Modernising Post Trade Settlements with AWS and Red Hat OpenShift

Hitesh Joshi
5 min read, Feb 3, 2022

Many enterprises struggle to implement Cloud First or container-native solutions that are flexible, agile and able to meet the needs of their industry. This is particularly true of post trade settlements, where regulatory, security and compliance requirements are an ever-evolving landscape. In this blog, we’d like to take you through our journey at Accenture Technology & Operations for Markets (ATOM), where we’ve done just this.

Taking this utility service to market meant building something fit for the modern age. We needed a platform that could grow with the service, be supported for many years, and remain flexible enough to modernise as new innovations and FinTech providers come to market. We also needed to be able to respond rapidly to the evolving regulatory landscape.

Weighing all of these aspects led us to a cloud native approach built on a microservice architecture, which naturally lends itself to containers as the deployment unit. Given the nature of a Tier 1 service, with uptime and performance as primary concerns, an enterprise-grade container orchestrator with robust support was required. After reviewing the available options, ATOM selected Red Hat OpenShift as the container orchestrator underpinning the service. Not only is the platform fully supported, but OpenShift keeps pace with upstream Kubernetes, giving us access to the latest features on a regular cadence. OpenShift also provides security capabilities and Role Based Access Control (RBAC), a simplified approach to deploying the platform, infrastructure monitoring through Prometheus out of the box, and centralised policy management.

Containers have become the ATOM standard unit of deployment. Having a well understood deployment architecture that is consistent across all applications lets developers focus on the application features that add value rather than on how to get a new application into production. Launching new services and applications is less complex and less risky because the same path to production has already been exercised many times. Developers can integrate new services into the existing ecosystem with greater consistency, which lowers maintenance costs.

As part of Accenture’s Cloud First approach, ATOM uses AWS as the primary Cloud Service Provider. We deploy OpenShift to AWS infrastructure directly and leverage AWS native services for non-container concerns, including Direct Connect for private networking with clients, RDS and RedShift for databases, and AWS Glue & QuickSight for analytics. OpenShift on AWS has been a seamless integration between the container platform and the supporting AWS services.

Both AWS and OpenShift scale as our volumes change over time. The ability to grow as the volumes grow and pay only for what’s needed is vital to our ability to invest and manage costs. Given the variability in ATOM workloads across the market day, week and month, elasticity is also key to managing our costs as capacity increases and decreases.

Security is at the heart of our platform. We’ve established several features that work to ensure a secure environment, leveraging OpenShift and AWS together.

  • We have implemented a secure cloud landing zone in AWS. This is coupled with secure cloud gateways that interact with the external ecosystem, leveraging AWS Direct Connect so that all traffic between ATOM services and our clients travels over dedicated private networking. We prevent traffic from AWS reaching the public internet using standard AWS network configuration.
  • Data residency is a critical control. By deploying OpenShift only to specific AWS regions in Europe, we maintain data residency and help ensure data stays within European boundaries.
  • We have implemented Data Loss Prevention (DLP) and access controls that are enforced at the infrastructure level, following Accenture global standards. This includes a variety of vendor solutions and the Accenture global SIEM capability. We couple this with automation that collates the evidence required for both compliance and audit.
  • Tied to the security implemented at the infrastructure layer, we also bake security into the application build and deploy process. Developers use standardised secure pipelines to build containers, with vulnerability analysis built into the pipeline, including static (SAST) and dynamic (DAST) application security testing, leveraging several tools from the open-source ecosystem.
  • We also leverage the Red Hat and open-source ecosystems for image scanning, with tools such as Clair. This process looks for known vulnerabilities across the layers of the image chain and monitors for out-of-date packages and third-party dependencies. That visibility lets us understand the security posture of our applications and plan and execute patch management to keep them up to date and more secure.
  • On the data side, the service supports multiple clients in a multi-tenant manner. OpenShift enables data isolation per client: workloads are sequestered in dedicated, more tightly controlled processing environments as the norm for platform users, even though they run on the public cloud infrastructure of AWS.

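The two landing-zone controls above, no internet egress and European data residency, are the kind of thing a practitioner wants to verify continuously rather than assume. The script below is an added example, not ATOM's tooling: it runs two guardrail checks over constructed data. `ROUTE_TABLES` mimics the shape returned by boto3's `ec2.describe_route_tables()` (so the same functions can be pointed at a live response), `RESOURCES` is a constructed inventory of the kind a config export would give you, and every ID, CIDR and region is a placeholder. Routes via a virtual private gateway (the Direct Connect attachment), transit gateway or peering connection are treated as private; internet gateways, egress-only internet gateways and NAT gateways are flagged, including blackholed routes, because those come back to life as soon as the target is re-created.

```python
"""Landing-zone guardrail checks run over constructed AWS API data.

Added example, not ATOM's tooling. ROUTE_TABLES mimics the shape returned by
boto3's ec2.describe_route_tables(); RESOURCES is a constructed inventory of
the kind you would pull from a config export. All IDs are placeholders.
"""
from __future__ import annotations

# Constructed sample: vpc-private egresses only via a virtual private gateway
# (Direct Connect) and a transit gateway; vpc-leaky has an internet gateway
# default route and a (blackholed) NAT gateway route.
ROUTE_TABLES = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-0aaa",
            "VpcId": "vpc-private",
            "Routes": [
                {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0c11", "State": "active"},
                {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-0d22", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-0bbb",
            "VpcId": "vpc-leaky",
            "Routes": [
                {"DestinationCidrBlock": "10.30.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0e33", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0f44", "State": "blackhole"},
            ],
        },
    ]
}

# Constructed inventory; one resource has drifted to a non-European region.
RESOURCES = [
    {"id": "db-settlements", "type": "rds", "region": "eu-west-2"},
    {"id": "ocp-cluster-bucket", "type": "s3", "region": "eu-west-1"},
    {"id": "ad-hoc-analysis", "type": "redshift", "region": "us-east-1"},
]

ALLOWED_REGIONS = {"eu-west-1", "eu-west-2", "eu-central-1"}  # assumed allow-list

# Targets that give a path to the public internet. vgw- (Direct Connect/VPN),
# tgw- (transit gateway) and pcx- (peering) carry private traffic.
INTERNET_TARGET_PREFIXES = ("igw-", "eigw-", "nat-")


def route_target(route: dict) -> str:
    """Return the target ID of a route regardless of which key carries it."""
    for key in ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId",
                "TransitGatewayId", "VpcPeeringConnectionId"):
        if route.get(key):
            return route[key]
    return ""


def internet_routes(route_tables: dict) -> list[tuple[str, str, str]]:
    """List (route_table_id, destination, target) for every internet-capable
    route. Blackholed routes are reported too: the finding is the route, not
    whether its gateway currently exists."""
    findings = []
    for table in route_tables["RouteTables"]:
        for route in table["Routes"]:
            target = route_target(route)
            if target.startswith(INTERNET_TARGET_PREFIXES):
                dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock", "?")
                findings.append((table["RouteTableId"], dest, target))
    return findings


def out_of_region(resources: list[dict], allowed: set[str] = ALLOWED_REGIONS) -> list[dict]:
    """Resources placed outside the approved (European) regions."""
    return [r for r in resources if r["region"] not in allowed]


def landing_zone_report(route_tables: dict, resources: list[dict]) -> dict:
    """Combine both checks; 'compliant' is only true when both lists are empty."""
    egress = internet_routes(route_tables)
    residency = out_of_region(resources)
    return {"internet_routes": egress, "out_of_region": residency,
            "compliant": not egress and not residency}


if __name__ == "__main__":
    import json
    print(json.dumps(landing_zone_report(ROUTE_TABLES, RESOURCES), indent=2))
```

Feeding this a real `describe_route_tables()` response per VPC, and an inventory from AWS Config or a tagging export, turns the two bullet points into evidence that can be collected on a schedule, which is exactly the kind of automated evidence collation described for the audit and compliance process.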
We have adopted Red Hat Universal Base Images (UBI) as the default base image for our containers. Built from Red Hat Enterprise Linux (RHEL), UBI gives us a reliable, well-maintained and more secure foundation. It comes with a stream of security updates and patches, with quarterly patch releases to the base image. We also make extensive use of the application images in the Red Hat UBI repository. For example, we use the Red Hat UBI OpenJDK Java 8 image, which keeps us on a supported version of Java 8 with patches released quarterly.
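Putting the pipeline scanning described earlier together with the UBI base-image policy, the natural control is a promotion gate: an image is only allowed onward if its base comes from an approved UBI repository, is pinned by digest, and carries no finding at or above the chosen severity that already has a fix available. The script below is an added example, not ATOM's pipeline code. `REPORT` is a simplified stand-in for what a scanner such as Clair emits; its field names are assumed for the example and are not Clair's real output schema. Finding IDs, package names and the digest are placeholders, not real vulnerabilities. Findings with no vendor fix are reported separately rather than blocking by default, because a gate that fails on unfixable findings just gets bypassed; flip `block_unfixed` for images where that is not acceptable.

```python
"""Container image promotion gate over a constructed scan result.

Added example, not ATOM's pipeline code. REPORT is a simplified stand-in for
scanner output; the field names are assumed and are not Clair's real schema.
Finding IDs, package names and the digest are placeholders.
"""
from __future__ import annotations

import re

# Base images must come from the Red Hat UBI repositories and be pinned by
# digest, so a rebuild cannot silently pull a different base than was scanned.
APPROVED_BASE_REPOS = ("registry.access.redhat.com/ubi8/",
                       "registry.access.redhat.com/ubi9/")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4  # 64 hex chars, not a real digest

# Constructed scan result (assumed shape, see module docstring).
REPORT = {
    "image": "quay.io/atom/settlement-api@" + PLACEHOLDER_DIGEST,
    "base_image": "registry.access.redhat.com/ubi8/openjdk-8@" + PLACEHOLDER_DIGEST,
    "findings": [
        {"id": "sample-1", "package": "pkg-a", "severity": "High", "fixed_version": "1.0.1"},
        {"id": "sample-2", "package": "pkg-b", "severity": "Critical", "fixed_version": None},
        {"id": "sample-3", "package": "pkg-c", "severity": "Medium", "fixed_version": "2.3.0"},
    ],
}


def check_base_image(ref: str) -> list[str]:
    """Return problem codes for a base image reference (empty list means OK)."""
    problems = []
    if not ref.startswith(APPROVED_BASE_REPOS):
        problems.append("unapproved-repo")
    if not DIGEST_RE.search(ref):
        problems.append("not-digest-pinned")
    return problems


def blocking_findings(findings: list[dict], threshold: str = "High",
                      block_unfixed: bool = False) -> list[dict]:
    """Findings at or above `threshold` severity. Findings with no fixed
    version are skipped unless block_unfixed is set: nothing can be patched
    yet, so they are tracked rather than used to fail the build."""
    floor = SEVERITY_RANK[threshold]
    blocking = []
    for finding in findings:
        if SEVERITY_RANK.get(finding["severity"], 0) < floor:
            continue
        if finding.get("fixed_version") is None and not block_unfixed:
            continue
        blocking.append(finding)
    return blocking


def gate(report: dict, threshold: str = "High", block_unfixed: bool = False) -> dict:
    """Decide whether an image may be promoted and explain why not."""
    base_problems = check_base_image(report["base_image"])
    blocking = blocking_findings(report["findings"], threshold, block_unfixed)
    awaiting_fix = [f["id"] for f in report["findings"]
                    if f.get("fixed_version") is None
                    and SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[threshold]]
    return {
        "image": report["image"],
        "promote": not base_problems and not blocking,
        "base_image_problems": base_problems,
        "blocking": [f["id"] for f in blocking],
        "awaiting_vendor_fix": awaiting_fix,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(gate(REPORT), indent=2))
```

The `awaiting_vendor_fix` list is the input to the patch-management loop: it is what the quarterly UBI rebuild is expected to clear, and re-running the gate against the rebuilt image confirms that it did.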

Because of the ongoing platform changes required to keep pace with regulatory and security change and the introduction of new ATOM services, ATOM leverages managed services for the core components of the platform. This lets our vendor ecosystem focus on providing the capability and frees the ATOM team to focus on client services and the application layer. Managed services are a means to continue the journey of reducing costs, simplifying the technology stack, and reducing operational overhead.

For us, this means looking at Red Hat OpenShift Service on AWS (ROSA). With ROSA, we expect to lower costs by moving from the current upfront licensing model to a pay-as-you-use model. Allowing developers the flexibility to run new services for short periods without the constraints of annual licensing unleashes their ability to experiment, learn and quickly create new services.

Running OpenShift in the cloud, we benefit from the combined expertise of both AWS and Red Hat. By leveraging their joint investment in ROSA, we benefit from needing fewer people to run OpenShift, enabling us to redirect people’s focus to solving client challenges and improving the ATOM service. In addition, we can manage and keep OpenShift running, up-to-date and stable, while taking advantage of new features in OpenShift, such as support for Windows containers, as they become available.

At Accenture, our team is ready to help you and your clients with secure, reliable, and road-tested solutions built on AWS and Red Hat technologies that deliver a Cloud First transformation.

Hitesh Joshi

Hitesh is Senior Manager within the DevOps practice at Accenture | Red Hat OpenShift | Post Trade Settlements | AWS | Architecture