Risk Focus On Infrastructure As Code

Infrastructure as Code

Written by: Cary Dym, Global Head of DevOps Business Development

Infrastructure as Code (IaC) transforms the manual process of standing up datacenter environments and processes, such as hardware instantiation, networking, run books, and appliance and software configuration, into automated deployment and configuration. The IaC concept has been around for several years in both startups and many tech firms and is gaining wider traction. TechNavio cites the increased adoption of IaC as a major trend across all industries and geographies in their Global DevOps Platform Market 2018-2022 report.

Every industry is challenged by Digital Disrupters:  firms that are competing based on enhanced capabilities and lower costs derived from digital innovation.  According to the 2018 IDC Whitepaper, Designing Tomorrow, “Over 67% of companies believe a digitally enabled competitor will gain a competitive advantage within the next five years.”  Traditional companies must be able to move faster at lower cost, and yet continue to manage risk.  Firms willing to undergo digital transformation are able to achieve this with IaC.  Infrastructure cost (CAPEX) and human cost (OPEX) can be reduced by leveraging the dynamic and self-service capabilities that IaC provides.  Increased velocity means recasting multi-step, multi-hour, manual processes—such as racking servers, loading software patches, installing services and applications, configuring networks, and enabling storage—into automated, repeatable, scalable processes that are performed in minutes.  When done properly, IaC reduces risk by addressing traditional IT problems, including configuration drift, human error, inconsistencies, and loss of context.

These additional capabilities – faster delivery of infrastructure, and consistent configuration during the software delivery cycle – allow organizations to make changes faster, with more confidence, and lower risk.

A good place to start Digital Transformation is implementing IaC to facilitate adoption of DevOps practice.  Firms starting on this journey are faced with the hard task of assessing whether the organization has skills and know-how to embark on the journey alone or requires collaboration with skilled practitioners.  Most “not-born-in-the-cloud” firms realize they need to bring in outside resources (unfortunately, sometimes after first failing internally).  Risk Focus has broad industry expertise across Finance, Healthcare and Telecom industries with deep expertise in IaC technologies.  We realize that even large journeys start with a single step and have developed a unique Player-Coach engagement model that facilitates new DevOps principles, enabling demonstration of best-practices through quick-win projects.

At Risk Focus, we are agnostic (yet opinionated) about the tools we use. Our choices are informed by a variety of factors and determined by our clients’ needs.  However, we do have our favorites.  One such tool is Terraform, which is the service provisioner and infrastructure orchestrator in the suite of offerings by HashiCorp. Terraform is cloud-agnostic and supports all major clouds, both public and private.  In hybrid environments where there are advantages to a single set of tooling, Terraform allows our practitioners to quickly develop, validate and roll out orchestration templates.

We implement configuration management (CM) with two tools: Salt and Ansible. Ansible focuses on simplicity: getting going is quick, changes are easy to understand, and organizational adoption tends to be fast. We recommend Salt for organizations with greater infrastructure complexity. Salt has a completely declarative model that includes components to dynamically manage configuration and detect drift, along with the ability to layer buildouts and react to signals from the environment, changing infrastructure dynamically in response to changing conditions. These abilities necessarily require additional complexity and result in a steeper learning curve, but clients with sufficient scale, compliance requirements, or complexity find great benefit from the additional features.

At Risk Focus, our Cloud and DevOps team supports transformation initiatives and demonstrates domain expertise in the following areas:

– Infrastructure as Code Orchestration with tools like HashiCorp’s Terraform, as well as cloud-native Orchestration with CloudFormation, ARM, and HEAT.

– Configuration automation with technologies including Salt and Ansible.

– Migrating applications to public cloud, including re-architecting of applications to become more cloud-compatible or cloud-native.

– Containerization including extensive experience with Docker, Docker Swarm, OpenShift, Kubernetes, EKS, GKE, and

– Cloud migration and hybrid cloud implementation using VMware, OpenStack, AWS, GCP and Azure.

– Process and methodology improvements and CI/CD pipeline implementation leveraging tools such as Git, JIRA, Jenkins, and

– Multi-cloud Monitoring and Log aggregation via Splunk, Elastic, and InfluxDB.

Announcing our Pittsburgh Development Center

Risk Focus, a consulting firm providing specialized business domain and technology implementations, announces the opening of their new Development Center in Pittsburgh. Risk Focus, founded in 2004, has an established international presence with headquarters in New York City and offices in London, Frankfurt, Toronto and Riga. For the past few years, Risk Focus has focused on expanding their Riga development team with great success attracting world-class developers. The company aims to repeat that achievement and extend its capabilities to meet the growing needs of its North American clients by opening a new development center in Pittsburgh.

Why Pittsburgh? This vibrant, innovative city has a deep pool of technical talent, drawn in by world-class universities, an affordable cost of living, and a diverse tech community that has made it a top “NextTech” city. Pittsburgh was recently selected as the #2 Most Livable in the US with a wide variety of museums, rich performing and fine arts communities, perennially winning professional sports teams, and a paradise for foodies.

Pittsburgh combines an existing base of developers who know enterprise with a strong startup community that pairs well with the needs of its North American customers. Peter Meulbroek, Global Head of DevOps Solutions for Risk Focus said, “We view Pittsburgh as a highly-strategic expansion. The city is a high-tech research powerhouse that generates an exceptional level of talent, combined with a strong penchant for reinventing itself.”

The Risk Focus partners have deep ties to Pittsburgh. Tara Ronel, the new Head of Pittsburgh DevOps Solutions, is a native Pittsburgher, as are several other Partners. The Risk Focus leadership believes in the community, its innovative culture, deep talent pool and growth opportunities, and expects the company to have a bright future there.

