Continuous Deployment and PCI-DSS at Etsy
Join the DZone community and get the full member experience.
Join For FreeAt DevOpsDays Mountain View I was lucky enough to get some time with Michael Rembetsy, Director of Engineering and Operations at Etsy, which manages to be PCI-DSS compliant while practicing continuous deployment. In this short interview, he describes how they do it.
Here are some of the key points from the interview:
- Etsy deploy to production 25-50 times a day;
- They built a new, segmented PCI-DSS compliant environment for their
payment systems – “we built a whole separate Etsy, essentially”;
- Segregation of duties doesn’t mean people can’t talk to each other.
In fact, collaboration is an essential element of effective risk
management. So everybody in the PCI environment still follows devops
principles – there’s no physical separation of the teams, and Etsy have
hired more people into the various roles (dev, sysadmin, dba, manager,
networking) to facilitate collaboration;
- In the payments environment they “still have to follow the rules: a
developer still doesn’t have access to a production database”, but
they’ll have dbas working alongside them who they can ask for help, and
graphs showing metrics from the database;
- They use a similar deployment process in their PCI environment to
their non-PCI environment, but it includes much more logging on who did
what when, and they have roles for QA pusher and production pusher;
- Developers can run most of the test framework in their PCI
development environment, and they have access to production logs via
Splunk in read only mode;
- They have a ticketing system that all changes have to go through,
but they can push out a change from dev to production in less than an
hour if necessary with their normal, non-emergency change management
process;
- Final words of advice: “Make sure that the team is on board and realizes that yes, there’s going to be some constraints, but … if you all work together you’re going to be able to continuously deliver the product that you want even into a secure environment.”
Continuous Integration/Deployment
Published at DZone with permission of Jez Humble. See the original article here.
Opinions expressed by DZone contributors are their own.
Trending
-
How To Manage Vulnerabilities in Modern Cloud-Native Applications
-
How To Integrate Microsoft Team With Cypress Cloud
-
Getting Started With the YugabyteDB Managed REST API
-
Micro Frontends on Monorepo With Remote State Management
Comments