Moving Bureaucracies Toward Modern Cloud Practice
Hi. Everyone, yeah as involved. At nine o'clock I'm going to ATF to Peterborough and I'll, be through, the agenda taste, of addiction it was talking to me, that's. Unless you don't have a quick. There. Yes. The. Do they mean as roughly a full, presentation, with drumming instruction then. We're going to talk about what. We see as the state of cloud today or rather the very cloudy Facebook, class today then. We'll talk about some of the best practices that we deserve right evil from, our own perspective, doing that the exact. Situation is every agency can and will vary so our words a not possible but they're a set of ideas that you can use will, just make you to different products at 18f. Team is run one, call one. Call federal, and use, each of them speeches and how we apply our, companies and hopefully, showing the results, and you can have from a final symbol. The. Person showing introductions, I'll be myself impeded my. Name is lil flat I joined in today join the government in. March 2015. I've, been doing. That from where, I was working with large hospitals, being large enterprise. Installation, I really, think the world is health care is pretty similar to the world government, I was / there's a lot of design becomes. A lot of different apartments cardiologists. Know exactly what to do there gasser and all these notes necklace you there it's not only a lot of commissions in analyzing, these are hot and I think the same thing applies to file programming, can really vary from, that office to office with, 81 agencies, but. The under one roof. Structure, can, will have comments or stories so, I'm happy to be here as a service, leader and I point out on the right side left side are, so many of our wonderful homes that you don't think visualize, adversity hearing us you know we hear the TV bus taught, and I dispute, arises other, person on the slide I have, a almost. Two years with the federal, government with ATF as, mentioned. Earlier introduction. I was originally trying to succeed as a business but, as I was working through masses. Of data I found that I took greater. Satisfaction and. Not just looking at types of grants that we paid in equal to use technology, more, enough. Threads, through my rear of nearly. Fires working to a team of 18s I was with a tough loss we're working, with enterprises. That's weren't, that dissimilar from the federal government, and hi the desolate, industry, trying, to determine how, to. Modernize. Leverage. What, they were currently running and then living it as cloud and taking advantage of those technologies. So, really. Got to speak here today and, go, get cool, now. Peter, will pick up some women through the clouds yes so. This is a very. High-level overview as I'm sure most of you familiar with, where. The heads of government is of adoptions I wanted to address what we see as women schools for, a spot adoption, and what. Some. Of the impediments are to get in there, have. You made a call mention 2010, under the last administration it. Was clear that the vicinity, of significant emphasis on. Options. And also it was announced as a strategy, in February. Of 2011. Where. We are today. Seven. Years down that road is. Comes. Lag, and that adoption, the icy. Boulevard, or the present government show that in fiscal year 2016. Only, 2.6, billion of 85 billion dollar stands for is on cross Services, overall, say. Like 8 percent of, that. Stands was in non. Conditions, are completing services, that were already ready, to use, to. The last I see. The board from less, administration, 2017. Zero. Agencies. Back to the point of actually running. 50, percent of the work goes into box when. You see real. Progress, moving. Forward the. Sun represented. Authorizes. Cloud service providers, has. Visible, milestone, of having 100, authorized. Provider. In the marketplace, the. Modernization. Of revisiting, distrusted Internet connections, like, better dependent files connected world as well as life. To. None if, this turns off its off myself, oh that's, not valid plan. If you have it far away. Now. Later. Stages. And. We have this investment. In Centers, of Excellence without. A USDA a, like. Out agency. To really dependent. Opportunity, the, the, first few years of cloud, first initiatives, although the focus on cost savings. Need. Focus pretty much this 2013, a talking, more about the, abilities to. Modernize. Way to do line T because it's. Not. Always immediately evident when, those cost savings are going to be realized but definitely. See how the payoff in terms of having complex operating. Expenses, of capital expenses. Welcomed. Is an opportunity in securities, by having. When. We continue, to maintain our own securities, from physical, security to network, security to operating, system security, versus. Large. Providers, like Amazon, Google and. Pasture, and others to. Despoiling. Global networks to, observe, developing. Stress to, observe, absorb, like a sponge I think like the kids, not, observe at the pack and, then.
There's No question of automation. Moving. To actually have an API but drive your. Changes. To infrastructure, using infrastructure, and code which. Is much more feasible when you're using a cloud platform when, you're having to build from this ground up but. Mostly my. Interest, in being at the federal government is to look at how we have mission, focused information, technologies. Where, we're taking a lean approach to. Developing. Products, getting, in front of customers getting. User feedback on, that and being, able to use agile development, techniques, to continue. To build in small batches and. Deliver. From. As, early in the process of hospice as possible, and actually be, innovation. This. Is what we've been seen happening, across. Sectors, and the. Last decades the, public eye one of the next about this though, we. Know that, these missed opportunities are. Not because, civil servants are like missing the ball and a lot of instances it's people trying to fit modernization, efforts within, existing, operating senses that are already stretched to accommodate all, the things that you have to do sometimes. These are situational. Or, systemic. Failures. That are making it difficult to get these other things one of the functions of a TMS and the work that we do is, kind of walking in and we can be outside, experts, to kind of say hey, you know this isn't going to work and help bolster the, case of someone invited agencies trying to do the right thing but. Doesn't have a set it necessary to do that we, are best when we partner with someone inside an agency that knows how that agency, works so, likewise, with cloud adoption, it is strongest, when the parts of an agency that know cloud and noted technology, are partnering, with the program offices that can say what they need because, in less you have a partner, that's inside, the group that you're trying to change a lot of times you're talking things over a wall and not really, communicating and that can be difficult. So. There. So. In the last decade suck submission of ascites has, been a realization, the private sector increasingly, now the public sector that information, technology does, matter. Despite, a. Highly. Regarded and often, reference paper from 2003. Even it was car and the, Harvard Business Review that. I see doesn't matter because at that point IT. Has been very much a. I'm. Differentiating, from undifferentiated. Commodity. That people, would buy their. Enterprise. Relationship, management system, where their email system their HR system and put. It in a closet and division, as a call center and, when. You're doing the, things getting, sustained. EMR, but different industries, then it doesn't actually see any change in, the bottom line, when. You have a decade. Sitting. That's all a decade then essentially.
