Software Consultancy And The Devops Burden

Are you a software consultancy agency, firm or company that is burdened with deploying applications on the cloud?

A typical software consultancy has skills in software development. The focus is on building quality software that meets or exceeds client expectations. The developers are often proficient in programming languages such as JavaScript, Python, PHP, Java, Ruby, etc. They stay on top of industry trends such as the tools and frameworks associated with their chosen technology stack.

Some examples of technology stacks:

  • Node.js, ReactJS, Next.js, PostgreSQL
  • Python, Django, PostgreSQL, ReactJS
  • PHP, Laravel, MySQL
  • MongoDB, Express, ReactJS, Node.js

There are various combinations of such stacks in practice. It is commonly observed that such companies do not have in-house expertise in operations. Not all such consultancies invest in sysops and devops. From time to time, these consultancies are asked to deploy the application on the cloud. They inevitably encounter issues.

Some Examples Of Rookie Cloud Mistakes

Security

  • Opening up access to servers and storage to the public
  • Not encrypting data at rest and in transit
  • Not implementing multiple layers of security. Missing some or all of the security best practices below:

    Network

    • Placing instances on private subnets
    • Using bastion hosts
    • VPN
    • Firewall
    • NAT gateway

    Server

    • SELinux/AppArmor
    • Keeping software up to date: OS, databases, application dependencies, etc.
    • Disabling weak authentication mechanisms
  • Incorrect IAM policies and roles. The principle of least privilege is often not implemented. For example, providing a user with full access to object storage and embedding that user’s credentials in the application configuration.
  • No mechanism to rotate keys.

Cloud Economy

  • Over-scaled instances and storage volumes
  • Unused instances and services
  • Incorrect storage class choices
  • No optimization based on monitoring data
  • Not investing in reservations and long-term commitments

Operational And Architectural Issues

  • Not choosing the right technology and service to deploy the application. What the best technology is for a given project can be debated endlessly. Knowing the options and evaluating them is something that should be done for every project. For example, you can deploy a web application on virtual machines, container management services such as Kubernetes, serverless offerings, etc. What is best for one company and project may differ for another project and company. When the project is in its early stages, it helps to think through the available choices and optimize the application for whatever technology is chosen. Switching to a different DevOps technology later burns a lot of time and energy for the teams involved.
  • Pipelines and automation. Doing development chores such as running tests, generating build artifacts and deploying is tiresome and time-consuming for developers. These chores are distractions and are best managed by letting computers do the work. Setting up a CI/CD pipeline can be daunting at first, but once the team gets used to it, they won’t go back to manual processes again.
  • Monitoring. Performance metrics and error aggregation are often not implemented on day one. Finding errors and fixing them before they lead to a bad user experience improves the quality of the application fast.
  • Backups. Not generating backups. Not verifying backups by restoring them.

The list goes on and on. The point is that there are many pitfalls, and you don't want to victimize yourself and your client unknowingly. Obviously, nobody wants to be in this burdensome position. Beginner mistakes can sometimes cost dearly. Here are some solutions you should consider to mitigate the security and cost risks.

Solutions

  • Invest in sysops and devops. Provide training to employees and help them develop the in-demand skills. You could start by subscribing to training services such as A Cloud Guru or Udemy. The next step is to gain experience by putting the training into practice. Modernising and deploying internal applications to the cloud will help. The team could then start performing some devops work in collaboration with experts or mentors. The journey is interesting and results in building some key skills in today's cloud industry.
  • Partner with devops companies. Just as software consultancies focus on software development, devops companies focus on sysops and devops. Engage in such partnerships early on, when the software architecture is still being developed. Devops teams can help developers navigate the cloud by formulating frameworks specific to the application. Devops consultants often help choose the right tools and practices to deploy the applications in the cloud. Deployment is just one part of the process. Managing it is another. Management includes cloud economy, security, scalability and performance optimization. These types of jobs are best suited to sysops specialists.
  • Say no to sysops and devops. Although the idea has negative connotations, it is the best way to avoid issues later in the project. You could simply ask the client to manage the cloud and deployment themselves or to find a devops company themselves.