Scaling and Securing DevOps at a Global FinTech Provider
This global fintech leader provides a variety of digital financial services to individuals and businesses, including payment processing, money transfers, and credit cards.
The company needed a centralized, scalable, and technology-agnostic repository to store and manage the massive and growing number of artifacts — such as binaries and config files — that its 7,000 developers generate and share using many different programming tools, technologies, architectures and environments.
Because it used disconnected point tools with limited functionality, the company had no central record of its artifacts. It also lacked visibility into the lifecycle of the binary software packages as they were built, tested and released. This setup also required a lot of maintenance and caused significant system reliability and performance problems.
This also created security and compliance risks across multiple geographies, hampered scalability, and hurt the agility DevOps teams needed to release software quickly and frequently. As a result, the company couldn’t move as fast as it wanted to update its applications and fix bugs, patch vulnerabilities, and add functionality — a major disadvantage in the highly-competitive fintech market.
With JFrog Artifactory, JFrog Xray and JFrog Distribution — all key components of the JFrog DevOps Platform — the company transformed its DevOps processes, optimizing agility, security, compliance, scale and efficiency.
“JFrog is very low maintenance, streamlined, centralized and self-service, unlike other tools we’ve had that require an army of developers to maintain,” says the senior manager of the team that oversees all DevOps groups and coordinates their activities company-wide.
With Artifactory, it now has a central artifact repository manager that gives the company a single source of truth for its binaries, which makes it easy to track binaries from the time they’re created to their deployment in production. That way, the binaries are easy to locate and update in case they’re found to contain a vulnerability or a compliance violation — critical issues for financial services companies.
“Having this trace that tells you where this artifact came from, and whether it has been scanned for vulnerabilities and compliance issues is super important for us,” he says. “It’s an out-of-the-box audit trail that creates a zero-trust system where you know everything that’s going through the system, who has access to consume or distribute it, and where it went to production.”
Scalability and performance have also improved dramatically, with the reliability of pipelines rising from 60% to 99.9% uptime. “The beauty of Artifactory is that it just works seamlessly and transparently, all the time, unlike our previous solution,” he says.
The speed of deployment went up significantly with JFrog. Previously, it would take an hour to deploy one service. Now, the company deploys 50 services in 10 minutes or less. So what would take 50 hours now takes 10 minutes.
“This is critical because the workload of repository management has grown exponentially here. With Artifactory, we can scale easily, while maintaining super low latency,” he says.
In addition to the Artifactory binary tracing capability, the company also uses Xray to do deep recursive scanning of all binaries across the SDLC to detect vulnerabilities and license compliance issues in open source software components. This has dramatically enhanced the company’s ability to ensure that the software it releases is safe by protecting binaries’ supply chain end-to-end. It also boosts the company’s regulatory compliance, which is so critical in the heavily-regulated financial services industry.
“Anything that’s in the form of a library, a binary, a document — anything that developers will download, install, update or store comes from the single source of record JFrog provides us. This takes a lot of my worries away, because it’s not something we need to do manually. It’s baked into the SDLC,” he says. “JFrog is secure by default so we have full confidence in what we’re distributing out there.”
With Artifactory and Xray, the company secures its binaries from their build phase all the way to their production deployments, and with JFrog Distribution, it ensures the integrity of its release bundles, as it delivers them globally to traditional data center environments, remote sites, branch offices, home-based employees, customer smartphones, and edge/IoT endpoints.
Thanks to its scalable, distributed architecture, JFrog Distribution also solves bandwidth limitations and network bottlenecks. “With JFrog, we’ve got a secure, immutable, verified, governed distribution of release bundles, while ensuring velocity,” he says.
Finally, by centralizing SDLC management with the JFrog DevOps Platform, the company has been able to consolidate into one team the administration of all DevOps teams. This has allowed the company to drastically lower the number of people involved in this administration task; to consolidate and standardize toolsets; and to have full visibility and shared governance across all DevOps teams — on prem, in the cloud and in hybrid environments.
“We no longer have 20 different DevOps teams doing things in 20 different ways with 20 different toolsets and processes,” he says.
In summary, the company has found that with JFrog, “everything leads to DevOps,” with a consistent operating model globally.
“Our DevOps teams now work in a streamlined, governed and secure way, while being hyper productive and agile,” he says.
- Financial technology services
- Lack of a centralized artifact repo manager
- Wobbly performance and scalability
- Weak security and compliance detection
- Single source of truth for binaries
- Dramatically improved uptime and scalability
- Zero-trust, comprehensive security and compliance
- JFrog Enterprise+ on prem; planning cloud migration
- Actively using:
- JFrog Artifactory
- JFrog Xray
- JFrog Distribution