Cloud-Native Package Management for the Banking Industry
Technology-forward banks are embracing cloud-native tools in favour of on-premise tools. We explore why banks are moving to the cloud and what package management should look like in finance & banking.
Software development in the banking and finance industry can make you feel like you’re wearing chains. Regulation, compliance, upfront costs, privacy, legacy systems, fear of cyberattacks, and an “if it ain’t broke” approach can lead to a lack of innovation.
Despite these challenges, some technology-forward banks like Capital One, JP Morgan Chase, HSBC, and Wells Fargo have embraced the cloud and introduced DevSecOps and cloud-friendly architectural practices.
This change has been aided by the fact that cloud providers including Google Cloud, AWS, Microsoft and HPE can now guarantee compliance to banking regulations, and the existence of new cloud-native core banking engines like Thought Machine to help banks move off their legacy systems. This cloud transformation helps banks stay competitive, move away from batch processing towards real-time results, attract engineers, reduce costs and come up with new innovative products.
Part of this cloud transformation means updating the tech stack for developers working in banking- Getting rid of ‘on-prem’ applications and moving to their cloud-native tools.
Cloudsmith is seeing new interest from financial institutes that want to implement a cloud-native SaaS product - they are not demanding on-prem versions of our product anymore. Today, let’s dive into the benefits of cloud-native package management tools for the finance industry.
So what do developers working in banking need from their package management solution? They need to be able to:
- Host the formats that are popular in banking software development. This includes Maven, NuGet, Go, Scala, Rust, raw files for binaries, Docker, and Helm. Also, this includes packages for data manipulation like R, Lua, and Conda.
- Help developers visualize, secure, and manage their supply chain, including 3rd party dependencies.
- Sign all artifacts. Checking the signatures and checksums of artifacts is an effective defense against software supply chain attacks (read more about what software supply chain attacks are in our article).
- Allow developers to work in distributed teams.
In the next few sections, we’ll explore:
- Moving to the cloud.
- Package management in banking.
- Securing their supply chain, including their 3rd party open source dependencies.
Moving packages to the Cloud
The banking industry has been slow to adopt the cloud, and many banks still run their own data centers to process huge workloads. Banks have long understood that using cloud infrastructure has cost-saving benefits but were reluctant to move from their ‘on-prem’ systems due to privacy and regulatory reasons. The distrust in the cloud is waning as the risks are understood, and the technology matures. Much of the push to stick with legacy systems is driven by business-as-usual culture, upfront costs, and priority.
Banks have conflicting priorities, making it difficult to find the IT time when systems are happily working- but the pandemic gave many organizations space to relook and revive their IT strategies. Several large banks have undergone a cloud transformation during the pandemic, including:
“A key factor causing ‘core to the cloud’ to reach a tipping point is that cloud-native core banking software applications such as Thought Machine, Mambu, and Finxact are reaching a level of maturity where the journey is worth the effort, ”
says Alan McIntyre, a senior industry director for Banking at Accenture. Maintaining data centers and staying ‘on-prem’ is not just a case of staying still but going backwards.
We've covered the many reasons to move to the cloud as a finance organisation below.
Innovation
Banks need to innovate quickly to meet customers' ever-changing needs. Big Tech and Fintechs are putting banks under competitive pressure by offering financial products. Staying still is no longer an option to survive.
Areas to innovate include:
- Using APIs to extend banking into new spaces outside of traditional banking.
- Banks can use cloud computing to move away from the need to archive data. This historical data can be used in data analytics to see trends.
- Using the cloud, you can move away from siloed systems where customers may have data for their mortgage, credit card, or saving account stored separately. Banking’s cloud architecture means that they can run all bank's products from a single platform.
- Fraud detection.
Real-time results
“Everything is moving to real-time,” Rohan Amin, the chief product officer at Chase. Customers want their services, like their balances, updated immediately in real-time. Cloud computing facilitates moving to real-time as a general model.
Resilience, scalability, and availability
Banks need to have high availability, resiliency, reliability, and scalability to serve the bank customers with minimum downtime. Cloud-native software can quickly re-adjust its resources to meet demand. When volumes spike in financial markets, traders can use extra computing power to analyze price movements and handle bursts of client activity.
A company experiencing rapid growth can use the cloud to expand its infrastructure and computing power. In contrast, the same company using on-prem infrastructure would have to quickly invest in more hardware, software, and Engineers to keep up with rapid growth.
Security
Banks are becoming less wary of the security of the cloud in part because cloud infrastructure providers and services have matured and can now offer controls validated by third-party auditors like ISO, PCI, and SOC, that prove compliance with privacy and banking regulations.
Cloud has security advantages over on-premise systems that rely on physical servers. A secure system needs a secure building, training, constant security updates, high availability, monitoring, and disaster recovery infrastructure.
