Unstoppable force meets immovable object
DevOps is a mindset that has changed the way we view, manage and interact with Information Technology teams and systems. At times it can seem like nothing can stop the progression from traditionally segregated development and operations practices to self-determining expert teams.
In larger organisations, however, we do see more resistance from well-established operations teams that question the validity of decentralised governance and self-managed production environments. Possibly the most "immovable" concerns come from the security teams that are tasked with ensuring protection of organisational and customer data.
Governance has long been a cornerstone of Information Security, with a default assumption that all systems are insecure unless proven otherwise. This burden of proof is often enforced by conforming to a checklist of security requirements that is both lengthy and, in an attempt to address all concerns for all systems, often irrelevant or a waste of time in some aspects. More importantly however, conforming to security requirements is often an afterthought that is addressed only after the system has been designed.
To highlight that security principles need to be considered earlier, in the design phase, the new term DevSecOps was coined, signifying a more proactive approach to security. It is questionable whether a new term is required at all, as a good DevOps practitioner should always have security in mind; however, it does signal that DevOps is not just the "wild wild west" that many security experts might assume it to be.
In fact, when IT systems are designed for security from the start, they will be more secure than any governance processes can dictate, as the security controls will be both relevant and targeted specifically to the design of the system, resulting in less waste and greater efficiency in both design and complexity. Most importantly, designing for security keeps the control in the hands of the expert teams that are most qualified to develop, maintain and support modern IT systems.
5 years ago: Ben, in your view, would a cloud agnostic foundation for microservices on IaaS be a good option, or PaaS with a cloud native foundation with vendor locking?