Here are some of the key points from the interview:
- Etsy deploy to production 25-50 times a day;
- They built a new, segmented PCI-DSS compliant environment for their
payment systems – “we built a whole separate Etsy, essentially”;
- Segregation of duties doesn’t mean people can’t talk to each other.
In fact, collaboration is an essential element of effective risk
management. So everybody in the PCI environment still follows devops
principles – there’s no physical separation of the teams, and Etsy have
hired more people into the various roles (dev, sysadmin, dba, manager,
networking) to facilitate collaboration;
- In the payments environment they “still have to follow the rules: a
developer still doesn’t have access to a production database”, but
they’ll have dbas working alongside them who they can ask for help, and
graphs showing metrics from the database;
- They use a similar deployment process in their PCI environment to
their non-PCI environment, but it includes much more logging on who did
what when, and they have roles for QA pusher and production pusher;
- Developers can run most of the test framework in their PCI
development environment, and they have access to production logs via
Splunk in read only mode;
- They have a ticketing system that all changes have to go through,
but they can push out a change from dev to production in less than an
hour if necessary with their normal, non-emergency change management
process;
- Final words of advice: “Make sure that the team is on board and realizes that yes, there’s going to be some constraints, but … if you all work together you’re going to be able to continuously deliver the product that you want even into a secure environment.”
{{ parent.title || parent.header.title}}
{{ parent.tldr }}
{{ parent.linkDescription }}
{{ parent.urlSource.name }}