DevSecOps Resolving IT Friction In The Cloud

In this post, I’m going to discuss how to solve an age-old problem that still hurts us in The Cloud with DevSecOps: the on-going friction between devs and ops and how the adoption of the cloud is making this worse.

Us Versus Them

Let me say this first: when I worked as a sys admin, I was a “b*st*rd operator from hell”. I locked things down as tight as I could for security and to control supportability. And as you can imagine, I had lots of fans in the development teams – not!

Ops and devs have traditionally disliked each other. Ops build the servers perfectly. Devs write awesome code. But when something goes wrong:

  • Their servers are too slow
  • Their architecture/code is rubbish

Along Came a Cloud

The cloud was meant to change things. And in some ways, it did. In the early days, when AWS was “the cloud”, devs got a credit card from somewhere and started building. The rush of freedom and bottomless resources oxygenated their creativity and they built and deployed like they were locked in a Lego shop for the weekend.

Eventually, the sober-minded Ops, Security, and Compliance folks observed what was happening and decided to pull the reins back. A “landing zone” was built in The Cloud (now Azure and others are in play) and governance was put in place.

What was delivered in that landing zone? A representation of the on-premises data center that the devs were trying to escape from. Now they are told to work in this locked-down environment and the devs are suddenly slowed down and restricted. Change control, support tickets, and a default answer from Ops of “no” means that agility and innovation die.

But here’s the thing – the technology was a restricting factor when working on-premises: physical hardware and 100% IaaS mean that Ops need to deliver every part of the platform. In the cloud, technology wasn’t the cause of the issue. The Cloud started with self-service, all-you-can-eat capacity, and agility. And then traditional lockdowns were put in place.

Business Dissatisfaction

A good salesperson might have said that there can be cost optimisations but cost savings should not be a primary motivation to go with the cloud. Real rewards come from agility, which leads to innovation. The ability to build fast, see if it works, develop it if it does, dump it if it doesn’t, and not commit huge budgets to failed efforts is huge to a business. When Ops locks down The Cloud, some of the best features of The Cloud are lost. And then the business is unhappy – there were costly migration projects, actual IT spend might have increased, and they didn’t get what they wanted – IT failed again.

By the way, this is something we (me and my colleagues at work) have started to see as a trend with mid-large organisations that have made the move to Azure. The technology isn’t failing them – people and processes are.

People & Processes

Technology has a role to play but we can probably guesstimate that it’s about 20% of the solution. People and processes must evolve to use The Cloud effectively. But those things are overlooked.

Microsoft’s Cloud Adoption Framework (CAF) recognises this – the first half of the CAF is all about the soft side of things:

The CAF starts out by analysing the business wants from The Cloud. You cannot shape anything IT-wise without instruction from above. What does the business want? Do you know who you should not ask? The IT Manager – they want what IT wants. To complete the strategy definition, you need to get to the owners/C-level folks in the business – getting time with them is hard! Once you have a vision from the business you can start looking at how to organise the people and set up the processes.

Organisational Failure

Think about the structure of IT. There is an Ops team/department with a lead. That group of people has pillars of expertise in a mid-large organisation:

  • The Windows team
  • Linux
  • Networking
  • SAN
  • And so on

Even those people don’t work well in collaboration. There is also a Dev department that is made up of many teams (workloads) that may even have their own pillars of expertise – some/many of those are externals. There is no alignment or collaboration between all the parties involved in building, running, and continuously improving a workload.

DevOps

DevOps is a methodology that brings Ops and Devs together in actual or virtual teams for each workload. For example, let’s say that a workload requires the following skills from many teams/departments:

  • .NET developers
  • Application architect
  • Infrastructure architect
  • Azure operators

That might be skills from 4 teams. But in DevOps, the workload defines a virtual or actual team of people that will work on that application and its underlying infrastructure together. The application and infrastructure architects will design together. The devs and ops skills will work together to produce the code that will create the underlying platform (PaaS and/or IaaS) that will be continuously developed/improved/deployed using GitHub/DevOps actions/pipelines.

Agile methodologies will be brought into play:

  • Work through epics, user stories, features and tasks (backlog)
  • That are scheduled to sprints (kanban board)
  • And are assigned to/pulled by members of the DevOps team (resource planning)

What has been accomplished? Now a team works together. They have a single vision through a united team. They share a plan and communicate through daily standup meetings and modern tooling such as Teams. By working as one, they can produce code fast. And that means they can fail fast:

  • Produce a minimally viable product
  • Test if it works
  • If it does, improve on it in sprints
  • If it doesn’t, tear it down quickly with minimal money lost

DevSecOps

In The Cloud, modern workloads are presented to clients over the Internet using TLS. The edge means that there is a security role. And in a good design, micro-segmentation is required, which means an expanded security role. And considering the nature of threats today, the security role should have some developer skills to analyse code and runtimes for security vulnerabilities.

If we don’t change how the security role is done then it can undo everything that DevOps accomplishes – all of a sudden a default “no” appears, halting all the progress towards agility and innovation.

DevSecOps adds the security role to DevOps. Now security personnel are part of the workload’s team. They will be a part of the design process. They will be the ones that either implement in code and/or review firewall rules in the pull request. Elements of security are moved from a central location out to the repos for the workloads – the result is that the what and who don’t change; all that changes is the where.
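As an added example (not code from the original post), here is the sort of pull-request gate a security person on the workload team could commit alongside the infrastructure code, so that the firewall rule review happens in the pipeline rather than in a central ticket queue. It assumes the workload’s rules are an Azure Network Security Group (NSG) in an ARM/JSON template in the repo and that the GitHub Actions or Azure Pipelines job runs the script on every pull request. The sample template is constructed for illustration, the NSG and rule names are hypothetical, and the list of management ports is an assumed team policy, not an Azure default.

```python
"""Pull-request gate for NSG rules kept in the workload's repo.

Added example, not code from the original post. Assumes the rules are an
Azure NSG resource in an ARM/JSON template; names below are hypothetical and
the management-port list is an assumed team policy.
"""
import json
import sys

# Ports that must never be opened to the whole Internet (assumed policy).
MANAGEMENT_PORTS = {22, 3389, 5985, 5986, 1433, 3306}

# NSG source prefixes that mean "anywhere".
ANY_SOURCES = {"*", "0.0.0.0/0", "Internet"}

# Constructed sample ARM template: two rules break the policy, the rest do not.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [{
        "type": "Microsoft.Network/networkSecurityGroups",
        "name": "nsg-web",
        "properties": {"securityRules": [
            {"name": "allow-https", "properties": {
                "direction": "Inbound", "access": "Allow", "priority": 100,
                "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}},
            {"name": "allow-rdp-from-anywhere", "properties": {
                "direction": "Inbound", "access": "Allow", "priority": 110,
                "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
            {"name": "allow-winrm-from-internet", "properties": {
                "direction": "Inbound", "access": "Allow", "priority": 120,
                "sourceAddressPrefixes": ["0.0.0.0/0"],
                "destinationPortRanges": ["5985-5986"]}},
            {"name": "allow-ssh-from-bastion", "properties": {
                "direction": "Inbound", "access": "Allow", "priority": 130,
                "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "22"}},
            {"name": "deny-all-inbound", "properties": {
                "direction": "Inbound", "access": "Deny", "priority": 4096,
                "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
        ]},
    }],
})


def _dest_ports(props):
    """Expand destinationPortRange(s) into a set of ints; None means all ports."""
    ranges = [str(r) for r in props.get("destinationPortRanges", [])]
    if "destinationPortRange" in props:
        ranges.append(str(props["destinationPortRange"]))
    ports = set()
    for r in ranges:
        if r == "*":
            return None
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(r))
    return ports


def _sources(props):
    """Collect sourceAddressPrefix and sourceAddressPrefixes into one set."""
    srcs = set(props.get("sourceAddressPrefixes", []))
    if "sourceAddressPrefix" in props:
        srcs.add(props["sourceAddressPrefix"])
    return srcs


def find_risky_rules(template):
    """Inbound Allow rules that expose a management port to an any/Internet source."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule.get("properties", {})
            if p.get("direction") != "Inbound" or p.get("access") != "Allow":
                continue
            if not _sources(p) & ANY_SOURCES:
                continue  # source is a specific prefix, e.g. a bastion subnet
            ports = _dest_ports(p)
            exposed = MANAGEMENT_PORTS if ports is None else ports & MANAGEMENT_PORTS
            if exposed:
                findings.append({"nsg": res.get("name"), "rule": rule.get("name"),
                                 "priority": p.get("priority"), "ports": sorted(exposed)})
    return findings


def check_template_text(text):
    """Parse template JSON text and return the list of findings."""
    return find_risky_rules(json.loads(text))


def is_clean(text):
    """True when there are no findings, i.e. the pull request may merge."""
    return not check_template_text(text)


if __name__ == "__main__":
    # Pipeline usage: python nsg_gate.py path/to/template.json (exit 1 blocks the PR)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for f in check_template_text(text):
        print(f"BLOCK {f['nsg']}/{f['rule']} (priority {f['priority']}): "
              f"ports {f['ports']} open to the Internet")
    sys.exit(0 if is_clean(text) else 1)
```

Run against the sample, the gate blocks the RDP and WinRM rules and lets the HTTPS rule and the SSH-from-bastion rule through; a non-zero exit code is what makes the pipeline fail the pull request, so the reviewer’s “no” is attached to the specific rule in the diff instead of to the whole deployment.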

Influence

Introducing the sort of changes that DevSecOps will require is not going to be easy or quick. We can do the tech pieces in Azure pretty easily, actually, but the people might resist and the processes won’t exist in the organisation. Introducing change will be hard and it will be resisted. That’s why the process must be led from the C-level.

Got Something To Add?

What do you think? Please comment below.

Video–Azure File Sync

I’ve produced and shared a short video (12:33 minutes) to explain what Azure File Sync is, what it will do for you, and there’s a quick demo at the end. If you want to:

  • Synchronise file shares between offices
  • Fix problems with full file servers by using tiered storage in the cloud
  • Use online backup
  • Get a DR solution for file servers, e.g. small business or branch office

… then Azure File Sync is for you!

Was This Post Useful?

If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in Amsterdam on April 19-20, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here.

My Appearance on Windows Weekly

If you don’t know it, Windows Weekly on the TWiT podcast network, is one of the (if not the) biggest Microsoft news podcast around. I’ve been a listener for a long time, and enjoy the news & conversations between the hosts, with news coming from Mary Jo Foley and Paul Thurrott. Because of my writing on Petri.com, a sister site of Paul’s site, I’ve gotten to meet Paul a few times. Mary Jo and I have talked a few times and met at conferences over the years – she gave me a massive opportunity a few years ago by inviting me to do a guest article on her site while she was on vacation. Both are real journalists using the blogging platform, and they’re the sort of people I respect in the media … and they’re nice people too.

I first met them in person at the TechEd in New Orleans when I was given a press pass. I was sitting out in the press room, and the two megastars of Microsoft news sat across the table from me. I kind of nerded out.

Anyway … I’m here at the Ignite conference and Mary Jo and Paul were doing a live recording of Windows Weekly in a studio that Microsoft had set up to do various live community podcasts throughout the week. I’d always thought that I’d love to visit the studio in California when Windows Weekly was on but never had the chance. This was an opportunity to sit in and enjoy the show live instead of in my car while commuting to/from work. I sat in, and it was enjoyable. As usual, the two had some background news and information from interviews with senior Microsoft staff that filled out knowledge that I had.

Often at recording at events, the show opens up an audience mic for Q&A. I think at one point Paul said something about “why is there no Cortana in my country”. After a series of questions where Windows Phone came up, I decided to walk up and offer up something different. It starts at the 1:25:49 mark.

It was very cool to appear, even in a tiny way, on a show that has informed me so much over the news. Thanks Paul & Mary Jo, and to the TWiT network for the opportunity!

My Experience at Cloud & Datacenter Conference Germany

Last week I was in Munich for the Cloud & Datacenter Germany conference. I landed in Munich on Wednesday for a pre-conference Hyper-V community event, and 2 hours later I was talking to a packed room of over 100 people about implementing Azure Site Recovery with Windows Server 2016 Hyper-V. This talk was very different to my usual “When Disaster Strikes” talk; I wanted to do something different so instead of an hour of PowerPoint, I had 11 slides, half of which were the usual title, who I am, etc, slides. Most of my time was spent doing live demos and whiteboarding using Windows 10 Ink on my Surface Book.


Photo credit: Carsten Rachfahl (@hypervserver)

On Friday I took the stage to do my piece for the conference, and I presented my Hidden Treasures in Windows Server 2016 Hyper-V talk. This was slightly evolved from what I did last month in Amsterdam – I chopped out lots of redundant PowerPoint and spent more time on live demos. As usual with this talk, which I’d previously done on WS2012 R2 for TechEd Europe 2014 and Ignite 2015, I ran all of my demos using PowerShell scripts.


Photo credit: Benedikt Gasch (@BenediktGasch)


One of the great things about attending these events is that I get to meet up with some of my Hyper-V MVPs friends. It was great to sit down for dinner with them, and a few of us were still around for a quieter dinner on the Friday night. Below you can see me hanging out with Tudy Damian, Carsten Rachfahl, Ben Armstrong (Virtual PC Guy), and Didier Van Hoye.


As expected, CDC Germany was an awesome event with lots of great speakers sharing knowledge over 2 days. Plans have already started for the next event, so if you speak German and want to stay up to speed with Hyper-V, private & public cloud in the Microsoft world, then make sure you follow the news on https://www.cdc-germany.de/

Satya Nadella & Brad Smith Speaking at Microsoft Ireland Tech Gathering

I attended today’s Microsoft Ireland Tech Gathering, a surprising event for Microsoft Ireland – they do very little in the public anymore. What’s even more surprising is that Microsoft CEO, Satya Nadella, is in town to speak (here, an earlier CEO breakfast, and a later education event by Dublin City University). Nadella is doing the keynote. I’m in the 7th row, and I have a heavy camera to swing/throw if he talks about Cortana – which only works in 10 countries, and Ireland is not one of the ten (just kidding, big security dudes!).

All photos in this post are the property of Aidan Finn and may not be used without my permission – just ask, it’s easy!

Claire Dillon

The group lead of the local DX (Developer Experience) team takes the stage. She explains what DX is, a team now focused on development (technical architects) and business (account managers) in the cloud, no longer the mix of devs and IT pros that DPE once was.

There’s a quick reminder of the last Microsoft year. And open source is highlighted.


The world is changing very rapidly. Mobile, cloud, data growth, machine learning, AI, augmented reality …me: these aren’t endpoints, they are the start of a journey. Industries are changing, and cloud/mobile has set an expectation that goods/services are delivered immediately.

There’s an opportunity for small start-up companies in the cloud – they are flexible and can be disruptive to the larger incumbents. Microsoft Encarta killed Encyclopaedia Britannica’s 244-year-old published product. But EB is more profitable than ever! They adapted and transformed to embrace the Internet for delivering their product. Wikipedia is a newer threat to EB. EB focused on a quality and fact-checked product, and customers that required that: education, for example.

IT pros and developers are in for an exciting time. Things are changing, and resistance is futile. Some facts:

  • Outlook.com:400 million active users.
  • Office on 340 million mobile devices.
  • Skype users using 3 billion minutes of calls. Skype Translator doing real time comms in 8 languages.
  • 40% of Azure income coming from small business and start ups. 1 in 3 Azure VM are Linux. The data centres consume less than 50% of the power of traditional data centres. 80% of large enterprises using MSFT cloud.

Today will be all about the digital transformation.

  • Satya Nadella, Brad Smith, and Irish MD will evangelize.
  • Then customers will talk about their journey, including some open source.


Cathriona Hallahan

MD of MS Ireland. Large breadth of people here: partners, bloggers, media, small customers and large.

Microsoft has transformed under Satya Nadella.


Satya Nadella

CEO of Microsoft.

Vision: to empower every person on the planet to do more. Every product that they make is shaped by this vision. People build institutions to outlast them, including software.


It’s not about MS tech, it’s about what happens with that technology when it’s in customers hands, and how they can transform.

Mobility is not about a device, it’s about our mobility across all the devices in our life. Seamless movement is only possible in the cloud. This is why cloud first, mobile first are happening at the same time. Cloud computing is not a single destination – it’s a distributed computing service.

Digital transformation that customers will achieve through this technology is what is important. Microsoft is building this out through a hyper scale global cloud. 6 regions in Europe. The North Europe region (Dublin) is expanding – there are planning applications/decisions in the local news every now and then.

Azure is being built out as the first AI super computer (SkyNet).

Every compute node in Azure has FPGA’s now. You can distribute your AI across this fabric. N-Series NVIDIA chipsets provide great processing for AI too. But raw infrastructure is not enough. The magic is in software. Microsoft is state-of-the-art in speech and object recognition. Doing stuff with deep neural nets.

The Bot framework was launched 6 months ago. 4500 developers are building new kinds of apps on this framework. Graph gets a nod. Dynamics 365 is brought up – how can we think about business process as a continuum of productivity and comms, instead of putting it into a silo? Every company is becoming a digital company. You want to be able to empower every employee in your company with data, information, and analytics. Predictive and analysis power will be the new strength of a business – can you do it better and faster than your competitor and jump on opportunities. Can you predict service failures and proactively remediate? For example, factory can shift from focusing on the thing they make to the service they offer.

He refers to a digital feedback loop – data coming in and coming back out as intelligence.

How is all this going to diffuse through the world? In Europe, they see a broad spectrum of uses in Europe, and by European companies around the world. Access to the technology is critical. A Swiss company called Temenos has democratized access to banking s/w in Asia. They use the public cloud – there’s a video.


Some local Irish examples. He met with AIB and talked about their strategies. They are using the cloud and their data centers to transform customer banking. Office 365 is being rolled out to empower employees. Cubic Telecom is working with the automotive industry – to connect every car to a mobile phone network – s/w allows a car to move to any region and have network support without changing hardware. eHealth Ireland is connecting patients with doctors, providing information in patients’ most vulnerable moments.

In the future, this infinite cloud infrastructure and new types of devices (AR, VR, IoT) is what will transform every life and every industry. HoloLens is an infinite display – mixing realities. Another video.

When you change the way you see the world, you change the world you see.

It is incumbent on technology pros and government to ask if a tech is going to help everyone on the planet. MSFT launching a book called a cloud for global good.


Brad Smith

Chief legal man in Microsoft.

Started his career in MS France. Talks about the history of MS in Ireland – from manufacturing CDs, to eventually being involved in a global cloud issue. Their data center in Ireland led to litigation in the USA about the FBI demanding access to a mailbox in Dublin – Microsoft won, in case you didn’t know. It was good news for Microsoft, and great news for the cloud. Microsoft is touring Europe this week to talk about the globality of the cloud.

He reckons that the cloud is a new industrial revolution – a recap of what he presented at WPC earlier this year.

The cloud is powering all of the current digital transformations. How do we ensure that this cloud serves everyone and not just the lucky few? We need to act with shared responsibility. The new book has 72 recommendations to ensure a cloud for global good.


We need a new set of cyber security rules. We need personal rights for data crossing borders.

We need more than just trust. We need a cloud that is responsible, and respects human rights and public safety.

We need to advance sustainability. MS data centers already consuming the same power as a small US state. This is escalating. MS committed to get better every year on use of renewable energy and to be transparent. By 2018, it’s to hit 50% or better, and 60% in the next decade … but they need help with supply.

We need laws to enable AI, but laws to control ethics.

The cloud needs to be more inclusive for people around the world. From access to digital literacy, developing skills for the next generations.

To build a digital economy, you need to build a learning economy. We need to connect rural communities – the cloud can reduce distances. We need to think about people with disabilities – 300 million are visually impaired. Over 1 billion have some kind of disability. They have potential to do great, but face obstacles to adopt and achieve.

Podcast – Talking Azure Backup with MVP Carsten Rachfahl

I had the pleasure of recording a podcast with my CDM (Hyper-V) MVP colleague and friend, Carsten Rachfahl, a few weeks ago. We talked about a few things, but the focus of the talk was cloud or hybrid backups using Azure Backup. You can watch the recording here.


Azure In-Place VM Migration Eliminates Reboots During Host Maintenance

Microsoft is finally making updates to Azure to reduce downtime to virtual machines when a host is rebooted.

Microsoft sent out the following announcement via the regular pricing and features update email to customers last night:

[announcement image]

That sounds like Quick Migration. So Azure has caught up with Windows Server 2008 Hyper-V. And it sounds like later in 2016, we’ll get Live Migration … yay … Windows Server 2008 R2 Hyper-V.

Seriously, though, Azure was never designed for the kinds of high availability that we put into an on-premises Hyper-V cluster. Azure is cloud scale, with over 1 million physical hosts. A cluster has around 1000 hosts! When you build at that scale, HA is done in a different way. You encourage customers to design for an army of ants … lots of small deployments where HA is done using software design leveraging cloud fabric features, rather than by hardware. But, when you have customers (from small to huge) who have lots of legacy applications (e.g. file server) that cannot be clustered in Azure without redesign/re-deployment/expense, then you start losing customers.

So Microsoft needed to make changes that acknowledged that many customer workloads are not cloud ready … and to be honest, most of the prospects I’ve encountered where code was being written, the developers weren’t cloud ready either – they are sticking to the one DB server and one web server model that has plagued businesses since the 1990s.

These improvements are great news … and they’re just the tip of last night’s very big and busy iceberg.

Webinar: Defending Today’s Threats With Tomorrow’s Security By Microsoft

I am presenting another webinar on July 21st at 2PM Irish/UK time, 3PM CET, 9AM Eastern, hosted by my employer, MicroWarehouse. The focus of this webinar will be security solutions … and I’m not talking old style stuff like AV scanning or proxy/firewalls. No, I’m talking about modern security solutions that are designed to deal with the sorts of threats that your yellow box scanners and Cisco/SonicWall firewalls are letting right through to trash your business.


You can register here.

Cloud & Datacenter Management 2016 Videos

I recently spoke at the excellent Cloud and Datacenter Management conference in Dusseldorf, Germany. There were 5 tracks full of expert speakers from around Europe, and a few Microsoft US people, talking Windows Server 2016, Azure, System Center, Office 365 and more. Most of the sessions were in German, but many of the speakers (like me, Ben Armstrong, Matt McSpirit, Damian Flynn, Didier Van Hoye and more) were international and presented in English.


You can find my session, Azure Backup – Microsoft’s Best Kept Secret, and all of the other videos on Channel 9.

Note: Azure Backup Server does have a cost for local backup that is not sent to Azure. You are charged for the instance being protected, but there is no storage charge if you don’t send anything to Azure.