The last few years have given rise to the "DevOps" methodology within many organizations both large and small. While definitions vary somewhat, it boils down to this: breaking down silos between developers and operations.
This seems like a common sense approach to running a business, right?
While many organizations do have a DevOps mindset, I find myself regularly talking to IT staff where there is near zero collaboration between applications teams, network and security. In highly silo-ed organizations these teams can actually work against each other and foster significant animosity. Not my idea of an efficient and agile organization!
Based on what the industry is reporting, organizations that use a DevOps mindset deploy applications and capabilities significantly faster and with fewer operational issues. According to Puppet Labs:
High performing organizations deploy code 30 times more often, and 8000 times faster than their peers, deploying multiple times a day, versus an average of once a month.
It is extremely important that applications teams are creating code and applications in a way that can be properly supported, managed and operationalized by the business. Here are some tips to best leverage this type of approach in any organization:
1. It's not (entirely) about tools
Everyone loves to buy new technology and tools. The problem is that products are often only partially deployed, and capabilities go unused and sit on the shelf. And if you think starting to use some new products and tools will make your organization DevOps enabled, think again.
Building a DevOps culture is much more about taking two parts of the organization whose roots are quite different and bringing them together with a shared vision and goal. Think about it: operations looks at change as the reason the last downtime occurred and App-Dev is constantly trying to evolve and elicit disruptive change. No product or tool is going to make this all happen for you. So start with this in mind.
2. Communication and goals are absolutely critical
This is going to sound really obvious and boring, but if your ops and apps teams are not communicating - not working towards a shared set of goals - everyone is vested if you have a problem.
Defining what the organizational goals are in terms of real concrete objectives that meet the SMART criteria is the right place to start. I'll bet most organizations do not have goals that meet this level of specificity so I'll provide a good and bad example:
- Bad goal: "We want to be the leader in mobile code management"
- Good goal: "We will be the leader in mobile code management by June 30th of 2015 as measured by Gartner's Magic Quadrant, with revenues exceeding $25m in 2Q 2015"
See the difference? Even the casual observer (who doesn't even know what this fictitious space of mobile code management is) could tell if you met the second goal. Great. Now that we have a real concrete goal the organization can put an action plan in place to achieve those goals.
Communication can be a real challenge when teams have different reporting structures and are in different physical locations. Even if folks are in the same building, it's really important to have face-to-face, human interaction. It's certainly easier to send an email or text, but nothing beats in-person interaction with a regular cadence. Collaboration tools will certainly come into play as well - likely what you already have in place, but there are new DevOps communications tools coming to market as well. But first start with team meetings and breaking down barriers.
3. Practice makes perfect: continuous integration, testing and monitoring
DevOps is about short-circuiting traditional feedback control mechanisms to speed up all aspects of an application roll-out. This is exactly the opposite of what we typically see in many large software programs, a problem that has been particularly acute, or at least more visible, within large government programs.
Striving for perfection is certainly a worthy goal, but we should really be striving for better. This means along the way risks will need to be taken, failures will happen and course corrections put in place. It is important to realize that this whole DevOps change will be uncomfortable at first, but taking the initial steps and perfecting those steps will help build momentum behind the initiative.
Instead of trying to do every possible piece of DevOps all at once, start with one component such as Git and learn how to really manage versioning well. Then start working with cookbooks and even use Chef to deploy Jenkins, cool eh?
It's probably also worth noting that training and even hiring new talent could be a key driving factor in how quickly you implement this methodology.
4. Having the right tools helps
Like I said earlier, everyone loves new tools. I love new tools! Since this whole DevOps movement is quite new, you should realize that the marketplace is evolving rapidly. What is hot and useful today may not be what you need tomorrow.
If you already have strong relationships with certain vendors and VAR partners, this would be a great time to leverage their expertise in this area (assuming they have it) to look at where gaps exist and where the quick wins are. If platform automation and consistency of configuration are the right place for the organization to start, then going with Chef or Puppet could make sense.
I think the important factors here are:
- What are your requirements?
- What do you have budget to acquire and manage?
- Do you have partners who can help you with requirements and matching up different vendors or service offerings?
Since this could easily turn into a whole series of blog posts on DevOps tools, I'm not going to go through all the different products out there. But if you can quickly answer the questions above, then get moving and don't allow the DevOps journey to stall at this phase.
If it's difficult to figure out exactly what requirements are important or you don't have good partners to work with, then go partner with some of the best out there or copy what they are doing.
5. Security at the pace of DevOps
What about security? Building in security as part of the development process is critical to ensuring fatal flaws do not permeate a development program. Unfortunately, this is often an afterthought.
Security hasn't kept pace with software development by any metric, so taking a fresh look at techniques and tools has to be done.
Static analysis tools and scanners aren't terribly effective anymore (if they were to begin with). According to Contrast Security's CTO and Founder, Jeff Williams, we should be driving towards continuous application security (a.k.a. Rugged DevOps):
“Traditional application security works like waterfall software development – you perform a full security review at each stage before proceeding. That’s just incompatible with modern software development. Continuous application security (also known as Rugged DevOps) is an emerging practice that revolves around using automation and creating tests that verify security in real time as software is built, integrated, and operated. Not only does this eliminate traditional appsec bottlenecks, but it also enables projects to innovate more easily with confidence that they didn’t introduce a devastating vulnerability.” - Jeff Williams
While DevOps is all about streamlining IT and bringing new applications to market faster, if you don't ensure that the application can perform under a realistic load in a way real world users interact, there will be problems.
Likewise if an application is rolled out with security flaws that are overlooked or ignored, it could be game over for not only the business but quite possibly the CEO as well. Just look to Target as a very recent example.
It is clear that an integrated approach to developing applications is valuable to organizations, but if you don't look at the whole picture - operational issues, performance under load and security, you could find out that DevOps was a fast track to disaster. And obviously no one wants that.
This post was written by Peter Cannell. Peter has been a sales and engineering professional in the IT industry for over 15 years. His experience spans multiple disciplines including Networking, Security, Virtualization and Applications. He enjoys writing about technology and offering a practical perspective to new technologies and how they can be deployed. Follow Peter on his blog or connect with him on LinkedIn.