How JFrog helped an international bank boost software quality, speed deployments, and meet regulatory compliance
As a multi-billion dollar financial institution in its Asia-Pacific country, this international bank has big money at stake every day. Multiple software development teams provide front-end and back-end applications for platforms that include web, mobile, and point-of-service. In this highly regulated industry, the consequences of compliance failure can range from customer restitution to multi-million dollar fines and even a loss of charter.
“We have around 3,500 active users, have accumulated over 110 TB of data, which is growing at a rate of 3 TB per month.”
The bank aimed to modernize software production across their organization through a common development pipeline of best practices for consistency, even while accommodating a diverse set of programming languages, package types, and build ecosystem tools serving nearly 5,000 programmers, testers, and operations engineers. These methods must produce reliable, secure, and compliant outcomes, while enabling multi-year traceability for forensic analysis by bank staff and state regulators.
The bank accomplished these goals through the effective management of packages, binaries, and metadata enabled by the JFrog Artifactory universal binary repository manager, and by using JFrog Xray to help assure that all deployed applications are free of known critical vulnerabilities.
“Xray is so tightly coupled with Artifactory, it’s given us the benefit of blocking a lot of the vulnerable images that are coming inside the bank.”
This modernization success would also provide the bank the opportunity to begin migrating its binary management from on-premises servers to cost-effective compute environments in the public cloud, and to move inactive data to cloud archival storage to comply with stringent data retention mandates.
Retail and commercial banking
Over 30,000 employees
Over 8 million customers
Over $600 B (U.S. equivalent) in assets under management
Ranked in the top 200 of Forbes Global 2000 World’s Largest Public Companies (2021)
Through effective management of packages and binaries, JFrog enabled the international bank to:
- Speed development by sharing packages and artifacts while reducing external network traffic
- Deliver more frequently, enabling daily deployments of applications and updates
- Accelerate cloud native development with private Docker and Helm registries
- Block applications with critical vulnerabilities from being deployed to production
- Comply with regulations for licensing, testing and data retention
- Migrate to the cloud without downtime for scalability and optimum OpEx/CapEx balance
How JFrog Enabled Success
Before the bank’s modernization effort, software development teams chose their own tool sets, resulting in a patchwork of team-specific procedures for verifying quality and delivering releases.
The bank modernized its software development processes through a single set of DevOps best practices across the entire enterprise. They sought to improve quality and keep out critical vulnerabilities while delivering software updates more frequently to a growing range of desktops and devices.
Once successfully in place, these practices produced fast-growing volumes of data that put increasing strain on aging on-premises systems. The bank needed a means to affordably archive data and migrate active operations to the cloud.
Here’s how JFrog helped the bank to succeed:
A Single Source of Truth
- “All users are mandated that they have to use Artifactory to store their binaries.”
Proxies for External Repositories
To reduce external network traffic, system administrators at the bank have established remote repositories in Artifactory to proxy all external repository resources, such as Maven Central, npm, and DockerHub. This gives teams uninterrupted local access to frequently used dependencies, even during connectivity outages, and guards against improper or malicious overwrites of those dependencies pushed into the external repositories, since the cached copy the bank builds against does not change.
- “We use remote repositories as a proxy for all external repos. We proxy for npm, Maven Central, and DockerHub.”
Promotion of Immutable Builds
Every software build at the bank must pass through three stages of evaluation, from build, to verify, and finally to release. As the build passes its tests, its immutable binary and metadata are promoted from one stage repository to the next. Only builds whose quality has been checked and promoted to the final release repository are deployed into production.
- “We have a policy of no builds or overwrites. Every time they make a change they have to push a new build.”
- “Builds promoted to verify are tested in the test environment. When they’re a hundred percent happy, then it goes to production.”
- “All deployment is done through our release repo, it’s mandatory and compulsory for all teams to do that.”
Using the JFrog Platform’s fine-grained permission control, the bank’s system administrators maintain service accounts whose access to each repository is restricted according to their role.
- “They have the permissions mainly to publish and promote and deploy and that’s all they do.”
- “Developers can push to build, and promote only to verify. Support can promote from verify to release, and can deploy only from release.”
Integrating With Build Ecosystems
The bank does not operate with a centralized build system; developer teams at the bank choose their own CI/CD tools, and run them on their own servers. Using JFrog plugins, the JFrog CLI and REST APIs, all parts of this diverse ecosystem are empowered to push resulting builds and metadata to repositories in the bank’s central Artifactory deployment.
- “Around 80-85% of our teams are using Jenkins, and each asset has their own Jenkins, Bamboo, or whatever.”
Accelerating Cloud Native Development
Artifactory’s native support for Docker and Helm helped accelerate the bank’s adoption of container-based microservices architectures. Using private Docker registries in Artifactory, the bank’s developer teams can distribute and share container images within the organization.
- “Of our 110 terabytes of data, I would say 50 terabytes would just be Docker.”
Using policies and watches in JFrog Xray, the bank scans key repositories to flag binaries whose dependencies have known vulnerabilities, and prevents them from being deployed into production systems.
- “Xray is so tightly coupled with Artifactory, it’s given us the benefit of blocking a lot of the vulnerable images that are coming inside the bank.”
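The promotion model and permission split described under Promotion of Immutable Builds, together with the vulnerability gate described in the Xray passage above, as an added Python example that is not JFrog’s or the bank’s code. The repository names, the two roles, the sample artifacts and the vulnerability findings are all constructed for illustration, and the stand-in scan result on the artifact replaces a real Xray policy evaluation; the point it shows is that a build is promoted by copying the same bytes (same digest at every stage), that nothing is ever overwritten, that each role can only move an artifact along its own allowed edge, and that a critical finding stops an artifact short of the release repository it would be deployed from.

```python
import hashlib
from dataclasses import dataclass

STAGES = ("build", "verify", "release")

# Role matrix constructed to match the policy quoted in the case study:
# developers push to build and promote only to verify; support promotes
# verify -> release and deploys only from release.
ROLES = {
    "developer": {"upload": {"build"}, "promote": {("build", "verify")}, "deploy": set()},
    "support": {"upload": set(), "promote": {("verify", "release")}, "deploy": {"release"}},
}


class PolicyViolation(Exception):
    """Raised when an action would break immutability, role or vulnerability policy."""


@dataclass(frozen=True)
class Artifact:
    path: str            # repository path, e.g. "app/1.4.2/app-1.4.2.jar"
    content: bytes
    # (component, severity) pairs standing in for a scan result; constructed, not Xray output
    vulnerabilities: tuple = ()

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

    def has_severity(self, severity: str) -> bool:
        return any(sev == severity for _, sev in self.vulnerabilities)


class Registry:
    """Three stage repositories; artifacts are write-once and move only by promotion."""

    def __init__(self) -> None:
        self.repos = {stage: {} for stage in STAGES}

    def _store(self, stage: str, artifact: Artifact) -> None:
        # "No builds or overwrites": a path, once written, is immutable in that stage.
        if artifact.path in self.repos[stage]:
            raise PolicyViolation(f"{artifact.path} already exists in {stage}; push a new build instead")
        self.repos[stage][artifact.path] = artifact

    def upload(self, role: str, stage: str, artifact: Artifact) -> str:
        if stage not in ROLES[role]["upload"]:
            raise PolicyViolation(f"{role} may not upload to {stage}")
        self._store(stage, artifact)
        return artifact.sha256

    def promote(self, role: str, src: str, dst: str, path: str) -> str:
        if (src, dst) not in ROLES[role]["promote"]:
            raise PolicyViolation(f"{role} may not promote {src} -> {dst}")
        artifact = self.repos[src].get(path)
        if artifact is None:
            raise PolicyViolation(f"{path} is not in {src}; nothing to promote")
        # Vulnerability gate: nothing with a critical finding reaches the release repo.
        if dst == "release" and artifact.has_severity("critical"):
            raise PolicyViolation(f"{path} has critical vulnerabilities; blocked from release")
        # Promotion copies the very same bytes; the digest is the evidence it was not rebuilt.
        self._store(dst, artifact)
        return artifact.sha256

    def deploy(self, role: str, stage: str, path: str) -> str:
        if stage not in ROLES[role]["deploy"]:
            raise PolicyViolation(f"{role} may not deploy from {stage}")
        artifact = self.repos[stage].get(path)
        if artifact is None:
            raise PolicyViolation(f"{path} is not in {stage}")
        return artifact.sha256

    def digest_trail(self, path: str) -> dict:
        """Stage -> digest for a path; identical values show the same bytes at every stage."""
        return {stage: repo[path].sha256 for stage, repo in self.repos.items() if path in repo}


def denied(action, *args) -> bool:
    """True if the action raises PolicyViolation; used to show what the policy refuses."""
    try:
        action(*args)
    except PolicyViolation:
        return True
    return False


def walk_pipeline() -> dict:
    """Run one clean build and one vulnerable build through the stages; return the outcomes."""
    reg = Registry()
    clean = Artifact("app/1.4.2/app-1.4.2.jar", b"constructed jar bytes 1.4.2")
    bad = Artifact("app/1.4.3/app-1.4.3.jar", b"constructed jar bytes 1.4.3",
                   vulnerabilities=(("example-parser:1.0.0", "critical"),))
    reg.upload("developer", "build", clean)
    reg.upload("developer", "build", bad)
    reg.promote("developer", "build", "verify", clean.path)
    reg.promote("developer", "build", "verify", bad.path)
    return {
        "overwrite_blocked": denied(reg.upload, "developer", "build", Artifact(clean.path, b"rebuilt")),
        "dev_release_blocked": denied(reg.promote, "developer", "verify", "release", clean.path),
        "critical_blocked": denied(reg.promote, "support", "verify", "release", bad.path),
        "released_digest": reg.promote("support", "verify", "release", clean.path),
        "deploy_from_verify_blocked": denied(reg.deploy, "support", "verify", clean.path),
        "deployed_digest": reg.deploy("support", "release", clean.path),
        "trail": reg.digest_trail(clean.path),
    }


if __name__ == "__main__":
    for key, value in walk_pipeline().items():
        print(f"{key}: {value}")
```

Running the module walks both artifacts through the stages and prints which actions the policy refused. The design choice worth noting is that promotion never re-uploads or rebuilds: the release repository holds the exact bytes that were tested in verify, so the digest recorded at deploy time is the same one a forensic review will find in the build repository years later.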
Scaling with High Availability
The bank ensures responsiveness of their mission-critical repository manager through high availability deployments of Artifactory and Xray, employing a set of load-balanced, redundant instances within the self-managed cluster.
- “We have around 3,500 active users, have accumulated over 110 TB of data, which is growing at a rate of 3 TB per month.”
Artifact Cold Storage
After three years of successful production, the bank had accumulated over 110 TB of packages, artifacts, binaries, and metadata in Artifactory repos, which continues to grow an additional 3 TB each month. Regulatory requirements demand all data be retained for an extended period. Indexing this much data daily, especially for Xray scanning, takes a long time to complete, impacting productivity.
Using the Artifact Cold Storage feature of Artifactory, the bank was able to archive 80 TB of legacy data — over 70% of the total — to low-cost AWS Glacier cloud storage, while retaining continuous traceability. With only 30 TB of active data, Artifactory and Xray performance was restored. Through Artifactory, the bank scheduled automated archiving of all data untouched in the previous 12 months.
- “Only a year ago it was growing only 2 TB a month, now it’s 3 TB — it’s the containers that push it.”
- “We are a highly regulated industry, very tightly governed and controlled. We retain data for at least seven years for forensics.”
- “We don’t allow any deletes or overwrites so there is a lot of growth in artifact tree storage and our component graph is huge. Xray performs better because the [live] subset of data is very small compared to what is now in cold storage.”
After initially hosting Artifactory and Xray on servers in the bank’s data center, the bank later migrated operations to self-managed clusters in a commercial cloud provider. Using a hybrid computing model enabled by the JFrog Platform, the bank was able to shift active workloads to the new cloud environment with minimal impact to daily production — development teams were seldom aware that the change was taking place.
- “As we moved to the cloud we in-sourced the skill and know-how for all the building and maintaining while still embedding in an outsourced cloud environment. In doing that we were able to iterate really fast.”
- “We’ve gone from aging hardware and limited capacity to an elastic cloud environment where we deploy and build everything automated and we’re able to do that in quick succession.”
Using the JFrog Platform to enable the best practices of DevOps, the bank was able to modernize their software development processes, resulting in:
- Faster pace of software development across all teams
- Daily deployments into production environments
- Accelerated cloud native development through containerization
- Security policies enforced through role-based access controls
- High-quality releases to production; critical vulnerabilities blocked
- Forensic analysis enabled through traceability of software components
- Automatic low-cost archiving for efficiency and data retention policy compliance
- Scaling with high availability and migration to the cloud
With this successful transformation, the bank can support growth, while ensuring the quality of its mission-critical software applications.