Running DevOps Projects Into a Tree

How to destroy every well-meant DevOps project

Introduction and Background

Rainer Stropek

  • Passionate software developer for 25+ years
  • Microsoft MVP, Regional Director
  • Trainer, Teacher, Mentor
  • 💕 community

How To Run every DevOps Project Into a Tree?

Focus on DevOps Tools

DevOps Tools

  • DevOps is primarily a way of working
    • Change organizational structures
    • Change processes
    • Change culture and mindset
  • DevOps definitely requires new skills
    • Make better use of existing tools
  • DevOps might require new tools
    • Cloud computing is an enabler
    • Details will follow later

Make DevOps The Responsibility of a Newly Founded DevOps Team

DevOps Teams

  • The whole point of DevOps is to integrate
    • Not to separate or isolate
    • "DevOps" just a new name for Ops?
  • A DevOps support/consulting team might be useful
    • Helps teams to get started
    • Servant leaders

Foster Kingdoms and Silos

Ops

Security

Architects

Devs

My fiefdom is building web apps, so I don't worry
about operational stuff like API gateways, telemetry,
auto-scaling. That's the job of our admins.


👍 People know how to delegate

👍 Clear separation of concerns

👍 Specialization leads to quality and efficiency

👍 Don't reinvent the wheel

My fiefdom is Active Directory, so I am super restrictive on what
people can do with it.

 

👍 Principle of least privilege

👍 Security in the hands of specialists

👍 Guarantee security through centrally enforced policies

Missing Trust

Conway's Law

„Any organization that designs a system will inevitably produce a design whose structure is a copy of the organization’s communication structure”

Source: Conway, How Do Committees Invent, Datamation magazine, April 1968

DevOps

"You build it, you run it"

Underestimate Complexity

Standing on the shoulders of giants

  • Public Cloud solves this problem!
    • PaaS
    • Serverless
    • SaaS
    • Low code
  • Ready-made services for cross-cutting concerns

Ignore Fears and Reservations

Deal With Fears

  • Fear of losing power and influence
    • No more fiefdoms
  • Fear of taking ownership
    • Fear of failures
    • Feeling of lacking abilities
    • Fear of overwhelming responsibilities
  • Fear of losing control
    • Decentralized
    • Built on trust
  • Work on company culture

Forget Security

View of Developers

DevOps

"You build it, you run it"

DevSecOps


...and you are responsible for its security

Making Your DevOps Project a Success

DevSecOps

  • Operations and security are no longer the responsibility of specific, isolated teams
  • It becomes a shared responsibility
    • Take responsibility for the entire software solution
    • Team has overall picture 👉 better security and SLA
  • DevSecOps needs cultural change
  • DevSecOps needs organizational change

Success Factors

  • Ensure management support
    • Understanding of overall goals
    • Change organizational structure and processes
    • Clear communication regarding changes
    • Accept limits (10x developer myth)
  • Simplify
    • Consider professional cloud providers
      • Surrender some amount of control
      • Benefit from limited responsibility
      • Economy of scale, economy of scope
    • Use PaaS and Serverless instead of IaaS
    • Avoid over-engineering
    • Zero Trust Networking

Success Factors

  • Educate
    • Repeat the basics (e.g. networking, encryption)
    • Know your platforms (e.g. cloud, frameworks)
    • Knowledge transfer between teams
    • Well-educated people are able to take ownership and responsibility
  • T-shaped skills
    • Deep expertise in a single field
    • Ability to collaborate across disciplines and apply knowledge in other areas of expertise
  • Value long-term stability and success
    • Redefine legacy

Success Factors

  • Support
    • Internal/external consulting teams
    • Blueprints, patterns, practices
    • Allow autonomy
  • Embrace Infrastructure as Code (IaC)
    • Repeatable, shareable
    • Cooperative code reviews with consultants and/or custodians
  • Embrace open source development style
    • Learn from OSS
    • Works internally, too
    • Share, exchange, learn from others

Success Factors

  • Step-by-step approach
    • Iterative improvement outdoes perfectionism
    • Technical debt is part of backlog
  • Custodians
    • Servant leadership
    • Make suggestions, listen, not just say "no"
    • Supported by automated policy checks
      • Verify practices and guidelines automatically
    • Work with teams, understand the consequences of decisions

How Can Azure Help?

  • PaaS and Serverless
    • No more patching of base software infrastructure
  • Encryption of data in transit out of the box
    • Certificate management (free managed certs)
    • Key Vault secure storage for certs and secrets
  • Azure AD for authentication and authorization
    • Users and services
    • Managed identities for M2M communication
  • Private Endpoints
    • PaaS/Serverless in locked-down network segments
  • Logging, monitoring, and telemetry
    • Application Insights

Avoid...

  • ...secrets
    • Use AAD instead
    • E.g. AAD admin for Azure SQL
    • (if not avoidable) ...storing secrets outside Key Vault
  • ...putting old, legacy apps on the internet
  • ...applying traditional perimeter-focused policies on cloud-native apps
    • Makes no sense with PaaS/Serverless cloud services
  • ...forgetting logging/monitoring/telemetry
  • ...underestimating the importance of AAD
  • ...manually managing certificates and secrets
  • ...inventing your own security protocols and services
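
Added example (not from the talk): one way the "automated policy checks" that support custodians could verify the first items of the Avoid list against Infrastructure as Code. The ARM template is constructed sample input; the resource names, rule ids and the secret-name heuristic are assumptions.

```python
import json
import re

# Constructed ARM-template fragment (sample input for this example only).
TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Web/sites", "name": "shop-api",
   "identity": {"type": "SystemAssigned"},
   "properties": {"siteConfig": {"appSettings": [
     {"name": "PaymentApiKey", "value":
      "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/pay/)"},
     {"name": "SqlPassword", "value": "constructed-plaintext-value"}]}}},
  {"type": "Microsoft.Web/sites", "name": "legacy-portal",
   "properties": {"siteConfig": {"appSettings": []}}},
  {"type": "Microsoft.Sql/servers", "name": "shop-sql",
   "properties": {"administrators": {"azureADOnlyAuthentication": false}}}
]}
""")

# Hypothetical naming heuristic for settings that usually hold a secret.
SECRET_NAME = re.compile(r"password|secret|key|token|connectionstring", re.I)
KEYVAULT_REF = "@Microsoft.KeyVault("  # App Service Key Vault reference syntax


def check_template(template):
    """Return (resource name, rule id) pairs; rule ids are made up here."""
    findings = []
    for res in template.get("resources", []):
        name, props = res.get("name"), res.get("properties", {})
        if res.get("type") == "Microsoft.Web/sites":
            # Without a managed identity, service-to-service calls need a stored credential.
            if res.get("identity", {}).get("type") in (None, "None"):
                findings.append((name, "no-managed-identity"))
            settings = props.get("siteConfig", {}).get("appSettings", [])
            for s in settings:
                inline = not str(s.get("value", "")).startswith(KEYVAULT_REF)
                if SECRET_NAME.search(s.get("name", "")) and inline:
                    findings.append((name, "secret-outside-key-vault"))
        elif res.get("type") == "Microsoft.Sql/servers":
            # SQL logins (passwords) stay usable unless AAD-only is enforced.
            admins = props.get("administrators", {})
            if admins.get("azureADOnlyAuthentication") is not True:
                findings.append((name, "sql-not-aad-only"))
    return findings


if __name__ == "__main__":
    for resource, rule in check_template(TEMPLATE):
        print(f"{resource}: {rule}")
```

Run in a pull-request pipeline, a check like this gives teams the feedback before deployment and leaves the custodian free to discuss the findings rather than gatekeep.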

Summary

  • DevOps and DevSecOps are necessary
    • Become more productive
    • Build real solutions for real people
    • Master complexity
  • Work on technology and organization
    • How much time do we spend on technology decisions?
    • How much time do we spend working on org/culture?
  • Cloud computing is an enabler
    • Focus on your core responsibility
    • Infrastructure-as-code
    • Let people develop T-shaped skills

Q&A

Thank you for attending