SlideShare une entreprise Scribd logo

DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments

Cognizant
Cognizant

As IT organizations push forward with DevOps tools that automate application development and maintenance processes, they can lose sight of the key “who, what, where and when” variables that surround software releases, thus elevating the possibility of noncompliance with a host of regulatory mandates. By embracing blockchain, they can create a tamper-proof way of ensuring regulatory compliance while extending their embrace of IT service automation.

1  sur  12
Télécharger pour lire hors ligne
Digital Systems & Technology DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments As IT organizations push forward with DevOps tools that automate application development and maintenance processes, they can lose sight of the key “who, what, where and when” variables that surround software releases, thus elevating the possibility of noncompliance with a host of regulatory mandates. By embracing blockchain, they can create a tamperproof way of ensuring regulatory compliance while extending their embrace of IT service automation. Executive Summary As digital overturns the value propositions of business models across the globe, enterprises need to stay one step ahead of technology’s unrelenting progress to remain relevant. Businesses rely on enterprise IT to run business better, and IT teams across the world are embracing DevOps1 to automate and accelerate application delivery and support. The global DevOps platform market is expected to grow at a CAGR of 22.5%, reaching a total value of approximately $12.9 billion by 2024, according to researcher Ameri Research.2 Regulated industries such as banking and financial services, as well as healthcare and life sciences, account for more than 50% of the projected DevOps market. These industries have Cognizant 20-20 Insights June 2019
significant regulatory compliance challenges as their applications must meet mandates such as HIPAA,3 Sarbanes Oxley (SOX),4 GAMP 55 and numerous mandates laid out by the U.S. Federal Drug Administration (FDA).6 Based on our estimates, the demand for DevOps in regulated industries is expected to accelerate the CAGR projection cited above. The aforementioned regulatory bodies mandate a stringent process for business processes including application delivery and support. Process compliance is validated by a series of audits that verify the level of compliance measured via tracing of the quality standards adopted by regulated companies. In our view, the traceability of a software release (the who/what/when concerning changes made) will no longer be present — or obvious — when IT organizations use the automated constructs enabled by DevOps. This could lead to noncompliance. As a result, many enterprises are grappling with the paradox of DevOps automation versus increased government scrutiny; eventually, they need to consider a Faustian bargain of trading off speed for statutory compliance. Emerging technologies such as blockchain — which entails both distributed ledger and strong cryptography — offer competitive solutions for diverse business challenges that involve numerous stakeholders. This white paper presents a solution that uses blockchain technology to solve regulatory challenges in DevOps adoption. The solution is available as a feature in our product Cognizant OneDevOps™ Insights,7 which helps organizations measure progress in software delivery through dashboards and metrics. Cognizant 20-20 Insights 2  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments
Cognizant 20-20 Insights Regulatory impediments for DevOps adoption As IT organizations adopt DevOps, friction often emerges between IT and the audit department. The cost of auditing increases as the software development lifecycle (SDLC) progresses, because noncompliance identified at later phases of SDLC will result in significant rework, and often significant penalties, for the offending company. Hence, it is vital that appropriate controls are in place during every phase of the SDLC and that auditability is reported in a tamperproof way. DevOps processes challenge the traditional way of thinking about audit, controls, security and risk. IT and audit should be able to find cooperative ways of working so financial processes and controls are in alignment with IT’s efforts to accelerate product rollouts using DevOps principles. The conventional approach requires auditors to review enterprise IT systems and report business risks (BR) associated with automated processes (or DevOps). Business or IT then comes up with an appropriate control strategy (CS) to mitigate the risk and provides evidence of how effectively the control strategy is being followed or adopted. Figure 1 portrays several BR instances identified by an auditor and the appropriate CS and process evidence.8 3  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Fitting risk with controls Figure 1 Business Risk Control Strategy Process Evidence ❙❙ An internal actor abuses privileges (provided or developed) to commit fraud to the organization and/or its customers. ❙❙ All code is validated through defined controls prior to production deployment to prevent developers from inserting “back doors” or vulnerabilities into production. ❙❙ Static code analysis based on a well-defined coding standard. ❙❙ Change history for the coding standards document (for at least the last five changes). ❙❙ Build statistics for last six months showing details of broken builds due to static code analysis violations. ❙❙ Code is deployed into production that causes an outage, service impairment or data errors. ❙❙ All code is validated prior to production deployment to ensure the service runs correctly in production and interruptions can be fixed quickly. ❙❙ Comprehensive quality management process that clearly defines test cases. ❙❙ Change history for at least the last five changes made to the test cases. ❙❙ Test report statistics for the last six months showing the details of the test executions. ❙❙ An external actor gains unauthorized access to production or preproduction environments (e.g., database, OS, networking) and installs malicious code or changes/ steals data. ❙❙ Unauthorized access is prevented, detected and corrected through the regular review of access credentials and system configurations based on the published SLA for each element of the environment. ❙❙ Well-defined role-based access system implemented across all the stages of software development. ❙❙ Clear event and access logs for access controls for all tools and higher environments.
Cognizant 20-20 Insights Regulatory Compliance’s Toll on App Dev Audits play a vital role in certifying enterprises are ready for business. Specific statutory bodies regulate each industry — for instance, fintech needs to comply with SOX, whereas healthcare needs to abide by HIPAA9 and GAMP 5.The compliances are structural, and not prescriptive, in nature. For instance, GAMP 5 mandates regular quality checks during application development which may include engineering practices like test-driven development (TDD),10 peer reviews and a comprehensive quality management system; however, it does not define the intrinsic details of activities and validations. Each enterprise has the flexibility to define its software development and support processes that broadly comply with the respective guidelines while adherence is reviewed in an audit. The following are the three broad categories of information reviewed during an audit: ❙❙ Segregation of duties: An audit trail of the system of records that holds complete information of the role-based access control system so one person alone cannot make changes to software in production. ❙❙ Traceability: An audit trail of the system of records that traces an artifact across the software delivery pipeline. For instance, the end-to-end traceability of user stories, commits, build numbers, etc. through production deployments. ❙❙ Chain of custody: An audit trail of the system of records that holds complete information of the state and ownership of the software asset across the software delivery pipeline. For instance, who were the developers and approvers associated with the changes across the development phases of the software? 4  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Quick Take
