How JFrog Enabled Success

Before the bank’s modernization effort, software development teams chose their own tool sets, resulting in polyglot procedures to verify quality and deliver releases.

The bank modernized its software development processes through a single set of DevOps best practices across the entire enterprise. They sought to improve quality and keep out critical vulnerabilities while delivering software updates more frequently to a growing range of desktops and devices.

Once successfully in place, these practices produced fast-growing volumes of data that put increasing strain on aging on-premises systems. The bank needed a means to affordably archive data and migrate active operations to the cloud.

Here’s how JFrog helped the bank to succeed:

A Single Source of Truth

Once the JFrog Platform was installed, management mandated to all system users in the bank that they were required to use Artifactory to store their packages, artifacts, and binaries. While Java and JavaScript are the predominant languages, Artifactory ultimately became used for over 20 distinct package types including Maven, Docker, npm, and Gradle. Teams share proprietary packages across the bank organization through thousands of repositories in Artifactory.

• “All users are mandated that they have to use Artifactory to store their binaries.”

Proxies for External Repositories

To reduce external network traffic, system administrators at the bank have established remote repositories in Artifactory to proxy all external repository resources, such as Maven Central, npm, and DockerHub. This helps teams uninterrupted access to frequently used dependencies locally, even during connectivity outages, and to guard against improper or malicious overwrites of those dependencies pushed into external repositories.

• “We use remote repositories as a proxy for all external repos. We proxy for npm, Maven Central, and DockerHub.”

Promotion of Immutable Builds

Every software build at the bank must pass through three stages of evaluation, from build, to verify, and finally to release. As the build passes its tests, its immutable binary and metadata are promoted from one stage repository to the next. Only builds whose quality has been checked and promoted to the final release repository are deployed into production.

• “We have a policy of no builds or overwrites. Every time they make a change they have to push a new build.”
• “Builds promoted to verify are tested in the test environment. When they’re a hundred percent happy, then it goes to production.”
• “All deployment is done through our release repo, it’s mandatory and compulsory for all teams to do that.”

Role-Based Permissions

Using the JFrog Platform’s fine-grained permission control, the bank’s system administrators maintain service accounts to restrict access to repositories based on their role.

• “They have the permissions mainly to publish and promote and deploy and that’s all they do.”
• “Developers can push to build, and promote only to verify. Support can promote from verify to release, and can deploy only from release.”

Integrating With Build Ecosystems

The bank does not operate with a centralized build system; developer teams at the bank choose their own CI/CD tools, and run them on their own servers. Using JFrog plugins, the JFrog CLI and REST APIs, all parts of this diverse ecosystem are empowered to push resulting builds and metadata to repositories in the bank’s central Artifactory deployment.

• Around 80-85% of our teams are using Jenkins, and each asset has their own Jenkins, Bamboo, or whatever.

Accelerating Cloud Native Development

Artifactory’s native support for Docker and Helm helped accelerate the bank’s adoption of container-based microservices architectures. Using private Docker registries in Artifactory, the bank’s developer teams can distribute and share container images within the organization.

• “Of our 110 terabytes of data, I would say 50 terabytes would just be Docker.”

Blocking Vulnerabilities

Using policies and watches in JFrog Xray the bank scans key repositories to flag binaries with dependencies that have known vulnerabilities, and prevent them from being deployed into production systems.

• “Xray is so tightly coupled with Artifactory, it’s given us the benefit of blocking a lot of the vulnerable images that are coming inside the bank.”

Scaling with High Availability

The bank ensures responsiveness of their mission-critical repository manager through high availability deployments of Artifactory and Xray, employing a set of load-balanced, redundant instances within the self-managed cluster.

• “We have around 3,500 active users, have accumulated over 110 TB of data, which is growing at a rate of 3 TB per month.”

Artifact Cold Storage

After three years of successful production, the bank had accumulated over 110 TB of packages, artifacts, binaries, and metadata in Artifactory repos, which continues to grow an additional 3 TB each month. Regulatory requirements demand all data be retained for an extended period. Indexing this much data daily, especially for Xray scanning, takes a long time to complete, impacting productivity. 

Using the Artifact Cold Storage feature of Artifactory, the bank was able to archive 80 TB of legacy data — over 70% of the total — to low-cost AWS Glacier cloud storage, while retaining continuous traceability. With only 30 TB of active data, Artifactory and Xray performance was restored. Through Artifactory, the bank scheduled automated archiving of all data untouched in the previous 12 months.

• “Only a year ago it was growing only 2 TB a month, now it’s 3 TB — it’s the containers that push it.”
• “We are a highly regulated industry, very tightly governed and controlled. We retain data for at least seven years for forensics.”
• “We don’t allow any deletes or overwrites so there is a lot of growth in artifact tree storage and our component graph is huge. Xray performs better because the [live] subset of data is very small compared to what is now in cold storage.”

Cloud Migration

After initially hosting Artifactory and Xray on servers in the bank’s data center, the bank later migrated operations to self-managed clusters in a commercial cloud provider. Using a hybrid computing model enabled by the JFrog Platform, the bank was able to shift active workloads to the new cloud environment with minimal impact to daily production — development teams were seldom aware that the change was taking place.

• “As we moved to the cloud we in-sourced the skill and know-how for all the building and maintaining while still embedding in an outsourced cloud environment. In doing that we were able to iterate really fast.”
• “We’ve gone from aging hardware and limited capacity to an elastic cloud environment where we deploy and build everything automated and we’re able to do that in quick succession.”

Final Results: 

Using the JFrog Platform to enable the best practices of DevOps, the bank was able to modernize their software development processes, resulting in:

• Faster pace of software development across all teams
• Daily deployments into production environments
• Accelerated cloud native development through containerization
• Enforce security policies through role-based access controls
• High-quality releases to production; critical vulnerabilities blocked
• Enable forensic analysis through traceability of software components
• Automatic low-cost archiving for efficiency and data retention policy compliance
• Scale with high availability and enabling migration to the cloud

With this successful transformation, the bank can support growth, while ensuring the quality of its mission-critical software applications.