By: Rakesh Kumar, Program Director

While IT service management (ITSM) has been the backbone of IT-enabled services and infrastructure, it has always had its share of conflicts with the application development world. This can be attributed to the pace of action that takes place and is anticipated by businesses for application development and releases. Hence, there has always been a need for a consistent framework and methodology that serves the need of the application development world in new-age, high-velocity environments. This is where DevOps comes in.

DevOps helps streamline the process of application development and release management. Its toolsets and principles clearly cut through the perceived red tape that allegedly slows down the speed and efficiency of ITSM. Later, there was a need to make security a part of development cycles, and ‘Sec’ from security found its place in the jigsaw of DevOps, making it DeVSecOps.

However, does DevSecOps completely address the needs of both the ‘services’ and ‘development’ world? This question often causes a lot of confusion for designers, architects, sales professionals, and delivery managers.

While Information Technology Infrastructure Library (ITIL®) has arguably remained the bible for ITSM, its lack of agility had always been in question till version 3-2011. Its change and release management, though comprehensive, does not provide the right directions for fast-paced IT and application releases. This created further confusion in the minds of enterprise architects who were tasked to create operating models.

Given that the challenge was real, in 2014, Gartner coined the term ‘BiModal IT,’ which essentially meant creating two layers of IT, working in two different modes. Mode One is traditional and sequential, emphasizing safety and accuracy, in areas that are predictable and well understood, while Mode Two is more exploratory, emphasizing agility and speed for solving emerging problems. However, managing this structure was still a challenge, as it needed duplication of efforts and redundant investments for two different sets of modes. It’s still prescribed and followed, explicitly or implicitly, hence the need to reimagine it.

The challenge is further amplified with the advent of cloud. The existing ITSM and concepts of configuration management are questioned in terms of efficiency when multiple cloud vendors provide components leading to rapid changes. The development activities through containers and microservices need special provisions for management and control.

ITIL 4 ®, the latest release, attempts to address this by introducing High Velocity IT (HVIT) to its publications. The publications prescribe several focus areas that aim at bringing agility and security to the hitherto vanilla ITSM. These include:

• Valuable Investments
• Fast Deployment
• Resilient Operations
• Co-created Value
• Assured Conformance

However, the guidance remains at a high level and is of referential nature only. There is a need to develop a model that is more inclusive and repeatable for businesses that are digital and high velocity in nature. At a high level, this model should comprise:

• A unified service management toolset/platform with strong DevOps, security information and event management (SIEM), and governance components, which are seamlessly connected
• Integrated cross functional composition of operations teams with
  • Incident operations comprising of security, application, and infra events and incidents (no separate teams)
  • Change and release operations, with provisions for gatekeeping only for qualified changes, while all other low impact releases are to be allowed through DevSecOps cycles, thereby mandatorily leaving an audit trail in the centralized ITSM system
  • Configuration management, with modern discovery techniques to cover for cloud, containers, etc., in an automated manner, with minimal human intervention. Automated drift analysis and update of Configuration Management Data Base (CMDB) to facilitate frequent audits and compliance.
• Governance, enabled by integrated dashboards across security, ITSM, and release management
  • Two (minimum) levels of governance
    • Operational
      • Enabled by automation, decision support systems, auto-heal/zero touch operations, and reporting, besides proactive threat, vulnerability, and risk management
    • Strategic
      • Enabled by smart dashboards, business-aligned service levels, strategy validation, and OCM (organizational change management)

Even though this is simple to iterate, there are changes that need to be made at various levels for implementation. These may include:

• Felling of the wall between the apps and infra worlds when it comes to structuring organizations
• Establish Common team to drive both DevSecOps and ITSM, hence putting the two disciplines under the same umbrella of Service Management
• Sales and presales support for popularizing and adopting new modes of operations amongst the customers
• Setting up a modern delivery organization with zero touch operations and staff skilled in automation and deploying changes as codes
• Investments in tools and platforms for developing unified ITSM-DevSecOps tools

Conclusion:

Having looked at the relevance of DevSecOps and the reliability of ITSM principles, there can be no way of avoiding them in modern businesses that are driven by IT services, The only way forward lies in marrying the two and reaping the benefits of both worlds. This is achievable only through finding common grounds between these two vast aspects, instead of looking at and treating them as separate entities.