1. AUTOMATION Exists only for lower environments Lack of traceability 2. PROCESS Well-defined; however, manual Checklist- based 3. DATA Scattered evidences Manual collation 4. CULTURE Show and tell Often reactive Cognizant 20-20 Insights Blockchain as an application delivery backbone Application delivery in regulated industries must comply with a host of compliance guidelines, which makes enterprise automation and DevOps transformation extremely challenging. A solution that enables organizations to run DevOps automation alongside existing controls on the software delivery process and provides enough evidence of traceability, segregation of duties, and chain of custody in a clear and tamper-resistant way is the need of the hour. A blockchain primer Blockchain technology is piloted across enterprises to solve issues with trust, security, immutability and traceability across all the parties involved in a business transaction. Blockchain’s technology infrastructure allows multiple stakeholders to share a common truth in an immutable and decentralized manner via a distributed ledger. The issues of trust, security, immutability and traceability are addressed by blockchain components such as smart contracts, digital signatures and cryptography. 5  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Top-four regulatory compliance pain points during an audit All the below areas and pain points hamper DevOps automation and make audits both time-consuming and process-heavy. Source: Cognizant Figure 2 An internal survey conducted across our regulated projects show the impact of audits (internal as well as external) on application delivery. The top four areas and their pain points are depicted in Figure 2.
Cognizant 20-20 Insights The transfer of an asset from one stage of the SDLC to another is recorded within the blockchain infrastructure. For instance, all the events and states of a software asset (i.e., user story or requirement, code commits, build versions, packages, deployments, tests and defects) are linked to each other and stored inside the blockchain infrastructure. The details for each of the transactions — including the person who made the change, the exact time stamp and the associated metadata — are also archived in a tamperproof fashion. This information serves as the source of truth for auditors for reviewing the process associated with software development. All the associated transactions are recorded within blockchain infrastructure for the respective phase of software development. A blockchain-based enterprise DevOps solution can both accelerate application delivery and comply with regulatory requirements, where the risk-based controls and processes are clearly enforced and recorded in a private permissioned blockchain network such as Hyperledger Fabric.11 Our solution is built around a private permissioned distributed ledger such as Hyperledger Fabric that serves as the backbone of the enterprise DevOps ecosystem — typically, an integrated system of SDLC and information technology service Blockchain’s evolution into DevOps Figure 3 6  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Traditional DevOps (Before State) Blockchain Based DevOps (After State) JENKINS BUILDS GIT CODE GIT CODE HP ALM DEFECTS JIRA USER STORY SDLC information present within the boundaries of various DevOps tools resulting in isolated automation and lack of transparency SDLC information from DevOps tools recorded within blockchain in a tamperproof way for use in audit and compliance ASSET SMART CONTRACT CONSENSUS JENKINS BUILDS JIRA USER STORY HP ALM DEFECTS BLOCKCHAIN
Cognizant 20-20 Insights management (ITSM) tools (see Figure 4). The DevOps implementation would typically comprise subsystems of continuous integration, continuous delivery, release management and environment management. Each subsystem may have manual or automated processes for validating application quality such as static code analysis, unit testing, code coverage, regression testing, etc. In a typical DevOps implementation, each of the SDLC and ITSM tools are integrated with each other such that the construct of a delivery pipeline allows seamless movement of code across the build, deploy, test and release stages of the application lifecycle. The blockchain implementation for a DevOps ecosystem will comprise the following components: Business Requirement User Story/ Feature Code Commits Continuous Integration Deployment Testing Release Change Management Operations Agents 1. Segregation of duties 2. Chain of custody 3. Traceability Regulatory AuditorBlockchain Technology BLUEPRINT JIRA GIT JENKINS CHEF SE PLUTORA SERVICE NOW DYNATRACE Figure 4 How DevOps capabilities are extended via blockchain DevOps application delivery pipeline 7  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Our solution is built around a private permissioned distributed ledger such as Hyperledger Fabric that serves as the backbone of the enterprise DevOps ecosystem — typically, an integrated system of SDLC and information technology service management tools.
❙❙ Agents: Data collectors that focus on assembling data for specific events from respective SDLC tools. All information about a change in state of an asset inside a tool will be queried by the agents and will be sent to the blockchain for validation and archiving. For instance, agents that work with application lifecycle management (ALM) and source code management (SCM) tools collect metadata for stories and commits for state changes. ❙❙ Event handler: The data from the agents is parsed and processed prior to being archived on the blockchain. The event handler invokes an appropriate smart contract based on the data collected by the agent. For instance, data from ALM and SCM tools is parsed; the event handler then invokes the respective smart contracts to record the information to the blockchain infrastructure. ❙❙ Smart contracts: Definitions of the policies and processes that require adherence for a specific regulatory guideline are codified inside smart contracts. These constitute the decentralized business logic that validates and archives the data within the blockchain infrastructure ❙❙ Query component: This is the subsystem that focuses on querying information from the blockchain. It takes input such as asset details (e.g., user story identifier, code commit number, etc.), queries the blockchain and returns all the transactions associated with details such as who, what, when and how. The information retrieved is presented in the user interface where auditors and regulatory authorities can review adherence. ❙❙ Auditor view: The regulatory authorities will have a view of the following: >> Segregation of duties: This means a clear view of the personas who made changes. For instance, implementation of role-based access control across the SDLC and ITSM to prevent one person from making changes to systems in production. >> Traceability: The ability to look at the software asset’s trace events associated with any particular change request or change of state. >> Chain of custody: The ability to look at detailed drill-down information on each state or phase of the software asset shown inside the traceability function that addresses the questions what, when and how. ❙❙ DevOps ecosystem: This refers to the SDLC and ITSM tool chains that are integrated to facilitate the automated code movement and deployment across various environments. 8  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Cognizant 20-20 Insights
