“DevOps is the automation of testing software,” said Jeffrey Kok, technical director for the region at CyberArk, a vendor of cyber-security management tools.
Combining the words development and operations, DevOps is a management technique for promoting collaboration among different I.T. teams within an organization. It integrates product management, operations and software professionals.
The buzzword has come to represent the expansion of agile development throughout the operational lifecycle of an application – in other words, DevOps is how organizations, not just I.T. teams, become agile. (See our profile of Deutsche Bank’s COO, who discusses implementing DevOps workflows.)
According to Kok, the origins of DevOps is in containerization, a means of running many disposable, short-lived applications, that function on a common operating system but are otherwise independent.
An example in financial services would be a digital promotion or a new online product launch, which has a limited shelf life – a targeted consumer loan, for example.
Contain the app
When an I.T. team is asked to build such a product, they save memory storage space and money by creating an app that is in a ‘container’, a shared operating system. Containers (which can run multiple apps) don’t interact with one another, so they are easy to plug in, or remove.
Think of a customer considering a personalized loan offer. The customer would be unaware of a thousand other people considering variants of the same thing. But they all share an I.T. infrastructure behind the scenes at the bank, which is housed in a ‘container’, isolated from other bank products or operations.
I.T. teams do things this way in order to respond to customers. If the product is a dud, it can be quickly erased without affecting other systems. If it proves popular, it can be rolled out quickly. “This makes it easier to scale and take an operation onto the cloud,” Kok said.
Moreover, such transitory apps are more difficult to hack; permanent or persistent ones become a target, over time. And they are cost-effective, as a bank or other firm does not need to create a separate operating system – or hire a new programmer – for every new app. “I.T. departments can now fully automate their virtual machines, meaning there’s no need for extra back-office support,” Kok said. “They can set up a brand new service without adding people.”
(A virtual machine, or VM, is an isolated duplicate of a real computer; because it has no hardware, it is a safe place to test software, like a sandbox; VMs can also be used to run parallel programs a company might want to keep separate from its other systems.)
Although the concept of containerization has been around only since 2008, it has gone mainstream among tech leaders, thanks to their embrace of open-source programming: every week, Google now runs over 2 billion containers – including components, APIs, and microservices; a statistic repeated on multiple technology websites. After tech firms, financial institutions are enthusiastic if recent adopters of containerization, Kok says.
But this comes with its own complexities. People in operations, product development, testing, audit and compliance have different goals. These teams operate in their own silos, which slows down the process of getting an idea from white board to market. If they don’t align throughout the lifecycle of an app, the company will have to patch a lot of rips and tears.
DevOps is the process of getting different functions to work together, from coding and testing, to deployment and monitoring. It is not a tool per se, although there are open-source web hosts and integration products such as GitHub or Jenkins that programmers use to automate what is essentially a management technique.
A newer addition to the lexicology is DevSecOps, which is integrating cyber-security into the process, says Kok.
“Coders need passwords and credentials,” he said. Traditionally, they would bundle passwords into the app itself, which worked well enough until programmers began relying on open-sourced services such as GitHub and Jenkins. That put passwords at risk, resulting in thefts: earlier this year, such a security bug allowed hackers to access passwords and private messages from the likes of Uber.
“DevSecOps builds security into the design,” Kok said, adding that more I.T. teams are adopting this approach as companies build new apps, rather than as wholesale replacements of mainframes or other existing infrastructure. One way to do this is to deploy ephemeral secrets, passwords and logins that are transient, such as one-time private keys.
However, Kok says there is not yet an industry standard for how to do this: commercial vendors such as CyberArk use methods that may vary from those found in the open-source world. That can be a challenge for developers at banks and other users, who need to decide on security approaches.
A second challenge is that teams involved in cyber-security come in silos of their own. Big organizations will have 10 to 20 types of technology on their platform, each of which has its own security measures. For financial institutions’ ops, I.T. and compliance teams, the lack of consistency is expensive and exhausting to audit. So far, no one has come up with policies for ephemeral passwords, at least not publicly.
“It’s ultimately a management decision,” Kok said. Some companies will want to tear down silos, and apply DevOps to cyber-security as well; others will decide the silos are an acceptable cost.