Under Investing, in. Innovative. IT in, the private and public sectors, I think to some degree from, the influence of that paper. However. At. The same time we, were getting the. Beginning. Of actual cloud technologies, we were things, like configuration management, come out. As. Al manifest, so came out in 2001, we actually had properties, for developing, Prozac and. There. Was, a you, cannot with the companies, like Amazon. EBay and specifiy, and not. Say the IT doesn't. Matter because they were in, the prophecies. In the way they were building technology. They were out some more many their. Competitors, in. 2014. Gartner came up with this model as well as find, a little IT you have, systems. Of engagement, and, systems, of Records and systems of engagement like, websites could. Potentially. Run this much higher velocity but. The persons of record well we still have to manage them with IP FM's, change, management board, very. A high number of gates and prophecies, in, order to assure ability. But. It's been shown you actually can have these, and stability particularly. In. The last decade with these. Surveys. Across the industry, that has been summarized, in the. State. Of DevOps report, from of a glass health. Nicole Portman, and others showing. That in places, that have. Invested. In IT. We. See writing, these results, when you survey tens. Of thousand people cross the industry, about how they develop. And deploy software. Including. Much separate into high-performing, team for. Meeting the low performing, team the. Garnishing, lay the high performing team will, deploy. So. Much more frequently that the numbers kind of boggle the mind to hundreds more time two. Hundred times more. Than low performing IT and. You. Can go from conception. To code reduction. In much shorter lead time. As. A result of the automation, and testing, goes behind us that little change bail rate that's, recovery, from failures less, time spent reading very. Issues, and in. A culture that actually injects learning back into, the system the people. Who work at the organizations. Are two times more likely. Recommend. Where they work as a place to work there. Anything to add to that a thesis. From. Talking to people and all across like the vast majority of agencies. A slide, like this can oftentimes appear, like wishful, thinking, because there are so, many more constraints, that the government may bring we. Also see, that sometimes. The things that make this feel impossible or based. On how people have always done things and less, so on how, you're actually required to do things so we're, our goal with this presentation is to help show you ways of getting to this place or closer, to this place within the whatever constraints of your agency while, knowing that you. Know all, the full benefits, of automation are sometimes limited by you know forces, that you don't control either within, an agency or across, the government of the ball but, the benefit and the benefit of going in this direction is, still present yes he works here going, in this direction is helpful if you're here going in this direction helpful, we're trying to give you an orientation more. Than an exact set of things that you need to do so that you get closer to this slide even, if heading, it exactly it's not a things going to happen in the next five years it, could be in the next ten and we'll, see a real, example as, we move on yes we all a, part. Of this is changing what we actually value as, we evaluate. The. Measures behind the work we're doing traditionally. People try to look at things of like lines of code and frankly, the best developers, I've worked with have removed, more lines of code in their careers of. Things. Taking, measures from agile, like velocities, which are not switched to use comparison. And then, trying to like, different teams off off of each other. Utilization. Doesn't, really work either because, once does above, a certain level of utilization means. Everyone's, being used all the time and they can't take on new work work, at bogged down in system. Operationally. There's been as a traditional, focus on mean time between failures.
And Exactly. Want to change of, having the right they, focus on mean, time to recovery how. Fast we detect, an incident, and remediate. It and then you, going forward. Likewise. Focus. On strict uptime, as much less, useful than, having something like a service. Level objectives, and SLO, which is based on actually observing the customers, coming into your into. Your site and seeing, are they meeting at certain levels of response. Times for a certain percentile. There, but. The high performance, measure is. How, frequently can you release it, once. A year or once a week or once a day for, many. Multiple, times at seconds places like Amazon, lead. Time how. Can you go from committing, a simple. Change like this color of a button to actually being see that running in production. And. Again having. A low failure. Rate for those, changes and mean. Time to recovery. So. That is the landscape of where we want to get to in terms of being able to go. To having. Sensitivity. High performance, measures of high release low. Change fail rates and I. Recovery. If anything does go wrong and that will will pick us up with strategy, so. I'm going to talk through about. Inner still maybe nine different, areas of strategy, I want, to be really clear that this is a new presentation, and the exact delineation, of these nine things is not a pure you, know I wouldn't, I wouldn't make this as denies steps and then you're in the cloud and everything is great these are all different types of ideas the, way that you can organize these because this is a survey, of a really big field about ways of operating probably. Means that there are more academic ways, to say you know it's really this set and this set I'm, really more geared to give the general broad set of ideas some of these things lots overlap will be gray area in between them so. Please don't consider how, we break things down to, be the most important piece as much, as the ideas that we're presenting one, by one by one so, with that let's. Do first start, small start, core, what. We mean by that is that before you point out a big cloud implementation. There's a real big tendency in the government to say we're going to do something really, huge we're gonna we're going to move all of our stuff into the cloud in the next two years how, much is that that I cost get that money in the budget then go off and do it don't. Do, that start. By saying we're going to move one system, of court system an important is the one that has real rescue DeSales you don't want to take something that is that is you know kind of a free system if it does work it needs to be important, but, it also needs to be small and that way you can learn and adapt and if there is some kind of issue recovery, from that issue doesn't involve you know two, hundred thousand lines of data being at risk or something like that but something important, that's not used so an example of that might be if you're let's say the Forest Service you're running a system that involves permitting, for trees and this is real you, might say we're going to change the system of how we permit, for one tree the. Lowest, you know rate, of permits, that we need to issue for that tree so, that there's a problem we need to flip back that's, not a big manual left for us to do but, that's a real system, it really it has it's subject to all the same statutory, rules all the same regulations. Within an agency about how they need to do some something and then you'll. Then take that example and as. You. Go through it broadcast. To the rest of the agency and broadcast, within your team and around your team how it's going and what you're learning it's, really, important, to find all the things that don't work all the areas we suck your toe even, if you as the project, manager of this you know migration, efforts are, the one that notices it and then fixes it independently. It's still important, to call that out because a lot of other people will be doing what you're doing and lets you document, what you run into so, that if they give an issue and they search for something a wiki or not you know internal, reference database if, they can't find anything everyone's. Going to come along and stub their toe again and again and that adds up very quickly to become a lot of time loss or, even worse someone. Might make the error that you caught and then, if that hair is not caught and it's combined with some other issue or another issue you, can have an unexpected, kind of chain reaction that causes something role theory so. The importance of broadcasting, is to specifically, try, to find, as many problems as you can but. On something small where that's okay and then, be able to you know once you have that thing live you'll, have weren't I'm going to guess about, 70%. Of the stuff you need to know to, migrate everything just, because so many of your rules and properties apply across the board now that that 70 a hard rule that depends on you the.