Although banking organizations that host their software on-prem take security very seriously, it is expensive and consumes many working hours. Cloud providers are driven to focus on security as their business and reputation depend on providing a robust and secure service. As a result, cloud providers use highly sophisticated security tools and resources beyond the reach of most in-house teams.
Security is a risk when moving to the cloud but by designing a system with security in mind and by incorporating security into your build and deploy process- your system can be more secure than a traditional on-prem system and stay compliant with regulations.
Cost of Maintenance and Infrastructure
The upfront cost savings of not having loads of servers in a server farm and “doubling up” by maintaining remote locations for disaster recovery—which all banks require—is significant. Cloud software is hosted for you. You don’t have to worry about maintaining your “on-prem” software or infrastructure- no updates, no security patches, no replacing obsolete hardware.
Cloud-native technologies allow businesses to reduce the total cost of ownership for businesses, especially when you factor in the staff costs of maintaining “on-prem,” never mind just the licensing fees.
Distributed Teams
Devs need a package management solution to handle a distributed workforce giving everyone similar low latency access speeds. Tools that don’t do this can lead to reduced collaboration, developer unhappiness, and lack of confidence in your software process.
Attracting Engineers
Software engineers are hard to come by, COBOL and assembler specialists even more so. Engineers want to work with the latest technologies. Banks need to embrace tooling that takes advantage of the automation and scalability of cloud-native technologies- freeing up your engineering and server resources to build your products.
Cloud-Native Package Management
Migrating to the cloud has helped many banks and financial institutions compete, improve efficiencies, and lower costs. On-premise software cannot compete with cloud-native software in terms of scalability and flexibility.
Cloudsmith is a cloud-native package management tool that makes life simpler for engineers. Don’t worry about infrastructure, patching, upgrades, replications, or scaling. Our cloud-native architecture enabled us to develop a smart CDN for software packages, called the Package Delivery Network (PDN). The PDN is optimized to ensure lightning-fast delivery for deploying or shipping licensed software to your customers.
Package Management in Finance
A package/artifact/image groups together files containing your software, along with the metadata about the software and dependencies in a well-defined format.
Packages promote code reuse, as code can be dropped into another application and used easily. Packages are created using a package manager and are usually stored in a repository, like Cloudsmith (Read our article for a more comprehensive introduction to package management).
Finance Software Packages
The table below details some common software packages used in banking and fintech:
If you're curious to learn more about specific package formats, check out our articles:
Package Management in Core Banking
Banking applications tend to use programming languages that support high-performant computation 'cores' with the least amount of pain, easy to maintain and are stable over time.
Java is used extensively in the financial services industry, so Maven is one of the most popular packages used in banking. Scala seamlessly integrates with Java and is extensively used for large-scale processing. C# and its NuGet packages are popular in banking for similar reasons to Java. C++ is often used in projects that require speed like trading systems but it is often associated with the legacy banking systems.
Go, and Rust are the new kids on the block in banking and replacing some core bank functionality. They are both super fast, have nice modern features, and developers tend to find them simpler and more enjoyable.
Package Management in Data Analytics
Data in banks is growing day by day, it’s driving new insights, security, and new products.
Data scientists, data analysts, and software engineers in banking analyze large datasets and require high performance- particular software formats specialize in data analytics including Python, CRAN, Conda, and R.
Package Management in the Cloud
Banking in the cloud requires specific package formats like Docker for containerization, Helm for deploying apps to Kubernetes cluster, and Terraform to automate the provisioning of resources to cloud infrastructure.
Cloudsmith is a universal, secure, and cloud-native package management platform built for modern enterprises and distributed teams. We support all formats, including Maven, NuGet, Go, Scala, Rust, Docker, Helm, R, Lua, Conda, and raw file formats, which can be used for any file format, including binaries.
Because it is unusual for any tech stack to use only one type of format, Cloudsmith provides universal, multi-format repositories. Multi-format repositories allow you to store packages of different types in one repository. They are especially useful if your tech stack uses multiple languages and containers and can help simplify and reduce the number of repositories you manage.
Cloudsmith blends package management and software supply chain management, storing all your software artifacts, dependencies, and metadata. Have one place to store, manage and secure all your packages accessible from anywhere in the world without compromising performance.
Banking, open-source, and securing the supply chain
The attack surface for the software supply chain is vast. It includes all of the steps that go into developing and deploying your software including:
- Code
- 3rd party dependencies
- Scripts
- Tests
- Environmental variables
- IDEs
- Plugins
- Source code repositories
- CI/CD tools
- Package repositories
Recent attacks like SolarWinds, CodeCov, Log4Shell, and attacks on public repositories have prompted efforts to improve the security of software supply chains. The focus on supply chain security has highlighted the importance of package repositories and package management.
