
Leveraging Cloud Transformation to Build a DevOps Culture

Emil Lerch, Sr Consultant, AWS Professional Services

J.R. Storment, Chief Customer Officer, Cloudability

June 20, 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is DevOps

The term “DevOps” typically refers to the emerging professional movement that advocates a collaborative working relationship between development and IT operations, resulting in the fast flow of planned work (i.e., high deploy rates), while simultaneously increasing the reliability, stability, resilience, and security of the production environment.

—Gene Kim, author of The Phoenix Project


DevSecOps

Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.

—DevSecOps Manifesto
Why does DevOps matter?

• High-performing IT organizations deploy 30x more frequently with 200x shorter lead times; they have 60x fewer failures and recover 168x faster.
• Lean management and continuous delivery practices create the conditions for delivering value faster, sustainably.
• High performance is achievable whether your apps are greenfield, brownfield, or legacy.

(Source: Puppet Labs 2015 State of DevOps Report)
https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf
How do we transition to DevSecOps culture?

People/Process
• Reorganization: cross-discipline team
• Reorganization by vTeams
• Documented release process
• Documented testing processes
• Cross-discipline training
• Cross-discipline social events
• Rotation programs

Technical
• Continuous integration
• Continuous delivery
• Continuous deployment
• Automated testing
• Automated monitoring and log analysis
• Configuration management

Conway’s Law:
Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.
Melvin Conway, 1967
http://www.melconway.com/Home/Conways_Law.html

Inverse Conway Maneuver:
In what could be termed an “inverse Conway maneuver,” you may want to begin by breaking down silos that constrain the team’s ability to collaborate effectively.
Jonny Leroy/Matt Simons, 2010
http://jonnyleroy.com/2011/02/03/dealing-with-creaky-legacy-platforms/
Two-pizza teams

Full ownership

Full accountability

Aligned incentives
DevSecOps maturity model
[Figure: DevSecOps maturity (Level 1 to Level 5) plotted against deployment pipelines. Systems shown: Revision Control System; Convergence (Configuration Management) System; Infrastructure Provisioning System; Artifact Management System; Build & Continuous Integration System; Feedback System. Pipeline stages shown at each level: Commit, Accept, Capacity, Exploratory, Production.]


Strategies for migration from level 1–level 5

• Greenfield: Start full pipeline on pilot projects
• Roll processes/tools to all new projects once verified
• Brownfield: Gradually apply DevSecOps principles
• Large organizations usually implement a combination
• Pilot project/center of excellence
• “Back port” lessons onto existing code base
Sample strategy: existing applications

1. Set up CI/CD server
2. Development automates builds
3. Development/Operations automate deployments
4. QA automates tests
5. Operations automate infrastructure build/teardown

[Diagram. Components: source code repository, test server, production server, project management server. Roles: developer, QA, operations. Steps: 1. Pick tasks; 2. Submit code; 3. Build; 4. Deploy to test; 5. Document deployment; 6. Test; 7. Deploy to prod; 8. Test.]

[Diagram. Components: source code repository, continuous integration server, test server, production server, project management server. Roles: developer, QA, operations. Steps: 1. Pick tasks; 2. Submit code; 3. Change notification; 4. Build; 5. Deploy to test; 6. Document deployment; 7. Test; 8. Deploy to prod; 9. Test.]

[Diagram. Components: source code repository, continuous integration server, test server, production server, project management server. Roles: developer, QA, operations. Steps: 1. Pick tasks; 2. Submit code; 3. Change notification; 4. Build; 5. Deploy to test; 6. Test; 7. Deploy to prod; 8. Test.]

[Diagram. Components: source code repository, continuous integration server, application server, project management server. Roles: developer, QA. Steps: 1. Pick tasks; 2. Submit code; 3. Change notification; 4. Build; 5. Deploy; 6. Test.]

[Diagram. Components: source code repository, continuous integration server, application server, project management server. Roles: developer. Steps: 1. Pick tasks; 2. Submit code; 3. Change notification; 4. Build/test; 5. Deploy.]

[Diagram. Components: source code repository, continuous integration server, application server, project management server. Roles: developer. Steps: 1. Pick tasks; 2. Submit code; 3. Change notification; 4. Build/create environment/test/teardown; 5. Deploy.]

Cloud software development lifecycle

[Figure: lifecycle stages Code, Build, Test, Deploy, Provision, Monitor, shown with AWS CodeCommit, AWS CodePipeline, AWS CodeDeploy, AWS Elastic Beanstalk, AWS OpsWorks, AWS CloudFormation, and Amazon CloudWatch.]