Type Of system and if it's you know the. Relative, complexity, of what you're handling as an agency but, you'll discover much, more than you think of the things that walk everything, by doing one thing if. You do instead of trying everything. In one big massive spazio, you're. Going to kind of choke yourself otherwise and this, is something that iPhone, as working with private industry is, that they would say what we would call a boil the ocean approach, which, again, they don't. Know these new technologies, they're trying to learn on the fly at the same time to try to wrap it up on to, a two or three year plan, and. You. Can't, plan around what you don't yet know so starting, small, is not just is, a key, for actually is learning in every. Culture, every the. Need of every institution is going to be lightly different we, provide. Playbook, from which you can select ideas, but there isn't just one size fits all for my. Creating, an institution to both. Cloud, technologies. And realizing, benefits of modernization. Along the way so. You'll know you're doing this well when. You have one team that's managing this and this team has all the skills it needs to, accomplish the full mission that, may mean detailing, people over from, your acquisition shop or from a DevOps shop or versions of your security organization, into, one team so, that the team can problem, solve and say, track in daily meetings you want them to have high availability to, each other so, you're not having to wait for long wear sometimes because there will be a lot of different blockers that come up from a lot of different area and it's really advantageous even, if your, team doesn't have the CEO necessarily. On it to be able to have someone that can act as the core so. That it has a good relationship with SBO so that you can get answers quickly because, there will be a lot of surprised walkers one, of the ones that you'll probably hit you're doing any kind of qualify for the first time is. That we. Don't really know as a government, yet how, to by variable. Usage cloud it's. Kind of like buying power how am i buying utility, you don't know how much power you're going to buy before you do it but the section of the FAR's deals with power is totally. Different than the section that deals with IC and in fact you can apply the section, of the bar for utilities, on, the IP buy so. That's a really, first thing that a Contracting, Officer is going to have to get their head around it. Takes in my experience, a lot, of conversations. Sometimes, multiple conversations because, you're not just asking someone to do something different it's kind of like getting on a bicycle we're, turning right actually steers left like it's a different thing you can eventually program, they're going to do that there's people on YouTube that have done it but it takes a long time to figure it out and, then if you do earn it you can you know win money in a carnival when someone says you can't do this and you can actually win the money those, are like so, one thing about the team is that if.
You're. Told you can't dedicate, a, security, person and an acquisition person. Such. As to the team it's. Important, thing that you know when you're doing it wrong is when you have to wait for tickets to be submitted, and then answered you need something from. Acquisition. You should have Korea, or a room you go to and they say oh I know this project and I can make. Time to use it afternoon, to work on it and they. Actually are invested in the outcome of, that project. So, it, is, essentially, stuff that off store. ActiveX. Top client. All, strung together but, there, is a sense, of mission amount of project, team to, actually deliver on this core project let's unpack that worked at us for a second the DevOps is when you combine work from development and work from operations, and you're having them kind of work in the same field we stayed at set ups because we want to include the fields of compliance and security with, that and then access as ops is just really saying let's get everyone in the same room that you have people are available to you you. Will not be able to do this sometimes, depending on the amount of executive, cover that you have it's. Really important, though to get that executive, cover sometimes I think agencies. Make a big, massive plans, and they make big announcements, and they because, planning for something that that big is really exciting, and it's, easy to get executives, and people on board behind a shared vision of we're going to cloud it's right here then it's happening we're all really excited about but. That's. Not going to get you to a place of success most of the time you're, going to end up kind of buzzed like and. Pedaling your bicycle, kind of into a mud and then you'll get stuck instead. Of doing something smaller, quicker faster so get that same executive, backing but to try out something and that way when you make that three, year plan you'll be that much more informed, we're, spending a lot of time, this life because it is most important, yes and if. People say we can access the club in three years, we're just starting with Christmas tree parties and, the answer to that is when. That team and, six. Twelve. Months, figuring, out how to actually work in an agile fashion, to, start, planning, on shorter. Iterations, and delivering on that then, that team can start training other teams and you'll, actually be a, then. Geometric. Or exponential, growth and your ability to achieve it and I. Think, Disney. Have some great presentations, on how they do. To a DevOps culture, by starting, small in, terms of properties, and then growing out from from. There unfortunately, they're, not online because of IP. So. Yeah I shouldn't, have brought them up as an example well but that's, life that's why we do what we do like everything that you can have has all of our documentation, on hand book itself, is all public the handbook HT nachos, let's, pretty much anything you want to find about us it's all online it's all public to call either on get over it that guides that 18s ever there's, other URLs, that will go through this presentation our goal. Is to give you examples, that you can reference so. That you can go back within your own agencies, and be, better equipped to make an argument to this to do the right thing that's, that's our mission and if you have a question or issue about that we're, always available at 18f, XJ is there to help answer those questions, or our individual, emails will come up at the end of this at. The end of the presentation, I think. We're done with this laughter that now we let's move on start stall start, small start core next.
