Compliance as a Feature, not Friction
The Cost of Compliance
Compliance teams have a difficult job. They must ensure that their organization is following its agreed-upon processes regarding internal strategy or policy, as well as any laws, regulations, and contractual obligations that might affect their industry. It’s impossible for them to watch everyone all the time, so the burden is often put upon developers to produce documentation or other artifacts that show they’ve followed the rules. Meanwhile, development teams are under pressure to work more efficiently, delivering new capabilities to customers as quickly as possible. A recent Gartner report, Innovation Insight for Internal Developer Portals, highlights this delicate balance between enforcing policy and enabling innovation.
Defined processes exist in all organizations and can act as a mechanism to balance speed against risk. Done well, a process should enable simplicity, streamline workflow, and eliminate waste. We don’t often think positively of process or compliance, and we tend to take the benefits of good compliance for granted. For example, I may occasionally grumble about two-factor authentication on my mobile banking app, but I wouldn’t use mobile banking without it. I sometimes wish that my bank would release new features more regularly, but then I also enjoy that I can rely upon the app to not make mistakes with my money. Compliance is a vital feature of our applications; it’s how we build a trusting relationship with our users.
So why is it that we often hear a collective groan whenever we talk about compliance?
Although many teams regularly review and improve individual steps of a process, all too often, there is limited review or ownership of an entire end-to-end process. Over time, an established process might expand with new steps without anyone looking at what can be removed, or how the interaction between steps and teams can be improved. When steps in a process aren’t useful, we experience friction. Just like in traditional engineering, when there is friction, things slow down and, if left unmanaged, this friction can damage an organization's critical component: its people. Developers want to be impactful, not wasting hours on administrative chores or carrying out manual, repetitive work that delivers little value and provides no mental challenge.
If you don’t pay attention to where your developers are losing cycles, you’ll soon find you’re losing good developers.
Compliance in a cloud native world
But enough doom and gloom! Let’s look at how modern application tools and practices can streamline your processes, remove developer friction, and use automation to improve software quality and security so that you exceed, rather than merely meet, your compliance goals.
In a cloud native world, making extensive use of version control and automated tooling can remove manual effort (and human error) from the equation. There are a few ways to do this:
Everything that happens to an application, or its configuration, is stored in a version control system with a clear record of any changes. All proposed modifications are programmatically tested and, ideally, peer reviewed before making their way toward production. There’s no need for emails or spreadsheets; you have instant live access to all your past and current configurations, letting you effortlessly compare states, identify how and when a change was introduced, and produce dashboards and other useful reports.
Continuous integration tools like Cartographer and Supply Chain Choreographer for VMware Tanzu enable teams to create pre-approved, paved paths to production that integrate automated code style checking, vulnerability scanning, functional testing, container image building, and deploying new application versions safely through dev, stage, and production clusters.
Tools like Ansible and Kubernetes operate on the principle of a “desired state,” whereby the tool compares the current configuration to a declared desired state and reconfigures the infrastructure to enforce that state. Kubernetes controllers do this continuously; Ansible does it each time a playbook runs, so drift is corrected only as often as the run is scheduled. In other words, any unauthorized change to a setting that is covered by the declared state will be detected and automatically rolled back, and the reconciliation itself becomes an auditable record of what deviated and when. Note the caveat: settings that are not declared are not watched, so the desired state must cover the controls the compliance team cares about. For large companies, VMware Tanzu Mission Control provides a unified policy engine to ensure a consistent state for Kubernetes clusters across cloud providers.
Taking that concept further, teams can remove much of the repeated “plumbing” involved in running applications by adopting a platform engineering approach. Rather than each development team spending time designing their own operating environment, an application-aware developer platform like VMware Tanzu Application Platform can automatically detect what your application needs and build a secure, consistent container image and deploy to a centrally managed hosting environment—both on-premises and in the public cloud. Immediately, compliance teams then have less variation and an ability to test and build confidence in the platform, rather than a thousand individual environments.
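To make the desired-state idea concrete, here is a minimal reconciler, added as an illustration and not code from VMware, Kubernetes, or Ansible. It models the control loop those tools run: diff an observed state against a version-controlled desired state, emit the corrective actions, apply them, and keep an audit log of exactly which deviation was reverted. The workload names, fields, and the "hand-edited" observed state are constructed sample data; note that the unmanaged "debug" workload is only caught because the desired state is treated as the complete inventory.

```python
"""Minimal desired-state reconciler (added example; not Tanzu/Kubernetes/Ansible code).

The loop is the one a Kubernetes controller runs continuously and an Ansible
run performs once: compare observed state to declared desired state, compute
corrective actions, apply them, and record what was reverted for audit.
"""
from copy import deepcopy
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

Spec = Dict[str, Any]
State = Dict[str, Spec]

# Constructed desired state, as it would be committed to version control.
DESIRED: State = {
    "web": {"image": "registry.example.com/web:1.4.2", "replicas": 3, "run_as_root": False},
    "api": {"image": "registry.example.com/api:2.0.0", "replicas": 2, "run_as_root": False},
}

# Constructed observed state: someone hand-edited "web" to run as root,
# scaled "api" beyond its declared size, and added an unmanaged "debug" workload.
OBSERVED: State = {
    "web": {"image": "registry.example.com/web:1.4.2", "replicas": 3, "run_as_root": True},
    "api": {"image": "registry.example.com/api:2.0.0", "replicas": 5, "run_as_root": False},
    "debug": {"image": "busybox:latest", "replicas": 1, "run_as_root": True},
}


@dataclass(frozen=True)
class Action:
    kind: str                 # "create" | "update" | "delete"
    name: str                 # workload name
    key: Optional[str] = None # field being corrected (updates only)
    want: Any = None          # declared value
    have: Any = None          # value found in the environment


def diff(desired: State, observed: State) -> List[Action]:
    """Return the actions needed to make `observed` match `desired`.

    Only declared fields are compared: an undeclared setting is not drift,
    which is why the desired state must cover every control that matters."""
    actions: List[Action] = []
    for name, spec in desired.items():
        if name not in observed:
            actions.append(Action("create", name))
            continue
        for key, want in spec.items():
            have = observed[name].get(key)
            if have != want:
                actions.append(Action("update", name, key, want, have))
    for name in observed:
        if name not in desired:   # desired state is the complete inventory
            actions.append(Action("delete", name))
    return actions


def apply(desired: State, observed: State, actions: List[Action]) -> State:
    """Apply actions to a copy of `observed` and return the new state (pure, for testing)."""
    new = deepcopy(observed)
    for a in actions:
        if a.kind == "create":
            new[a.name] = deepcopy(desired[a.name])
        elif a.kind == "update":
            new[a.name][a.key] = a.want
        elif a.kind == "delete":
            del new[a.name]
    return new


def reconcile(desired: State, observed: State, max_rounds: int = 5) -> Tuple[State, List[str]]:
    """Run the control loop until the environment matches the declared state.

    Returns (converged_state, audit_log). Each audit entry names the exact
    unauthorized deviation that was reverted, which is the evidence a
    compliance reviewer needs."""
    state = observed
    audit: List[str] = []
    for round_no in range(1, max_rounds + 1):
        actions = diff(desired, state)
        if not actions:
            return state, audit
        for a in actions:
            if a.kind == "update":
                audit.append(f"round {round_no}: {a.name}.{a.key}: {a.have!r} -> {a.want!r}")
            else:
                audit.append(f"round {round_no}: {a.kind} {a.name}")
        state = apply(desired, state, actions)
    if diff(desired, state):
        raise RuntimeError(f"did not converge after {max_rounds} rounds")
    return state, audit


if __name__ == "__main__":
    final_state, log = reconcile(DESIRED, OBSERVED)
    for entry in log:
        print(entry)
    print("converged:", diff(DESIRED, final_state) == [])
```

Run as a script it prints three audit lines (the root escalation on "web", the extra "api" replicas, and the deletion of "debug") followed by `converged: True`. The `diff` function is also what lets you "show what has not changed": an empty diff against the committed desired state is positive evidence for an auditor, not just the absence of a ticket.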
In a cloud native world, not only do we maintain a complete audit trail of every change, but we’re also able to show what has not changed in an environment. Compare this to a traditional enterprise in which there is so much fear around change that fewer release windows are made available, driving developers to squeeze more and more features into each window, which, counterproductively, increases the risk of each release and perpetuates the cycle. The VMware Tanzu team has observed that our most forward-looking customers use modern tooling and practices to be more targeted in their audit controls, to run smaller and more frequent change windows with shorter developer and audit cycles, and, most importantly, to end up with better software.
Operations-led growth
Optimizing processes and thinking of compliance as a product feature can have a dramatic effect on the ability of your business to meet customer demand and adapt quickly to changing markets. This not only results in smoother day-to-day operation but also acts as a potential lever to turbo-charge business growth. In a recent article, Mike Hayes, senior vice president and chief digital transformation officer at VMware, makes the case for operations-led growth as the “next frontier in customer value” and calls it a “gold mine for non-linear growth.” For a business to grow, it must become systematic in its approach so that it can scale exponentially without a similar growth in cost (i.e., people). Analysis of VMware's own business has shown that for every day we can give back to the sales force to focus on their core responsibilities, we can add $2.5 million to $3.5 million to VMware’s annual revenue. Hayes’s argument is simple: “Good process frees people’s time from administrative bloat, making them happier and more productive, encouraging them to stay at your organization longer, grow their skills, and cultivate stronger talent behind them.”
Three takeaways
Hopefully I’ve convinced you that compliance is an important feature of modern applications and have given you an idea of the kinds of tools available today that let organizations bake compliance into their daily practices, rather than have it turn into a “stop the bus” event the day before a big release.
If you’d like to spend more time delivering value and accelerating business growth, here are my top three recommendations for optimizing process, reducing friction, and improving the quality of your software:
Bring teams in your organization together to talk about what they need from your path to production, what’s working well, and where you can feel friction. Listen carefully to what your compliance team needs, then find smarter ways to deliver that.
Adopt version control and automation in every aspect of your development cycle, giving compliance teams ready access to past and current configuration data. Be patient with your compliance team; help them learn and develop dashboards that surface the information they need.
Learn more about a modular, application-aware platform such as Tanzu Application Platform that provides a rich set of developer tooling and a pre-paved path to production to help you build and deploy software quickly and securely on any compliant public cloud or on-premises Kubernetes cluster.
(an adapted version of this article also appeared on the VMware Tanzu Blog)