Maersk is the world’s largest container shipping company, with end-to-end services spanning the entire supply chain. The company’s logistics web uses a robust infrastructure that makes use of a cloud platform. Adequate protection against today’s regular malware and virus attacks is of crucial importance for Maersk’s business continuity. To steer a safe course in combining agile ways of working and cloud-based development with compliance with Maersk’s security and quality standards, Maersk collaborated with Xpirit, and introduced the Unified Delivery Model (UDM). The model uses beacons to signal teams as well as stakeholders of the extent in which they are on course, compliant with standards, and secure against any threats. The beacons even provide functionality for automatic reconciliation, thus repairing IT components from any malfunction. The beacons proved their value in December 2021 when a Log4j vulnerability was signaled in time and any affected component and server could be returned to business as usual, within a minimum of time.
Comprehensive cloud infrastructure
Maersk’s full-service portfolio goes well beyond container shipping, and comprises the complete supply chain, from factory to warehouse and from farm to refrigerator. A robust infrastructure is the backbone of the company’s intricate logistics web, with IT components that are being developed by teams in different locations. The teams use a cloud-based environment, which was introduced in 2018. Bruno Amaro, head of Cloud Compliance for Maersk, describes the journey into the cloud: "Naturally, compliance with our security and quality standards was, and is, of key importance for our business continuity and quality of service. This required extremely thorough analysis while we were designing, developing and implementing the cloud infrastructure, which is why we involved Xpirit’s experienced consultants. They provided great help in getting the infrastructure implemented, but their special value lies in their thorough analysis. They constantly challenge you in your ideating process and tell you when you’re about to deviate from your mindset and intended course. Their typically Dutch directness proved to be a great help and by not leaving a stone unturned."
Compliance with security and quality standards monitored by beacons
Bruno continues: "Naturally, the approach of teams working in all corners of the world working in an agile, DevOps-based manner required constant and through monitoring. Not only in terms of compliance with safety and security, but also operational efficiency. This is why we introduced the Unified Delivery Model (UDM), a framework that allows teams to be responsible for their own value-chain via a self-service portal. A key component of the model consists of beacons that signal teams of the extent to which they are on course, compliant with standards, and secure against any threats. The beacons light up in green to indicate that you’re on the right course without any issues, while they light up in red to indicate any type of risk or non-compliance. For instance, when Microsoft releases a new security patch, the beacons automatically turn red, alerting the teams that an action is required to get back to compliance. Stakeholders also see the beacons, so in addition to keeping the development teams on track, they serve as an efficient communication channel."
Erick Segaar, one of Xpirit’s team of consultants who were involved in the project for years: "One of the great qualities of beacons is that they don’t block anything, unlike many other compliance measures. They signal possible issues in time and ahead of actual problems and notify you when you need to adjust your approach. What’s more, the beacons offer a self-healing mechanism, thus reconciling and remedying issues without any human interaction. While this feature in itself was not super complex to implement, the challenge was to leave the responsibility with the teams without limiting their autonomy."
Bruno adds on a light note: "While the beacons constantly alerted each of our teams, I was caught off guard when I visited the Xpirit team in their office in Hilversum. The day I arrived we did some great team-building, went go-karting, lots of drinks and dinner in the evening. However, that night in my hotel room I got so sick, I saw all colors of the rainbow, and I believe I said yes to everything during the meetings on the second day, not seeing any red beacon."
Immediate and timely measures against log4j vulnerability One remarkable result of using the beacons was our extremely effective response to a log4j vulnerability that occurred in December 2021. Bruno: "The beacons signaled us well in time of the risk that certain servers were affected, and this allowed us to take the required measures well in time, thus preventing any impact on our business. In short, a wonderful confirmation of the security measures we took on our cloud journey, as well as the valuable cooperation with Xpirit."