Adopting DevOps in Highly Regulated Industries

Highly regulated industries have been slow to adopt DevOps, primarily because of regulatory compliance and security concerns. Capgemini Engineering’s DevSecOps approach helps address these constraints, especially traceability to clearly defined requirements, formal risk analysis and mitigation, and separation of roles between development and validation. Here are 8 constraints, challenges and best practices to consider for your DevOps adoption.

DevOps has become mainstream for the majority of industries, which benefit from its speed, cost savings, improved quality and faster time to market. Digital transformation has been one of the key triggers for organizations adopting DevOps to create differentiation and a competitive edge in the market. Highly regulated industries (HRI) such as pharmaceuticals, finance and banking, healthcare, and medical device manufacturing must meet strict quality standards to ensure their products and services are safe and do not harm the public. For example, banking and finance organizations need to comply with Sarbanes-Oxley, Basel II, SCI, MiFID and GDPR regulations; the healthcare industry needs to ensure HIPAA and HITECH compliance; and pharmaceuticals need to comply with the FDA 21 regulation. However, despite the known benefits and value delivered, highly regulated industries have been slow to implement DevOps because of regulatory compliance and security concerns.

Integrating security into DevOps (DevSecOps), and striking a fine balance between delivery speed, security and compliance, helps mitigate potential security problems, improve compliance, meet traceability and auditability requirements, and improve the quality of the system.

A 2019 community survey on DevSecOps indicates that DevOps is gaining importance in the banking, telecom and retail spaces. However, healthcare, insurance and manufacturing are still slow in adopting DevOps.

DevOps Constraints and Challenges:

  1. Separation of duties (SoD): SoD is defined as one of the key controls in security and compliance frameworks such as COBIT, ITIL and ISO 27001, and in regulations such as Sarbanes-Oxley, PCI-DSS and GLBA. Its purpose is to ensure that sensitive data cannot be accessed or altered by unauthorized people, so that data confidentiality and integrity are preserved. However, the DevOps approach allows individuals to publish code and configurations directly into the production environment, which conflicts with SoD requirements.
  2. Faster delivery velocity: One of the key elements of DevOps is to deliver and deploy code often. For example, the Amazon team deploys code every 11.7 seconds on average, Etsy deploys to production 50 times a day, and the Netflix team deploys code thousands of times per day [1]. This continuous delivery poses a serious challenge for meeting security and compliance requirements. The shorter release cycles do not leave a sufficient window to understand risks, carry out audits, perform pen-testing, and assess vulnerabilities.
  3. Lack of focus on security in the design stage: An agile DevOps approach puts more emphasis on working software, with less time spent on design. Design is revisited and updated over a series of sprints and continuous delivery changes. From a security perspective, insufficient attention is given to design preparation, review, documentation and threat modeling.
  4. Managing change control: In DevOps, code changes are continuously pushed to production by developers. Without a change control advisory function in place, there is no control, tracking, or authorization process to monitor those changes. Compliance and risk management need to be addressed as part of these continuous changes.

Best Practices for your DevSecOps:

DevSecOps helps companies meet HRI compliance and regulatory requirements. Some of the best practices captured here would act as guidance for implementing DevOps in an efficient and effective manner.

  1. Managing integrated and continuous compliance and security: Compliance policies, control flows and rules need to be defined and enforced through an automated approach that produces audit trails, logging, and tracking throughout the continuous delivery pipeline. Compliance documentation, which is mandatory from the auditing perspective, needs to be enforced as well. The right tools help generate documentation automatically and address versioning issues.
  2. End-to-end pipeline DevOps automation: By reducing manual processes, automation reduces errors and improves overall efficiency. When implemented in a structured and efficient manner, end-to-end automation provides traceability, auditability, and reliability across the complete DevOps lifecycle. It also logs data automatically at each stage, improving traceability, which is one of the main compliance criteria. For example, automated testing enables efficient validation without manual intervention across multiple combinations of environments and delivers better quality. Implementing end-to-end automation across all phases helps address changing regulatory and compliance requirements. Inbuilt controls and orchestrated processes further help reduce risk and errors.
  3. Consider regulators and auditors as stakeholders in your DevSecOps: Addressing audit, risk, compliance and security requirements requires the involvement of auditors and regulators. The early involvement of auditors and compliance officers is highly recommended. By engaging auditors early in the product development stage, there is less chance of missed compliance requirements, frequent change requests, and non-compliant audits. Auditors also help with the proper interpretation of regulatory requirements, which the DevOps team might not otherwise understand clearly.
  4. Feedback and metrics for DevSecOps: Continuous monitoring is key in the DevOps context; it captures data at different stages and provides fast, continuous feedback to the team. While the feedback mechanism can be largely automated, key metrics can be derived from the collected data. The combined approach helps improve processes, track compliance and regulatory requirements, and improve overall quality. Metrics can be categorized as Critical and Standard, with the former providing deep insight into the DevSecOps platform and the latter focusing on continuous improvement. Critical metrics would include compliance and security defects reported, the rate of repetitive issues, audit issues reported, and time to fix the issues. Standard metrics include test coverage, MTTR, and vulnerability patching frequency.
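The separation-of-duties and change-control constraints listed under "DevOps Constraints and Challenges", and the automated, auditable compliance enforcement described in best practice 1, can be turned into a pipeline gate. The following is an added example written for this page; it is not Capgemini Engineering's code or any product's API. The `ChangeRecord` fields, the `REQUIRED_CHECKS` set and the sample changes are all constructed assumptions: a real pipeline would populate them from its source-control, review and scanner integrations. The gate rejects a change whose author also reviewed or approved its deployment, or that lacks requirement traceability or a passing required check, and it writes every decision to a hash-chained audit log so that an auditor can detect edited or deleted entries.

```python
"""Policy-as-code deployment gate with a tamper-evident audit trail.

Added example (not Capgemini Engineering's code). Models separation of
duties (SoD), requirement traceability and required-check enforcement as
an automated decision a CI/CD pipeline would make before promoting a
change to production, and records each decision in a hash-chained log.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class ChangeRecord:
    """Evidence the pipeline has gathered for one change (constructed shape)."""
    change_id: str
    requirement_id: str          # traceability to a defined requirement
    author: str                  # who wrote the code
    reviewer: str                # who approved the code review
    deployer: str                # who approved the production deployment
    checks: dict = field(default_factory=dict)  # e.g. {"unit_tests": "pass"}


# Assumed set of checks that must pass before production (hypothetical names).
REQUIRED_CHECKS = ("unit_tests", "sast", "dependency_scan")


def evaluate_change(rec: ChangeRecord) -> list[str]:
    """Return the list of policy violations; an empty list means the change may deploy."""
    violations = []
    if not rec.requirement_id:
        violations.append("missing requirement traceability")
    # SoD: the person who wrote the code may neither review it nor approve its deployment.
    if rec.reviewer == rec.author:
        violations.append("SoD: author reviewed own change")
    if rec.deployer == rec.author:
        violations.append("SoD: author approved own deployment")
    for check in REQUIRED_CHECKS:
        if rec.checks.get(check) != "pass":
            violations.append(f"required check not passed: {check}")
    return violations


class AuditTrail:
    """Append-only log; each entry commits to its predecessor through a SHA-256 chain."""

    def __init__(self):
        self.entries = []

    def record(self, rec: ChangeRecord, violations: list[str]) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "change_id": rec.change_id,
            "requirement_id": rec.requirement_id,
            "author": rec.author, "reviewer": rec.reviewer, "deployer": rec.deployer,
            "decision": "approved" if not violations else "rejected",
            "violations": violations,
            "prev_hash": prev_hash,
        }
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        entry = dict(body, hash=digest)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the first entry; any edit or removal breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def gate(rec: ChangeRecord, trail: AuditTrail) -> bool:
    """Evaluate the change, log the outcome, and return True only if it may deploy."""
    violations = evaluate_change(rec)
    trail.record(rec, violations)
    return not violations


# Constructed sample changes (not real people, requirements or results).
SAMPLE_OK = ChangeRecord("CHG-1001", "REQ-42", "alice", "bob", "carol",
                         {"unit_tests": "pass", "sast": "pass", "dependency_scan": "pass"})
SAMPLE_SOD = ChangeRecord("CHG-1002", "REQ-43", "alice", "alice", "carol",
                          {"unit_tests": "pass", "sast": "pass", "dependency_scan": "pass"})
SAMPLE_SCAN = ChangeRecord("CHG-1003", "", "dave", "bob", "carol",
                           {"unit_tests": "pass", "sast": "fail"})

if __name__ == "__main__":
    trail = AuditTrail()
    for rec in (SAMPLE_OK, SAMPLE_SOD, SAMPLE_SCAN):
        print(rec.change_id, "deploy" if gate(rec, trail) else "blocked")
    print("audit trail intact:", trail.verify())
```

The chain gives auditors a cheap integrity check: re-running `verify()` over an exported log detects any entry that was altered or removed after the fact. In practice the log would be shipped to storage the pipeline identity can append to but not modify, so that the SoD the gate enforces on code is also enforced on its own evidence.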

Organizations within highly regulated industries need to find ways to balance compliance, security and regulatory requirements with faster delivery and frequent deployment, and to implement the necessary controls and checks in the platform. The best practices and guiding principles captured above help these organizations address regulatory and compliance requirements in a DevOps environment. A DevSecOps approach implemented properly in a highly regulated environment improves quality, auditability, reliability, and security.

The Capgemini Engineering DevSecOps Solution

Capgemini Engineering DevSecOps services help to set up processes, tool-chains, and automated workflows for continuous integration and deployment. Our DevAgility initiative, with its centralized pool of infrastructure, aims to foster a culture of DevSecOps by default and institutionalize the use of DevOps tools and processes across all projects.

We enable our customers to accomplish successful migration of their Software Engineering activities to industrialized DevSecOps through the adoption of continuous delivery best practices, processes, and tools. We guide customers through their transformation journey in the following manner:

  • Operational Strategy – Consultancy services to assess the current state with respect to development, testing and operations, and lay out a roadmap for DevSecOps adoption at scale
  • Engineering DevSecOps – Design & deployment of DevSecOps pipelines incl.: Continuous Integration and Testing (functional, performance and security), Continuous Release and Deployment (automated environment provisioning, cloud deployment)
  • Operating DevSecOps – Ensuring seamless operations of a fully equipped DevSecOps pipeline & continuous onboarding of projects & people
  • Accelerating Deployment – Software Accelerators to make our clients’ transition to DevSecOps fast and effective

Atul Jadhav, Director, Engineering