Your company isn’t small, and it isn’t simple. But that doesn’t mean that you don’t want things to go smoothly. And they should. After all, your people all know what they should be doing, and the best way to handle security and compliance issues.
The reality is that once your company gets beyond a certain size, ensuring that development and deployment are handled properly can be a challenge at best, and a nightmare at worst. Even if you’ve taken the next step into CI/CD, you still have to standardize your process, which for most companies means an amalgam of scripts and processes that are all over the place. You can hope things will work out, but hope is not a strategy.
We’ve been thinking a lot about that here at Mirantis, where we’ve been working on our cloud-native continuous delivery platform based on Netflix’s Spinnaker and aimed at helping companies achieve cloud ROI at scale. You see, we know that building software and releasing it to production can be complicated; we hear it from our clients every day.
So how do you ensure that your developers aren’t unknowingly setting you up for a catastrophe — without getting in their way?
Of primary concern for most companies today is the issue of security. While it’s easy to think about security as protecting yourself from bad actors on the outside — as in cyberattacks — it’s unfortunately not that simple.
Even developers with the best intentions can end up exposing your systems — and therefore your company — to enormous risk. One study of over 6000 container images in Docker Hub showed that official Docker images had an average of 16 vulnerabilities each, including those as old and well-known as Heartbleed and Shellshock. These older vulnerabilities are particularly dangerous because they’re well-known and exploits are readily available. Community images were even less secure, averaging 40 vulnerabilities each.
That’s not to say that all images are vulnerable, of course, but even when starting with a clean and non-vulnerable state, there’s still the issue of configuration. Developers aren’t trained in hardening IT systems — nor should they necessarily be, as long as it gets taken care of.
You can solve this problem with standard operating procedures, of course, and even with scripts that perform the necessary tasks. But how do you ensure that everyone is following those steps, or even that they’re able to?
One way is through the use of golden images, which include standard software and are preloaded with security fixes and pre-configured appropriately. For example, part of our platform includes determining what images you need, baking them, and making them available to development teams.
That leads to the next challenge: compliance.
Even if an application is functioning perfectly and has no security issues, it can still get you into trouble — especially these days. You’re probably aware of Europe’s General Data Protection Regulation (GDPR), which comes into effect on May 25 and affects any company that has data on any European citizen — no matter where that company exists. But it’s not as though that’s the first regulation to affect a company’s operations. Long before GDPR there was the Sarbanes Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and plenty of other regulations that require a company to keep careful control of its data.
The problem with many of these regulations is that even if your developers want to follow all of the rules, they might not even know what they are, much less how to ensure that what they do isn’t going to have regulators breathing down your neck.
In order to prevent problems, you need to be able to ensure that you have control over:
- What is running? Is it approved software, without vulnerabilities, configured properly?
- Where is it running? Are there geographic restrictions on what you’re doing? Are you exporting personal data between countries? Is your technology subject to export limitations regarding specific countries?
- Who approved it to run? If there’s a step in your process that requires human verification, do you know who did that verification? What specifics were they verifying?
Again, hoping that everything is working as planned and that everyone is following procedure is not a viable way of doing business.
Instead, you need specific, approved pipelines that provide guardrails enabling your developers to do their jobs while still knowing they’re not going to accidentally put your company in legal jeopardy. For example, we provide both templated pipelines and best practices appropriate to your individual situation.
Even with these safeguards in place, however, there’s still one more thing to take into account: your actual business objectives.
Now that we’ve made sure that your application is running properly and isn’t going to expose you to any legal jeopardy, you don’t have anything to worry about, right? Well, sure — if you don’t care whether the application is actually accomplishing anything
You’re probably already aware that you need to ensure that your applications are aligned with your business goals, but what about their deployment and maintenance? You need to answer many of the same questions there, as well:
- Who needs this application, and who’s affected by it? In other words, who do you need to involve in any potentially manual approvals? What about automatic notifications?
- What does the application need to do, and are you sure it’s doing it? Are you monitoring it? Do you have any automatic monitoring in place that can take steps if there’s a problem?
- Where does it need to run? This is partly a compliance question, as we discussed earlier, and partly a performance question. Do you need to move the application closer to the data? Or vice-versa?
- When do you need to involve a human for verification, and how often? What kind of ongoing monitoring do you need?
- How does all of this get done? And how do you know it’s getting done that way?
But all of this is to get to the most important question, which so often gets glossed over: why are you doing all this? Everything you do must be tied to some business objective, or it’s just so much noise.
That’s why coordination is so important. It’s not enough to understand your business, or to understand continuous integration and continuous delivery. It’s crucial to create a situation considering both together, so that your application development pipelines truly work with your business. For example, our platform includes services that help analyze your business needs and ensure that your pipelines and procedures are set up properly, and consistently, so that you can scale effectively.
All of this comes down to the same thing: you need to ensure that you’re considering security, compliance, and coordination in a very complicated environment. Make sure that you are not leaving it to chance. Remember: hope is not a strategy!