Up Lies, prototyping. So. When I say prototyping. I don't always mean, prototyping. In the open but I'm going to talk about as operating, the open for a second because most, of the systems that we run as the government that serve the public are in, public your. Prototypes, for these systems that serve the public and are visible the public should, also be public, otherwise. The, prototype, isn't really a prototype, and, you should be trying out all the stuff that you want to do with system all the new things you want to do it all the new deployments you want to do it getting. Staging, or a text, or somewhere, before, the production system but, that really acts like. There's a tendency sometimes to say all the rules around production, are so bored and so owner it it only really works doing all that stuff grow. The production system but, then you're never going to catch the issues that effects production I'm having an issue right now with the systems that locally. It works run, on the command line it works deploys, into the actual system something, is bugging at one sixty four in a library and no one understand, why and. It's taking us two days so far to trace the issue and figure out what's going on you. Need to have a real prototype you, need to have a real deployment, system that allows you to stop before. You get to production and finding issues that you're happening because, that's what makes these Rapids is releases, and deployment Thanks, and this makes them this makes it's what allows them to work we, have some huge game change control boards and big, change control meetings to control this risk because, there's no other way to, evaluate or people don't feel like it's safe to the voice to everyone so, expressing, by when we you mean that is the status quo yeah we're trying to get away from yeah as the government right now people, to, make things feel safer you bring other people into a conversation but. The safest thing to do is to make it really easy to make a change but have a stop along the way that prototype where you can make, sure something is working and then, the other cool thing is once you figured out how to do that with one staging, system you can do multiple systems, to do multiple, versions, of the system with different color schemes or different workflows to allow people to test out each one at the same time you, can do multiple versions, of assistance, to help make the case up we, do it this way and spend a little bit more money making, the whole system this place will. Get that much better results showing people something real is still much more effective, than showing them a spin shot or showing them a word document and it allows you to actually test it and mess with them and, we'll get to this born we get to the security, side but if you're wondering how. Do you get security on board with this you start early though, by starting. With a live prototype, from. Week one it's possible, that means you already have the stakeholders, involved early, on to say yes, we can go ahead and improve. This data sight and. Make sure your systems, are following, our policies, then there's not a long wait for when you're actually needing to go live might, just get them both as getting. Someone to find from the ATO and change. The URL another, blocker you might have when it comes to prioritizing, is the fact that people want to be able to announce something new when, it goes live and they worry if we deploy this early, we're, going to remove our ability to announce it it's kind of mess up the kind of PR, or, the for the publicity of the thing I am, here to tell you no, one checks your prototypes, from the outside we have prototypes, so many things that made a big splash when they launch it's, all hopeless it's all there people can visit it not one news. Story has ever come out about a thing we launched before launch because, watching, someone, else work is, a job, and people all have other jobs to, do I think, obvious was yeah. That's one, edge it just came out a few weeks ago one even built yourself out what if I goes back up yeah that was the one that was prototypes and then made available but, it was. It's. A rational concern, for people to have but don't, worry about your thing weakened because it's public whatever.
Might Cause a new center Li announcement, is not going to be tied to the status your software from those part even if your codebase described it you should still have a publicly, available prototype, because, otherwise you really can't test your systems that's, meant to serve the public unless, your prototypes is also coupled it, doesn't really it needs to act exactly like your line system does have all. The same constraints if you really want to be able to learn cool. Let me know from the flex let's move on that's scary for version. Control, everything. You do for. A system, to be represented. In version control even. The stuff you're not used to doing in version control should, be represented, in version control version. Control deployed, effectively, is, something that we think should, be done not just in the technical part service of an agency that they can include your your lacks technical folks I am trained, everyone. That I've ever worked with and, how to use github as an example although you can use this bucket fit, you lab there's a lot of different services. Out there that provides us and while, it's 50 to initially learn it, is teachable, once. People get over those affected, screens are so busy they're not very usable but, it's really important to get virtual control out there and to, express everything they're doing with your system in version, control you, can start with that version control system being local it can be on someone's even local PC for that first deployment that you do okay but, eventually. You wanted to get into the clouds or get into a SATA space solution because. That will be more powerful and you can take advantage of all the new features that are coming out with these services as they compete we, as the government gets as benefits massively, from the fact of you services are out there and they are rapidly going at each other and providing, new services and features but, you only take advantage of those when you are using the, outside services, and features and being. Able to use them you'll, know that this is working well when peer review on your scores the first step assess is that peer review on all coach changes should become normal the idea of someone making a hotfix, surprise if. You make sure deployment easy enough people, should be able to just commit it straight to the Virgin whole system pretty easily yes. Oh I. Have so much to say on this one where. To start but I'll, just start with Jeffrey. Snow burr is now. The lead for Microsoft, server. And. The. Mid-2002. Took a step back from working at Microsoft on, you. I write, PowerShell, and then. When, they were able and then it says when, he's very working with teams that were able to move. From, making. All the changes to, a distributed, system through, user interfaces. To expressing, that encode and committing, excursion, control it, was delightful to, go around and talk to people visit, they hope let, me show you the subroutine, that I wrote of this library that I'm sharing and, it made sharing, and conversations. Around the work that they were doing possible. In a way it's, just working with user interfaces. And one-off dint, provide. So. The, version control is, not just about audit. And control but it is also about communicating. About the changes that are happening being. Able to test in small batches because. You don't want to give someone here's the last, two. Weeks worth of work please review this for me means you have to be saying how can i express when in changing, in. Something. Looks like maybe an or. One or a hundred lines both, other people can say okay I can see what this change is going to do both. In terms of the tests that you're writing around it but then also thinking through what are the other side effects that aren't immediately apparent and, you have surface as you have personnel, change over on your team adding. Centrally, available version helps you understand, why, I think happened the way it did especially, when people are having communications. Over those or requests, over those issues using, the tools of version control to really start collaborating, and communicating you. Also know this is working when people start looking at the commit history and thinking, you know that's a source of pride for them of showing the cool work that they've done and, as, you, start moving all the, things you do in operations, Pro changes so for example you can make updating, your DNS using, performance, of other technologies, you can make DNS representative.