Blockchain-enabled DevOps transformation Accelerated DevOps A DevOps implementation backed by blockchain technology can serve as a backbone for enterprise IT, which can release an application to production faster, resolve issues quicker and improve the user experience without compromising on quality and auditability. Based on our assessment for a large banking customer, where DevOps practices were not applied for preproduction and production due to stronger regulatory compliance requirements and audits, for a product release that takes 90 days, 50% of the time was spent on manual release activities and record-keeping. This includes time spent on environments, deployments and approvals. A solution such as blockchain-based DevOps can bring down the release timelines by 70%, while more effectively enabling regulatory compliance. Transparency & traceability All the events associated with an artifact (e.g., a requirement, user story or defect) in application delivery are recorded as they occurred within blockchain infrastructure as a transparent and tamperproof system of records. The system of records will serve as a complete audit trail associated with the artifact along with its digital imprints ensuring compliance. Cultural shift: A departure from sample-based audits The ability to record the transfer of a software asset inside blockchain from one stage of development to another allows real-time, comprehensive audits without sampling. Due to the practical complexities in accessing, analyzing and reviewing data along with evidence, auditors restrict reviews of sampled data sets and specific periods. With this feature, the following results can be expected: 9  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Cognizant 20-20 Insights Based on our assessment for a large banking customer, where DevOps practices were not applied for preproduction and production due to stronger regulatory compliance requirements and audits, for a product release that takes 90 days, 50% of the time was spent on manual release activities and record-keeping. This includes time spent on environments, deployments and approvals. A solution such as blockchain-based DevOps can bring down the release timelines by 70%, while more effectively enabling regulatory compliance.
❙❙ Audit preparation time will be reduced by one- third due to all the information being recorded as an immutable source within blockchain. ❙❙ The number of stakeholders involved in the audit process will be reduced due to automation. ❙❙ Automation will reduce manual error and the audit trail recorded inside the blockchain, which further improves the transparency of the audit process. Looking forward Blockchain technology opens up a new model of operating DevOps by defining compliance as code. The entire application delivery lifecycle could be codified as smart contracts through various DevOps tools such as Git, Jenkins, Jira and HP ALM. Smart contracts would validate the entry and exit points of the various stages of the application delivery pipeline, shifting IT away from proprietary checks inside specific tools. Since the quality gates and validations are abstracted away from the DevOps tools, this helps IT to accommodate process changes with greater agility and confidence. Enterprises understand that audits are a routine part of doing business, and they anticipate greater challenges in complying with regulatory standards that are updated to accommodate changing socioeconomic and geopolitical developments. Given blockchain’s growing maturity as an enterprise infrastructure, we recommend that IT leaders review their existing application delivery and DevOps processes and consider embracing distributed ledger technology to enable a more proactive and automated approach to regulatory compliance. Blockchain-technology-driven DevOps will help IT organizations to release software at the will of the business, secure in the knowledge that regulatory procedures are being met with confidence and accuracy. Blockchain technology opens up a new model of operating DevOps by defining compliance as code. The entire application delivery lifecycle could be codified as smart contracts through various DevOps tools such as Git, Jenkins, Jira and HP ALM. Smart contracts would validate the entry and exit points of the various stages of the application delivery pipeline, shifting IT away from proprietary checks inside specific tools. 10  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Cognizant 20-20 Insights
Cognizant 20-20 Insights 11  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments About the authors Karthikeyan Vedagiri Associate Director, Digital Engineering Practice, Cognizant Karthikeyan Vedagiri is an Associate Director, Projects, within Cognizant’s Digital Engineering Practice, where he focuses on the development of products and accelerators for Cognizant OneDevOps™. He has more than 15 years of experience in product engineering and quality assurance and specializes in design and architecture of test automation frameworks, deployment pipelines and DevOps platforms for emerging technologies such as cloud, container and platform as a service (PaaS). Karthikeyan has a bachelor’s degree in engineering, with specialization in electronics and communication, from Madras University, Tamil Nadu, India. He can be reached at Karthikeyan.Vedagiri@cognizant.com | www.linkedin.com/in/karthikeyan-vedagiri/. Rajkumar Chandrasekaran Chief Architect, Digital Engineering Practice, Cognizant Rajkumar Chandrasekaran is a Chief Architect within Cognizant’s Digital Engineering Practice. He has 17 years of experience in the field of large-scale application development and has played varied roles, from application architecting through reengineering of applications. Rajkumar is currently architecting Cognizant’s OneDevOps™ platform and is responsible for product development in the DevOps space. He has a bachelor’s degree in engineering, with specialization in computer science, from MS University, Tamil Nadu, India. Rajkumar can be reached at Rajkumar.Chandrasekaran@cognizant.com | www.linkedin.com/in/rajkumar-chandrasekaran-98309012/. Endnotes 1 DevOps is a software development methodology that aims to accelerate the software delivery process by means of collaboration between the development and operations teams through automation. See https://en.wikipedia.org/wiki/ DevOps. 2 DevOps Platform Market Outlook To 2024, Ameri Research, May 3, 2017, www.ameriresearch.com/devops-platform- market-outlook-2024/ 3 www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html 4 www.investopedia.com/terms/s/sarbanesoxleyact.asp 5 https://ispe.org/sites/default/files/publications/guidance-documents/ISPE-GAMP5-table-content.pdf. 6 www.fda.gov/media/73141/download 7 https://onedevops.atlassian.net/wiki/spaces/OI/overview 8 DevOps Audit Defense Toolkit is a community-built process framework for DevOps and Compliance, written by James DeLuccia, IV, Jeff Gallimore, Gene Kim, and Byron Miller. 9 www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html 10 http://agiledata.org/essays/tdd.html. 11 Hyperledger Fabric is an enterprise grade permissioned distributed ledger platform for a broad set of industry use cases; www.hyperledger.org/projects/fabric.
© Copyright 2019, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means,electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners. Codex 4008 World Headquarters 500 Frank W. Burr Blvd. Teaneck, NJ 07666 USA Phone: +1 201 801 0233 Fax: +1 201 801 0243 Toll Free: +1 888 937 3277 European Headquarters 1 Kingdom Street Paddington Central London W2 6BD England Phone: +44 (0) 20 7297 7600 Fax: +44 (0) 20 7121 0102 India Operations Headquarters #5/535 Old Mahabalipuram Road Okkiyam Pettai, Thoraipakkam Chennai, 600 096 India Phone: +91 (0) 44 4209 6000 Fax: +91 (0) 44 4209 6060 About Cognizant Digital Engineering Cognizant’s Digital Engineering team designs, engineers and delivers digital products and experiences that drive digital-first business models. It offers the most comprehensive engineering expertise and client-centric methodology for sustainable innovation. The Cognizant Digital Engineering team was named in the HFS Research Winner’s Circle in Software Product Engineering for its consulting capability, deep client relationships and strong partnership ecosystem for software product engineering. About Cognizant Cognizant (Nasdaq-100: CTSH) is one of the world’s leading professional services companies, transforming clients’ business, operating and technology models for the digital era. Our unique industry-based, consultative approach helps clients envision, build and run more innovative and efficient businesses. Headquartered in the U.S., Cognizant is ranked 193 on the Fortune 500 and is consistently listed among the most admired companies in the world. Learn how Cognizant helps clients lead with digital at www.cognizant.com or follow us @Cognizant.

