DevOps, FinOps, DataOps and DevSecOps in the real world

A practical guide to the 4 trending Ops

Why bother with “Ops” anyway? The thing is, you don’t have to, but If you don’t get ahead of them, they’ll get ahead of you.

Who are “they”?

Let’s unpack it.

Key points:

  • What are 4xOps?
  • Why are they important?
  • How to improve your product development?
  • How to make more of your business resources?

4xOps in the real world

I work with a team supporting clients in introducing DevOps and DevSecOps practices. The goal: to improve their internal development processes.

The company needs to deliver features faster to keep up with competition and market demand. They got left a bit behind as a product delivery team. Still using old tools, the process is set back in a different reality. They need to re-organize and re-skill their teams and make sure that the quality and security of their product do not suffer.

Rings a bell?

The goal is to let the business deliver new products faster and keep its software secure. 

Here, “THEY” are the competition.  You can ignore the reality and watch how someone else addresses customer concerns. It might be competition (by overtaking your company) or external teams and vendors (by providing what is needed).

This team decided they want to have a future and they want to act. How? By implementing automated deployment and testing, making the development process faster, with full visibility into progress, issues, and delays.

Sounds like a fairy tale from “The Phoenix project” but it is a reality a lot of companies are facing right now. Almost every week we begin co-operation with a client who starts this process.

Your choice here is:

Do you want to start it on your terms or wait until someone pushes you to do it?

I always prefer doing things on my terms if I can.

4xOps is a trend in the making. It will impact you and your company. This is why every day I’m looking at these practices more closely and I cover them here.

In a nutshell:

  1. DevOps is widely acknowledged (as it was) and drives the demand on the job market. If you haven’t developed skills in it in-house, now you will most likely look for them on the market and pay a premium.
  2. FinOps – who could have predicted that (oh wait, I did) – it’s becoming a star! Companies realize that FinOps is part of engineering practice and are investing heavily in learning and applying it. If you have working practice in DevOps, it should be your next area of focus.
  3. DataOps is making its way into the mainstream. It is the application of DevOps principles to specific types of projects and operations. Companies that are going heavy on data lead the charge here.
  4. DevSecOps gains importance in the wake of recent supply chain attacks and the rise of cyber-incidents in general. Still, a lot of companies are missing out on it due to the lack of maturity in DevOps.

That’s a quick overview for busy people. But there is much more to it. So, here are additional pieces with a bit more specific and actionable information.

DevOps – organization of product delivery

The State of DevOps report is always a good pulse check and reference when it comes to looking at DevOps practices. More and more organizations are advancing their use of it:

At the highest level, businesses are more likely to deploy on-demand, recover faster (even in less than an hour), and have a change failure rate of less than 5%. I mentioned once that fast iterations will be key to business survival. It’s DevOps that makes fast iterations possible.

To read more about fast iterations, check out this report from Leading Edge Forum.

WHAT ARE MOST COMPANIES STRUGGLING WITH?

  • Being stuck with fear of making a move, which is getting noticed by competition. The typical problem is keeping up with market demand.
  • DevOps is considered only through the lens of deployment automation. This means leaving out other elements, such as the organization of product delivery as a whole. DevOps is not an engineering function – it is an approach across the entire company.

ACTIONS FOR YOU:

  • Use your current engineering resources and up-skill them. Outsourcing is hard and expensive. What we hear from our clients is that a typical lead time to hire a DevOps person is 4-6 months. Up-skill your people or you risk others doing it for you.
  • Partner up with managed service providers to fill the short-term gaps and/or speed up up-skilling your team.
  • Build your center of excellence/core team, and make sure they educate other people and ensure new projects are set in the right way from the start.

THE BIGGEST RISK:

  • Not investing in your people and gearing your practices towards DevOps means you’ll get left behind, and attracting talents will be even harder.

FinOps – understanding cloud cost model

FinOps, or cloud financial operations, allow businesses to track the cost of resources, down to a single action, and in a perfect scenario, align it with engineering and development.

As per the State of FinOps Report 2021, the top 3 challenges of FinOps teams are:

  • getting engineers to take action (39%)
  • dealing with shared costs (33%)
  • accurate forecasting (26%).

But we now have an increasing number of tools for cloud cost management, as well as different approaches to coding such as serverless architecture. They allow us to build services that only generate cost when they’re being used. This provides increasingly more options to address the challenges.

5 interesting FinOps facts infographic

Click to view full-size

WHAT ARE MOST COMPANIES STRUGGLING WITH?

  • Understanding the cloud billing model and assigning responsibility for the process and resources bill.
  • Building a skill set needed for FinOps: understanding cloud economy, vendor billing models, and how to apply them to your organization.
  • Embedding FinOps as a role and a process (it is both) into the design. It is often done after the cost occurs, where it should be part of the design process for cloud-based solutions.

ACTIONS FOR YOU:

  • Invest in building FinOps as a skillset within your engineering team (or outside it as a supporting function for your engineering).
  • Build a basic process around finding and picking the low-hanging fruit. Make it a monthly or quarterly process with clear KPIs (or potential savings) to track.
  • Invest in training your architects in awareness of cloud billing models and embed it in your architecture decisions for cloud-based solutions.

THE BIGGEST RISKS:

  • Without FinOps, you will overspend on the cloud, and you will find it hard to identify where and why.
  • Without understanding cloud economy and billing models, it will be hard for you to review and negotiate cloud vendor contracts.
Want more updates like this? Leave your email address to get the latest insights every two weeks. Subscribe

DataOps – generic approach to data projects

Data is the new oil. Have you heard that before? I bet you did. You use oil (or some byproduct) every day. Yes, the world is looking for ways to get rid of it but it will take time.

