does16 london - gareth rushgrove - communication between tribes: a story of silos, devops and...
TRANSCRIPT
(without introducing more risk)
Communication between Tribes
Puppet
Gareth Rushgrove
A story of silos, Devops and Government
@garethr
Backstory
The very abridged version
GDS: Government Digital Service
Gareth Rushgrove, Technical Architect, Government Digital Service, @garethr
I’m no longer a civil servant. Thank you to everyone who is.
I learned the importance of communication first hand; from successes, failures and relentless observation
- Stories from Government
- The importance of language
- The power of stereotypes
- A few tips
Different Languages
One for each silo
Appreciating you’re a silo
Agile, lean, scrum, containers, iteration, stack, hypervisor, nosql, serverless, cloud, velocity…
Developer silo
Incident, event, problem, COBIT, configuration management, capacity management, CAB…
IT silo
APT, threat model, risk, cyber, mitigation, control, kill chain, threat intelligence, opsec
APT, assume compromise, threat model, risk, mitigation, control
Security silo
SPAD, MCO, GPG, CESG, CERT, GDS, IDP, DTO, 18F, USDS, IL3, OCTO, EUD
SPAD, MCO, GPG, CESG, CERT, GDS, IDP, DTO, 18F, USDS
Government silo
lingo (noun; plural noun: lingoes): the language and speech, especially the jargon, slang or argot, of a particular field, group or individual
Language acts as a barrier to entry to different communities
Language differences reinforce organisational silos
Tip: Identify words in your organisation that are only in use in certain groups or teams
The New Service Management
Talking ITIL and agile
At GDS we talked a lot about Design, User Research, Agile and Open Source because they were fairly new to Government
We talked a lot about discovery and alpha because people started there
We hired a lot of software developers because Government had very few
We didn’t talk enough about operations (to begin with because we weren’t running anything)
Tip: Don’t take things for granted, communicate about everything you care about
Tip: Words often carry the weight of past experiences and other organisations
“Will the release really work?”
Paraphrasing one of my colleagues from 2012
“Yes. We’ve done it more than 1000 times. I’m confident it works now”
Paraphrasing me
Early members of GDS were mainly from media, startup and technology backgrounds
The formal language of Service Management* was unfamiliar to most
*Ironically, ITIL was a creation of CCTA, a UK Government agency
But practices like automation, developers on-call, configuration management, continuous deployment, and automated testing were second nature
Tip: Transformation often means new types of people. They will bring their own language and assumptions
“We cancelled one configuration management effort because we couldn’t keep the spreadsheet up to date”
Remembering one conversation with a Government department
“The recommendation was to move from quarterly releases to one release every 6 months”
Remembering one conversation with a Government department
“Oh, we use an open source configuration management tool which reports state every 30 minutes for every device”
Remembering one conversation with a Government department
Tip: Overlapping words from different tribes are often a great place to start collaborating
Stereotypes
Understanding what people think of you
A lack of personal relationships, sometimes caused by the inability to communicate, leads to stereotypes
stereotype (noun; plural noun: stereotypes): a widely held but fixed and oversimplified image or idea of a particular type of person or thing.
No
Shiny new technology!
We need bimodal IT
What grade are you?
Developer
Government
IT
Security
Some silos are organisational
Many silos are personal
BOFH (Bastard Operator from Hell): a fictional rogue systems administrator who takes out his anger on users and others who pester him with computer problems
Tip: Subverting stereotypes as a way to build relationships
Security Says No?
Experts, intermediaries and end users
Scaling finite expertise is often done with stacks of paper policy
Making use of stacks of paper policy often involves middlemen
Having direct access to real domain experts* is awesome
*Unfairly in my case that mean
“I think you’ll find you can’t do that because of my interpretation of this wording in GPG13”
Unfairly paraphrasing countless conversations with intermediaries
“Let’s just ring Richard from GCHQ and see what he thinks”
Unfairly paraphrasing countless conversations with intermediaries
“…!”
Paraphrasing countless conversations with intermediaries
Tip: Don’t let scarcity of expertise lead to unapproachable stereotypes
Code as a Communication Medium
Bridging policy and practice
The dreaded incident severity conversation
Critical, Major, Minor, P1, Sev2
Stage 1: Everyone thinks everything is critical
Stage 2: Everyone thinks all incidents for their own service are critical
Feature: Search

  @high
  Scenario: check search results on unified search
    Given I am testing through the full stack
    And I force a varnish cache miss
    When I search for "tax" using unified search
    Then I should see some search results

  @normal
  Scenario: check organisation filtering on unified search
    Given I am testing through the full stack
    And I force a varnish cache miss
    When I search for "policy" using unified search
    Then I should see organisations in the unified organisation filter

  @normal
  Scenario: check sitemap
    Given I am testing through the full stack
    And I force a varnish cache miss
    When I get the sitemap index
    Then It should contain a link to at least one sitemap file
    And I should be able to get all the referenced sitemap files

GOV.UK Smoke Tests
The ambiguous nature of the written word
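The @high and @normal tags on the smoke tests above can serve as the severity definition itself: whichever scenarios fail decide the incident priority, with no wording left to interpret. The sketch below is an added example, not code from the talk or from GOV.UK; the tag ranking, the default for untagged scenarios, the third scenario and the function names are assumptions.

```python
# Added example: derive an incident priority from smoke-test tags.
# Constructed feature text in the style of the slide; the tag ranking
# and the "normal" default are assumptions, not GOV.UK's own rules.
FEATURE = """\
Feature: Search

  @high
  Scenario: check search results on unified search
    When I search for "tax" using unified search
    Then I should see some search results

  @normal
  Scenario: check sitemap
    When I get the sitemap index
    Then It should contain a link to at least one sitemap file

  Scenario: check autocomplete
    When I type "ta" into the search box
    Then I should see some suggestions
"""

RANK = {"high": 1, "normal": 2, "low": 3}  # lower number = more severe
DEFAULT = "normal"                          # used for untagged scenarios

def scenario_priorities(feature_text):
    """Map each scenario name to the most severe priority tag it carries."""
    priorities, inherited, pending = {}, [], []
    for line in (raw.strip() for raw in feature_text.splitlines()):
        if line.startswith("@"):
            pending += [tag.lstrip("@") for tag in line.split()]
        elif line.startswith("Feature:"):
            inherited, pending = pending, []   # feature tags apply to all
        elif line.startswith("Scenario:"):
            tags = [t for t in inherited + pending if t in RANK]
            name = line[len("Scenario:"):].strip()
            priorities[name] = min(tags, key=RANK.get) if tags else DEFAULT
            pending = []
    return priorities

def incident_priority(feature_text, failed_scenarios):
    """Priority of the incident implied by a set of failed smoke tests."""
    priorities = scenario_priorities(feature_text)
    unknown = sorted(set(failed_scenarios) - set(priorities))
    if unknown:
        raise KeyError(f"scenario not in feature file: {unknown}")
    hit = [priorities[name] for name in failed_scenarios]
    return min(hit, key=RANK.get) if hit else None
```

Because the priority is read from the same file the test runner executes, changing a service's severity becomes a reviewed change to a tag rather than a negotiation during an incident.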
Lots of opportunities for policy as code
// Should cache responses for the period defined in a `Cache-Control:
// max-age=n` response header.
func TestCacheCacheControlMaxAge(t *testing.T) {
	ResetBackends(backendsByPriority)

	const cacheDuration = time.Duration(5 * time.Second)
	headerValue := fmt.Sprintf("max-age=%.0f", cacheDuration.Seconds())

	handler := func(w http.ResponseWriter) {
		w.Header().Set("Cache-Control", headerValue)
	}

	req := NewUniqueEdgeGET(t)
	testRequestsCachedDuration(t, req, handler, cacheDuration)
}
CDN Acceptance Tests
Scenario: The application should not contain SQL injection vulnerabilities
Meta: @id scan_sql_injection @cwe-89
Given a scanner with all policies disabled
And the SQL-Injection policy is enabled
And the attack strength is set to High
And the alert threshold is set to Low
When the scanner is run
And the XML report is written to the file sql_injection.xml
Then no Medium or higher risk vulnerabilities should be present
BDD Security
package { 'openssh':
  ensure => latest,
}
Puppet
Tip: Where possible combine policy with implementation
Conclusions
If all you remember is…
Share language as much as possible
Because sharing language makes shared tooling and process easier
And learning the language of another tribe is a fantastic way of breaking down silos
What I Don’t Know How to Do
Devops Enterprise Ask
What macro organisational structures limit the emergence of silos?
Thanks
Ask me questions later