From DevOps to DevSecOps – embracing cultural change in a new era of cloud

James Harvey, CTO Advisor EMEA, Cisco AppDynamics,
What is a Brand Discovery ?
Linkedin
tablet

Across all sectors, organizations are ramping up their adoption of cloud native technologies to achieve their digital transformation goals. By re-imagining their applications in a multi-cloud or hybrid environment, they can embed greater flexibility and freedom in their application development processes and, ultimately, deliver innovation at unprecedented scale and speed.

But for DevOps teams, the transition to modern application environments is creating monumental challenges. Managing availability and performance across cloud native applications, landscapes and architectures is incredibly complex. IT teams are being bombarded by huge volumes of data coming at them from these highly dynamic environments, and they simply don’t have the right tools, insights and processes to get to grips with this challenge.

DevOps teams need to act decisively to ensure they are able to operate effectively and continue to drive their organizations’ cloud migration strategies forward. And this will require cultural change –  embracing new approaches, structures and processes – as well as new tools and technologies – to optimize application performance in multi-cloud and hybrid environments and prioritize their actions based on business impact.

DevOps requires unified visibility to optimize application availability and performance

For three years now, DevOps teams have been adapting on the hoof as organizations have accelerated digital transformation and, in particular, increased their adoption of cloud-native technologies. DevOps teams have done a phenomenal job, supporting and facilitating rapid release velocity while managing and optimizing application availability and performance. This has been central to the ability of organizations to react quickly to changing market conditions, and to meet heightened customer expectations for brilliant, seamless digital experiences at all times.

DevOps teams have been instrumental in combining code, application maintenance and application management, to enable organizations to deliver innovative but robust and resilient applications at speed.

But as anybody that has worked within or alongside DevOps engineers in recent times knows, the last few years have seen DevOps teams operating under intense and unrelenting pressure. And much of this pressure has been caused by the shift to cloud native technologies, with DevOps teams having limited visibility and insights into multi-cloud and hybrid environments.

In many cases, organizations are still relying on multiple monitoring tools to manage performance across their IT estate. But traditional monitoring solutions are unable to cope with the dynamic and volatile nature of cloud-native environments. These highly distributed systems rely on thousands of containers and produce a massive volume of metrics, events, logs and traces (MELT) every second. IT teams don’t have a way to cut through this data noise when troubleshooting application performance problems caused by infrastructure-related issues that span across multi-cloud or hybrid environments. And they don’t have unified visibility across what is increasingly a sprawling and fragmented IT estate.

In response to this spiraling complexity, technologists need visibility across the application level, into the supporting digital services (such as Kubernetes), and into the underlying infrastructure-as-code (IaC) services (such as compute, server, database, network) that they’re leveraging from their cloud providers. This is essential for DevOps engineers to truly understand how their applications are performing.

DevOps teams therefore need a platform that allows them to observe distributed and dynamic cloud native applications at scale; a solution that embraces open standards, particularly Open Telemetry; and that leverages AIOps and business intelligence to speed up identification and resolution of issues. Crucially, DevOps engineers need to be able to correlate IT performance data with business metrics to prioritize actions based on business outcomes and to validate their organizations’ investments in cloud native technologies.

DevOps must embrace cultural change and progress to a DevSecOps approach in order to succeed in cloud-native environments

The shift to cloud native technologies is ruthlessly exposing the need for greater collaboration within the IT department. Despite the progress delivered by DevOps methodologies over recent years, many IT departments continue to be held back by siloed teams, processes and data.

Significantly, the move to cloud native technologies is necessitating that security teams can no longer operate in a silo within the IT department; security needs to be integrated into the application lifecycle from the very outset.

This is because, as organizations have shifted to modern application stacks, they have seen a sudden expansion in attack surfaces. Widespread adoption of multi-cloud and hybrid environments means that application components are now running on a mix of platforms and on-premise databases, and this is exposing visibility gaps and heightening the risk of a security event. IT departments need to act quickly in order to shore up their application security and avoid a calamitous security breach.

In the latest research from Cisco AppDynamics, The shift to a security approach for the full application stack, only 24% of technologists claimed that collaboration between ITOps and security teams currently takes place on an ongoing basis. Many DevOps and security teams operate entirely separately. Developers often don’t seek out input from security colleagues because they fear it will slow release velocity. They only collaborate when a potential issue is identified – which is often too late to prevent it impacting end users.

The onus now is for DevOps  to use their skills in team empowerment, communication and collaboration to tackle this challenge and bring about closer alignment between development, operations and security teams.

DevSecOps brings together ITOps and SecOps teams so that application security and compliance testing are incorporated into every stage of the application lifecycle, from planning through to shipping. By taking this approach, developers can embed robust security into every line of code, resulting in more secure applications and easier security management, before, during and after release.

IT departments can avoid the current situation where security vulnerabilities are only addressed at the last minute before launch or identified after the application has already been released. By incorporating security testing from the outset of the development process, security teams can analyze and assess security risks and priorities during planning phases to lay the foundation for smooth development.

Encouragingly, rather than being resistant to this change, most DevOps engineers acknowledge that a DevSecOps approach is now essential for organizations to effectively protect against a multi-staged security attack on the full application stack.

What’s more, at a personal level, DevOps engineers recognize that the move to DevSecOps providers them with the opportunity to expand their skills and knowledge and to become more rounded IT professionals. Ultimately, technologists are tired of silos and suspicion within the IT department – 58% report that tensions between application and security teams would make them consider moving jobs.

For DevOps, the shift to DevSecOps is the natural progression from the incredible work that they have been doing over the past three years. The key now is to ensure they have the right tools, insights and skills to seamlessly make the transition.