Growth And that, makes it so much easier to figure out what, in the world happened is DNS is hard enough on its own like, remove this part of the complexity unit better 50 bucks let's, keep moving for the sake of time e. Agile. Agile. Is a. Not. As much a foot it is there's a lot of different trainings and representations, of what it means to be agile we, have been called sometimes people that have been told my, my. FPS told me I need to do an agile, something, but, they don't actually know what agile is and it becomes less they to even talk. About it because people don't feel clear, about the definition, of agile that speak of agile doesn't have necessarily always, a clear definition and, the meaning is doing something in an agile, way sometimes. Means a set of practices or, set of measurements or, set of metrics to this it can really vary so when I say be agile what we mean is more a. Idea. Or an orientation, of working men a specific, set of things but you and your agency in your situation can work out what does that mean do you want to do scrum or do you want to do Kanban, or do you want to do other kind, of practices, that's that all fit into some time Seattle category when. We say agile though in general what, we mean is that you're creating and, iterating. On working software instead. Of making giant comprehensive. Plans the. Core work effort is in the software itself and the documentation, of the software and the comments on the software not in the, planning. Document that, you made if you want to see how the system's working you see that in the actual code itself and you, start by. Putting things in the code from the very beginning. Agile. When done properly it's, always going to be more expensive than waterfall, because, you're expecting, to change direction as you make a project if we were on missions. We could make giant waterfall plans that were exactly correct in the walk space ISM and we'd be done and we would you know that would be really fast and really efficient but, we know that eighty, percent of the time in the government or more depending on how you want to measure it the, government has done that waterfall, like a poach and then got into the end zone and then this. Result wasn't useful to anyone because, we didn't learn or, iterate, or change along the way so. When, I say be agile a lot of what I mean is nature, executives, expect to, be agile make them accept then you're going to have to change direction as you do this first pilot, you might have to do something different because when you change direction you, learn and when you get to the end of the road you will have something that is useful even if, you change direction a lot or you're going to find out hey maybe this is going to get a despot to make and, you'll fail a lot faster, and cheaper than, going. All the way down the line part. Of this is also organizational. Culture, where, it. Has to be safe for people to say this, isn't working because. Otherwise there's a tendency to say everything is great everything is great everything is very and you drop off the bus so, I chose only more expensive, when you compare it to the waterfall projects, the sixties, exactly.
That's, That's actually signed up yes okay, but 80% of waterfall project don't, succeed so, in. The longer term return, of the investment, agile, win, and it's. Easier sometimes to spot what is an agile than, what is as I welcome you so they as, a club two best people around the head with if, if. You're following the rich will in terms of agile but you feel like nothing, has really changed then. You're not doing it if you offend the first two sprints. Coming up with irrevocable. Requirements. That have to be met then you're definitely not doing agile just, using the forms of agile but still practicing. Waterfall. People. What, we call agile, fall good, blog post on Bob yeah, but. There, are indicators. Here that, you are doing as well when, your team. Expects. And ppreciate look forward, to the rituals because they know the retrospective, is actually going to be, used. To help improve things they, want, to get what people are doing and help unblock them and people. Are speaking up in field States to, make contribution, because they know, the voice of trends occurred the, whole idea of psychological. State gee that google has shown today he. Determines what high performing, teams are if the question of culture more, than it's a question, of exact Bacchus so, you will know you're doing ad so well when, your team has adopted a culture that expects, the agile practices not, when you're doing the practices, by themselves, otherwise, it's like, that. That is it being really painful if you have a team or a culture. That doesn't work with agile and then you try to make that you're going to end up in a sprint planning where, only one person is talking and that's not how a proper, spread clinic. Now. Since, we got started a little bit late with the audio, problems, I'd open keep moving forward and then pause for questions yeah we're going to get there at five, more slides or so, automatic. Code deployment, this should be a little bit of a clicker slide what, we mean by this is that you, need to when, you miss out as XO to be deployed in the acts of Semitic or, to be more specific when, you deploy from your staging, system in your travels or whatever prototype, into production production. Goes live there's not someone, else having to click into something else to, cook a makes, this possible make this possible life is possible it is one flow, and you, should start that box on day one by releasing code you, should be releasing code each, day every depending, on within a sip of the system and sometimes it makes more sense to do it on a weekly basis in the beginning but you want to have code, deployment, systems that are inherent, to how your system works not.