Recommandé

Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous DeliveryMainstay
 
How Security Audits Improve Reliability in Kentico 12
How Security Audits Improve Reliability in Kentico 12How Security Audits Improve Reliability in Kentico 12
How Security Audits Improve Reliability in Kentico 12Ray Business Technologies
 
Techno Arms Dealers and High Frequency Traders
Techno Arms Dealers and High Frequency TradersTechno Arms Dealers and High Frequency Traders
Techno Arms Dealers and High Frequency TradersCloudCheckr
 
internal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideinternal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideSatchit Dokras
 
DevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay AgileDevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay AgileBen Saunders
 
Implementation of-logilab-sdms-in-the-biopharama-industry-for-vaccine-research
Implementation of-logilab-sdms-in-the-biopharama-industry-for-vaccine-researchImplementation of-logilab-sdms-in-the-biopharama-industry-for-vaccine-research
Implementation of-logilab-sdms-in-the-biopharama-industry-for-vaccine-researchAgaram Technologies
 
Swetana A Purohit
Swetana A PurohitSwetana A Purohit
Swetana A PurohitSwetana Purohit
 
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide! SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide! VISTA InfoSec
 

Recommandé

Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous DeliveryMainstay
 
How Security Audits Improve Reliability in Kentico 12
How Security Audits Improve Reliability in Kentico 12How Security Audits Improve Reliability in Kentico 12
How Security Audits Improve Reliability in Kentico 12Ray Business Technologies
 
Techno Arms Dealers and High Frequency Traders
Techno Arms Dealers and High Frequency TradersTechno Arms Dealers and High Frequency Traders
Techno Arms Dealers and High Frequency TradersCloudCheckr
 
internal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideinternal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideSatchit Dokras
 
DevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay AgileDevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay AgileBen Saunders
 
Implementation of-logilab-sdms-in-the-biopharama-industry-for-vaccine-research
Implementation of-logilab-sdms-in-the-biopharama-industry-for-vaccine-researchImplementation of-logilab-sdms-in-the-biopharama-industry-for-vaccine-research
Implementation of-logilab-sdms-in-the-biopharama-industry-for-vaccine-researchAgaram Technologies
 
Swetana A Purohit
Swetana A PurohitSwetana A Purohit
Swetana A PurohitSwetana Purohit
 
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide! SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide! VISTA InfoSec
 
The Digital Manufacturer
The Digital ManufacturerThe Digital Manufacturer
The Digital ManufacturerPercy-Mitchell
 
The digital-manufacturer
The digital-manufacturer The digital-manufacturer
The digital-manufacturer Percy-Mitchell
 
The digital-manufacturer
The digital-manufacturerThe digital-manufacturer
The digital-manufacturerPercy-Mitchell
 
Development to operations (dev ops) market
Development to operations (dev ops) marketDevelopment to operations (dev ops) market
Development to operations (dev ops) marketHarshalBamble
 
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceSonatype
 
Compliance at Velocity with Chef (2)
Compliance at Velocity with Chef (2)Compliance at Velocity with Chef (2)
Compliance at Velocity with Chef (2)Toby Thorslund
 
DevOps
DevOps DevOps
DevOps Hakan Yüksel
 
Whitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems IntegrationWhitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems IntegrationAudacia
 
Continuous delivery for digital transformation renu rajani v0 1
Continuous delivery for digital transformation renu rajani v0 1Continuous delivery for digital transformation renu rajani v0 1
Continuous delivery for digital transformation renu rajani v0 1Innovation Roots
 
How to add security in dataops and devops
How to add security in dataops and devopsHow to add security in dataops and devops
How to add security in dataops and devopsUlf Mattsson
 
Future Of DevOps Trends 2023
Future Of DevOps Trends 2023Future Of DevOps Trends 2023
Future Of DevOps Trends 2023WeCode Inc
 
CAST for the Architect
CAST for the ArchitectCAST for the Architect
CAST for the ArchitectCAST
 
Smart Solutions - DevOps Best Practices for Real Estate Software Development....
Smart Solutions - DevOps Best Practices for Real Estate Software Development....Smart Solutions - DevOps Best Practices for Real Estate Software Development....
Smart Solutions - DevOps Best Practices for Real Estate Software Development....SculptSoft Private Limited
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelinesamburyj3c9
 
Modernizing the Supply Chain into the 21st Century
Modernizing the Supply Chain into the 21st CenturyModernizing the Supply Chain into the 21st Century
Modernizing the Supply Chain into the 21st CenturyAnil John
 
Cobi t vs itil
Cobi t vs itilCobi t vs itil
Cobi t vs itilRodrigo Costa
 
ca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economy
ca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economyca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economy
ca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economyDoug Antaya
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxdewhirstichabod
 
How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...
How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...
How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...basilmph
 
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Cognizant
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingData Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingCognizant
 

