Inside ANZ’s ‘industrialised’ CI/CD
- 13 August, 2019 08:15
ANZ’s high-profile agile transformation program – dubbed New Ways of Working, or NWOW – has seen thousands of the bank’s employees shift into tribes, squads and guilds. The program is ANZ's response to the banking sector facing emerging challenges in the form of fintechs, as well as the changing expectations of customers.
The agile transformation has naturally been reflected in the bank’s technology stack, Rakesh Garala, a senior product owner at ANZ, last week told a Google Cloud APAC customer event. Garala said that ANZ has been accelerating its use of containers, building what he describes as an “industrial” approach to CI/CD or “paved roads” that allow its developers to get new features into production faster.
“We've been building great customer experiences for a while, but what we now want to do is build them at speed, and build them and scale,” Garala said.
NWOW has seen the bank transform its people and organisational processes, he said, with ANZ’s 50,000-strong workforce beginning to embrace a “product mindset”. Containers are a key technology supporting the bank's transformation, he said.
The “paved roads” are essentially “industrialised CI/CD capabilities”, giving the bank’s engineers a faster way to get features to customers, as well as offering immediate and transparent feedback if code doesn't actually make it into production.
“Industrialised CI/CD and paved roads is great for speed,” Garala said. “But then how do you scale the management of that across an organisation of 50,000 people across 30 different countries?… How do we build security into the end-to-end supply chain and actually have them enforced via our CI/CD capabilities?”
A solution has been Google Cloud’s Binary Authorization service. Binary Auth can be used to ensure that only trusted, signed container images that have successfully made it through a series of stages in the CI/CD pipeline are deployed with Google Kubernetes Engine (GKE).
Google launched the service last year. Product manager Jianing Sandra Guo wrote in a Google Cloud blog entry that Binary Auth was based on internal Google technology that the company had used to protect its production deployments for close to 10 years.
Garala described it as a “simple tool” that gives ANZ confidence that the containers in production “meet particular standards and particular policy requirements”. Binary Auth integrates with a CI/CD pipeline to produce ‘attestations’ (signatures) at different stations during the process of pushing code into production. It verifies every container that goes into production, and allows an organisation to define policies as code, Garala said.
If engineers make a mistake, they can receive feedback straight away as to which policy requirement has not been met, he said.
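To make the mechanism described above concrete, here is an added example (not ANZ's or Google's code) that models a Binary Authorization-style admission decision: pipeline stages sign a digest-pinned image reference, a policy written as code names the attestors that must have signed, and the admission check reports which requirement was not met. The attestor names, image reference and HMAC secrets are constructed stand-ins; real attestors use asymmetric (PGP/PKIX) keys.

```python
import fnmatch
import hashlib
import hmac

# Constructed attestor key material: HMAC secrets standing in for the
# asymmetric (PGP/PKIX) keys a real attestor would hold.
ATTESTOR_KEYS = {
    "projects/demo/attestors/built-by-ci": b"constructed-ci-secret",
    "projects/demo/attestors/passed-security-scan": b"constructed-scan-secret",
}

# Policy as code, shaped like a Binary Authorization policy: images matching
# a whitelist pattern are admitted as-is; everything else needs every listed attestor.
POLICY = {
    "admissionWhitelistPatterns": ["gcr.io/google_containers/*"],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "requireAttestationsBy": list(ATTESTOR_KEYS),
    },
}

def sign_image(attestor, image_ref):
    """A pipeline stage attests an image by signing its digest-pinned reference."""
    mac = hmac.new(ATTESTOR_KEYS[attestor], image_ref.encode(), hashlib.sha256)
    return {"attestor": attestor, "image": image_ref, "signature": mac.hexdigest()}

def admit(image_ref, attestations, policy=POLICY):
    """Decide admission; the reason string is the feedback an engineer would see."""
    if any(fnmatch.fnmatch(image_ref, p) for p in policy["admissionWhitelistPatterns"]):
        return True, "admitted by admissionWhitelistPatterns"
    rule = policy["defaultAdmissionRule"]
    if rule["evaluationMode"] != "REQUIRE_ATTESTATION":
        return rule["evaluationMode"] == "ALWAYS_ALLOW", rule["evaluationMode"]
    # Attestations bind to an immutable digest; a tag can be repointed after signing.
    if "@sha256:" not in image_ref:
        return False, "image must be referenced by digest, not by tag"
    for attestor in rule["requireAttestationsBy"]:
        expected = hmac.new(ATTESTOR_KEYS[attestor], image_ref.encode(), hashlib.sha256).hexdigest()
        if not any(a["attestor"] == attestor and a["image"] == image_ref
                   and hmac.compare_digest(a["signature"], expected) for a in attestations):
            return False, f"missing or invalid attestation from {attestor}"
    return True, "all required attestations verified"

if __name__ == "__main__":
    # Constructed digest-pinned image reference.
    img = "gcr.io/demo/payments@sha256:" + "ab" * 32
    ci_only = [sign_image("projects/demo/attestors/built-by-ci", img)]
    print(admit(img, ci_only))  # blocked: security scan stage never attested
    both = ci_only + [sign_image("projects/demo/attestors/passed-security-scan", img)]
    print(admit(img, both))     # admitted
```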
“What about in a scenario where you have malicious code or you have a malicious actor and trying to put something into your environment?” Garala said. “Well, again, if it's coming from an untrusted source or your policy defines a particular set of other stations for say, third parties or external providers, and Binary Auth will then stop that also as well.”
Binary Auth offers a “coherent way to ensure that the things that move through your CI/CD pipeline or your supply chain actually meet organisational policy,” he added.
Engineers “absolutely love” the tool, he said. “It's a faster pathway for us to get from idea to customers hands,” he added.
Binary Auth is a key governance tool for ANZ, he said. Garala said he’s interested in its potential to help the bank demonstrate that it was meeting its regulatory requirements.
“Could we use Binary Auth to set ourselves particular guardrails that keep us within regulatory requirements?” he said. The result could be “regulatory compliance as code”.