Something You try to tack on at the end it's, part of the system, that you run that. Will also demonstrate and. Help, you build confidence in your testing. Testing, and testing procedures to. Make sure that your code is good when, you have when, you deploy code automatically. And, it's you're only going to feel safe really pressing that button when you know you have a lot of good tests and good. Software has a lot of testing, going on because the testing captures all the things that you don't think about when, you're making a basic dungeon. Finally. That will what. You and help you yeah. And so. You are going to have more tests code then, you actually have functional, code that's, fine that's expected. Your. One-button. Release process doesn't actually have to get physical or, virtual, buttons, that it should your release process should boil, down to not, many more bullet points on this bit of on this slide, guess, it's get. This. Man line tool the boy does check. Out this. Repository. And run these commands that you don't actually have a button, but, it takes off the process or a macro and, guess. What you deployment, also. This gives you a great deal of vendor portability, because then if you're not depending, on 400-page. Screenshot run book it means that when you are adding, personnel, or changing, whole team you, know that the, intellectual. Property, that actually says how the system, works and all comes together is already there in, code, and of course per script this, is not necessarily, something you can do with your start, small start for projects because, a lot of times this is going to be a really big change for an agency but, it's it's an in-state to. Get to so that as you do more projects you can always get on day one but this is a big scary Bank and I want to acknowledge that there, are real blockers, to this that have to be resolved, this is not a you, know come in and you can make all the changes to make this possible in a day this, is a instinct. To drive toward and something. You can get to you know if you just move up your how often you release from every, year to every six months that's still an improvement that's getting you closer to. Start. With security we. See an anti-pattern, a lot of times where the people that are doing the coding and people doing the program and the people doing the security or kind, of on different teams and they have different priorities and different goals and different metrics, and that means the end up working and opposite, way and then. It is a you end up spending energy, and effort kind of working against people. That are really all in the same team your agency is one team trying to work together to build out code but. That's partly because the, code is sometimes developed without thinking about what security, is or those the workflows are all all the elements of your systems not just the code itself the code is sometimes an element. But not the full element you, should have security in mind and has this evokes from your security and compliance team in the, room when you start when, you start to develop when you start to hitter age you start to practice so that's one of their failure points that I imagine, you'll change you change direction and you do agile some. Of those points will be someone for security saying hey this, really doesn't work at least initially we should really do it this way and that's, a good thing to learn instead of getting to the end of something working. Out all the bugs and kinks, getting a kickback over the wall and saying well that really won't work for all these reasons, anytime, you send them into security, and you get that you know a twenty part resulting, thing that says like you have this problem and this problems as well that was twenty times that you could have found something individually going. Through a process where they were more involved with the team something. That has worked well for us we call 280s printing team we, had a team with the authorization personnel. Themselves, and our, team that work together and built bridges and really became you.
Know A team fully, working to be both compliance, but also providing, results as fast as possible and that made it a much more pleasant experience as, well to, get a lot of ATS done the, final thing I want to add about security, and this is there's a whole other slide, there's all the presentations, to make about this is post mortem when something goes wrong especially. In the world of security there, is a tendency for, a lot of good reasons that are way above all of our pay grades just, be. Really careful about what you say about it because of figuring out questions of blame and food is ethically to that your. Organization. Will not be able to be efficient, as long as that is the case even if you may not be able to control this but when, you have a blameless or, postmodern, culture when you run post mortems for all the issues big or small and that becomes a normal standard process people, are much more likely to be able to figure out what, are patterns that are causing these things happens, or an increase you know the mental models of those things and then you'll head off issues of the past so. As you, develop of course monoculture people. Learn more and eventually you have fewer, security issues and your time to recover is a lot earlier because you're running these post-mortems not just about what, went wrong and what caused the problem but, also what was the process of recovery in, organizations, that do this that just. Left on security, as they say so if you think of working from left to right build, in security. As part of the test, so. The same automated, codes employment, also run static code analysis, and practice dynamic busting, of your code means. And catch problems, earlier where they're easy attachment, remediate, and. Until. Those games spend 50 percent less time remediating, security, issues to, give automation, you also not, just have the code that. Stands for pin you have a way of making sure that patches, and other updates are, rolled out and then, for a great example what's not a brainless post-mortem and, conveyed the call after the equifax breach that the peo on testifies. As it could all be blamed on one employee, what. He didn't say that what employees was, him, because, you should be building a culture, that says, all. This was about learning we're here to learn and build not, this blame, and played our game there was a vendor that they accidentally, deleted. A good chunk of their database and they put themselves they, put their their. Exchange share in tax as they were fixing issue live on youtube and everyone. Loved it for they got good press for that when, you're more transparent. I'm not saying we should do that necessarily I'm not I'm noting that but, doing, these building more transparency, more comfort is good for everyone because, a system that allows one person to screw something up is bit as the nor expected effort. Embrace. And I as has that model, where infrastructure, as a service platform as a service software as a service will, be quick for the sake of time because we have a lot more to get through but, just kind.
Of Getting to what you said in the earlier part of the presentation a system, as built in a data center doesn't. Need to work the same way in the cloud if you guys think that's a greater than simple I'm correct all I did oh I know, I think, they should think they know things on a glass right that's what I think I, think, that's what I was actually think about the. Benefit of doing things in this model is. That you can reuse portions, of authorization, if, you set up infrastructure, in a good way you can reuse that infrastructure, multiple. Times you set up a platform in a good way like Bob you. Can use that platform multiple, times so that the only thing your, program, teams have to worry about is, what's happening at the software level if, they don't have to thing go out what's happening below it's, like catching, a cable cars it takes you most of the way up the mountain so that your final summoning. You can focus on what actually, matters in the system the workflows that people are actually following not, all the Stephanie every. Time you answer the same question or do the same work of what's kind, of below, the iceberg below the ocean about what's taking all that time you're, not spending time thinking about the actual user, we want to try to make that as efficient as possible by. Using upper structure of service and platform it's. High. School. Agile. Procurement, neither. Of us or acquisition. So these is a set of ideas but. I'm, I, think with questions especially on this one there's, a great website that you can look at and a lot Matthew to answer some of the things but I don't want to represent myself. Domination. In general and we talk about agile procurement, or modular procurement, what, we're saying is a different set of practices and enable you to get to these outcomes sometimes. You were going to be locked into contracts, that makes some of the things we've already talked about really hard or impossible so. These things all work together and sometimes user tested you can make you know iterative improvements, within sounds, of what a contract allows but. As your contracts, to come up for renewal as you have new procurements, that you need to set up here, are some practices, that we suggest, instead. Of having a long list of detailed technical requirements. Which, you shouldn't have because you don't know them because you haven't planned out your system waterfall Sal you, want to have a challenge summary that says here's the problem that we're trying to solve you. Want to have lots and lots of smaller proposals, that all work together so that if one is part of your project falls through everything, else can still work your, systems in the cloud doesn't, have to be like one system running on one place in a data center you get as multiple, pieces of your system all communicating, and that will then allow you in the future to upgrade piece by piece by, piece instead, of having it be one model at where one failure brings down the whole thing you.