Over 80% of software contains open-source software (OSS). 3rd party OSS dependencies are used in all software, including the financial services supply chain. Proprietary software is not more secure than OSS, but an exploit in a popular OSS can have a huge impact. A critical exploit in the Log4J open-source package, Log4Shell, has sent ripples in banking circles due to the extensive use of Java in banking.
The answer is not to turn away from open source, but to adopt techniques to increase trust in builds and artifacts like OpenSSF’s sigstore, scorecards, SLSA levels, in-toto, and utilize and generate a Software Bill of materials (SBOM).
In order for banks to use a SaaS-based package repository, they should expect:
Robust Security
If banks are going to use cloud SaaS products to store their packages they need strong security features to prove they are trustworthy:
- Robust access control with 2FA for distribution and development
- Single Sign On (SSO)
- Event and audit logging
- High availability
- Accreditations like ISO 27001 - Cloudsmith is ISO-27001 certified!
- All communication and storage should be encrypted in-transit and at-rest
The Single Source of Truth
Private repositories that support many formats provide one single place to track, manage, distribute and understand all software pulled into your stack. A central trusted store forces you to apply processes and controls to that ingress/egress of software packages.
Provenance of Packages
Package repositories can secure your packages and interrogate the provenance of packages:
- Package metadata includes information on dependencies, licenses, versions, who wrote the code, results from vulnerability scans, and information from CI tools. Package repositories need to extract, store and surface all of this data as it is intrinsic to resolving the provenance of software packages.
- Attest to the provenance of all the software assets and their dependencies by signing and verifying every package uploaded.
- Your package repository should help you secure your OSS dependencies by integrating with new technologies like sigstore, which help you sign and verify the history of a package.
- Provide event logs on package usage.
- Your package repository should provide upstreams for these external feeds to protect from outages from 3rd party repositories.
- Understand what dependencies are in your supply chain by consuming, generating, and analyzing Software Bill of Materials (SBOM).
Automation
Package repositories should promote automation by applying Continuous Packaging (CP) techniques to integrate programmatically with CI, CD, and scanning tools. Automating as much of the software supply chain as possible can significantly reduce the possibility of human error, improve quality, and traceability and help make builds more reproducible.
Securing open-source software supply chains
A software supply chain attack is a cyber-attack that seeks to damage an organization by targeting elements in its software pipeline like its open-source dependencies. A report conducted by the EU Agency for Cybersecurity (ENISA) projected “2021 may have 4 times more supply chain attacks than 2020”, with more than half of these attacks being attributed to Advanced Persistent Threats (APTs) from nation-state actors.
There has been a massive effort by the US Government and OSS foundations led by the Open Source Security Foundation (OpenSSF) to help maintainers and consumers of OSS build secure software. Early this year, in the wake of the vulnerability exposed in Log4j, The White House convened government and private sector stakeholders to discuss how to improve the security of OSS as it is “a national security concern.” There is a particular focus on securing projects used by critical infrastructure such as banks.
Last year the US President issued an Executive Order mandating a Software Bill-of-Materials (SBOM) for critical software. OpenSSF’s sigstore is another high-profile initiative to secure the OSS supply chain by making signing OSS packages easy and meaningful.
Securing software supply chains will require a combination of using secure developer-focused tooling, an increase in automation, education, and adopting new strategies to trust and verify open source dependencies.
Securing software supply chains with Cloudsmith
Cloudsmith establishes trust and provenance in your software supply chain, including your OSS 3rd party dependencies, by surfacing your package metadata informing you about the package checksums, how, and who built your packages, and what dependencies are in your packages. Cloudsmith also isolates and protects your software supply chain from public upstream sources like Maven Central by proxying or caching your OSS artifacts.
Cloudsmith has started work on integrating with emerging technologies to help trust and secure the open-source supply chain. Cloudsmith will be releasing support for:
- Cosign: Cosign, part of Sigstore, which aims to make signatures invisible architecture. Cloudsmith will add support for Cosign as a method for signing containers.
- SBOMs: Customers will be able to attach SBOMs to packages via Cosign, which can then be viewed in Cloudsmith and/or downloaded into other systems.
A Package Management Solution for Banking and Fintech
Nobody wants banks to be the first adopters of unproven technologies. Cloud infrastructure has matured to a point where many tier-one banks are undergoing a cloud transformation.
Cloud-native package management solutions are part of this transformation.
Software developers working in finance need package management tools to work with their package formats such as Maven, Conda, Scala, Go, R Packages, Docker, or Helm.
On top of that, finance software developers need tools that are easy to automate against to help them secure their supply chain, that scale as they grow, and can work with a distributed team.
If you’re a fintech or a banking organization that’s looking for a simple solution to secure development artifacts, you can sign up for a free 14-day trial and set up your first repository in just 60 seconds.
Liked this article? Don\'t be selfish (:-), share with others: Tweet