Come hear our #devops and #microservices journey in #IFSFconf2017!

Very grateful to be invited to speak in the International Forecourt Standards Forum (IFSF) Innovation and Collaboration Conf 2017 in Paris this year 🙂 If you are in town, swing by or hit me up on twitter, and let’s talk #docker #microservices #apis and #devops!

Advertisements

Come hear my rant @ Göteborg on the topic of #GDPR

You know you want to 🙂 Come hang for the rant, but stay for MĂ„rten RĂ„nge‘s session on Property Based Testing.

update 13.04.2017: slide deck avail here: https://github.com/yveshwang/presentations/tree/sthlm/impress.js/gbg

Implementing GDPR & Property Based Testing

Wednesday, Apr 12, 2017, 5:00 PM

Atomize AB
VÀstra Hamngatan 11 Göteborg, SE

25 Members Attending

Onsdagen den 12:e april kl17:00 vĂ€lkomnar Atomize AB tillsammans med SWENUG er till ett event dĂ€r Yves Hwang frĂ„n Circle K kommer prata om hur han implementerade GDPR dĂ€r. GDPR kommer 2018 och ersĂ€tter PUL och berör alla företag och myndigheter som handskas med kĂ€nsligt data som berör EU medborgare. Yves bor i Norge men hĂ€rstammar frĂ„n Australien d…

Check out this Meetup →

#GDPR, #devops, and some honest advice

Here are some free and honest advice on the topic of EU General Data Protection Regulation (GDPR) – because frankly we are a little tired of the corporate jargon.

Being a good custodian of personal data does not have to be scary nor difficult. I happen to think it is quite straight forward, though it can be a fair amount work. Most important piece of the puzzle for the data controllers or processors is that you will require a devops/fullstack team. If you are an old school enterprise, then you should have gone through some kind of I.T. transformation to embrace and put in place principles of devops. This is because during the process of working through the various controls surrounding personal data, chance are things will be missed, particularly if you have a very large portfolio. The only sure thing is that as an organisation, you can work in an iterative, lean and agile, and collaborative manner.

Some unsorted advice in bullet points below.

  • You should have a crew of fullstack devops superheroes for your customer facing application stack.
  • The definition of a customer facing application stack includes the full spectrum of interactions between the consumers and your organisation. This include direct user interactions all the way down to the back office. If you need personal data somewhere along the chain, then it is in scope.
  • As data controller or data processor, or both, you will not sell, distribute or own said data without clearly informing the users and obtaining consent at the very least.
  • You have evaluated if you need a Data Protection Officer (DPO), and if so, you have appointed or sourced one.
  • Customer facing application has clear privacy policies and terms and conditions
    Naturally your system follow and oblige these terms and conditions and privacy policies.
  • You may even have content or communiquĂ© explaining how you have secured your customers’ data.
  • Safe harbour and privacy shield is not settled yet. Avoid storing data in US physical locations to play it safe.
  • Should probably have infra as code (terraform or puppet etc) and be a little lean to be able to move data and applications from various public clouds or onprem setups when required.
  • Encryption matters. Don’t be an idiot. Do it at rest, and do it on transit and don’t use dated.
  • Use bcrypt or scrypt for password hashes, salted of course.
  • Exercising sound ITSec principles are a no brainer.
  • Spread the use of an unique user id across all system as a pseudonymisation effort and standardisation.
  • OAuth2 has a great selection of grant mechanisms that supports different ways of authentication and authorisation towards different systems and user-agents.
  • Build and customise your consent process to that of OAuth2.
  • Nuke data when your users wants out, including the source and integrated systems even with OAuth.

The hard truth is, GDPR is not in anyway shape or form finite or deterministic to warrant an engineering approach or a scientific model as basis for discussion. It is more likely that the process of addressing GDPR will be personalised and unique to each company. Ironically, it is a little like personal data itself. Most importantly, if you do not meet some of these devops requirements, you might want to start there first, and fast.