Want To plan to evaluate these, the things submitted, to you as part of the Buy in weeks, instead of months because they should be smaller things to evaluate you. Want to set of your contracts, to reward not the doing of a lot of work that it's very easy to do a lot of work that goes nowhere, but. Instead to reward actual, delivering and, you want to set up things so that you have moments. Of early failure point so if something isn't working you, earn you boss the money and you move on instead, of building, yourself into going in a bad direction you'll. Know this is working when you've broken up one of those large monolithic, contracts, into something small, with different pieces I know, this is a tricky thing this is something that we can help with and talk a lot more about there are people presenting about this right now on panels in California, so. Ask there's more questions but this is the first step and modular, contracting that, you can a set of tells, you more so I think, the biggest thing for this audience especially is that we know that grow spearmint and be limiting for us and so, there's a set, of solutions here as well that apply to CEOs and Fords and the work that you know the USPS contract other, Oh John. The. Really big cool thing is once you get to the end of this way and you've done this remembering, the style if, one of your systems completely falls over and has a big problem the rest of your, and. That's one of them they. Are going to have to combine. This with an enterprise, architecture that. Supports modularity. As. Well be underlying bubbles so if everything is talking directly to a database and, you can't change out the database underneath, it so, it, does come back to technology, they make, sure you're using a. TI, let's, represent how, all. Your applications are talk me into database, so the database can be changed. Without the other application, having so, and the, other fossilizes. So. We have finished half of the presentation the, next half is going to be all about how we've done these things and, how they work so that you have data points you can cite when, making these cases, conferences. Know in silent, mode, appear, was going to take us through five, that was a case step I'm a pop-up with a view of the box and then I'll talk about federal but Peter take it away so. This is a case study both in terms of we. Have tried to apply some of these strategies, ourselves. As we move forward our products as well, as being able to enable our customers to employed, it and, when we talk about the. Cultural innovation. Culture. Comes, about because your. Tools can help support. Certain, kinds of behavior, and then, behavior. And habits then inform, the kind of culture, that you have and, in. The end this means that your. Tools actually, matter and particularly, for those of us who, are involved in building customer. Facing platforms. Or services, with the public or other members of the government are using the, platform matters, and.
The. Platform, in the fences uses platform of assertive, is where you're, going to have a team that comes together that, means to build test and run a. Suite. Of technologies, and. Administrative. That's. That includes once you're back at include a web, server app server database, is that truck how, do you have multiple, environments, that, are identical. Largely. Across. Mobile, development their, development, testing, all the way up to production how, do you manage the users, that are going to be having, certain, roles in there whether they are all-powerful or, someone who's read-only and. Then there's the work that's been typically delegated, to an Operations, team they, can care patching shipping, logs making. Sure that, this, is available and, scan, for vulnerabilities. Traditional. Platforms. That we've worked with often adds friction, to the, process. Of agile. Delivery and, platform. At the service can often be your best support for iterative work and. Platform. As a service is a, pre built environment, for deploying application. So. We have, your, developers, on your project team, being. Able to focus on mission and then. The common technology, resources, within that. Back. Many. Of which I have any other slide are managed, by an expert operation, if. You've probably seen something like this breakdown before of, platform, and platform. Versus, data center versus infrastructure, as a service in terms, of who's responsible for the facility, or the hardware or, the platform, a lot, of. Government. Cloud. Adoption is, focusing. Very much on the infrastructure, of the service layer. Forgetting. That there is an extraordinary. Amount of work that, happens, at the platform, layer in terms of all these bullet points here. From, operating systems, automated, updates so. How do we reduce what, you manage as common across government. Well. In 2016. There was no available platform, at the service running open, source framework, that was authorized. Again at Graham so, at 18f, we were seeing that a lot of the work that we were building conjunction. With agencies, just couldn't shift because. A trying. To do, the full authorization for. Everything, at the infrastructure, as a service layer in addition. To the code we were writing was just becoming insurmountable. So. The. Team built cloud gov, which is platform, as a service using. The open, source cloud foundry. Product. Which is. And turn build, on top of AWS, cloud, and we have had excessive. Focus on baking, in federal security compliant so, that as you adopt the platform, we make compliance, as easy, as, we can you. Know it looks, quickly about this one, is that we, used to provide 18f. School a to us directly, the agencies or we made it possible to access and particularly service we, stopped selling that because, it didn't work because there was too much other work that agencies, had to do figuring. The eight of us that we were basically spending more time on, calls with them helping them use it than, we were actually, making it available and, being able to work on the core product so we stopped providing, and purchase service, we now provide populism, service the, other note about cloud backups because we made it initially to support our own ease because their own image into the void a product which we sort of small not.
With The idea of building a whole system and then. We realized oh wait a second we made something useful breast maybe, other people can benefit for living so we just danced the clouds I feel able on top of the thing we already made and that became the products of you talking them. So. How it works is that your, team can bring custom, software that you're writing so these are the Forest Service of a permitting system or you can bring off-the-shelf, software and, then, we have delegated, self-service. Tools that those teams can use to. Commonly, configure, needed, services, like databases, storage. And content, delivery network. And then. That team also has the power to as, we mentioned earlier deploys. A prototyping. Environment, from day one because, it's all done as code. Against an API makes. A very, routine, to. Take the deployment, process and put it into some sort of continuous. Delivery system. So that when Otis checked in it, gets tested release, to attesting, for a prototyping. Environment. A. Number. Of different. Agencies are. Using us. Now I don't, have all of our logos on the five but the Federal Election Commission is. One. Of the ones we like to talk about because, they. Have a very, elastic. Demand, because. Three-quarters, of time you don't think about the Federal Election Commission. Ideally. Picked up perhaps in the run-up to election, where you want see, who's. Filing, what, reporters. Are checking it out the. Campaign for filing, and so they had to have a, lot of excess capacity to, support, some kind of CD once Fort Worth and then. There's a filing once per quarter so. By going to class go on top of Amazon Web Services, they. Were able to save 1.2. Million in, savings annually. But, more exciting to me was, being able to down with those jeezum the. Scaled. Agile framework training. And see out. The platform, was, able to support them truly adopt, agile. Because, instead of having to react. Break. Fixes, and rework. They're, able to say this is where we want to be in three months and some of the work we're going to do is two-week increment, and it's, really, two weeks because.
