Cloud means DevOps - No Cloud without DevOps

I strongly believe that you can't be successful in the Cloud without also adopting DevOps. Here is why.

My latest definition of DevOps is
  • if every person uses the same tool for the same job
  • codified knowledge:
    everybody contributes his part to common automation
  • if all people have the same privileges in their tooling
  • if human error is equally possible for Dev and Ops
  • replacing people interfaces by automated decisions and processes
but most of all DevOps is the result of doing the right thing and not a process, methodology or even tool set of its own.

Looking closely at public cloud vendors and their interfaces I see a close correlation with this DevOps definition. Cloud vendors
  • give every person the same interfaces and tools to work with
  • are API based and make it really simple to code the entire setup
  • give all users the same privileges - that of a customer
  • let all their users make the same mistakes indisccriminately
  • provide most change requests through automation and automated decisions
For example, an engineering team working with an AWS account starts out working DevOps style. As long as all the team members have the same permissions in their AWS account and share the same duties towards their organization this remains the case. DevOps starts breaking only when the organization doesn't trust the team to be fully responsible for their account and imposes restrictions so that the team cannot - for example - create IAM roles.

In such a case it is the customer who introduced a new management process that breaks the DevOps definition given above: Now some engineers have more privileges in their tooling and different engineers use different tools for the same job: The security engineers review, approve and apply IAM roles within AWS while all other developers cannot use the AWS interface to do so but must submit their IAM roles to the security engineers via some process. Even if this is highly or fully automated the developers cannot use AWS with its native tooling like Cloud Formation.

Maybe the company policies require this kind of split responsibility. However, most likely the underlying motivation is not one of preventing DevOps or hindering developers. Typically this split responsibility was the only practical solution available to establish security governance over the AWS account.

Automating such challenges is also the road to achieve or keep true DevOps: Automate all processes and remove the human factor from as many decisions as possible. Let the developers work with the native tooling without introducing abstractions as security gateways. Use these DevOps principles as guidelines to design a good solution that works for all.

A workable solution for the IAM role example given above could be an automated process that checks new IAM roles as soon as they are created. With CloudWatch Events and Lambda functions this is not a big challenge to implement. If a new or modified IAM role violates the company policies simply delete it (or revoke all trusts) and alert the person who created it. They will be thankful for the help in keeping the policies and they will be thankful that they can work with the native tooling.

In turn, the degree to which all people enjoy the same privileges can be also used to actually measure DevOps adoption.

Comments

Post a Comment

Like this content? You could send me something from my Amazon Wishlist. Need commercial support? Contact me for Consulting Services.

Popular posts from this blog

Overriding / Patching Linux System Serial Number

Image
I'm a big fan of test driven development  (TDD) for infrastructure components. I'm currently working on a hardware-related topic where we also use the system serial number as identifier. To create a proper integration test, we need to be able to start a system and set the serial number to a known value. This can easily be done with the help of virtual machines like in VMware or VirtualBox , but I couldn't find a way for changing the system serial number on hardware boxes, cloud VMs (e.g. on Alibaba Cloud) or other Linux system. Problem Analysis I was thinking: Linux is the operating system where I can potentially do everything . So how hard can this be? After some digging around I found out that there are those main sources for the serial number on Linux: /sys/firmware/dmi/tables/DMI contains a binary blob of Desktop Management Interface data provided by the kernel and the dmidecode utility is commonly used to decode
Read more

The Demise of KaiOS - Alcatel 3088X

Image
I was really excited, when Firefox OS became commercially available as KaiOS for "smart" feature phones. Unfortunately the high hopes I had put into this platform have been utterly shattered. I was recently looking for a button phone that had only three requirements : very good battery run time, at least several days or a week of standby without charging easy backup or even synchronization of the contacts VoLTE support to benefit from LTE coverage  In Theory... On paper, KaiOS phones look like the perfect match for those requirements. PhoneCopy for KaiOS is a cloud synchronization service that comes with an app for KaiOS (and many other platforms) to synchronize contacts and other phone content to the cloud (and back). With batteries of 1500 mAh and more , KaiOS phones have the potential to deliver outstanding battery performance. The Alcatel 3088X , for example, boasts "up to 300h standby and more than 7h talk time" with a 1530 mAh battery: Battery specification
Read more

A Login Security Architecture Without Passwords

Image
Following up on Lifting the Curse of Static Credentials and Eliminating the Password of Shared Accounts , I have many discussions about why we would benefit from removing password prompts for website logins. Let's dig deeper into the details and show why removing password prompts leads to a  safer security architecture . Update 11.03.2022: Added more details about business vs. consumer websites and additional security suggestions surrounding WebAuthn Problem Space For context, imagine a website that needs to identify online users via their email address. We assume that the website in question is not the primary email system of a user but some other website, e.g. an e-commerce shop system or a collaborative productivity tool. As a User As a user of that website I want to easily sign up for an account have an easy way to login into the account be sure that my account is protected from others or attacks be able to easily recover access to my account i
Read more