The evolution of work in a DevSecOps world
Compared to just a few long years ago (that is to say, pre-pandemic) dev teams have grown irreversibly distributed, remote, and cloud-native. In addition, teams have become more empowered and independent. These developments have caused sea changes in the way organizations manage access to source code and cloud resources. Classic models for IT simply don’t apply to teams that are globally dispersed and continuously integrating; nor do they apply to systems and data that live entirely outside the organization’s domain. Classically trained IT staff also have difficulty re-training to support cloud platforms, causing delays and frustration for teams that are tasked with continuous delivery.
As a result, many of the duties normally undertaken by IT now fall on the shoulders of DevSecOps teams. Born of necessity, this approach has more or less worked, but no one believes (least of all the dev teams themselves) that the overhead of a full “shadow IT” approach is sustainable. Developers want to focus on creating new and interesting features and not on providing part-time IT or helpdesk support. Case in point: one dev manager said he was getting database access requests every 15 minutes, so the team finally spent 6 months developing a tool that IT could use to manage access requests. Another example: a CISO we work with found that his team had become the bottleneck for access requests from the sales team.
These types of chores are devastating for the productivity of dev teams. Interruptions of this kind are costly. ActiveState found in a 2019 survey that developers typically spend half of their day on tasks other than coding and that real coding time was shrinking year-over-year. From the survey:
Respondents were asked how many hours they spent programming on a typical day. Out of 1,250 responses, the biggest portion of surveyed respondents, 38.8%, spend only 2-4 hours a day programming. This is similar to 2018 results, which found 37% of respondents spend 2-4 hours a day programming. In contrast, only 27.92% of respondents spent 5-7 hrs a day programming, unlike 2018 results, which found 31% of respondents spent 5-7 hrs a day programming. Most notably, ActiveState’s 2019 Developer Survey results illustrate that as many as 61.52% of respondents now spend 4 hrs or less programming, while in 2018 only 51% of respondents spent 4 hrs or less programming. This is an approximate 20% decrease in time spent programming. And only 10.56% of respondents spend 8 or more hours programming in contrast to 2018’s 19%, a decrease of almost half.
In reaction to these market forces, a lot of voices are calling for a more distributed approach to IT. Renee McKenzie of OpenText wrote a thoughtful piece on the current transformation of IT. Speaking in favor of citizen development, she writes:
Today, I’m seeing a different approach, one in which IT can partner with different departments as opposed to policing them. Citizen development provides an opportunity to engage with the workforce to develop a sense of shared ownership of IT systems. This approach allows for the development of departmental-specific applications, based on a core IT stack. It also ensures there’s a personal stake across all departments (and not simply within the technology team) for the ongoing advancement and delivery of the systems, tools, and services that really drive an organization’s productivity.
This trend toward “citizen development” is also causing upheaval in the market for Identity and Access Management (IAM) products (and particularly for provisioning products), because existing IAM products enshrine the role of a central IT for administration and security. Just this week, Andre Durand illustrated how Identity Management is becoming more decentralized during his keynote at Identiverse 2022. In a DevSecOps world, a teams-based design is the best fit, and even mandatory, for today’s work environment. A team-centric approach means that resource owners can be almost anyone in the org; it means that owners control access according to their own particular needs; it means that access approvers are usually managers. Of course, SecOps and IT need to have visibility into permissions and oversight of all access activity.
At Trustle, we believe that the future of work is teams-based, so we built our product to support distributed teams while also allowing for more centralized management. That goal is even in our mission statement:
"Trustle’s mission is to evolve your company’s access management to today’s distributed reality easily, securely, and safely."
The IAM industry will look very different in the coming few years. A whole slate of new vendors and products will come on the scene and deliver services to DevSecOps teams that established IAM vendors aren’t positioned to provide. These products will make their way into organizations through departments outside of IT and will establish the basis for IT partnerships with other departments in the organization. Teams implementing these products will establish innovative practices to better support their work, maintain security, and govern cloud assets. With all these changes already in progress, IT departments should decisively move to begin partnering with DevSecOps teams and other departments to evolve to the new paradigm.