I came across a great article from CSO Online that talked about how cloud has created a new movement called DevOps. Normally when you think about how cloud is affecting the way businesses operate from an IT perspective, the usual culprits at the centre are the security folks, and maybe the IT infrastructure guys. What we tend to forget is that these groups aren’t the only ones who are looking at how cloud can make business processes more nimble. The DevOps movement is showing organizations how changing the way they run development can lead to some astounding results.
What organizations like Flickr and Amazon have done is restructure the IT organization into a group called DevOps which encompasses development and operations teams. This term originated in Belgium back in 2009 and has gained huge momentum as a result of its impressive results. Think about it: most organizations structure their IT environment into separate entities including development, operations, security, management and QA. These teams aren’t known for working together particularly well, and when they do, the processes are pretty drawn out and costly.
The goal of developers is to create new systems and methods for streamlining business tasks, which usually makes things more complicated for operations and security teams, who like things to stay at the status quo. But if you combine the teams, so that security and operations are involved from the ground up in the development cycle, the time to deployment is cut significantly. Amazon claims to conduct more than 1,000 deployments a day! The key benefit here is that security is already in lock-step with the development team, creating what they call “Rugged” DevOps.
While it may not seem like a huge reason for changing the way organizations operate, think about the key goals of the CIO. They want to make sure that the IT development process results in defensible infrastructure and includes operational discipline, situational awareness and countermeasures. Right now developers hate getting security teams involved because they rarely see eye-to-eye and view security as a limiting factor in the development process. So making it a part of the process from an internal perspective (not as a separate group entity) makes these headaches all but disappear.
The advantage of a Rugged DevOps model is that it can help organizations eliminate inefficient legacy systems and infrastructure, while simplifying business processes. This not only results in cost savings from consolidation, but also speeds up development, resulting in fewer resources and faster time to market (and cost recovery). By streamlining the complexity of the development process, the number of groups involved and process steps can be reduced dramatically, making the IT department, if not the entire organization, immensely more efficient.
From a security standpoint, all the complexities associated with legacy systems are eliminated, thus reducing the number of inherent risks and making the entire infrastructure easier to secure. Additionally, if security and QA are involved from the ground up in the development process, the code itself will be more secure because it has already been vetted by all the teams that are now part of the development group. It’s no longer a post-development process where the code is tested and secured through application layer security measures.
This is a huge shift from the way organizations designed their IT teams to run, and it’s a result of cloud, which has shifted the way we think about all kinds of business processes. If I haven’t said it before, cloud isn’t a trend; it’s really a new way of thinking about how we have done things in the past and figuring out how we can do things more efficiently and securely.
I really recommend taking some time to read the interview over at CSO Online on this amazing topic at http://www.csoonline.com/article/701479/how-security-can-add-value-to-devops