Ms. Ronel summed up the Pitt-RF match, saying, “Pittsburgh and Risk Focus have so much to offer each other. We’re excited to be a part of this dynamic city as it continually evolves and innovates. We’re here for the long haul and look forward to our mutual next generation tech advancements.”


Case Study – Regulatory Reporting Health Check

Market Pressure

Helping a Global Bank Respond to a Regulator’s Audit.

Following the 2008 global financial crisis, policymakers in the G-20 committed to reforming domestic and international rules governing the over-the-counter (OTC) derivatives markets. In response, regulators across the world such as the CFTC, ESMA, MAS, and ASIC have introduced regulations such as central clearing through central counterparties to reduce counterparty risk, and reporting of all eligible transactions to trade repositories to increase transparency. Firms are expected to comply with complex regulations constantly and may be subject to severe financial penalties and reputational risk in case of any deficiencies observed by the regulators.

The Client

A Global Bank that is a Swaps Dealer responded to a regulator’s audit of its OTC Trade Reporting by engaging Risk Focus to perform a Regulatory Trade Reporting Health Check.

The Challenge

Ever since the enactment of Dodd-Frank in the US and similar regulations like EMIR in Europe, regulators have continued to monitor the data quality of trade submissions and provided additional guidance to trade repositories like the DTCC’s Global Trade Repository (GTR) in a bid to make the submission data more useful for their oversight. For example, EMIR reporting for OTC derivatives began in February 2014. ESMA Level 1 validations were rolled out in December 2014 and subsequently ESMA Level 2 validations in November 2015, requiring trade repositories to strictly enforce them and reject any submissions made by firms that did not comply with these. Hence, firms need to continuously monitor any changes to the regulations and subsequent impact on the message submission specifications provided by the trade repositories to remain compliant.

Regulators and their enforcement arms regularly perform audits to measure compliance with these regulations, and are most interested in seeing evidence that firms are in control of their trade reporting operations. Firms that can prove that they can retrieve historical reports with little effort and have mechanisms to ensure the quality, accuracy, and completeness of their reports will fare better than firms that can’t. Those that are found to be remiss or to have inaccurately reported their trades to a repository have been both fined millions of dollars and exposed in the media.

Our Solution

Our client, a large Global Bank that is a Swaps Dealer, was being audited by one of the enforcement arms of a regulator. The bank engaged Risk Focus to perform a Regulatory Health Check to identify gaps in its reporting obligations to CFTC and ESMA for their Interest Rates, Foreign Exchange and Commodities businesses. Within 6 weeks the Risk Focus team was able to perform a detailed review of the current workflow for various products and trade life cycle events and to analyse several samples of the firm’s submissions to the trade repositories. Accomplishing this in such a compressed time frame was made possible by leveraging the regulatory reporting controls from RegTek Solutions, the software firm spun out of Risk Focus in 2017. The team identified gaps in the firm’s current reporting workflow and data quality issues with the submissions. At the end of the engagement, the team provided high-level recommendations to the client on how to address deficiencies like under-reporting and over-reporting of certain events and erroneous/missing/incorrect reporting of certain fields to the regulators.

The high-level approach followed during the engagement is as follows:

– Review of current reporting workflow for various asset classes and products

– Identification of trade life cycle event reporting scenarios for each of the asset classes and products in scope

– Comprehensive analysis of a sample subset of the firm’s submissions to the trade repository by performing a manual three-way comparison between the firm’s submissions, trade repository specifications and the regulations, as well as using RegTek’s industry-acclaimed tool Validate.Trade

– Documentation of gaps and issues identified during the analysis and providing recommendations to the client to effectively address the shortcomings


Based on the high-level recommendations provided by the Risk Focus team at the end of the regulatory health check engagement, the client is embarking on a remediation program that follows our suggestions, which includes putting in place a new layer of controls alongside their transaction reporting platform, essentially future-proofing them from changes in regulations going forward by implementing a foundational control framework.

The remediation program based on the Health check findings will include the following:

– Implementing a control framework (from RegTek Solutions) for daily reconciliation of trading activity against trade repository reporting activity, as well as monitoring errors in real time

– Addressing the gaps in existing reporting workflows

– Back-reporting of any under-reported/mis-reported trades


“Tour of Cloud Computing” – In Depth Interview

The August 23 Jaxenter interview of Peter Meulbroek, Head of DevOps and Cloud Solutions at Risk Focus by journalist Gabriela Motroc entitled “A Tour of Cloud Computing” dives deeply into several key topics.

The interview is organized around the following themes:

Security – Discusses the new paradigm.

Benefits – Discusses key benefits like automation and the self-service nature of the cloud.

Preferred Tools and Technologies – Describes the various technologies that Risk Focus prefers for Configuration Management, Orchestration, Packaging and Distribution, Data Masking, Containerization, and Monitoring.

The limitations of a Cloud-Neutral approach.

The article gives Meulbroek the platform to share the approach that Risk Focus brings to clients grappling with a Cloud Strategy. For instance, regarding Cloud-Neutral strategies, Meulbroek states “Cloud-neutral adds a large amount of complexity and risk to a migration, without really solving the issue”.

Regarding Security, he states “the old, obsolete paradigm for security — the perimeter defense — has gone the way of the curtain wall and needs to be replaced with defense in depth.  Nor is it enough to manage data security between applications. Data, at rest or in flight, needs to be protected at all levels within an application, and managing security for an application is largely managing access to decrypt narrowly-focused cohorts of data”
