank is more software enabled or is always accessible on mobile and so on, you need to get the trust sort of established for you to make things happen and think whichever approaches you take. DevSecOps gives you that flexibility to not only give trust, confidence, and compliance, meet your compliance requirements, but make your business also happy by balancing speed and ability to deliver software in the way that you want to go after building trust. So I think primarily if I have to say three words trust, confidence, and compliance would be primary goals for this specific side of the House in terms of how we see this as a goal for adoption.

Sairam: Very aptly explained. Rajesh. Thanks for that. Maybe, Michael, just to bring you back. The undeniable merits of DevSecOps, are something that none of us have any doubts about. However, a key challenge in its adoption is to have security complement the existing business processes, the culture in place, and the people alongside the cloud technology. Can you share some insights on how this challenge is observed and how it is to be overcome?

Michael: Yeah. That’s a great question. And it’s not easy. I always say Rome wasn’t built in a day. And don’t try to boil the ocean. I think DevSecOps is something that it’s going to have to be a continuous thing. It’s not just like a one-time, one-shoe-fits-all approach. In every industry and every organization, DevSecOps will look a little bit different. I think having DevSecOps is not just some sort of technology solution, but a philosophy, a culture, as a driving force behind, ensuring the safety and resilience of banking and financial services and data within the cloud. I think the hardest part is aligning security with the existing processes. If you were a company that had never done DevSecOps before and tomorrow I say you’ve got to start doing DevSecOps. Where would you start? I think having conversations about what is our existing footprint. Where does the biggest risk lay and who are the people that I need to talk to and get embedded with? And that’s where it gets into culture and people. There are always people who say the technology, the people in the process. I think DevSecOps is a multitude of all three of those things. And so the alignment across the organization is what really becomes difficult. I think to sort of overcome some of these challenges. I think it’s always good to have a top-down approach. I think when you hire leaders who are technology-driven and process-oriented and can preach that security is everyone’s responsibility. I think that helps provide employees and technical leaders with the confidence to take ownership of security. And so that’s always a great way to observe some sort of cultural shift, allowing security to be at the forefront. On top of just the cultural change and the leadership, I think training and collaboration is key. Breaking down silos within organizations is highly beneficial when companies are not only leveraging cloud but just leveraging DevSecOps because when you break down those silos and increase visibility across teams, you’re not able to put more heads together to solve a problem. And there’s no closed loop. You want to have an open loop, you want to have an open feedback loop. So teams are aware of what’s going on. And teams can sort of collaborate between development security and operations. I know that’s a long-winded answer, but I think there’s no one-size-fits-all approach just because these challenges do look different for every sort of organization and industry. But I think at the fundamental level, it starts with culture, it starts with people, it starts with process. And then over time, that sort of bleed into the technology stacks and the type of engineering and automation that you do from a DevSecOps perspective.

Sairam: So pretty relevant. You hit the nail on the head actually, and that was quite detailed as well. Getting back to Rajesh. Rajesh, while it is commonly understood that security is, highly imperative in this industry, can you share some real instances of how DevSecOps is proven, and its ability in production to help companies achieve optimal compliance and assured digital outcomes?

