DevSecOps – Why Security is Coming to DevOps

With so many organizations making the move to embrace DevOps practices, we are quickly highlighting what many see as a missing piece to the puzzle: Security. As NV (Network Virtualization) and NFV (Network Function Virtualization) are rapidly growing in adoption, the ability to create programmable, repeatable security management into the development and deployment workflow has become a reality.

Dynamic, abstracted networking features such as those provided by OpenDaylight participants, Cisco ACI, VMware NSX, Nuage Networks and many others, are opening the doors to a new way to enable security to be a part of the application lifecycle management (ALM) pipeline. When we see the phrase Infrastructure-as-Code, this is precisely what is needed. Infrastructure configuration needs to extend beyond the application environment and out to the edge.

NFV: The Gateway to DevSecOps

Network virtualization isn’t the end-goal for DevSecOps. It’s actually only a minor portion. Enabling traffic for L2/L3 networks has been a major step in more agile practices across the data center. Both on-premises and cloud environments are already benefitting from the new ways of managing networks programmatically. Again, we have to remember that data flow is really only a small part of what NV has enabled for us.

Moving further up the stack to layers 4-7 is where NFV comes into play. From a purely operational perspective, NFV has given us the same programmatic, predictable deployment and management that we crave. The common configuration management tools we already use for regular data center management, such as Chef, Puppet, and Ansible, now extend to the network as well. This also seems like it is the raison d’être for NFV, but there is much more to the story.

NFV can be a confusing subject because it gets clouded as being L2/L3 management when it is really about managing application gateways, L4-7 firewalls, load balancers, and other such features. NFV enables the virtualization of these features and moving them closer to the workload. Since we know that

NV and NFV are Security Tools, not Networking Tools

When we take a look at NV and NFV, we have to broaden our view to the whole picture. All of the wins that are gained by creating the programmatic deployment and management seem to be mostly targeting the DevOps style of delivery. DevOps is often talked about as a way to speed application development, but when we move to the network and what we often call the DevSecOps methodology, speed and agility are only a part of the picture.

The reality is that NV and NFV are really security tools, not networking tools. Yes, that sounds odd, but let’s think about what it is that NV and NFV are really creating for us.

When we enable the programmatic management of network layers, we also enable some other powerful features which include auditing for both setup and operation of our L2-L7 configurations. Knowing when and how our entire L2-L7 environments have changed is bringing great smiles to the faces of InfoSec folks all over, and with good reason.
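One concrete form of the auditing this paragraph refers to, as an added example that is not code from the original post: when an L4 firewall policy is declared as code, the running state reported by the controller can be compared against it, and any out-of-band change becomes an audit event. The policy, the observed state, the tier names and the rule fields below are all constructed for illustration; a real pipeline would load the declared policy from version control and pull the observed state from the NFV controller's API.

```python
"""Added example: treat an L4 firewall policy as code and audit the
running state against it.  Everything here is constructed sample data;
the tier names, rule fields and function names are hypothetical."""
from datetime import datetime, timezone
import json

# Constructed sample: the declared policy as it would live in git.
DECLARED_POLICY = {
    "web-tier": [
        {"proto": "tcp", "port": 443, "src": "0.0.0.0/0", "action": "allow"},
        {"proto": "tcp", "port": 80, "src": "0.0.0.0/0", "action": "allow"},
    ],
    "db-tier": [
        {"proto": "tcp", "port": 5432, "src": "10.10.1.0/24", "action": "allow"},
    ],
}

# Constructed sample: what the controller reports is actually running.
OBSERVED_STATE = {
    "web-tier": [
        {"proto": "tcp", "port": 443, "src": "0.0.0.0/0", "action": "allow"},
        {"proto": "tcp", "port": 80, "src": "0.0.0.0/0", "action": "allow"},
    ],
    "db-tier": [
        {"proto": "tcp", "port": 5432, "src": "10.10.1.0/24", "action": "allow"},
        # Out-of-band change: the database port was opened to every source.
        {"proto": "tcp", "port": 5432, "src": "0.0.0.0/0", "action": "allow"},
    ],
}


def rule_key(rule):
    """Canonical, hashable form of a rule so that sets can compare rules."""
    return (rule["proto"], int(rule["port"]), rule["src"], rule["action"])


def audit_drift(declared, observed):
    """Return per-group drift: rules running but not declared ('unexpected')
    and rules declared but not running ('missing').  Groups that match
    exactly are omitted, so an empty dict means no drift."""
    report = {}
    for group in sorted(set(declared) | set(observed)):
        want = {rule_key(r) for r in declared.get(group, [])}
        have = {rule_key(r) for r in observed.get(group, [])}
        unexpected = sorted(have - want)
        missing = sorted(want - have)
        if unexpected or missing:
            report[group] = {"unexpected": unexpected, "missing": missing}
    return report


def audit_record(declared, observed, now=None):
    """Build a structured audit event describing the comparison.
    'ts' is the check time; 'drift' is empty when the state matches."""
    drift = audit_drift(declared, observed)
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "event": "fw_policy_drift" if drift else "fw_policy_ok",
        "groups_checked": sorted(set(declared) | set(observed)),
        "drift": {
            group: {kind: [list(r) for r in rules] for kind, rules in detail.items()}
            for group, detail in drift.items()
        },
    }


def serialize(record):
    """One JSON line per check, the shape a log shipper or SIEM expects."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    print(serialize(audit_record(DECLARED_POLICY, OBSERVED_STATE)))
```

The same `audit_drift` function serves the "setup" side of the audit as well: comparing two committed versions of the declared policy shows exactly which rules a change request added or removed, before anything is pushed to the network.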

East-West is the new Information Superhighway

Well, East-West traffic in the data center or cloud may not be a superhighway, but it will become the most traffic-heavy pathway over the next few years and beyond. As scale-out applications become the more common design pattern, more and more data will be traveling between virtualized components behind the firewalls on nested, virtual networks.

There are stats and quotes on the amount of actual traffic that will pass in this way, but needless to say it is significant regardless of what prediction you choose to read. This is also an ability that has been accelerated by the use of NV/NFV.

Whatever the reasons we attach to how DevSecOps will become a part of the new data center and cloud practice, it is absolutely coming. The only question is how quickly we can make it part of the standard operating procedures.

Just when you thought you were behind the 8-ball with DevOps, we added a new one for you. Don’t worry, this is all good stuff and it will make sense very soon. Believe me, because I’ll be helping you out along the journey. 🙂

Managed Clouds and Why SMB Customers Don’t Chase Unicorns

If we look at the economy and distribution of wealth, we can see that there are some interesting statistics about what many call the 1%. Stretch a little further into the top 10% and you will find what they refer to as the champagne glass effect. In other words, the top percentile of earners have a disproportionate percentage of the overall wealth. So what does this mean to what I’m talking about here?

Is There a Champagne Glass Effect in IT?

Gartner has a well laid out graph to illustrate the overall spend of technology that is available here:

The graph is less an illustration of a champagne glass effect than a view of the distribution of spending by industry. As you can imagine, and as other data would corroborate, there are certain industries and company sizes that spend more on services and IT resources.

What is different about the spending at the “enterprise” level is that it is often done on hardware, software, and cloud resources, with a strong reliance on internal IT staff to manage those resources. While we often focus on those enterprise success stories with high trust and amplified feedback loops between the IT and business teams, what about the rest of us?

Small to Medium Business: The 99%

In using the economic champagne glass as the example to illustrate the 1% versus the 99%, we can take the same view of technology spending and reliance on internal resources for technology development and management. I don’t want to say that everything in the SMB space can be painted with the same broad brush, but there are hundreds of thousands of businesses ranging in size, and they will consume and provision IT resources much differently than the 1%.

We can even expand to the 90%/10% range really and still capture a lot of environments which are still heavily invested in the traditional IT model.

SMB Doesn’t Chase Unicorns

The elusive unicorn of IT is that internal IT staffer, or contractor, or even an entire team of people who are working magic in the technology backing the organization. That magic is really not magical at all. But the ability to attain that seamless end-to-end success in providing IT resources to meet business needs is just as elusive as a unicorn when you aren’t staffed to be able to handle the tasks.

Cloud is often touted as the answer. It isn’t. Cloud is an enabling technology and methodology to deploy business applications into, but requires the ability to create, deploy, and manage these applications into that cloud environment. With many companies (especially SMB) this is as elusive as the fabled unicorn that so many seem to hold in high regard. So, what is the SMB customer supposed to do when they aren’t prepared to staff up with internal resources in hopes of building these environments?

Managed Cloud

To many cloud pundits and DevOps advocates, this is the antithesis of cloud. That being said, I’m a cloud advocate, but I also have the view of being inside the SMB market through experience and through my exposure in social networks, conferences, and various community organizations.

If managed cloud is often frowned upon by many leaders in the cloud industry, the question is why?

As a fan and customer of Rackspace, I have really loved their choice to heavily leverage the managed cloud as a key offering. For many SMB customers, this is precisely what we need. Some regard it as training wheels to get into the cloud, and if that is the case then I don’t think that is such a bad thing.

I’ve made a note of the great article by John Engates, CTO of Rackspace, here at and through conversations with other Rackers like Cody Bunch and Ken Hui (recently moved to EMC), you can see that the presence at VMUG conferences is really highlighting their plan to show their distinct capability to run big VMware and OpenStack clouds for their customers.

Mike Kavis at Cloud Technology Partners wrote an article on the move by Rackspace here that talks about the concept and the shift towards more managed provisioning versus the panacea of self-provisioned IaaS.

More companies are rising up with the approach of bringing managed services as an offering to differentiate themselves from the big IaaS (Infrastructure-as-a-Service) providers like cloud juggernaut Amazon, as well as Google and Microsoft who are climbing the market share charts quickly behind them. It isn’t that IaaS isn’t good, but the point is that the market for IaaS business is shrouded by these three major players.

SMB + High Touch = High Trust

The path to adoption of more cloud resources and DevOps practices in the SMB marketplace is one that will be paved by the managed cloud route, in my opinion. Organizations that have neither the resources nor the experience to create and consume services in cloud environments will find that the managed cloud path is one that leads to comfort with the new ways of cloud IT.

Is this a guaranteed path? No. Is this right for every company? No. That’s right, I said it. At this point in time and for a long time to come, public and private cloud environments, managed or self-provisioned, are not going to be appropriate for many organizations.

In a year or two we can reassess the landscape a bit and make a judgement on things then. For now, I like that managed cloud feeling. It’s nice when someone else is on pager duty for you 🙂

Cheeseburger cheese: How customer awareness is shaping the IT and cloud marketplace

Recently I attended a SQL User Group here in Toronto, and one of the fun parts of the event is that everyone was asked to speak. I opted for a five-minute lightning talk, and my presentation was created to chat about change, virtualization, SQL servers, and the new ways of IT. I put it together as a quick set of slides on how virtualization admins need to change to answer the needs of SQL administrators, find the balance, and deliver the best performance.

One of the slides I put together was this one:

So you are probably wondering what exactly this means, and what this post is about. Here it goes!

Cheeseburger cheese versus Quarter Pounder Cheese

When I used to go to McDonald’s I noticed at one point that there was an oddity on the menu. A Cheeseburger was 10 cents more than a Hamburger, but a Quarter Pounder with cheese was 25 cents more than a Quarter Pounder. So, I used to twist things up all the time when I would order and I would ask for a Quarter Pounder with cheese, but I wanted “Cheeseburger cheese” instead of “Quarter Pounder cheese” because it was 15 cents cheaper. Yes, this is nutty, but it was done out of fun more than anything.

We live in a world surrounded by “secret menus” at restaurants and custom orders of every variety at different shops. What I realized from this is that consumers have learned that they can order In-N-Out burgers “Animal Style”, so why wouldn’t they expect the same sort of secret menu from every other service they can purchase?

Shadow IT for the right reasons

We hear about the pains of dealing with Shadow IT where people in an organization shop out public cloud options and SaaS applications outside of their accepted IT practices. What is interesting about this is why it happens. It isn’t because of a deep desire to go outside of the boundaries. This practice takes place because customers, even those within big enterprise organizations, have figured out that they can get their IT with Cheeseburger cheese to save money.

With an acute awareness of real capital service cost, the customer is now able to assess their own best-of-breed combination of IT services to use to achieve their business needs. Now is where we come into the picture.

This is a good thing. Now let’s get ahead of it!

As administrators, architects and designers, we have a requirement to answer to the business needs of our customers. That can be internal business customers, or external consumers of our products or services. The theme that we are seeing here is that the reason that consumers are going outside the lines on buying IT services is that we have missed the mark on providing what they require.

These are exciting times when we have an engaged consumer who is willing to be active in the planning of their technology portfolio in the same way that they manage their other resources. If anything, this is a positive move towards a more DevOps method of managing IT services, and we need to embrace it as IT staffers and promote this as a part of our overall planning.

Many traditional IT organizations are deeply embedded in ITIL and legacy change management practices, and there is often a misunderstanding of the value that is gotten from enabling cloud-based service consumption in the enterprise. This does not necessarily need to be all public cloud resources, and I am a firm believer in private and hybrid cloud deployments as an effective way to provide the best service to our business partners.

Become your organization’s Shadow IT

As the saying goes: “If you can’t beat ’em, join ’em!”

Take a look at your IT practices, and despite any trepidation that you may have about the effectiveness of cloud services (public or private) on how you deliver to your business consumers, you can find surprisingly simple steps to increase your customer value. If you read the news on public cloud services, you will see that the race to lowest cost is truly on (

Regardless of the platform or product you host on, the key will be taking a transformative approach. If you need help along your journey, feel free to reach out, and either I or one of a pool of great community cloud advocates will be able to coach you through some winning steps to get you on the road to being a better IT organization.

There is a reason that I send so many people to read about Gene Kim’s post on The Three Ways ( and that is because the customer and solution focus will drive you towards great efficiencies and happier business consumers!

Then you can proudly say that you serve all your burgers with Cheeseburger cheese 😉

The DiscoPosse New Year’s Phoenix Project Giveaway: 3 Ways to efficiency, 20 ways to win!

UPDATE: Congratulations to all the winners! It has been great to be able to see your ideas and be sure to share any feedback on The Phoenix Project!

Coming hot off the heels of the very popular 2013 giveaway, I am super excited to be able to bring you this amazing chance to win a spectacular book thanks to Gene Kim, Kevin Behr and George Spafford, the authors of The Phoenix Project.

The 3 Ways

Before we get to the goodies, I want to bring your attention to the very heart of what makes The Phoenix Project, and the DevOps methodology turn the corner from traditional IT practices. It’s something called the 3 ways.

Truthfully, there is no better way to explain it than how Gene Kim does, so you have a quick field trip to take over to Gene’s site at and read a succinct description of what has become the core of successful DevOps practices.

No, Seriously, read the article and come back…

Now that you’re back, let’s get to the really fun stuff. Gene and the crew have kindly given me 20, yes, 20 copies of The Phoenix Project in Kindle format.

I’ve been evangelizing this book since the moment that I learned of it from a VMUG session with Nick Weaver last year. I have read the book a few times since, and the content rings true to me in many ways. It is a great tool to take the concepts of DevOps and see how they can be practically applied to a real business situation.

How do you win a copy of the book?

Let’s get interactive here 🙂 I will be selecting 20 random winners from the pool of entries. In order to enter to win this contest, you need to write a comment on this post with an answer to these simple, but fun questions:

  1. Quickly describe a process that you can automate/orchestrate that you do manually today
  2. What tools do you use today, or plan to use to introduce more DevOps and orchestration practice to your organization?

The entries will be accepted until January 15th so make sure you get in there early to add your comment for a chance to win!

Spread the word, tell a friend. The more we raise awareness, the more we all learn together!

New Year’s Evolution, not Resolution

Make this the year that you take action. This is a great time of year when we often find ourselves making resolutions about things that we wish we could improve about ourselves. I encourage you to choose some realistic goals that you work towards by picking processes, activities, tasks and manual workflows that you have in place today. Write them out quickly and define the steps. Now you have a solid base to orchestrate that process by attacking each step directly.

My motto is that a complex task is really composed of a series of simple tasks. There really are very few processes that cannot be effectively orchestrated using a system, and even if the process is not fully automated, you will enjoy the time gained from the manual steps that you can eliminate.

I’m looking forward to some exciting entries, and I want to thank Gene, Kevin and George once again for creating this great book and for sharing it generously with us here!