<rant>
I have been racking my brains trying not to sound like a giant multi level marketing douche on the topic of EU General Data Protection Regulation (GDPR). This is my nth attempt at drafting this blog post and literally the writing has gone from selling fear and greed to regurgitating some hallelujah self-help Secret-esque scheme that regurgitated the same old concepts like “consent”, “transparency”, “pseudonymisation”, that is suppose to concretely address “privacy by design”, “obligation of data controllers”, or “data subject rights” etc. Well, at least I will portrait an image of misguided confidence whilst oozing a ton of leadership if I may say so myself. Nevertheless, I personally feel some simple, down-to-earth steer is needed on the subject matter and I have decided to put it out to the universe.
</rant>

Thank you #devoxxpl! – Oh and today I saw the Donald Drumpf of devops: make devops great again?!

#Devoxx and #devoxxpl, what a fantastic experience in a wonderfully geeky city that is Krakow. The conference was a massive eye opener, from talks on the bleeding edge to discussion not far from the old school governance and architecture (yes, people still care about these discussions apparently). Indeed I felt very grateful to have presented my talk in #devoxx this year, mostly sharing our fun enterprise transformation journey and repping the Avengers (shout out to Warsaw yo!). I found my session to be very enjoyable particularly thanks to a very receptive audience. Thank you from the bottom of my heart 🙂 You all rocked!

One speaker that did stand out for me today was a talk about development culture, particularly about the lack of business sense developers had, and that these nerd are considered cost centers because they only wished to essentially waste funding to try out new tech. Seriously dude… you are the Donald Drumpf of devops and I am sub blogging you (I guess this is a thing now). It’s not like business side can’t be a cost center either and it is pure naivete to put them up on an undeserved pedestal.

I hope that particular message was not taken to heart by the audience, but instead I would say this. To my fellow devops and developers and admins alike. Thirst for knowledge. There is nothing wrong with chasing bleeding edge. This is the core of innovation and startup mentality.

Disruptive tech and business models like Bitcoins, Uber and AirBnB should be evidence enough that you do not need antiquated F.U.D. and this strange fixation on so called “business sense”. Grow as technologists and blossom into creative innovators. Give back to tech and your open source communities. Do not listen to the Donald Drumpf of devops and his spiel based on self doubts and guilt trips. Chase knowledge.

Devops is culture.

What #WoW has taught me about building a better #devops team in an enterprise

One does not need to look any further than World of Warcraft (WoW) to appreciate the beautifully enacted artistry that is teamwork. And it is exactly what an enterprise I.T. needs. Picture a cross functional and multidisciplinary team of rockstars working towards the same goal. This blog is about drawing a comparison between staffing up a devops team for product development in the same manner as running a team through an instance in WoW, dispelling any F.U.D. along the way, and getting that epic win for the enterprise.

Why gamers, why WoW?

Suffice to say as a developer, one spends countless hours in front of the PC. It is fair to say that some of us would at times play games together, or WoW to be exact. As Jane McGonigal @ TED 2010 spelled it out for us, that gamers are people whom has picked up the skill of solving extremely difficult problems in an collaborative and multidisciplinary setting. They are self motivated and extremely committed. The rationale can be mapped to the addictive feeling of an epic win. Achieving the insurmountable or being constantly on verge of an epic win is something quite familiar in the context of software development. I would argue that a typical software craftsman share a number of qualities with a successful WoW player:

  • continuous learning
  • application and adaptation of the knowledge they have gained throughout the years
  • mastery of the tools they use
  • deep understanding of the ecosystem they are working with
  • pride in their work and being extremely mindful towards quality

Why software craftsman matters? Because quite frankly, most business are going to be software houses. Digitisation is about doing things right by I.T. and your nerds are now your core business.

