Top 5 DevOps best practices for achieving security, scalability and performance
By Jim Romeo
As TheServerSide continues its look into how best to invest DevOps-related time and dollars, the focus now shifts to the best practices that industry experts suggest will help create scalable, secure and high-performance deployments. Here are five tips and best practices that have emerged from the hands-on experience of the industry's foremost experts:
- Be vigilant of overall security risk - Reuven Harrison, CTO and Co-Founder of Tufin, emphasizes the growing complexities of networks. He says that increased adoption of virtualization, cloud, BYOD and emerging technologies like software-defined networks (SDNs) means that networks are becoming more complex and heterogeneous, and so are the security risks. "As SDN and network virtualization continue to mature, the only way to manage these networks with any degree of efficiency and security is to automate key management functions," he says. "That is the premise of DevOps. But DevOps must include security as a key component because without it, the volume and pace of network change that technologies such as SDN and virtualization introduce will skyrocket the level of IT risk in the environment." The big challenge is that to date, security has been considered an afterthought, and security organizations are considered to be business inhibitors, telling organizations what can't be done, instead of how to do things securely. It is a cultural issue that requires security, developers, and operations teams to foster a level of trust and collaboration that does not yet exist. The only way to do this is incrementally, and with vigilance.
- Watch changes in security risk - Torsten Volk, VP Product Management, Cloud for ASG Software Solutions, says that it is important to think of DevOps as a collaborative mindset and process that leads developers and IT operations to a faster and more efficient way of deploying, operating and upgrading applications. "Each new release comes with the same set of security considerations as it did the time before DevOps," he says. "However, when new releases are delivered at a much higher cadence, security has to also be an ongoing point of focus." DevOps tools help in this regard by proactively ensuring consistent configuration of infrastructure and software components. Even more, these tools can be used to automatically remediate security concerns by constantly validating the proper application of security best practices and taking automatic countermeasures. While this latter scenario might sound advanced, it is the endpoint that every DevOps team should aspire to reach.
- Pay attention to scalability - According to Aaron M. Lee, Managing Principal of DevOps at Pythian, there are two kinds of scalability that DevOps engineers tend to address: application and organization. "An app's scalability is really a question of how long it takes and how much it costs to build and operate a system that successfully delivers a certain level of concurrency; one that matches or exceeds user demand over some time period," said Lee. "Estimating answers to these questions is a critical success factor for many companies, and the ability to do so often goes unrecognized until it's too late." Lee says that scalability is everyone's problem. Business and technology folks have to agree on the right balance of functionality, time to market, cost, and risk tolerance. You need the right measurable objectives, including how many users, and how many concurrent requests over those endpoints for a demand
- Strive for ease of use - DevOps is about automation and repeatability. Dr. Andy Piper, CTO of London-based Push Technology, says this requires configurable virtual environments, and lots of them. "To scale, you need to automate," he says. "So, make sure you are using tools such as Puppet and Chef to automate the building and configuration of VMs. Similarly, make sure you have the horsepower to back this up either in-house, which is more tricky to dynamically scale, or in the cloud if your product is amenable to that." At the end of the day, making a product easy to install, configure and run will make the whole DevOps process much
- Manage your gateways - Susan Sparks, Director, Program Management for InfoZen's Cloud Practice, says that while the new goal is to build the best culture between development and operations teams, it is still good to keep some gates between the functions to ensure the production environments remain stable. "Our teams are structured such that we have operations personnel included in development discussions and daily scrums so the operations teams understand what will be changing in the various future releases," she says. "The operations team maintains responsibility for the stability of the production operation. We found that this approach has worked well for us. We recommend using automation in both testing and operations. Our integration testing has allowed us to find issues prior to them reaching production, and our operations automation allows for cost efficiencies and better quality operations. With automation, fewer people touch the production environment, which significantly reduces human errors. This also helps with security posture, as fewer people have a need to touch the production environments."
"DevOps isn't hard. What is hard is tackling the challenges that arise when an organization is not taking a DevOps approach to integration, development and deployment," says Cameron McKenzie, a software architect and editor of TheServerSide, and it is difficult to argue with such a point. By adopting a DevOps approach, and heeding these five tips, a successful DevOps environment is just an implementation or two away.
What have you found to be the best practices to follow to ensure a successful DevOps environment? Let us know.
07 Sep 2014