Since its debut, development and operations, otherwise known as “DevOps”, has gained momentum in various industry sectors as a mainstream strategy. It empowers organizations to keep abreast of the rapid changes that customers demand by combining people, processes, culture, tools, and methodologies to break down the silos between teams.
DevOps builds on agile principles, allowing for the rapid release of software changes and includes other elements of the software delivery process such as security, quality assurance (QA), testing, and release management. Given the pace of change, the need for quality software is more important than ever.
In comparison to a plan driven approach, DevOps proposes ongoing collaboration and communication between teams, breaking down large processes into smaller, more manageable deployments that can be easily orchestrated and moved from one group to the next, optimizing quality and lowering risk of interruption.
Despite the substantial benefits and attractiveness of DevOps, understanding some key considerations for adoption success is important, as discussed below:
- Strategic Plan – Transformation of development and operational methodologies can result in fear, uncertainty, and doubt. Clear communication and collaboration can improve success factors by enabling a strong partnership with the business and demonstrating how DevOps adds value.
- Technology & Tools – Effective use of tools is essential to a successful DevOps environment that meets businesses’ needs. For example, in a development context, versioning and source control tools (e.g., Git, Subversion, BitBucket) provide the ability to track code level changes. Likewise, automation and orchestration tools (e.g., TeamCity, Travis) allow for changes to be made to the environment from a central source. Regardless of the tool(s) selected, steps should be taken to ensure adherence to existing security policies and procedures, support for strong and centralized authentication, auditing, as well as the ability to scale at the speed of the business.
- Automation – Central to the DevOps cause and key to adoption success is the ability to automate processes that are or have the potential to become the Achilles heel for the business. These are the processes that traditionally take the most time, error-prone, or require the most human involvement. Once identified, revisiting the business requirements to ensure compliance, security, and assurance needs are appropriately integrated and accounted for is vital.
- Security and Assurance – After a process is automated, it is not uncommon for it to be forgotten or for the responsibility of ongoing maintenance to be assumed by the development or operations group. This however, could directly impact several aspects of security:
- Separation of Duties – In this context, a violation would result in a developer being able to commit code changes directly to production. Therefore, controls should be implemented to maintain proper separation with the appropriate security measures in place.
- Application Security – Depending on program maturity, deploying appropriate countermeasures and tools such as static and dynamic analysis throughout the software development lifecycle (SDLC) is often customary. This can be done on the developer’s desktop via the integrated development environment (IDE) or at the build level. With DevOps in play, it is important to verify that these and other security measures are not easily circumvented in new or existing software developments.
- Governance – The ability to collect meaningful metrics such as service uptime, policy enforcement, and performance management goals, gives insight to the business when making key strategic decisions. Therefore, keeping an ongoing and open dialog with the risk management team is essential.
- It’s Ongoing – Following the decision to adopt DevOps, pacing yourself is important. You should understand that this will not be a one-time process and will therefore require commitment at all levels of the organization. Changes will be incremental and vary in length and scope, but should be directly influenced by the needs of the business.
- Business Continuity – The ability to operate during and after a crisis is important for any business. Therefore, keeping the business continuity plan (BCP) up to date ensures consistency in preparation and testing based on the current operational needs.
DevOps is transformative and can yield tremendous results in terms of remaining competitive. Therefore, start by determining why it matters to your organization and how improvements to existing processes could impact the business. Furthermore, be sure to have a clear understanding of the governance, risk, security, and compliance needs surrounding each improvement using a strategic lens.