There can be absolutely no question anymore that DevOps isn't just a fad—it's here to stay, it's a big deal, and it's coming to the enterprise. Speakers from relatively new companies like SurveyMonkey and Docker took the stage at the 2015 DevOps Enterprise Summit in San Francisco alongside old standards like IBM and General Electric to prove that the transition to a DevOps culture in established enterprises is not only possible, but probably inevitable.
While a specific definition of DevOps (or lack thereof) remains one of the elephants in the room, the lessons and anecdotes shared by experts bolstered the movement with another year's worth of credibility. Overall at the event, many good talks were given by the right people.
But technologically speaking, has anything really changed in DevOps this year? Aside from a few acquisitions by larger companies, it feels like not a whole lot. But that might be a good thing in a way—encouraging lumbering enterprises to aim for a moving target wouldn't make a lot of sense.
Anecdotally, we at UpGuard speak to a lot of people interested in DevOps, both in person and online. And it does feel like some of those traditionally (and rightfully) paranoid industries such as banking, healthcare, retail, and high finance are becoming more comfortable talking about DevOps. The types of execs and directors who 18 months ago would've laughed in your face the moment you mentioned moving to the cloud or automation are starting to dip their toes in little by little. Definitely a step in the right direction on their part.
But these slower organizations can only thrive when they're compliant. Tossing a slew of new technologies and methodologies at them may just be trading one set of problems for another.
Looking at the movement from UpGuard's point of view, enthusiasts now see the need for proper continuous configuration monitoring more than ever. People we encounter tend to understand the need for it right away. This likely has a great deal to do with high-profile data breaches occurring nearly every week. It's now estimated that the average data breach costs an organization upwards of $3 million. And for larger companies it's even more dire—Target's losses alone after their massive breach are now in the B-word range. It's simply not enough to have configuration management via Puppet, Chef, or Ansible. Independent, continuous, and policy-based validation of device configurations—on every server, network device, cloud service, and endpoint—is necessary.
Once the high of achieving continuous delivery begins to wear off, CIOs and other C-levels may feel as if they're strapped to a rocket. For them, perhaps all they can really do is cross their fingers and hope no breaches happen on their watch amidst all the constant change. The last decade's configuration validation/compliance solutions they've accumulated are based on old tech that can't keep up with the new way. This, we find, has been a tough hurdle for larger enterprises to overcome. (In full disclosure, we know one product that pulls continuous security monitoring into the 21st century, but we're biased.)
Another thing keeping CIOs and risk officers up at night is IoT devices. The Internet of Things combined with DevOps can mean a future of rapidly changing devices in disparate locations, many of them attached to PLCs and physically moving parts. Just as the likelihood of innovation and market success increases with IoT, so does risk. And it's not an unreasonable fear, either—the US government is already using that very concept against its enemies. Similar to the way governments pioneered space and the corporations and citizens came later, it may only be a matter of time before privately created worms and/or ransomware hold a Fortune 500's manufacturing capability hostage. If you can't scan the configurations of your IoT devices or the machines they're hooked up to, that can be a very thick fog of war for the CIOs and CROs of an organization to contend with.
The writing is on the wall: Continuous security and continuous compliance are the next big things in DevOps. They have to be, otherwise the movement will have no real lasting foundation underneath and be seen as an unsustainable flash in the pan. The glitz and glamour of automation and continuous delivery can only do so much. Without comprehensive and continuous security an enterprise can rely on, a push for DevOps within an organization may not mean much in the long term.
While we had a blast at the DevOps Enterprise Summit and several other conferences this year, it feels like it's time to take a good hard look at the ecosystem and its future. We can all admire the stories of a hundred deploys a day, enjoy the broken walls between silos, and take away a new way of doing things at our blameless post-mortems. But the salad days of DevOps are over—can we now make it sustainable for the enterprise?