In the IT industry, you’ll hear “I’ll sell you a DevOps; how much is it worth?” But the joke’s on you because you can’t sell (or buy) DevOps, as it is, in fact, an intangible entity. It’s a business process combining software development (Dev) and IT management processes (Ops) with the aim of helping teams understand what goes into making and maintaining applications and business processes. All this happens while working as a team to improve the overall performance and stability of said apps and processes rather than “chucking it over the fence” once your department’s piece of the puzzle is finished.
DevOps is often referred to as a journey, and you probably need to pass several milestones before you can consider your company a DevOps house. Several of the major milestones stem from the idea of adopting a blue/green method of deployment, in which you deploy a new version of your code (blue) running alongside the current version (green) and slowly move production traffic over to the new blue deployment while monitoring the application to see if improvements have been made. Once all the traffic is running on the blue version, you can stage the next change on the green environment. If the blue deployment is a detriment to the application, it’s backed out and all traffic reverts to the current green version.
A key part of the above blue/green deployment is a methodology of continuous integration and continuous deployment (CI/CD), whereby minor improvements are always being undertaken with the goal of optimizing the software and the hardware it runs on. To get to this point you need a system in place to continuously deploy to production, as well as a platform for continual testing. Your QA processes need to tackle everything from user integration to vulnerability testing and change management, and since you don’t want to be hunting around for IP addresses or resource pools to run it on, automation is going to be key.
As you move towards CI/CD adoption rather than separate coding and testing phases, you begin to test as the code is being written. In turn, you’ll start to automate this testing and the eventual movement into production, which is referred to as a deployment pipeline. Finally, you’ll also need a more detailed way of performance monitoring, hardware monitoring, software monitoring, and logging. With performance monitoring, it’s no longer good enough to look at network latency; you need a way to understand the performance of the whole process, including the IO to an application stack, the number of code commits and bugs identified, the vulnerabilities being handled, and the environment’s health status. With so many moving parts, you’ll also need something to ingest the logs and give you greater insight into, and analysis of, your environment.
But for all this to be undertaken, the first and possibly most major hurdle you’ll have to clear is the cultural shift within the organization. A willingness to cooperate truthfully and honestly, as well as making failure less expensive, is at the core of this shift. This cultural move must be led from the top down within the company. Getting IT ops, software development, and security to stop pointing the finger at each other and to understand that they all share responsibility for the other departments’ undertakings can be a challenge, but if they’re properly incentivized and understand the overall goal, this shift can be a smoother process for an organization.
Building the correct foundation through the above milestones allows you to move from getting started into the five stages of DevOps evolution: Normalization, Standardization, Expansion, Automated Infrastructure Delivery, and Self-Service. Companies moving into the Normalization stage adhere to true agile methods, and the speed at which they make changes begins to increase, so with time they’re no longer hanging around like a loris, taking days or weeks to patch critical vulnerabilities, but move and adapt with the speed of a peregrine falcon.
In the recent Puppet 2019 State of DevOps report, the authors try to raise the idea of improving your security stance by moving through the five stages of evolution so you can adapt quickly to vulnerabilities. For instance, about 7% of those surveyed can respond within an hour. Those organizations with fully integrated security practices have the highest levels of DevOps evolution. This evolution, in turn, will let you soar through the clouds.