Many leaders have heard the terms "DevOps" or "DevSecOps", but may not be sure how to get there from a traditional development and operations culture. In this session we'll explore approaches to move from a siloed environment, possibly using waterfall processes and monolithic architectures, to a collaborative agile environment with modern software architectures.
2. What is DevOps?
The term "DevOps" typically refers to the emerging professional movement that advocates a collaborative working relationship between development and IT operations, resulting in the fast flow of planned work (i.e., high deploy rates), while simultaneously increasing the reliability, stability, resilience, and security of the production environment.
—Gene Kim, author of The Phoenix Project
3. DevSecOps
Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.
—DevSecOps Manifesto
4. Why does DevOps matter?
• High-performing IT organizations deploy 30x more frequently with 200x shorter lead times; they have 60x fewer failures and recover 168x faster.
• Lean management and continuous delivery practices create the conditions for delivering value faster, sustainably.
• High performance is achievable whether your apps are greenfield, brownfield, or legacy.
(source: Puppet Labs 2015 State of DevOps Report)
https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf
5. How do we transition to DevSecOps culture?
People/Process:
• Reorganization: cross-discipline team
• Reorganization by vTeams
• Documented release process
• Documented testing processes
• Cross-discipline training
• Cross-discipline social events
• Rotation programs
Technical:
• Continuous integration
• Continuous delivery
• Continuous deployment
• Automated testing
• Automated monitoring and log analysis
• Configuration management
6. Conway's Law:
Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.
Melvyn Conway, 1967
http://www.melconway.com/Home/Conways_Law.html
Inverse Conway Maneuver:
In what could be termed an "inverse Conway maneuver," you may want to begin by breaking down silos that constrain the team's ability to collaborate effectively.
Jonny Leroy/Matt Simons, 2010
http://jonnyleroy.com/2011/02/03/dealing-with-creaky-legacy-platforms/
8. DevSecOps maturity model
(figure: DevSecOps maturity, Level 1 through Level 5, plotted against the deployment pipeline stages Commit, Accept, Capacity, Exploratory, Production; supporting systems at each level are the Revision Control System, Convergence (Configuration Management) System, Infrastructure Provisioning System, Artifact Management System, Build & Continuous Integration System, and Feedback System)
9. Strategies for migration from level 1 to level 5
• Greenfield: Start full pipeline on pilot projects
• Roll processes/tools out to all new projects once verified
• Brownfield: Gradually apply DevSecOps principles
• Large organizations usually implement a combination
• Pilot project/center of excellence
• "Back port" lessons onto existing code base
11. Traditional workflow (figure): components are a project management server, a source code repository, the developer, a test server, a production server, QA, and operations. Steps: 1. Pick tasks; 2. Submit code; 3. Build; 4. Deploy to test; 5. Document deployment; 6. Test; 7. Deploy to prod; 8. Test.
12. Workflow with a continuous integration server (figure): the same components plus a continuous integration server. Steps: 1. Pick tasks; 2. Submit code; 3. Change notification; 4. Build; 5. Deploy to test; 6. Document deployment; 7. Test; 8. Deploy to prod; 9. Test.
13. Workflow with a continuous integration server, without the separate "document deployment" step (figure). Steps: 1. Pick tasks; 2. Submit code; 3. Change notification; 4. Build; 5. Deploy to test; 6. Test; 7. Deploy to prod; 8. Test.
18. AWS and DevSecOps
Opportunity / AWS Services (figure): AWS CloudFormation, AWS CodeDeploy, AWS OpsWorks, AWS Elastic Beanstalk, AWS CodeCommit, AWS CodePipeline, plus Marketplace offerings and Competency Partners.
• IT shops fully embracing DevSecOps can be orders of magnitude more productive than those that don't.
• AWS offers an array of powerful services to enable DevSecOps.
• Using AWS CloudFormation to repeatedly and quickly deploy dev/test environments, and then shut them down immediately when tests complete, is helping customers:
  Save money and time
  Increase quality
  Increase agility
19. DevSecOps, self service, and cost management
Automation empowers individuals; however:
Individuals spending OPM (other people's money) can spend too much
AWS services can help:
AWS Identity and Access Management (IAM) restrictions
Cost Explorer
Detailed billing reports
Budgets
Cost and usage reports
Billing alerts
AWS Partners can provide more analytics and assist in cost control
20. Bridging the gap from DevOps to finance
J.R. Storment, Chief Customer Officer at Cloudability
jr@cloudability.com
21. What DevSecOps brings to the table
Breaking down silos
Collaboration between cross-disciplinary teams
Move faster in refreshing your infrastructure
Constant adjustment to change
Automated monitoring and alerting
Effect: cost goes up, with a more complex financial audit trail
26. Finance a part of the process now
Cloud efficiency lifecycle (figure): DevOps and Finance joined by a delivery pipeline and a feedback loop through the stages buy, measure, align, learn.
27. What is DevSecOps?
Software development lifecycle (figure): developers and customers joined by a delivery pipeline and a feedback loop through the stages plan, build, test, release, monitor.
28. What is FinOps?
The term "FinOps" typically refers to the emerging professional movement that advocates a collaborative working relationship between DevOps and Finance, resulting in an iterative data-driven management of infrastructure spending (i.e., lowering the unit economics of cloud), while simultaneously increasing the cost efficiency and ultimately profitability of the cloud environment.
—J.R. Storment, chief customer officer at Cloudability
29. FinOps/RI czar
FinOps czar (n): A person or team focused on looking at the AWS billing data each month to identify opportunities to save money (e.g., with Reserved Instance coverage)
Why appoint one?
Proper purchasing of RIs can save 30–60% on your AWS bill
Assuming a $1M/yr spend, there's a potential savings of $300K+/year.
Usually a technically minded person in finance, procurement, or vendor management
30. How do you build a FinOps culture?
Put data in the hands of the people
Enact policies and evangelize best practices
Cross-train teams on shared knowledge and reporting tools
32. Tips for cost visibility
Get each stakeholder the spending fundamentals daily
Let each team see other teams’ spending habits
Create broadly available dashboards
35. Allocation tools
• Tags are highly flexible, but 100% coverage is difficult due to compliance
• Linked accounts offer clean chargeback but limit reporting options
• Consolidation of accounts to achieve volume discounts drives centralized management of finance optimization
36. Pro tips: allocating costs
Get consensus on the taxonomy (but let Finance drive)
Define 2–3 mandatory tags like “project” or “environment”
Consider a “tag or terminate” rule to enforce compliance
38. Don't run the cloud like a data center: 65% of the hours in a month are nights and weekends
39. Tips for encouraging efficient behavior
1. Automate weekly waste reporting for each team
2. Gamify cleanup by creating a visible leaderboard
3. Do a monthly, company-wide waste review
43. Focus on reducing unit cost, even as total cost grows
(chart: unit cost and total cost plotted over time, y-axis 0 to 150)
44. Thank you!
Emil Lerch, Senior Cloud Architect at Amazon Web Services,
emilerch@amazon.com
J.R. Storment, Chief Customer Officer at Cloudability
jr@cloudability.com
Editor's Notes
Of course there are many situations where this may not be realistic, but remember that Conway’s Law talks of the “communication structures” of an organization rather than reporting structures. There are often opportunities to improve communication pathways in lightweight ways without having to grapple with thornier organizational issues.
Forrester writes that AWS is the best fit for the DevOps pro segment
Nowadays, there are lots of little decisions made every day by many different people that affect your bill. You may have 150 developers each with the power to provision a server. The good news here is that everyone can get the resources they need in order to move more quickly and you don’t have to buy ahead of demand. The challenge is that the spending power is now decentralized and there’s less control over who can spend money.
The tools for efficiency need to be from the right era.
In an older car you had the ability to record your mileage, then look at how much gas you put in and calculate your miles per gallon then try to improve your driving efficiency . The problem is nobody did it because it took too much time and the gap between actions and results was too wide. So most of us just drove and didn’t think about it.
Now you’ve got dashboards like this one that tell you—as you drive—how the weight of your foot affects your MPG. If you’ve ever driven a Prius, it’s amazing how you automatically start making changes to your driving style. Not just to save money on gas but it becomes a game to see how efficient you can be.
Efficiency becomes a habit over time. Take that power of one person having this power, then multiply it out across everyone in your organization.
That is a culture of cost management.
It’s no longer one person’s responsibility. There are now a lot of players making decisions about what to buy and needing visibility into spending. But they need tools to do this.
secure innovation at speed and scale
They also added a new person. Someone dubbed the RI Czar.
This is a person or team focused on looking at the AWS billing data each month to identify opportunities to increase Reserved Instance coverage. In small companies this is a single person, in larger ones it can be a small team.
This person acts as an unbiased 3rd party liaison between the various stakeholders in the company to ensure the right data is being analyzed, the right conversations are being had and ultimately the right purchases and modifications are being made.
They made this someone's job. The person was measured on the results and ran the process we just laid out.
Is this person full-time? They can be. Usually not, but the numbers actually support dedicating a material amount of an FTE's time to the process.
- Proper purchasing can save 30–60% of your EC2 bill.
- Assuming a $1M spend on EC2, that's a lot of savings…enough to pay for committing someone's time to the process
Interestingly, this person generally doesn't sit in the technology organization. We've seen it be a technically minded person in the finance, procurement or vendor management organizations.
Remember RIs are a billing construct (like a coupon) that is applied after the technology decision is made.
So…how do you build the culture?
Put data in the hands of the people (not once a month or whenever there's a problem) but every day.
Enact policies and evangelize best practices (remember that running at scale on cloud is new to most companies and they simply don't know where to start)
Incentivize good behavior (in fact, the most effective companies gamify and openly share how each group is doing)
The first stage, "Cost Visibility", can be summed up as "What gets measured gets improved."
Tips in Stage I:
Get each stakeholder the spending fundamentals daily. Specifically get them visibility into their portion of the bill so that they can become accountable for daily changes.
Let each team see others' spending habits. This helps create social pressure and incentivizes good behavior.
Create broadly available dashboards. Share them widely and put them up in shared workspaces.
Cloudability offers some powerful ways to deliver cost visibility to everyone. There’s a completely widgetized dashboard system that lets you view your spending in any way you want…look at costs by tag overlaid with usage data, monitor RI utilization compared to instance counts, whatever you like in a system that can be configured to work for execs as well as engineers. This type of visibility is the first step toward creating your culture.
OK let’s talk about the next stage, allocation is all about using the appropriate tools to split out the bill to answer the question of where did the dollars go?
These are your tools.
Here’s a structure we’ve seen work well.
Tags are highly flexible but 100% coverage is difficult due to compliance and the fact that not all charges can be tagged.
Linked accounts offer clean chargeback but limit reporting options.
Most commonly we see eng/ops folks push for tag-based solutions while finance folks tend to prefer account-based divisions due to the clean reporting lines they create.
Solution: Use both, with linked accounts splitting out the most important divisions
Linked accounts to split financial data
Tags to split operational data
Tips for allocating costs:
- Get consensus on the taxonomy. But we've found it works best for Finance to drive the conversation.
- Define 2–3 mandatory tags that must be applied before resources are deployed
Tagging on deployment is key; we've seen far too many post-deployment tagging automation schemes not work.
- Consider adding a Tag or Terminate rule to enforce tagging.
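The "2–3 mandatory tags" and "tag or terminate" rules from slide 36 and the notes above, as an added example that is not Cloudability's or AWS's own tooling. The instance records mirror the shape of EC2 describe_instances output (InstanceId, LaunchTime, Tags), but they are constructed inline so the check runs offline without credentials or boto3; the tag taxonomy, the 24-hour grace period, and the instance ids are all assumptions for illustration.

```python
"""Mandatory-tag compliance check ("tag or terminate") over constructed
EC2-style instance records. Added example, not the talk's own code."""

from datetime import datetime, timedelta, timezone

# Assumed taxonomy: the two or three mandatory tags the slide recommends.
MANDATORY_TAGS = ("project", "environment")
# Assumed grace period before an untagged instance becomes a terminate candidate.
GRACE_PERIOD = timedelta(hours=24)

# Constructed sample (not real data): one compliant instance, one missing a tag
# beyond the grace period, and one freshly launched with no tags at all.
NOW = datetime(2016, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "LaunchTime": NOW - timedelta(days=3),
     "Tags": [{"Key": "project", "Value": "billing"},
              {"Key": "environment", "Value": "prod"}]},
    {"InstanceId": "i-0bbb", "LaunchTime": NOW - timedelta(days=2),
     "Tags": [{"Key": "project", "Value": "web"}]},
    {"InstanceId": "i-0ccc", "LaunchTime": NOW - timedelta(hours=2),
     "Tags": []},
]


def missing_tags(instance, required=MANDATORY_TAGS):
    """Return the mandatory tag keys that are absent from, or empty on, an instance.
    Tag keys are matched exactly: 'Project' does not satisfy 'project'."""
    present = {t["Key"]: t.get("Value", "") for t in instance.get("Tags", [])}
    return [key for key in required if not present.get(key)]


def classify(instances, now=NOW, required=MANDATORY_TAGS, grace=GRACE_PERIOD):
    """Bucket instances as compliant, warn (untagged but inside the grace period)
    or terminate (untagged beyond it). Each bucket holds (instance id, missing keys)."""
    result = {"compliant": [], "warn": [], "terminate": []}
    for inst in instances:
        missing = missing_tags(inst, required)
        if not missing:
            result["compliant"].append((inst["InstanceId"], []))
        elif now - inst["LaunchTime"] < grace:
            result["warn"].append((inst["InstanceId"], missing))
        else:
            result["terminate"].append((inst["InstanceId"], missing))
    return result


if __name__ == "__main__":
    # Print the report; in a real job the "terminate" bucket would feed a
    # notification first and an actual termination call only after review.
    for bucket, items in classify(SAMPLE_INSTANCES).items():
        for instance_id, missing in items:
            print(f"{bucket:10s} {instance_id} missing={missing}")
```

The split into warn and terminate buckets matters in practice: deployment tooling often attaches tags a few minutes after launch, so a rule that terminates on the first untagged sighting punishes the automation rather than the untagged resource. The report should also be generated from read-only credentials; only the enforcement step needs permission to stop or terminate.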
Efficiency. This Stage is all about turning off waste, resizing and rightsizing instances.
Here’s what’s important to cover in this stage.
Make sure each team is getting weekly reports on their underutilized instances; you can schedule this in Cloudability.
Gamify clean-up by creating a custom leaderboard that everyone can see. Again, check out our new dashboarding features for this.
Do a monthly whole-company waste review. Work with your cost management provider, AWS and internal thought leaders to do a monthly review of where you could do better.
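The weekly waste report and cleanup leaderboard from slide 39 and the notes above, as an added example that is not Cloudability's reporting product. The CloudWatch-style CPU samples, the team tags, the hourly prices and the 10%/20% idle thresholds are all constructed or assumed for illustration, so the block runs offline.

```python
"""Weekly underutilized-instance report with a per-team cleanup leaderboard.
Added example, not the talk's own code; all inputs are constructed."""

from statistics import mean

# Assumed thresholds: an instance whose weekly CPU average is under 10% and
# whose peak never reaches 20% is reported as a rightsizing/turn-off candidate.
AVG_CPU_THRESHOLD = 10.0
PEAK_CPU_THRESHOLD = 20.0
HOURS_PER_WEEK = 24 * 7

# Constructed inventory: instance id -> (team tag, hourly on-demand price in USD).
INVENTORY = {
    "i-0a1": ("payments", 0.20),
    "i-0a2": ("payments", 0.10),
    "i-0b1": ("search", 0.40),
    "i-0b2": ("search", 0.40),
}

# Constructed CloudWatch-style CPU utilization samples (percent), one per day.
CPU_SAMPLES = {
    "i-0a1": [3, 4, 2, 5, 3, 2, 4],         # idle all week
    "i-0a2": [45, 60, 52, 48, 70, 30, 55],  # genuinely busy
    "i-0b1": [8, 6, 7, 9, 12, 5, 6],        # idle, peak 12 stays under 20
    "i-0b2": [4, 4, 40, 4, 4, 4, 4],        # low average but one real burst
}


def is_underutilized(samples, avg_t=AVG_CPU_THRESHOLD, peak_t=PEAK_CPU_THRESHOLD):
    """Both the average and the peak must be low: a weekly batch job that
    spikes once a week is not waste, even if its average looks idle."""
    return mean(samples) < avg_t and max(samples) < peak_t


def waste_report(inventory, samples):
    """Return {team: [(instance_id, weekly_spend_usd), ...]} for idle instances."""
    report = {}
    for iid, (team, price) in inventory.items():
        if is_underutilized(samples[iid]):
            report.setdefault(team, []).append((iid, round(price * HOURS_PER_WEEK, 2)))
    return report


def leaderboard(report, inventory):
    """Rank teams by the percentage of their weekly spend sitting idle (lower is
    better), so a large team is not penalised just for owning more instances."""
    spend = {}
    for team, price in inventory.values():
        spend[team] = spend.get(team, 0.0) + price * HOURS_PER_WEEK
    rows = []
    for team, total in spend.items():
        wasted = sum(usd for _, usd in report.get(team, []))
        rows.append((team, round(100 * wasted / total, 1)))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    report = waste_report(INVENTORY, CPU_SAMPLES)
    for team, items in report.items():
        print(f"{team}: {items}")
    for rank, (team, pct) in enumerate(leaderboard(report, INVENTORY), start=1):
        print(f"#{rank} {team}: {pct}% of weekly spend idle")
```

Ranking by share of spend rather than by dollar amount is the design choice that keeps the leaderboard fair across teams of different sizes; the same report can be scheduled weekly and its output pasted into the shared dashboard the earlier notes describe.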
Everyone's favorite stage: savings through lowering hourly costs.
Your reservations and infrastructure function as two sides of the same coin. Your infrastructure is fluid and elastic, so you need to keep modifying and adjusting your reserved instance portfolio to match.
Sunk cost + on-demand
OK, now we get into the nirvana stage of cloud cost management: unit cost.
You should be watching unit cost and its effect on margin and managing your business to that number.
If you’re successful, your bill may always go up.
Focusing on unit cost will give you visibility into how that ties into the business—and get your management team off your back.