Many organizations follow devops principles and want to transform into devops cultures. Some of the key practices include version control, continuous integration and delivery (CI/CD), infrastructure as code (IaC), applying machine learning in operations (AIops), and continuous testing. More advanced teams also focus on continuous planning, architecting cloud-native applications, developing microservices, controlling code with feature flags, promoting shift-left security practices, establishing service-level objectives, managing error budgets, and becoming more data driven.
These practices help transform two primary IT functions of a devops organization: development (building new applications and releasing quality enhancements frequently) and operations (ensuring the reliability and performance of business systems, databases, and applications).
Many organizations extend devops to devsecops and include security as an equal partner. With devsecops, the three primary IT practices must balance the speed, agility, and innovation businesses need to compete today with the reliability, security, and performance required for business operations.
Devops collaboration requires agile and ITSM tool integrations
Devsecops practices alone don’t cement the collaboration required to bring development, operations, and security functions together to meet these objectives. That collaboration requires implementing, tracking, and measuring workflows that span these functions.
For many organizations, these workflows bring together agile methodologies used by development teams, including scrum and kanban, with IT service management (ITSM) practices managed by ops, including request management, incident management, problem management, change management, and maintaining a configuration management database (CMDB).
Yet, many IT organizations fail to integrate their agile and ITSM tools.
The development teams might be using Azure DevOps, Digital.ai, Jira Software, or another agile tool to manage backlogs of user stories, sprints, and releases in the development process. Independently, ops may be using BMC, Cherwell, Ivanti, Jira Service Management, Micro Focus, ServiceNow, or another ITSM tool to manage tickets, track systems, and oversee change management.
Automation and integration can help connect the workflows supported by these agile and ITSM tools, but sadly, more often than not, teams rely on a mix of emails, meetings, Slack messages, Zoom calls, and other manual processes to connect these functions into end-to-end workflows.
That’s certainly not a devsecops best practice.
If you’re wondering why connecting these tools and workflows is important, consider the following three common integration points required in devsecops to support fast delivery, security, and stable operations.
Accelerate deployment of low-risk changes
Many larger IT organizations or ones working in regulated industries establish a change advisory board to review the compliance and risks in deploying changes to production environments. These boards often require devops teams to submit documentation, demonstrate testing compliance, review security risks, and share dependencies before scheduling and executing production deployments.
This approach may be necessary for orchestrating the most complex deployments that involve many teams, system dependencies, or business operational risks. Many devops practices already aim to minimize these problems. For example, microservices wrapped with robust continuous testing and CI/CD enable devops teams to deploy small, lower-risk changes. Other lower-risk changes may include UX components deployed to serverless architectures, embedded analytics dashboard changes, low-code app enhancements, or small dataops configuration changes.
If these are truly small, low-risk changes, can IT automate the change approvals by connecting CI/CD triggered from agile tools with change management workflows managed in ITSM tools?
Of course, business, dev, security, and ops must agree on what constitutes “low risk” and “small.” Additionally, CI/CD pipelines must support rollbacks, and ideally, incident managers must be able to trigger them if changes result in unforeseen issues.
With more devops teams looking to deploy more frequently while reducing the size, scale, and dependencies of software components, automating change approval should be one of the key integrations between agile and ITSM tools.
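A sketch of the automated approval gate discussed in this section, added here as an illustration and not taken from any agile or ITSM product. The policy thresholds, the change-record keys, and the ITSM payload field names are all assumptions. Missing evidence is treated as a failure, so an incomplete record goes to the change advisory board instead of being approved.

```python
# Assumed policy: the change types and limits that business, dev, security,
# and ops have agreed to call "small" and "low risk". Values are illustrative.
POLICY = {
    "low_risk_types": {"microservice", "ux_component", "dashboard",
                       "low_code", "dataops_config"},
    "max_lines_changed": 200,
    "max_components": 1,
}
# Evidence the pipeline must attest to; an absent key counts as a failure.
REQUIRED_EVIDENCE = ("tests_passed", "security_scan_clean", "rollback_supported")

def evaluate_change(change, policy=POLICY):
    """Return (decision, reasons); decision is 'auto_approve' or 'cab_review'."""
    reasons = []
    if change.get("type") not in policy["low_risk_types"]:
        reasons.append("change type is not on the agreed low-risk list")
    lines = change.get("lines_changed")
    if not isinstance(lines, int) or lines > policy["max_lines_changed"]:
        reasons.append("size is unknown or exceeds the agreed limit")
    components = change.get("components", [])
    if not components or len(components) > policy["max_components"]:
        reasons.append("component scope is unknown or too broad")
    for key in REQUIRED_EVIDENCE:
        if change.get(key) is not True:  # fail closed on missing evidence
            reasons.append(f"missing or failed evidence: {key}")
    return ("cab_review" if reasons else "auto_approve"), reasons

def itsm_change_record(change, decision, reasons):
    """Payload for the ITSM change workflow (hypothetical field names)."""
    approved = decision == "auto_approve"
    return {
        "change_id": change.get("id"),
        "state": "approved" if approved else "pending_cab",
        "approval_source": "pipeline_policy" if approved else "change_advisory_board",
        "reasons": reasons,
    }

# Constructed sample records, as a CI/CD pipeline might emit them.
SMALL_CHANGE = {"id": "CHG-0001", "type": "microservice", "lines_changed": 42,
                "components": ["pricing-svc"], "tests_passed": True,
                "security_scan_clean": True, "rollback_supported": True}
NO_ROLLBACK = {k: v for k, v in SMALL_CHANGE.items() if k != "rollback_supported"}
NO_ROLLBACK["id"] = "CHG-0002"

if __name__ == "__main__":
    for record in (SMALL_CHANGE, NO_ROLLBACK):
        decision, why = evaluate_change(record)
        print(itsm_change_record(record, decision, why))
```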
Prioritize and resolve production defects
Are your test automation and continuous testing practices robust enough to guarantee that you can deploy zero-defect production releases consistently?
When ops or site reliability engineers perform root-cause analysis on production issues, or users report application issues to the service desk, these onboarded problems should appear on the agile development team’s backlog as defects. When agile development teams prioritize a review and, ideally, resolve these defects, then the incidents or other ticket types captured in ITSM tools should reflect the current status.
The mapping isn’t trivial to implement because teams must map workflow statuses between defects in agile tools and tickets in ITSM. Also, some tickets may result in multiple defects, or several tickets may be tied to a single defect. There are also likely to be other exceptions in these workflows—for example, when the service desk maps a request ticket to a defect, but the development team says the user is actually requesting a new feature.
Still, leaving a moat that separates user requests and incidents reported through the service desk from the agile development team’s backlog is highly problematic. It may mean that operational issues and user needs aren’t being reviewed and prioritized by agile development teams.
That’s certainly not an agile best practice for teams that should be sensitive to customer and operational issues. The best practice is to connect these two workflows and develop policies for defect prioritization.
Connect deployments with monitoring and AIops platforms
When production incidents happen, one of the key performance indicators for the service desk is to resolve them as quickly and efficiently as possible. Many ITSM teams track the mean time to resolution (MTTR) of their production incidents and increase the number of monitors and alerts to identify issues faster.
IT organizations with multicloud architectures or many different monitoring tools can now use AIops platforms to centralize monitoring and observability data. Once the data is centralized, the AIops platforms apply machine learning to help correlate multiple system alerts into a single, manageable incident. But one often ignored practice is to integrate dev changes with these monitoring and AIops tools.
Does the network operations center or security operations center have complete knowledge of all the observability data, deployments, feature flag changes, or other configuration changes? If I am in the network operations center and a database fires an alert, I don’t want to chase down who did what, when, and where in agile, ITSM, version control, feature flagging, or other tools.
Furthermore, when dev teams are truly committed to SRE practices and measuring error budgets, they should be receiving consolidated analytics from production on the performance and reliability of their apps, services, databases, and underlying infrastructure.
These integrations might be the holy grail to support end-to-end devops practices, but they require connecting data across multiple systems:
- Agile development, version control, feature flagging, test automation, and CI/CD tools used by dev teams
- ITSM tools for capturing incidents, requests, and changes managed by the service desk
- The CMDB and dependency and discovery mapping tools that capture accurate states of the infrastructure
- Monitoring and AIops tools used by network operations centers and security operations centers
- Value stream mapping and other product management tools to provide transparency and controls to business leaders
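The database-alert scenario above, as an added example that is not part of the original article: when an alert fires, use the CMDB dependency map to find every component that relies on the alerting system, then list recent changes to any of them across tools. The dependency map, change events, alert, field names, and two-hour lookback are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed CMDB dependency map: component -> components it depends on.
CMDB_DEPENDS_ON = {
    "checkout-api": ["orders-db", "pricing-svc"],
    "pricing-svc": ["orders-db"],
    "reports-ui": ["reports-db"],
}

# Constructed change events, already normalized from each source tool.
CHANGE_EVENTS = [
    {"source": "cicd", "component": "checkout-api", "actor": "alice",
     "what": "deploy build 512", "at": "2021-06-01T10:02:00"},
    {"source": "feature_flag", "component": "pricing-svc", "actor": "bob",
     "what": "enable bulk-discount flag", "at": "2021-06-01T10:20:00"},
    {"source": "itsm", "component": "orders-db", "actor": "carol",
     "what": "index rebuild change", "at": "2021-06-01T07:45:00"},
    {"source": "cicd", "component": "reports-ui", "actor": "dave",
     "what": "deploy build 88", "at": "2021-06-01T10:25:00"},
    {"source": "version_control", "component": "orders-db", "actor": "erin",
     "what": "connection pool config change", "at": "2021-06-01T09:10:00"},
]

ALERT = {"component": "orders-db", "signal": "connection saturation",
         "at": "2021-06-01T10:30:00"}

def dependents_of(component, depends_on):
    """All components that directly or transitively depend on `component`."""
    found, stack = set(), [component]
    while stack:
        current = stack.pop()
        for name, deps in depends_on.items():
            if current in deps and name not in found:
                found.add(name)
                stack.append(name)
    return found

def changes_for_alert(alert, events, depends_on, lookback=timedelta(hours=2)):
    """Changes inside the lookback window that touch the alerting component
    or anything depending on it, most recent first."""
    fired = datetime.fromisoformat(alert["at"])
    scope = {alert["component"]} | dependents_of(alert["component"], depends_on)
    hits = [ev for ev in events
            if ev["component"] in scope
            and fired - lookback <= datetime.fromisoformat(ev["at"]) <= fired]
    return sorted(hits, key=lambda ev: datetime.fromisoformat(ev["at"]), reverse=True)

if __name__ == "__main__":
    for ev in changes_for_alert(ALERT, CHANGE_EVENTS, CMDB_DEPENDS_ON):
        print(ev["at"], ev["source"], ev["component"], ev["actor"], ev["what"])
```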
Management tools for AIops, observability, and service-level objectives include BigPanda, Broadcom, DataDog, Devo, Digitate, Dynatrace, Elastic, Micro Focus, Moogsoft, New Relic, Nobl9, OpsRamp, Resolve, ScienceLogic, Splunk, and others. They compete on integrations, analytics, workflow, automations, and other capabilities that support tracking and resolving operational issues.
The key for IT teams is recognizing that becoming more devops-focused requires integrating and modernizing dev, ops, and security workflows.
Copyright © 2021 IDG Communications, Inc.