Vault has completely reshaped our approach to secrets management by eliminating manual key entry and reducing our validation timelines from an hour to just a few seconds. That has a huge impact on our overall productivity and time-to-market for applications that have adopted it.
Erika León-Ravinez, DevSecOps Tribe Leader, BCP
Automation in the Andes
Banking isn’t what it used to be. The days of paper deposit slips, visits to the teller, and writing checks have long passed — for most people. In Peru, there’s still a significant segment of the population without access to modern banking services and solutions, and the Banco de Crédito del Perú (BCP) is undertaking a massive digital transformation in an effort to change that.
The country’s largest bank, a subsidiary of Forbes Global 2000 member Credicorp, serves millions of customers domestically and internationally through more than 2,400 ATMs, 7,000 telebanking agents, over 400 physical branches, and its digital channels, including mobile banking and digital wallets. But delivering modern banking services like mobile or internet banking, credit services, and digital mortgage lending that many Peruvians haven’t previously had access to requires an expansive, agile, and high-performance IT infrastructure that the bank had never before committed to building.
“In today’s competitive landscape, delivering new applications and services that customers expect or even demand is a time-sensitive matter,” says Erika León-Ravinez, DevSecOps tribe leader at BCP. “Our legacy infrastructure required so many manual processes — for everything from spinning up new servers to managing secrets for securing systems and sensitive data to testing and deploying new services for internal and external users. We began a massive digital transformation initiative to make it all happen, but realized early on that we needed an efficient, flexible, and secure tech stack to make it a success.”
Manual processes aren’t transformative
Like many financial institutions, BCP’s legacy IT infrastructure had been designed and deployed for a different time and era. The on-premises, mainframe-centered infrastructure was perfect for securely executing financial transactions over the years, but as the bank embraced a DevOps mindset and adopted its best practices to fuel its digital transformation, BCP’s DevOps team — León-Ravinez and lead architect, Edwar Ponte — was under an executive directive to reduce infrastructure delivery and secrets management timelines to support accelerated time-to-market for new customer-facing applications and services.
A significant portion of that effort involved migrating much of its legacy infrastructure to the bank’s primary public cloud platform, along with other on-premises destinations. But deploying hybrid infrastructure in different environments, coordinating and connecting services, and establishing the secrets for every interconnected system proved much more work than anticipated.
“We used to have a mix of mostly manual processes and a smattering of automation across the various tools we used to stand up infrastructure for any new application we wanted to build in the cloud,” says Michael Garcia, owner of BCP’s public cloud platform. “Each team presented a different technological need, which included infrastructure services, containers, data, and analytics in the cloud, and meant something as essential as provisioning could take days at a time.”
At the same time, secrets management — vital for authenticating access to sensitive cloud workspaces and sensitive customer data — presented even more significant challenges that increased the number of incidents and risk, and frequently put the BCP DevOps teams behind schedule and under pressure.
“Two years ago, we had three different credential management systems and anyone using them had to manually enter keys to authenticate users for the production environment,” says León-Ravinez. “In some instances, we even had to pass production before we could validate the secrets, which created errors and incurred a lot of extra time and labor costs to fix. It could take up to two hours to locate a security analyst who could help troubleshoot the issues, which just added more review cycles for an app and extended the time it wasn’t available for customers.”
Streamlining cloud and hybrid services deployment
Eliminating manual secrets management
Accelerating digital transformation initiatives and delivery of customer-facing digital services
With Terraform, we’re provisioning infrastructure that follows security and operations guidelines from the same corporate marketplace to better control implementation of different cloud instances and workspaces without being locked into a single cloud vendor.
Michael Garcia, Product Owner, Public Cloud Platform, BCP
Momentum, transformation, progress
BCP adopted HashiCorp Terraform and Vault to streamline and accelerate their infrastructure and secrets management operations. After a short proof of concept versus competing tools, the company chose HashiCorp solutions for their simplicity and security, as well as their extensive cross-platform capabilities in support of the bank’s move toward a multi-cloud and hybrid IT environment.
According to Michael Garcia, owner of BCP’s public cloud platform, one of BCP’s primary goals was to standardize its infrastructure provisioning processes across both on-premises and public cloud platforms to enable greater self-service for its development teams.