Contenu connexe

Similaire à DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments

The Digital Manufacturer
The Digital ManufacturerThe Digital Manufacturer
The Digital ManufacturerPercy-Mitchell
 
The digital-manufacturer
The digital-manufacturer The digital-manufacturer
The digital-manufacturer Percy-Mitchell
 
The digital-manufacturer
The digital-manufacturerThe digital-manufacturer
The digital-manufacturerPercy-Mitchell
 
Development to operations (dev ops) market
Development to operations (dev ops) marketDevelopment to operations (dev ops) market
Development to operations (dev ops) marketHarshalBamble
 
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceSonatype
 
Compliance at Velocity with Chef (2)
Compliance at Velocity with Chef (2)Compliance at Velocity with Chef (2)
Compliance at Velocity with Chef (2)Toby Thorslund
 
Whitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems IntegrationWhitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems IntegrationAudacia
 
Continuous delivery for digital transformation renu rajani v0 1
Continuous delivery for digital transformation renu rajani v0 1Continuous delivery for digital transformation renu rajani v0 1
Continuous delivery for digital transformation renu rajani v0 1Innovation Roots
 
How to add security in dataops and devops
How to add security in dataops and devopsHow to add security in dataops and devops
How to add security in dataops and devopsUlf Mattsson
 
Future Of DevOps Trends 2023
Future Of DevOps Trends 2023Future Of DevOps Trends 2023
Future Of DevOps Trends 2023WeCode Inc
 
CAST for the Architect
CAST for the ArchitectCAST for the Architect
CAST for the ArchitectCAST
 
Smart Solutions - DevOps Best Practices for Real Estate Software Development....
Smart Solutions - DevOps Best Practices for Real Estate Software Development....Smart Solutions - DevOps Best Practices for Real Estate Software Development....
Smart Solutions - DevOps Best Practices for Real Estate Software Development....SculptSoft Private Limited
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelinesamburyj3c9
 
Modernizing the Supply Chain into the 21st Century
Modernizing the Supply Chain into the 21st CenturyModernizing the Supply Chain into the 21st Century
Modernizing the Supply Chain into the 21st CenturyAnil John
 
ca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economy
ca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economyca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economy
ca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economyDoug Antaya
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxdewhirstichabod
 
How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...
How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...
How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...basilmph
 

Similaire à DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments (20)

The Digital Manufacturer
The Digital ManufacturerThe Digital Manufacturer
The Digital Manufacturer
 
The digital-manufacturer
The digital-manufacturer The digital-manufacturer
The digital-manufacturer
 
The digital-manufacturer
The digital-manufacturerThe digital-manufacturer
The digital-manufacturer
 
Development to operations (dev ops) market
Development to operations (dev ops) marketDevelopment to operations (dev ops) market
Development to operations (dev ops) market
 
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
 
Compliance at Velocity with Chef (2)
Compliance at Velocity with Chef (2)Compliance at Velocity with Chef (2)
Compliance at Velocity with Chef (2)
 
DevOps
DevOps DevOps
DevOps
 
Whitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems IntegrationWhitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems Integration
 
Continuous delivery for digital transformation renu rajani v0 1
Continuous delivery for digital transformation renu rajani v0 1Continuous delivery for digital transformation renu rajani v0 1
Continuous delivery for digital transformation renu rajani v0 1
 
How to add security in dataops and devops
How to add security in dataops and devopsHow to add security in dataops and devops
How to add security in dataops and devops
 
Future Of DevOps Trends 2023
Future Of DevOps Trends 2023Future Of DevOps Trends 2023
Future Of DevOps Trends 2023
 
CAST for the Architect
CAST for the ArchitectCAST for the Architect
CAST for the Architect
 
Smart Solutions - DevOps Best Practices for Real Estate Software Development....
Smart Solutions - DevOps Best Practices for Real Estate Software Development....Smart Solutions - DevOps Best Practices for Real Estate Software Development....
Smart Solutions - DevOps Best Practices for Real Estate Software Development....
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
 
Modernizing the Supply Chain into the 21st Century
Modernizing the Supply Chain into the 21st CenturyModernizing the Supply Chain into the 21st Century
Modernizing the Supply Chain into the 21st Century
 
Cobi t vs itil
Cobi t vs itilCobi t vs itil
Cobi t vs itil
 
ca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economy
ca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economyca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economy
ca-and-microsoft-are-collaborating-to-enable-the-iot-driven-application-economy
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...
How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...
How to Secure Your Outsourced Operations: The Ultimate Guide to DevOps as a S...
 

Plus de Cognizant

Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Cognizant
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingData Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingCognizant
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesCognizant
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition EngineeredCognizant
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...Cognizant
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesCognizant
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateCognizant
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...Cognizant
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Cognizant
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Cognizant
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityCognizant
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersCognizant
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalCognizant
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueCognizant
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachCognizant
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudCognizant
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedCognizant
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the FutureCognizant
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformCognizant
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...Cognizant
 

Plus de Cognizant (20)

Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingData Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition Engineered
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for Sustainability
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for Insurers
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to Value
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First Approach
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the Cloud
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the Future
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data Platform
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
 

DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments

  • 1. Digital Systems & Technology DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments As IT organizations push forward with DevOps tools that automate application development and maintenance processes, they can lose sight of the key “who, what, where and when” variables that surround software releases, thus elevating the possibility of noncompliance with a host of regulatory mandates. By embracing blockchain, they can create a tamperproof way of ensuring regulatory compliance while extending their embrace of IT service automation. Executive Summary As digital overturns the value propositions of business models across the globe, enterprises need to stay one step ahead of technology’s unrelenting progress to remain relevant. Businesses rely on enterprise IT to run business better, and IT teams across the world are embracing DevOps1 to automate and accelerate application delivery and support. The global DevOps platform market is expected to grow at a CAGR of 22.5%, reaching a total value of approximately $12.9 billion by 2024, according to researcher Ameri Research.2 Regulated industries such as banking and financial services, as well as healthcare and life sciences, account for more than 50% of the projected DevOps market. These industries have Cognizant 20-20 Insights June 2019
  • 2. significant regulatory compliance challenges as their applications must meet mandates such as HIPAA,3 Sarbanes Oxley (SOX),4 GAMP 55 and numerous mandates laid out by the U.S. Federal Drug Administration (FDA).6 Based on our estimates, the demand for DevOps in regulated industries is expected to accelerate the CAGR projection cited above. The aforementioned regulatory bodies mandate a stringent process for business processes including application delivery and support. Process compliance is validated by a series of audits that verify the level of compliance measured via tracing of the quality standards adopted by regulated companies. In our view, the traceability of a software release (the who/what/when concerning changes made) will no longer be present — or obvious — when IT organizations use the automated constructs enabled by DevOps. This could lead to noncompliance. As a result, many enterprises are grappling with the paradox of DevOps automation versus increased government scrutiny; eventually, they need to consider a Faustian bargain of trading off speed for statutory compliance. Emerging technologies such as blockchain — which entails both distributed ledger and strong cryptography — offer competitive solutions for diverse business challenges that involve numerous stakeholders. This white paper presents a solution that uses blockchain technology to solve regulatory challenges in DevOps adoption. The solution is available as a feature in our product Cognizant OneDevOps™ Insights,7 which helps organizations measure progress in software delivery through dashboards and metrics. Cognizant 20-20 Insights 2  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments
  • 3. Cognizant 20-20 Insights Regulatory impediments for DevOps adoption As IT organizations adopt DevOps, friction often emerges between IT and the audit department. The cost of auditing increases as the software development lifecycle (SDLC) progresses, because noncompliance identified at later phases of SDLC will result in significant rework, and often significant penalties, for the offending company. Hence, it is vital that appropriate controls are in place during every phase of the SDLC and that auditability is reported in a tamperproof way. DevOps processes challenge the traditional way of thinking about audit, controls, security and risk. IT and audit should be able to find cooperative ways of working so financial processes and controls are in alignment with IT’s efforts to accelerate product rollouts using DevOps principles. The conventional approach requires auditors to review enterprise IT systems and report business risks (BR) associated with automated processes (or DevOps). Business or IT then comes up with an appropriate control strategy (CS) to mitigate the risk and provides evidence of how effectively the control strategy is being followed or adopted. Figure 1 portrays several BR instances identified by an auditor and the appropriate CS and process evidence.8 3  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Fitting risk with controls Figure 1 Business Risk Control Strategy Process Evidence ❙❙ An internal actor abuses privileges (provided or developed) to commit fraud to the organization and/or its customers. ❙❙ All code is validated through defined controls prior to production deployment to prevent developers from inserting “back doors” or vulnerabilities into production. ❙❙ Static code analysis based on a well-defined coding standard. ❙❙ Change history for the coding standards document (for at least the last five changes). ❙❙ Build statistics for last six months showing details of broken builds due to static code analysis violations. ❙❙ Code is deployed into production that causes an outage, service impairment or data errors. ❙❙ All code is validated prior to production deployment to ensure the service runs correctly in production and interruptions can be fixed quickly. ❙❙ Comprehensive quality management process that clearly defines test cases. ❙❙ Change history for at least the last five changes made to the test cases. ❙❙ Test report statistics for the last six months showing the details of the test executions. ❙❙ An external actor gains unauthorized access to production or preproduction environments (e.g., database, OS, networking) and installs malicious code or changes/ steals data. ❙❙ Unauthorized access is prevented, detected and corrected through the regular review of access credentials and system configurations based on the published SLA for each element of the environment. ❙❙ Well-defined role-based access system implemented across all the stages of software development. ❙❙ Clear event and access logs for access controls for all tools and higher environments.
  • 4. Cognizant 20-20 Insights Regulatory Compliance’s Toll on App Dev Audits play a vital role in certifying enterprises are ready for business. Specific statutory bodies regulate each industry — for instance, fintech needs to comply with SOX, whereas healthcare needs to abide by HIPAA9 and GAMP 5.The compliances are structural, and not prescriptive, in nature. For instance, GAMP 5 mandates regular quality checks during application development which may include engineering practices like test-driven development (TDD),10 peer reviews and a comprehensive quality management system; however, it does not define the intrinsic details of activities and validations. Each enterprise has the flexibility to define its software development and support processes that broadly comply with the respective guidelines while adherence is reviewed in an audit. The following are the three broad categories of information reviewed during an audit: ❙❙ Segregation of duties: An audit trail of the system of records that holds complete information of the role-based access control system so one person alone cannot make changes to software in production. ❙❙ Traceability: An audit trail of the system of records that traces an artifact across the software delivery pipeline. For instance, the end-to-end traceability of user stories, commits, build numbers, etc. through production deployments. ❙❙ Chain of custody: An audit trail of the system of records that holds complete information of the state and ownership of the software asset across the software delivery pipeline. For instance, who were the developers and approvers associated with the changes across the development phases of the software? 4  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Quick Take