Have you spent even 5 seconds thinking how the fuel you are pumping to your car was delivered there? It takes oil rigs, pipes, tankers, refineries, storage, rail and road transport, pump gas infrastructure… (phew, I got tired just by typing it).

Nope? You got the point – if Data is the new oil (I don’t like this statement), then DataOps is what you need to deliver results from it to your users, as easy as it is to fill your gas tank.

image of an oil rig

Data Operations (DataOps) is about getting value from your data and making it easy to gather, store, process and deliver. Deploying a Data Lake will not do anything by itself. You need a pipeline to process, extract, and transform data. In this pipeline you need to make sure that with every change you still get the same (or desired) result.

Why is it important?

Poor data is a liability.

Slow access to data is a liability.

Lengthy deployment process is dragging you down. Every mistake in data after deployment makes people trust less and less in its quality.

Every year organizations lose to it an average of around $13 million. Going forward, data will only become more important, as it needs to be ready not just for human but also automated analysis.

Here are some insights on it, courtesy of Krzysztof and Arkadiusz from our Data team:

WHAT ARE MOST COMPANIES STRUGGLING WITH?

  • Global companies have heterogeneous IT environments, often with different systems in each country, implemented in different ways.
  • It makes data integration really hard and time-consuming. This is especially clear in data warehousing / Business Intelligence projects. Organizations have to first invest in standardizing their solution development, testing, and deployment process.
  • Current IT systems produce massive amounts of records. Disk space is not a problem anymore, even though data is often kept forever and the number of attributes/measures tracked grows. Organizations use more and more insights based on that data and time-to-market is the key factor.
  • Current data solutions need proper frameworks and automation that can speed up processing, deployment and delivery to the end data customer.
  • Many companies are lacking experts that can extract the data, model it, and provide it in a visual form that is easy to understand.

Want to have a data “gas station”? Invest in data “extraction”, pipelines, and transport to make it fast and reliable. It is what DataOps is about and why it matters.

ACTIONS FOR YOU:

  • Invest in up-skilling your people. You need people who know the business and at the same time, know how to change data into information and predictions. They need to be technical experts who can utilize new tools/technologies and get information from modern data sources (cloud systems, social, unstructured data).
  • Learn and re-use existing frameworks, automation, code generation to simplify your development, testing, and deployment process, which will help you focus on business requirements. Partner up with someone who knows it (yes, it is a shameless plug, we have invested in a Data Domain Framework, heavily to make it easier for you).
  • Align with business processes before implementing new global IT solutions. Before going for “Data Lakes”, ask: “what do we want to get as an outcome? Is it realistic and possible based on where we are now?”
  • Use Master Data Management solutions to maintain your global data definitions (e.g. a Product Catalog).
  • Leverage data in the cloud. It improves performance and is cost-effective. What’s important – tech in the cloud is ready to be implemented in a full pipeline of data processing. Take advantage of it.

THE BIGGEST RISK:

  • Without a generic approach to the data projects, companies will end up with project cost issues, a very long time-to-market, and most probably, poor data quality.

Get more advice from our video:

DevSecOps – everyone is responsible for security

Recent supply chain attacks and ransomware outbreaks left people around the world in a state of stupor. Some organizations I work with want to mitigate all the risks and review everything. Not feasible and not practical. It’s impossible, expensive, and the moment you’ve done auditing your supply chain, the results are already outdated. 

Some still act as if nothing had happened and assume it will not happen to them. 

Wrong. It will. 

The scope and timeline are unknown, but it will. 

In the security circles (mostly among vendors) you can hear a lot about Zero Trust with a focus on endpoint security. Now we need to talk about the Zero Trust approach for applications: securing the code at the point of origin.

Shift your security to the left!

No, it is not me who said that but Google ->  check out their whitepaper on shifting security left. It is worth reading and handing it over to your application teams and product owners.

How to do it?

Verify dependencies and vulnerabilities in them. Connect your development and integration process with your security process. Azure DevOps and GitHub already provide frameworks for it, and it is time to put them into practice.

Shifting security to the left introduces a security feedback loop in the development process.

DevSecOps architecture, using Microsoft Azure

DevSecOps architecture, using Microsoft Azure (source)

WHAT ARE MOST COMPANIES STRUGGLING WITH?

  • Embedding security into development, integration, and deployment process to enforce minimum requirements and compliance with standards and policies 
  • Lack of knowledge and demand for people, especially developers with security skills, and understanding. 
  • Division of security and product delivery in development teams. Those functions are not integrated and are often seen as obstacles for each other (“Oh, we need to pass those security requirements again”). 

ACTIONS FOR YOU:

  • Introduce security engineers into your development team and give basic app sec training and resources to your developers 
  • Train your security personnel on the cloud security model. It is different and they need to understand it. 
  • Embed security controls into your CI/CD process. Make it an integral part and treat it as part of the security feedback loop. Integrate your CI/CD toolkit with security solutions like Azure Sentinel, native to the cloud. 

THE BIGGEST RISK:

  • Compromising company security through exposed cloud application endpoints will lead to significant incidents and losses.

What’s next?

4xOps are here to stay, so you need to know how to work with them. Over the next posts, I’ll share some practical advice for you on how to get started. Got any questions or topics you’d like me to cover? Let me know, and I’ll include the answer in the coming weeks.

Key takeaways:

  1. DevOps is not about automating deployment pipelines, it’s about the practice of working together in a measurable and repeatable way.
  2. FinOps is about understanding what you’re paying for in the cloud. Without it, the overspends are almost guaranteed.
  3. DataOps is a framework, which allows getting more out of an organization’s data, delivering transparency into the analytics development.
  4. DevSecOps job is to enforce the security measures across the entire development and deployment cycle.