“With Terraform, we’re provisioning infrastructure that follows security and operations guidelines from the same corporate marketplace to better control implementation of different cloud instances and workspaces without being locked into a single cloud vendor,” says Michael Garcia, owner of BCP’s public cloud platform. “More importantly, it empowers every developer to deploy their own infrastructure, complete with the credentials and certificates for provisioning secrets all from the same place. What used to take two or three days, now takes less than an hour.”
Now, teams assigned to any top-level project — from digital wallets to remote agent chat platforms — can work independently, with greater speed and agility, to move the company’s projects forward aggressively. But the gains in infrastructure speed and simplicity aren’t the only benefits BCP is enjoying with their use of HashiCorp tools. Upgrading to the Vault Enterprise edition for a group of applications using the tools has virtually eliminated the complexities of secrets management that had previously plagued the team and added weeks to deploying customer-ready apps and services.
With Vault, the team found appropriate security controls for encrypting all secrets, a strong authentication mechanism, and a disaster recovery process. These are all fundamental pillars of security operations at BCP, and using Vault drastically improves their security posture.
“Vault has completely reshaped our approach to secrets management by eliminating manual key entry and reducing our validation timelines from an hour to just a few seconds. That has a huge impact on our overall productivity and time-to-market for applications that have adopted it,” León-Ravinez states. “It’s also key to protecting super-sensitive customer data wherever it lives. That helps us meet our compliance requirements, which is always a top priority.”
Though the bank is still in the early stages of its long-term transformation process, both León-Ravinez and Garcia — along with colleague Bryan León Aristondo, cloud engineer on the public cloud platform team — are encouraged by the velocity of change and improvement that teams across the organization have experienced since adopting Terraform and Vault. “HashiCorp tools have helped us slash the time to deploy new services to production, the number of errors we’ve had to deal with, and the costs of fixing them,” Garcia says. “Every day we’re gaining momentum, moving closer to a fully digital and modern IT environment, and able to provide Peruvians across the country with the digital banking services they demand and deserve.”
96% reduction in cloud infrastructure deployment times from 2 or 3 days to hours
Automated secrets management, cutting validation times from 1 hour to seconds
Eliminated costly and time-consuming errors due to manual data management
Accelerated time to market of high-priority customer services
Banco de Crédito del Perú (BCP) is using HashiCorp Terraform and Vault to accelerate cloud infrastructure deployment and protect sensitive data as part of a transformation effort designed to extend digital banking solutions to underserved markets that have traditionally not had access to modern banking services.
Erika León-Ravinez, DevSecOps tribe leader, BCP
Erika has over 16 years of experience in IT. As the DevSecOps tribe leader at BCP, she is responsible for leading all implementations of process, tools, change management, and development related to DevSecOps at BCP. She is passionate about technology and finding disruptive ways to bring DevSecOps to the entire organization in a high-quality and secure manner.
Edwar Ponte, Lead architect, DevOps, BCP
Edwar is a DevSecOps architect at BCP and responsible for their CI/CD platform. With 15 years of IT experience, he has deep knowledge of software engineering, solutions architecture, and open source solutions. Edwar is passionate about continuously searching for the best practices and tools to provide the best experience for the developers who use their platform.
Michael Garcia, Product owner, public cloud platform, BCP
Michael Garcia is the product owner of BCP’s public cloud platform where he has been leading the cloud strategy and adoption efforts for the past four years. With 10 years of prior experience as a cloud engineer, Michael has led public cloud transformation projects with BCP and the technology industry.
Bryan León Aristondo, Cloud engineer, public cloud platform, BCP
Bryan has been with BCP for almost two years helping with the adoption of the public cloud platform. He brings 5 years of previous experience as an IT consultant driving digital transformation in several companies, leading more than 50 technology solution implementation projects. He is currently responsible for handling several initiatives of operational stability, provisioning, and improvements of the public cloud infrastructure.
- Microsoft Azure, on-premises, mainframe
- Workload type:
- Linux (80%), Windows (20%)
- Container Runtime:
- Azure AKS, Red Hat OpenShift
- XL Release, Jenkins
- Version Control:
- HashiCorp Terraform, IBM Cloud Orchestrator, manual
- Security management:
- Azure Key Vault, HashiCorp Vault