  • 5. 1. AUTOMATION Exists only for lower environments Lack of traceability 2. PROCESS Well-defined; however, manual Checklist- based 3. DATA Scattered evidences Manual collation 4. CULTURE Show and tell Often reactive Cognizant 20-20 Insights Blockchain as an application delivery backbone Application delivery in regulated industries must comply with a host of compliance guidelines, which makes enterprise automation and DevOps transformation extremely challenging. A solution that enables organizations to run DevOps automation alongside existing controls on the software delivery process and provides enough evidence of traceability, segregation of duties, and chain of custody in a clear and tamper-resistant way is the need of the hour. A blockchain primer Blockchain technology is piloted across enterprises to solve issues with trust, security, immutability and traceability across all the parties involved in a business transaction. Blockchain’s technology infrastructure allows multiple stakeholders to share a common truth in an immutable and decentralized manner via a distributed ledger. The issues of trust, security, immutability and traceability are addressed by blockchain components such as smart contracts, digital signatures and cryptography. 5  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Top-four regulatory compliance pain points during an audit All the below areas and pain points hamper DevOps automation and make audits both time-consuming and process-heavy. Source: Cognizant Figure 2 An internal survey conducted across our regulated projects show the impact of audits (internal as well as external) on application delivery. The top four areas and their pain points are depicted in Figure 2.
  • 6. Cognizant 20-20 Insights The transfer of an asset from one stage of the SDLC to another is recorded within the blockchain infrastructure. For instance, all the events and states of a software asset (i.e., user story or requirement, code commits, build versions, packages, deployments, tests and defects) are linked to each other and stored inside the blockchain infrastructure. The details for each of the transactions — including the person who made the change, the exact time stamp and the associated metadata — are also archived in a tamperproof fashion. This information serves as the source of truth for auditors for reviewing the process associated with software development. All the associated transactions are recorded within blockchain infrastructure for the respective phase of software development. A blockchain-based enterprise DevOps solution can both accelerate application delivery and comply with regulatory requirements, where the risk-based controls and processes are clearly enforced and recorded in a private permissioned blockchain network such as Hyperledger Fabric.11 Our solution is built around a private permissioned distributed ledger such as Hyperledger Fabric that serves as the backbone of the enterprise DevOps ecosystem — typically, an integrated system of SDLC and information technology service Blockchain’s evolution into DevOps Figure 3 6  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Traditional DevOps (Before State) Blockchain Based DevOps (After State) JENKINS BUILDS GIT CODE GIT CODE HP ALM DEFECTS JIRA USER STORY SDLC information present within the boundaries of various DevOps tools resulting in isolated automation and lack of transparency SDLC information from DevOps tools recorded within blockchain in a tamperproof way for use in audit and compliance ASSET SMART CONTRACT CONSENSUS JENKINS BUILDS JIRA USER STORY HP ALM DEFECTS BLOCKCHAIN
  • 7. Cognizant 20-20 Insights management (ITSM) tools (see Figure 4). The DevOps implementation would typically comprise subsystems of continuous integration, continuous delivery, release management and environment management. Each subsystem may have manual or automated processes for validating application quality such as static code analysis, unit testing, code coverage, regression testing, etc. In a typical DevOps implementation, each of the SDLC and ITSM tools are integrated with each other such that the construct of a delivery pipeline allows seamless movement of code across the build, deploy, test and release stages of the application lifecycle. The blockchain implementation for a DevOps ecosystem will comprise the following components: Business Requirement User Story/ Feature Code Commits Continuous Integration Deployment Testing Release Change Management Operations Agents 1. Segregation of duties 2. Chain of custody 3. Traceability Regulatory AuditorBlockchain Technology BLUEPRINT JIRA GIT JENKINS CHEF SE PLUTORA SERVICE NOW DYNATRACE Figure 4 How DevOps capabilities are extended via blockchain DevOps application delivery pipeline 7  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Our solution is built around a private permissioned distributed ledger such as Hyperledger Fabric that serves as the backbone of the enterprise DevOps ecosystem — typically, an integrated system of SDLC and information technology service management tools.
  • 8. ❙❙ Agents: Data collectors that focus on assembling data for specific events from respective SDLC tools. All information about a change in state of an asset inside a tool will be queried by the agents and will be sent to the blockchain for validation and archiving. For instance, agents that work with application lifecycle management (ALM) and source code management (SCM) tools collect metadata for stories and commits for state changes. ❙❙ Event handler: The data from the agents is parsed and processed prior to being archived on the blockchain. The event handler invokes an appropriate smart contract based on the data collected by the agent. For instance, data from ALM and SCM tools is parsed; the event handler then invokes the respective smart contracts to record the information to the blockchain infrastructure. ❙❙ Smart contracts: Definitions of the policies and processes that require adherence for a specific regulatory guideline are codified inside smart contracts. These constitute the decentralized business logic that validates and archives the data within the blockchain infrastructure ❙❙ Query component: This is the subsystem that focuses on querying information from the blockchain. It takes input such as asset details (e.g., user story identifier, code commit number, etc.), queries the blockchain and returns all the transactions associated with details such as who, what, when and how. The information retrieved is presented in the user interface where auditors and regulatory authorities can review adherence. ❙❙ Auditor view: The regulatory authorities will have a view of the following: >> Segregation of duties: This means a clear view of the personas who made changes. For instance, implementation of role-based access control across the SDLC and ITSM to prevent one person from making changes to systems in production. >> Traceability: The ability to look at the software asset’s trace events associated with any particular change request or change of state. >> Chain of custody: The ability to look at detailed drill-down information on each state or phase of the software asset shown inside the traceability function that addresses the questions what, when and how. ❙❙ DevOps ecosystem: This refers to the SDLC and ITSM tool chains that are integrated to facilitate the automated code movement and deployment across various environments. 8  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Cognizant 20-20 Insights
