How New Oriental Built a Scalable DevOps Platform to Cut Costs and Boost Security
New Oriental’s recent DevOps transformation details how the company tackled siloed platforms, built a unified service‑tree‑driven infrastructure, created a real‑time data processing platform, and implemented comprehensive security measures—including red‑blue exercises, penetration testing, sensitive data monitoring, and CA/KMS—to boost efficiency and reduce costs.
01 DevOps Platform Establishment
New Oriental, a 30‑year‑old education group founded by Yu Minhong, only recently increased IT investment. Early challenges included silo effects and data islands as each business unit built its own platform, leading to duplication, waste, and organizational entropy.
The initial integration platform defined seven tasks: resource request → information retrieval → workflow operation → service launch → cost control → data security.
Resources from public and private clouds are managed through data governance and allocated to business lines via a service tree that links functions (cloud resources, release, PaaS management, data platform, security center) to users, enabling fine‑grained authorization and action or data control.
02 DevOps and Data Platform
Many companies have data R&D teams handling DB operations and data‑level development. The goal is to design a platform that connects the whole process. The real‑time computation platform lets users create and select tasks (e.g., Flink) and write results to a real‑time warehouse or offline data lake.
It comprises seven functional modules—job development, management, monitoring, system management, resource management, and template management—covering 14 feature points.
The task creation flow starts with an administrator (a senior developer) who evaluates the initial job and configures the Yarn queue settings; users can then request source table queries or create JAR/SQL jobs.
03 DevOps and Security
Security is paramount for enterprise data assets. New Oriental’s security construction focuses on six aspects.
Red‑Blue Exercise
A recent ransomware incident at other companies prompted a red‑blue exercise covering phishing and perimeter intrusion, privilege escalation into production, and extraction of core data. The lessons led to cutting many of the dedicated lines between branches and headquarters and using VPN and dual‑speed links for secure connectivity.
Penetration Testing
Third‑party penetration testing identified three vulnerability types: SQL injection, XSS/CSV injection, and vertical privilege escalation. Because the platform is built on Django REST framework, SQL injection was not an issue, but some minor interfaces required authorization fixes for the vertical privilege escalation findings.
Sensitive Data Monitoring
Following a zero‑tolerance principle, different business databases have distinct identification rules and task templates; periodic scanning tasks detect sensitive assets.
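The per‑database rule sets and periodic scanning tasks described above, as an added illustration that is not the article's or New Oriental's own code: the rule names, patterns, database names and sample rows are all constructed here, and the hit‑ratio threshold is an assumption.

```python
import re
from dataclasses import dataclass

# Per-database identification rules (assumed; New Oriental's real rules are not public).
# Keys are business databases, values map a rule name to a full-match pattern.
RULES = {
    "crm": {"phone_cn": re.compile(r"1[3-9]\d{9}"),
            "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")},
    "hr": {"id_card_cn": re.compile(r"\d{17}[\dX]"),
           "bank_card": re.compile(r"\d{16,19}")},
}

@dataclass(frozen=True)
class Finding:
    database: str
    table: str
    column: str
    rule: str
    hit_ratio: float  # share of non-empty values in the column matching the rule

def scan_table(database, table, rows, threshold=0.6):
    """Flag columns whose non-empty values mostly match one of the database's rules.

    The threshold tolerates dirty data and suppresses near-misses such as all-digit
    ID numbers that also look like bank card numbers (a 0.5 hit ratio below).
    """
    findings = []
    for col in (rows[0].keys() if rows else []):
        values = [str(r[col]) for r in rows if r.get(col) not in (None, "")]
        if not values:
            continue
        for name, pattern in RULES.get(database, {}).items():
            ratio = sum(1 for v in values if pattern.fullmatch(v)) / len(values)
            if ratio >= threshold:
                findings.append(Finding(database, table, col, name, round(ratio, 2)))
    return findings

# Constructed sample rows standing in for a periodic scan's sampled query results.
SAMPLE_CRM_USERS = [
    {"id": 1, "name": "Li Lei", "mobile": "13800138000", "email": "li.lei@example.com"},
    {"id": 2, "name": "Han Meimei", "mobile": "13912345678", "email": "han@example.org"},
    {"id": 3, "name": "Jim", "mobile": "", "email": "not-an-email"},
]
SAMPLE_HR_STAFF = [
    {"staff_no": "E001", "id_card": "11010519491231002X", "salary": 12000},
    {"staff_no": "E002", "id_card": "310101199001011234", "salary": 15000},
]

if __name__ == "__main__":
    for f in scan_table("crm", "users", SAMPLE_CRM_USERS) + scan_table("hr", "staff", SAMPLE_HR_STAFF):
        print(f)
```

In a real deployment the scan task would sample each table on a schedule and write the findings to the security center as sensitive assets; the threshold and patterns would differ per business line.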
Security Center
The security center handles management compliance and vulnerability events.
App Compliance Loop
App releases lacked security audits; a “security left‑shift” approach provides a security score before launch, iteratively hardening applications to achieve higher assessment scores.
CA Certification & KMS
CA servers provide internal authentication, while a third‑party KMS stores critical keys and ensures encrypted transmission.
Experience Summary
Key takeaways on cost reduction and efficiency improvement are illustrated in the following diagrams.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.