NAB has revealed more on the automated governance and change management techniques it uses to move and tweak code in the cloud at scale.
The bank used a recent AWS executive forum in Sydney to disclose the workings of Cloud Adoption Standards and Techniques or CAST.
CAST allows the bank to “programmatically define how we run our workloads in the cloud”, executive general manager of infrastructure, cloud and workplace, Steve Day said.
“Traditionally, in such a complex environment, the way we handled governance and security was to develop a culture of no - ‘I want to do something new’. ‘Well, the default position is no, until you've jumped through 100 hoops to prove what you're doing is safe and secure for our customers’,” Day said.
“That doesn't work in the digital world. What we needed to do was to create a governance regime that worked really well inside a digital world, and that's where we developed CAST.
“CAST has given us an opportunity to uplift the governance of our applications significantly so we know before we make any decision on what we're going to do, whether it will or will not comply [with our security requirements].
“We can remove that culture of the default answer being no. The default question now is, ‘Does it comply with CAST?’”
Day - and other NAB staff - have hinted at CAST’s existence before, but had not revealed the extent to which it is enabling the bank to move into the cloud at pace.
Day told a US AWS event at the end of last year that application teams would bump into otherwise invisible guardrails if something they did exceeded a threshold or breached an internal policy.
He confirmed at the Australian executive forum that CAST’s checks were almost entirely automated.
“We've been able to take most of the controls within CAST and automate them,” Day said.
“We call it invisible compliance. Why? Because our developers don't need to actually run through every one of the compliance checks that we do in a manual way anymore.”
The act of an application team “firing up a new instance” triggered a Lambda function to “have a look at what that developer's doing and work out whether they're doing it in a safe way and whether they're developing things in compliance with our controls,” Day said.
“It'll even look at their code and look for vulnerabilities and malicious intent within that code,” he explained.
“It'll look for things like whether or not we've tagged the environment for what it is, what it's supposed to be doing, who it belongs to, whether it's running all of the right antivirus, whether there's security controls in place, whether our DevOps principles are being met, whether there's business continuity in place, is it running over multiple availability zones, and multiple clouds - all of that is checked and ticked off without the developer having to look at it.”
Day said that the automated checks under CAST were also tiered according to the type of workload.
“If you're experimenting with something, we don't force particular controls on you, they gradually tier up,” he said.
“For instance, if you're creating an environment to do an experiment, it still has to be tagged - we still have to know what it's for, we still have to know that it's actually not there doing some bad thing, and that it's part of a formal experiment.
“But we don't do things like ensure that you're running in multiple availability zones, for instance. That's not required for an experiment.
“And as we go through the different stages of development, those controls gradually ratchet up. So by the time you're going into production, 100 percent of the controls are checked and in place.”
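The launch-time check and the tiered ratcheting of controls described above, as an added illustration (this is not NAB's CAST code; the control names, the stage tags and the event shape are assumptions, and a constructed event dict stands in for the instance-launch event a Lambda would receive):

```python
# Added example: a tiered launch-time compliance evaluator in the style described
# for CAST. Not NAB's code. Control names, stage names and the event fields are
# assumptions; in a real deployment this would run as a Lambda handler fed by an
# instance-launch event, here a constructed dict plays that role.

REQUIRED_TAGS = {"owner", "purpose", "workload"}

def check_tags(event):
    """Every instance must say what it is and who owns it (applies at all tiers)."""
    missing = sorted(REQUIRED_TAGS - set(event.get("tags", {})))
    return [f"missing tag: {t}" for t in missing]

def check_endpoint_agent(event):
    """Is the expected endpoint protection agent installed?"""
    return [] if event.get("endpoint_agent") else ["endpoint protection agent not installed"]

def check_multi_az(event):
    """Production must span at least two availability zones."""
    zones = {s.get("az") for s in event.get("subnets", [])}
    return [] if len(zones) >= 2 else ["not spread across multiple availability zones"]

def check_continuity(event):
    """A business continuity / backup plan must be attached."""
    return [] if event.get("backup_plan") else ["no business continuity plan attached"]

# Controls ratchet up by stage: an experiment only needs tagging,
# production must pass 100 percent of the controls.
TIERS = {
    "experiment": [check_tags],
    "development": [check_tags, check_endpoint_agent],
    "production": [check_tags, check_endpoint_agent, check_multi_az, check_continuity],
}

def evaluate(event):
    """Return (compliant, findings) for the workload stage named in the tags."""
    stage = event.get("tags", {}).get("stage", "production")  # unknown stage -> strictest tier
    findings = []
    for control in TIERS.get(stage, TIERS["production"]):
        findings.extend(control(event))
    return (not findings, findings)

def lambda_handler(event, context=None):
    """Hypothetical handler shape: allow the launch or flag it for quarantine."""
    ok, findings = evaluate(event)
    return {"action": "allow" if ok else "quarantine", "findings": findings}

# Constructed sample events: same instance, once tagged as an experiment, once as production.
EXPERIMENT = {"tags": {"owner": "team-a", "purpose": "ml-trial", "workload": "x", "stage": "experiment"},
              "subnets": [{"az": "ap-southeast-2a"}], "endpoint_agent": False, "backup_plan": None}
PROD = dict(EXPERIMENT, tags=dict(EXPERIMENT["tags"], stage="production"))

if __name__ == "__main__":
    for name, ev in (("experiment", EXPERIMENT), ("production", PROD)):
        print(name, lambda_handler(ev))
```

The same instance passes as an experiment but is blocked three ways as production, which is the "gradually tier up" behaviour the quotes describe.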
NAB recently revealed its two-speed approach to cloud migration, with paths to cloud either through AWS Managed Services (AMS) or a “migration factory” powered by Infosys and DXC resources.
Apps pushed into the cloud via AMS - and subsequent changes to those apps - are handled almost entirely by automation.
“AMS allows us to put packaged apps in an environment and run them in a tight governance model, but to do it at pace, and the reason we can do it at pace is because AMS is triggered via APIs,” Day said.
“All of the operations that you typically want to do in a workload are done via an API. So if you want to do a change, there's no form to fill in, there's no change board.
“There are approvals that need to go through ... but they are all automated.”
All activities performed by AMS are logged in NAB’s IT service management platform, ServiceNow.
“We can see everything in our ITSM that Amazon is doing on our behalf, and most of what they're doing on our behalf is automated anyway,” Day said.
One of the advantages of this has been greater visibility of just how many minor code changes and tweaks are made to NAB’s applications on a monthly basis.
“[In April], we ran 5000 changes across 120 applications that we have running in AMS,” Day said.
“I was surprised - how can that be? These are packaged apps, we're not going in and doing major changes on them.
“When I dug into it, it turned out that those changes were always happening, we just weren't recording them.
“They were things like tiny tweaks on this or a move here or a change in parameter on this that never used to be recorded.
“People would just go in and do them because that was deemed as operations or part of an incident or whatever.”
Day said that NAB is now able to see who made a change and when - and for this to be recorded in the bank’s configuration management database (CMDB).
“Now we have 100 percent of everything that's happening in our environment logged in ServiceNow and the reporting that that generates,” he said.
“We have a service mapping, so because our infrastructure is code, ServiceNow can actually go out and explore what our services look like and they can bring back in the entire service map of what our services look like.
“We can now see the hundreds of servers and features and capabilities within the cloud and within our data centres that make up a service.
“That's now logged in our CMDB, and every night that same CMDB is updated, so we don't have that problem anymore of 'What does this server do? Let's turn it off and see what breaks'.
“We know now exactly what will break.”