Rajesh: Yeah. I think like you said, everyone understands the importance of being secure, and trustworthy. I think the challenge that we always face is it’s not that whether it’s optional or not. But the challenge is to say, how do we do this so that it suits that I’m able to get to the right digital outcomes while still meeting all the trust, confidence compliance, and so on. A decade ago, it was slightly harder. But last five or six years the data shows that. And when I see a lot of resistance coming from either the DevOps team collaborating with the security team or the security team collaborating with the DevOps teams, my ice-breaking question would be, would the security team need the DevOps team? Or does the DevOps team need the security side of the house? And if you start with the security side of the house, so typically you what you see as data today size, there are zero-day attacks that have been happening or zero-day vulnerabilities that are happening or are all on the rise. The other aspect, which is interesting enough for all our application developers and operations folks, is that supply chain software attacks have also been on the rise. It’s at the highest. We have not concluded completely 2023. We had some 80 such vulnerabilities being pointed out, which means that the famous log port issue that we have got is correct. If you had a DevOps process that is fast, and automated, what would that benefit? The security side of the team is you had the change to be incorporated there faster. They’re easy to deploy. They’re able to automate all of this. This means that the security side of the house that is worried about being open to the public or being constantly attacked because of these vulnerabilities, which are zero days is can we can push software much faster like any other feature. So they benefit really from DevOps. And if you see the other side, why do we need DevOps? I think we spoke about the challenges. Of course, they want to go fast, but then if you don’t build trust and confidence and you’re not compliant, you will have people coming at you. This proves the fact that while we understand security is imperative, digital outcomes are important. We shouldn’t slow down but still be secure. I think we have enough data today for all of us to appreciate that we have to find a way to collaborate. We have to figure out as a team, DevOps, and security to collaborate and figure out what the best optimum speed at a secure sort of configured posture for the organization would be. And I think people are trying to figure it out. I hear Michael talk about DevSecOps typically being articulated as an approach, as a thinking and culture shift. But eventually, I think every one of us would appreciate that the mature guys would eventually take this to a methodology level so that they can really prescribe and then take steps and processes and procedures, automate, put a platform in place that can help them achieve the optimum speed, as well as be more trust or build that confidence for the overall digital outcomes that you are looking for. So yeah, I think that’s how I would see it. So each of us needs the other by way of how we are safe, and secure at the right speed.

Sairam: Understood. Very relevant. We were coming towards the end of what has been an interesting conversation, but I would like to have some comments from Michael. The reader is looking to delve into DevSecOps or achieve a higher level of DevSecOps maturity. What is the learning curve of DevSecOps look like, especially in the banking and financial services industry?

Michael: Yeah, I think I kind of hinted that at the beginning. The way of banking is changing. Banks are positioning themselves now as, as technology companies. First, we’re pushing app development. We’re pushing software. And so I think with this adoption there is a learning curve. But it requires a lot of mind, a mindset, and a mind shift. It requires a lot of upskilling. The traditional ways of operation and engineering with banks are starting to change, as we speak, I think a lot of banks are pushing more agile methodologies or more product-focused teams and security especially. There’s a lot of upskilling that’s required. I’d say security practice, just, security professionals and engineering automation is something that’s going to require a lot of training, whether that’s in programming development, software engineering, or even low-code no-code tools. That stuff needs to be brought in. To help with that adoption and sort of ease that learning curve, and the maturity journey, just it’s an iterative process. And those improvements will come over time. Those cultural adjustments will create an environment to be able to foster a secure and efficient development pipeline. But to just summarize, I think it requires a lot of upskilling and security, automation, and then continuous monitoring and sort of that continuous Cicd, I think once companies get a good grasp on those three and four things that they’re headed in the right direction, for sure.

Sairam: That’s like a very in-depth explanation. I would say towards the end of it, I probably want to arrive at three conclusions that I heard from each of you. One, obviously DevSecOps is here to stay. And then there is this imminent need to leverage the cloud without compromising what Rajesh said. The compliance and the characteristic of a regulated, enterprise like financial services, and most importantly, the everlasting friction that you spoke about in terms of bringing in security as a culture. I think that brings us to a very interesting juncture where I believe that bulletproofing a fintech enterprise or anything that is regulated, for that matter, a large business, DevSecOps, has to be indulged as a proficient practice that can accelerate the assessment and the ability to look at security right at the beginning of the lifecycle and move to the extremity when the things go to production. It has been an insightful conversation, and I’m sure in the middle you need skilled people, you need platforms. So you need a whole bunch of investments and leadership commitment. But one word if I have to tell from what I’ve heard, it is here to stay. Trust me, it has been a really good conversation, and it has been a privilege for me to host both of you, I’m sure the audience would find it absolutely useful. More so, as we get to share this recording with the audience, we will come back with any questions, comments, and feedback that we could go back with and hopefully very soon we will put this on the website and the social media, and request all our audience to keep writing to us on interesting topics that they think the Digital Dialogues podcast series can host. And I’m sure we’re going to bring in more editions once again thanking both Michael and Rajesh on behalf of Cigniti. This is Sai signing off and everyone has a good day ahead. Thank you.