DevOps is gaining serious momentum within enterprises as of late. The big business driver is the pursuit of agility and improved reliability and quality. Adopting DevOps can be challenging because it often requires drastic changes in culture, process, and technology. Those companies that have had success with DevOps often discover some hidden benefits that they may not have anticipated when they started their journey.
Hidden DevOps Benefit #1: Governance
Architects have struggled for years to enforce standards and best practices across their organizations. Governance is often enforced through rigid review processes that require scheduled review gates. Notice that the word “gates” is plural. There are code reviews, architectural reviews, change management reviews, and others. What often happens is that there are so many projects to review that either the review process becomes a blind rubber-stamp process or the review processes are skipped because they slow down the projects too much. In companies with mature DevOps processes, governance is often automated within the SDLC (software development lifecycle). Tools like code scanners and security scanners ensure that builds are only allowed after code meets or exceeds the policies and security controls established by the architecture team. Continuous delivery and self-service provisioning ensure that developers are using the latest and greatest approved and patched infrastructure and middleware. The use of automation and data from logging and monitoring tools allows companies to replace manual gates with auto-approval processes. Review gates are no longer bottlenecks that force work stoppages to get approvals, but instead have become postmortem meetings where we ensure that the appropriate auditing artifacts for the latest deployment are in order.
Instead of forcing or begging developers to follow standards, developers are empowered with tools and automation that enable them to deliver faster while ensuring that standards are met. One client I talked to implemented a Hall of Fame and a Hall of Shame. If a developer’s code passed the code and security scanning processes with an exceptionally high score, their name and score were posted on the Hall of Fame. If their code bombed the scans, their name and score were posted on the Hall of Shame. This drove positive behavior without strong-arming developers to code a certain way.
Hidden DevOps Benefit #2: Security and Patching
We live in a world where our systems are under constant attack from outside forces. Just in the last year, we have seen vulnerabilities exploited by named attacks like POODLE, Heartbleed, Shellshock, and many others. When these events occur, we have to stop everything we are working on and immediately patch and restart all of our systems. Companies that have not automated the patching and deployment processes may spend days or even weeks recovering from these vulnerabilities. I have seen companies that were still in the process of addressing one vulnerability when a new vulnerability showed up and they had to start all over. Guess what? The rate at which these events occur is only going to increase. Mature DevOps shops that have implemented CI and CD and treat infrastructure as an immutable asset can quickly patch and redeploy infrastructure and systems, addressing these vulnerabilities the same day with minimal disruption.
How Ironic Is This?
The groups that resist DevOps the most are usually the security and governance teams. These teams should realize that most of the processes and controls that they depend on to ensure that systems are secure, compliant, and standard can be enforced through automation. Instead of fighting DevOps, they should embrace it. To do this right, security and governance teams need to be engaged up front in the process. When these teams are engaged up front, not only do they get the opportunity to enforce their standards and policies, but they also learn more about how the business works and what changes are coming down the pipe, allowing them to improve collaboration with their peers in the other areas of IT and business. It’s a win-win all the way around.
Of course, this is easier said than done. Most cultures are not wired to work this way. I’ll save the culture stuff for another post on another day. The bottom line is that companies whose teams can work closely together and embrace the DevOps mindset can receive many unexpected benefits beyond speed to market and better quality. I named two benefits. What additional benefits are you seeing?