AWS and DevSecOps

Opportunity
• IT shops fully embracing DevSecOps can be orders of magnitude more productive than those that don’t.
• AWS offers an array of powerful services to enable DevSecOps.
• Using AWS CloudFormation to repeatedly and quickly deploy dev/test environments, and then shut them down immediately when tests complete, is helping customers:
  • Save money and time
  • Increase quality
  • Increase agility

AWS Services
• AWS CodeCommit, AWS CodePipeline, AWS CodeDeploy
• AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk

Marketplace offerings and Competency Partners


DevSecOps, self service, and cost management
Automation empowers individuals; however:
Individuals spending OPM can spend too much

AWS services can help:
• AWS Identity and Access Management (IAM) restrictions
• Cost Explorer
• Detailed billing reports
• Budgets
• Cost and usage reports
• Billing alerts

AWS Partners can provide more analytics and assist in cost control
Bridging the gap from DevOps to finance
J.R. Storment, Chief Customer Officer at Cloudability
jr@cloudability.com
What DevSecOps brings to the table

Breaking down silos
Collaboration between cross-disciplinary teams
Move faster in refreshing your infrastructure
Constant adjustment to change
Automated monitoring and alerting

Effect: cost goes up, with a more complex financial audit trail
Explosion of SKUs and metadata increasing reporting complexity

[Figure: AWS service icons: AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, Amazon CloudWatch, IAM, AWS KMS, AWS Certificate Manager, AWS CloudHSM, Amazon SQS, AWS Service Catalog, AWS CloudFormation, AWS OpsWorks, Amazon Redshift, AWS Mobile Hub, Amazon SNS, AWS Elastic Beanstalk, Amazon ECR, Amazon Elasticsearch Service, AWS Device Farm, Amazon S3, Amazon EC2, Amazon ECS, AWS Lambda.]

DevOps has decentralized deployment of resources to more engineers and involved finance in the planning decisions

CI/CD shortening feedback loops and creating opportunities to refresh infrastructure and improve efficiency

Cross-discipline teams (dev+ops+finance) now jointly responsible for bill…

[Figure labels: Engineers, Finance, Operations, Capacity, Execs]

Finance a part of the process now
Cloud efficiency lifecycle
[Figure: delivery pipeline (buy, measure) and feedback loop (align, learn) between DevOps and Finance.]
What is DevSecOps?
Software development lifecycle
[Figure: delivery pipeline (build, test, release) and feedback loop (plan, monitor) between developers and customers.]
What is FinOps?

The term “FinOps” typically refers to the emerging professional movement that advocates a collaborative working relationship between DevOps and Finance, resulting in an iterative data-driven management of infrastructure spending (i.e., lowering the unit economics of cloud), while simultaneously increasing the cost efficiency and ultimately profitability of the cloud environment.

—J.R. Storment, chief customer officer at Cloudability


FinOps/RI czar
FinOps czar (n): A person or team focused on looking at the AWS billing data each month to identify opportunities to save money (e.g., with Reserved Instance coverage)

Why appoint one?

Proper purchasing of RIs can save 30–60% on your AWS bill

Assuming a $1M/yr spend, there’s a potential savings of $300K+/year.

Usually a technically minded person in finance, procurement, or vendor management
How do you build a FinOps culture?

Put data in the hands of the people

Enact policies and evangelize best practices

Cross-train teams on shared knowledge and reporting tools


I. Cost visibility
[Figure: cycle of five areas: Visibility, Allocation, Efficiency, Savings, Unit cost.]
Tips for cost visibility

Get each stakeholder the spending fundamentals daily

Let each team see other teams’ spending habits

Create broadly available dashboards


II. Allocation
Consolidation of accounts to achieve volume discounts driving centralized management of finance optimization

• Tags are highly flexible, but 100% coverage is difficult due to compliance
• Linked accounts offer clean chargeback but limit reporting options
Pro tips: allocating costs

Get consensus on the taxonomy (but let Finance drive)

Define 2–3 mandatory tags like “project” or “environment”

Consider a “tag or terminate” rule to enforce compliance


III. Efficiency
Don’t run the cloud like a data center: 65% of the hours in a month are nights and weekends
Tips for encouraging efficient behavior

1. Automate weekly waste reporting for each team

2. Gamify cleanup by creating a visible leaderboard

3. Do a monthly, company-wide waste review


IV. Savings
Rapid infrastructure changes driving need for iterative price optimization
V. Unit cost
Focus on reducing unit cost, even as total cost grows

[Chart: unit cost and total cost; vertical axis from 0 to 150.]
Thank you!
Emil Lerch, Senior Cloud Architect at Amazon Web Services,
emilerch@amazon.com

J.R. Storment, Chief Customer Officer at Cloudability
jr@cloudability.com