  • 9. Blockchain-enabled DevOps transformation Accelerated DevOps A DevOps implementation backed by blockchain technology can serve as a backbone for enterprise IT, which can release an application to production faster, resolve issues quicker and improve the user experience without compromising on quality and auditability. Based on our assessment for a large banking customer, where DevOps practices were not applied for preproduction and production due to stronger regulatory compliance requirements and audits, for a product release that takes 90 days, 50% of the time was spent on manual release activities and record-keeping. This includes time spent on environments, deployments and approvals. A solution such as blockchain-based DevOps can bring down the release timelines by 70%, while more effectively enabling regulatory compliance. Transparency & traceability All the events associated with an artifact (e.g., a requirement, user story or defect) in application delivery are recorded as they occurred within blockchain infrastructure as a transparent and tamperproof system of records. The system of records will serve as a complete audit trail associated with the artifact along with its digital imprints ensuring compliance. Cultural shift: A departure from sample-based audits The ability to record the transfer of a software asset inside blockchain from one stage of development to another allows real-time, comprehensive audits without sampling. Due to the practical complexities in accessing, analyzing and reviewing data along with evidence, auditors restrict reviews of sampled data sets and specific periods. With this feature, the following results can be expected: 9  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Cognizant 20-20 Insights Based on our assessment for a large banking customer, where DevOps practices were not applied for preproduction and production due to stronger regulatory compliance requirements and audits, for a product release that takes 90 days, 50% of the time was spent on manual release activities and record-keeping. This includes time spent on environments, deployments and approvals. A solution such as blockchain-based DevOps can bring down the release timelines by 70%, while more effectively enabling regulatory compliance.
  • 10. ❙❙ Audit preparation time will be reduced by one- third due to all the information being recorded as an immutable source within blockchain. ❙❙ The number of stakeholders involved in the audit process will be reduced due to automation. ❙❙ Automation will reduce manual error and the audit trail recorded inside the blockchain, which further improves the transparency of the audit process. Looking forward Blockchain technology opens up a new model of operating DevOps by defining compliance as code. The entire application delivery lifecycle could be codified as smart contracts through various DevOps tools such as Git, Jenkins, Jira and HP ALM. Smart contracts would validate the entry and exit points of the various stages of the application delivery pipeline, shifting IT away from proprietary checks inside specific tools. Since the quality gates and validations are abstracted away from the DevOps tools, this helps IT to accommodate process changes with greater agility and confidence. Enterprises understand that audits are a routine part of doing business, and they anticipate greater challenges in complying with regulatory standards that are updated to accommodate changing socioeconomic and geopolitical developments. Given blockchain’s growing maturity as an enterprise infrastructure, we recommend that IT leaders review their existing application delivery and DevOps processes and consider embracing distributed ledger technology to enable a more proactive and automated approach to regulatory compliance. Blockchain-technology-driven DevOps will help IT organizations to release software at the will of the business, secure in the knowledge that regulatory procedures are being met with confidence and accuracy. Blockchain technology opens up a new model of operating DevOps by defining compliance as code. The entire application delivery lifecycle could be codified as smart contracts through various DevOps tools such as Git, Jenkins, Jira and HP ALM. Smart contracts would validate the entry and exit points of the various stages of the application delivery pipeline, shifting IT away from proprietary checks inside specific tools. 10  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments Cognizant 20-20 Insights
  • 11. Cognizant 20-20 Insights 11  /  DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments About the authors Karthikeyan Vedagiri Associate Director, Digital Engineering Practice, Cognizant Karthikeyan Vedagiri is an Associate Director, Projects, within Cognizant’s Digital Engineering Practice, where he focuses on the development of products and accelerators for Cognizant OneDevOps™. He has more than 15 years of experience in product engineering and quality assurance and specializes in design and architecture of test automation frameworks, deployment pipelines and DevOps platforms for emerging technologies such as cloud, container and platform as a service (PaaS). Karthikeyan has a bachelor’s degree in engineering, with specialization in electronics and communication, from Madras University, Tamil Nadu, India. He can be reached at Karthikeyan.Vedagiri@cognizant.com | www.linkedin.com/in/karthikeyan-vedagiri/. Rajkumar Chandrasekaran Chief Architect, Digital Engineering Practice, Cognizant Rajkumar Chandrasekaran is a Chief Architect within Cognizant’s Digital Engineering Practice. He has 17 years of experience in the field of large-scale application development and has played varied roles, from application architecting through reengineering of applications. Rajkumar is currently architecting Cognizant’s OneDevOps™ platform and is responsible for product development in the DevOps space. He has a bachelor’s degree in engineering, with specialization in computer science, from MS University, Tamil Nadu, India. Rajkumar can be reached at Rajkumar.Chandrasekaran@cognizant.com | www.linkedin.com/in/rajkumar-chandrasekaran-98309012/. Endnotes 1 DevOps is a software development methodology that aims to accelerate the software delivery process by means of collaboration between the development and operations teams through automation. See https://en.wikipedia.org/wiki/ DevOps. 2 DevOps Platform Market Outlook To 2024, Ameri Research, May 3, 2017, www.ameriresearch.com/devops-platform- market-outlook-2024/ 3 www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html 4 www.investopedia.com/terms/s/sarbanesoxleyact.asp 5 https://ispe.org/sites/default/files/publications/guidance-documents/ISPE-GAMP5-table-content.pdf. 6 www.fda.gov/media/73141/download 7 https://onedevops.atlassian.net/wiki/spaces/OI/overview 8 DevOps Audit Defense Toolkit is a community-built process framework for DevOps and Compliance, written by James DeLuccia, IV, Jeff Gallimore, Gene Kim, and Byron Miller. 9 www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html 10 http://agiledata.org/essays/tdd.html. 11 Hyperledger Fabric is an enterprise grade permissioned distributed ledger platform for a broad set of industry use cases; www.hyperledger.org/projects/fabric.
  • 12. © Copyright 2019, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means,electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners. Codex 4008 World Headquarters 500 Frank W. Burr Blvd. Teaneck, NJ 07666 USA Phone: +1 201 801 0233 Fax: +1 201 801 0243 Toll Free: +1 888 937 3277 European Headquarters 1 Kingdom Street Paddington Central London W2 6BD England Phone: +44 (0) 20 7297 7600 Fax: +44 (0) 20 7121 0102 India Operations Headquarters #5/535 Old Mahabalipuram Road Okkiyam Pettai, Thoraipakkam Chennai, 600 096 India Phone: +91 (0) 44 4209 6000 Fax: +91 (0) 44 4209 6060 About Cognizant Digital Engineering Cognizant’s Digital Engineering team designs, engineers and delivers digital products and experiences that drive digital-first business models. It offers the most comprehensive engineering expertise and client-centric methodology for sustainable innovation. The Cognizant Digital Engineering team was named in the HFS Research Winner’s Circle in Software Product Engineering for its consulting capability, deep client relationships and strong partnership ecosystem for software product engineering. About Cognizant Cognizant (Nasdaq-100: CTSH) is one of the world’s leading professional services companies, transforming clients’ business, operating and technology models for the digital era. Our unique industry-based, consultative approach helps clients envision, build and run more innovative and efficient businesses. Headquartered in the U.S., Cognizant is ranked 193 on the Fortune 500 and is consistently listed among the most admired companies in the world. Learn how Cognizant helps clients lead with digital at www.cognizant.com or follow us @Cognizant.