Gamers always believe that an epic win is possible, and that it’s always worth trying, and trying now. Gamers don’t sit around. Gamers are virtuosos at weaving a tight social fabric.
Jane McGonigal, Feb 2010 @ TED

Epic wins

The trick here is to make our daily work meaningful and as important as any other world saving quests. Provided time is not spent in meetings or corporate risk management theatre, I would argue most of what we do conjures up the same feeling of achievement. For example:

  • finding that extremely annoying bug and fixing it
  • putting together a super slick build automation pipeline
  • creating that killer UI, designing that awesome architecture then building it
  • ChatOps
  • deploying something automagically 20 to 50 times a day, and etc

These activities are all mini epic wins for me personally. We are your hipster superheroes after all.

This is a load of piss take. How about PCI-DSS, SOX, ITIL or COBIT?

If you are distracted by PCI-DSS, SOX and the like, start writing some code and run a few instances in WoW. Experience the magic first hand. And don’t forget to read this and this during your down time. Get over the smoke screens and get back on track with the epic wins.

“And this argument – that collaboration between silos, or even cross-functional teams, is forbidden by regulation or “best practice” – is an example of what we in the consulting industry call a bullshit smokescreen.”
Jez Humble, 19 October 2012

OK I’m onboard! Let’s go!

Assuming you are being innovative and building things from scratch, typically in WoW you need 1x tank, 1x healer, 3x DPS (Damage per second). Translating to software terms, you will need 1x tech lead, 3x fullstack devs, and 1x sysadmin. A 5-persons multidisciplinary team goes a long way. Let me break this down.

Tank/Tech lead: In WoW terms, your role is to take all direct damage for the team and be the leader of the pact. You draw and keep the attention of the epic boss to youself. You shield the team from a complete wipe. In software terms, you are a SCRUM master or the spiritual tech leader of the team. You take the unnecessary meetings and shield the team away from distractions. You might code a little or contribute to testing and test automation, or you might be a UX specialist. One of your main task is to free up time and space to enable your rockstar coders to code; aka DPS down that epic boss.

DPS/Rockstar coders: In WoW terms, you deal damage, hard and fast and consistently over a period of time. You are much more squishier than the tanks and you should not pull aggro to yourselves and burden the healer. In software terms, you are the rockstar coder with minimal meetings booked in your calendar. You churn out code, good quality code of course. Any rubbish spaghetti code is considered “drawing aggro” and will probably piss off your resident healer and tank. I would naturally recommend fullstack developers for all 3 roles with specific focus/spec on API/backend, frontend/UI, and automation.

Healer/Sysadmin: In WoW terms, you heal the team members, but mostly the tank. You do little damage yourself but are fully capable of keeping the entire team alive throughout the instance. In software terms, you are the sysadmin. You deal with the technical debt directly produced by the team members. You try to ship their work even at times knowing that they are produced way passed their Ballmer’s peak. You try to tune and configure the software to keep it alive. You care about performance and high availability. A healer is arguably the most critical role in the team. You must be more devops than the rest of the devops boys and girls, if you get my drift.

But an enterprise is more like a 40-men Onyxia raid back in vanilla days?!

This is absolutely true. Depending on the goal at hand, coming up with a functional governance model to work with 40 rockstars will be difficult. At a much larger scale, it is more about culture than anything else in my opinion. Your guild and guild master will be important, as their insight and coordination plays a critical role in the success. However, the fundamentals are the same. You still need small agile individual tribes or teams to perform certain tasks.

In summary: teamwork

It is fairly obvious to see that you absolutely require a diverse and cross functional team. No single role alone can build a winning product, or get that epic win, even for Linus Torvald.

“I can’t do UI to save my life. I mean if I was stranded on an island and the only way to get off that island was to make a pretty UI, I’d die there.”
Linux Torvald, 13 April 2016 @ TED

At the end of the day, working together is the essence of devops. In the meantime, I had a great time writing this post 😀 Big it up to the Avengers, our residence craftsman guild.

❀ Cap-A