We Have the self-service, platform fast. Includes, the ability to, codify. All the steps from the release process they're, able to test continually. And. I. Forgot. To put his name in way Louis's, authorizes, this quote way move deputy, CIO. At FEC. Says, when I talked to reporter last night fastest. Mom I told them I'm sleeping, as well at night even. Though it's a big project, Fitz and tested for a year this, for years able to have an interception actually. Connecting, to their lost, back-end, database, anyway. Just build out more, functionality. And then use ice. Infiltrated, it. We. Chose cloud. Foundry because, it was the. Platform as a service available. To work. Models and, it groups, really enjoyed it, has excuse, me as of. April, or Mathis is a certified, slider the, same, classic. Providers as I, am. And, fits. Us and intriguing. Across, terms, of API. Facilities. And keeping up with. This. Means that essentially, you can run Cloud Foundry internally, and take. Totally. Depending, on how backed up. Installation. For some other editor and. And. Of course they have the huge ecosystem that's, contributing, more and more teachers all, the time at the Platt home later and, a, consumer layer. It. On we just vendor walk in as, two levels one is actual. Application, portability and the other that, vendors the building, boundaries. Gauges. Say oh I can bring this application that, regarding built run in South boundaries, running, on flag, of, and you don't have to wait two years provision. The server and the database and, the. Networking, to run that even. With your audience instructions a service if you don't have this automation, at your age. We. Have FedRAMP. Authorizations, that were the. Second, year that were sustained. Include. 100, CSP, that budget has now authorized, each. Run workloads a modulus, and. What, is. Um interesting. Here is not just the fact that work has. A job, and work force runs local, businesses in the moderate we. Take a lot of steps and how can we could use Griffin, in enhancing. Degrees don't. Blame you. We. Do a lot of certified. Convention, for customers. Making, central, did, you sling - configuration. Of their.
Defining. System buildings, if, you have something that's free storage bucket, did. You go do, that HSUS, these, are there are only. 400, different options, how you can save, your budget right, now we have to, be, there public private or private, bucket we're going to add a few options, for how to roll things over to glacier but. By. Evening, absence. - 80, to, 90% you, think we, can make it very clear what it is that people are doing -, to, actually, even, and. Again we. Make. We. Are always taken. Care of, having. The riser bolts in place configure. A database as encryption at rest this. Environment. As, well as encrypted. Connection. And, disassociated. It, can get a prototype new town secure agency, anyone, in the agency. There's. No research, satellite, EE 1000, called us credit card cloud. And. Keep our. Remarks. Earlier he'll take the cable car up the mountain terms, of I, as. If, as if that. If. You're want to change a. Application. Of any degraded FISMA moderate impact the, reason. 25 security, controls that need to attend to resemble. Application, running on how to stop, sub. 269. Ago already. Inheritable, from our security. Planner. 41. Of them are shared system full. Your responsibility. In terms of are, you doing, static security, code analysis having. Better to either contractors, and. This. Is much more. That you would get from any infrastructures, and service provider, to. The citizens, access canary. 8500. Infrastructure. Reservist, ourselves. Though some type of AWS, currently, we. Inherited. Before because you want to get off the fence in succeeding month on a trip to s and, eventually if we're able to run as well as your Google cloud, platform you, would have those. And constructors, under underlined. Over giving it back of, people. First. Thing, he, could speak closer to them because, I keep stepping for. And. I mentioned we have, the joint authorization, moderate. ATO will build on top of, AWS. No clouds and, will. And I and others go through the, GSA background, tax in terms of position. Of public trust. And. We. Are work. With our multi, tenant but everything. Runs as a, container. So you have that level of isolation from. The. Different workflows running within log. Of, figure. Something like a day they you. Would configure your own database that's not shared and we're. Able to. In. The background, simulate. Manage. Catching. Enough. Mention. Before we are so that everything that's infrastructure, to code including. Configuration. Files all, of our secrets are managed. Because. Management systems we know that. Changes, planned in terms of database, credentials. Version. Control we. Test. All the change in how we run the platform, through multiple, parallel, environments, before we actually release that to the platform, that, is running or custom application. Because. We have this automation if there's a patch or a. Library. Or an operating system. Vulnerability. We're able to do that within hours of release, without any downtime you sure what that works. If. You run an application on cloud gov what page is called my app and it's available at the URL my. App that gov. When. You request, that URL, it. Will go to our cloud backup router and. Get routed to the worker so where, that application is running until. You have multiple, copies of that application running across. Multiple cells so if one of them goes down there's. No downtime. Now. Suppose, we find an app, in January, that the worker sells indeed, affected. By the meltdown. Bug, and we.
Need To remediate, that throughout, the, entire platform. We. Bring up another working. So which is an entirely, new VM that's, been built, and hardened. To run within log of. Instantiate. New copies, of your application, and everyone else's. Tear. Down the old route and, the. New route is available, there on the fully fashioned operating and the fully patched system, and, then, we can just tear, down the old self, we. Do this at, least every two weeks and more. Often of ulnar. Ability to release the. Patches are released more often. And as we mentioned before is key to have, continuous. Release, automated, deployment. We. Practice, that ourselves, with. What, has now become a rather. Daunting, number of pipelines, for continuous, deliveries but we. Make, sure that all the inputs the system for. Building it our and, vetted. Across multiple environments and tested us their release. So. That is, how. That does at a, and. A whirlwind, to work. We. Have to go, to club that goes we, have number. Customer. Stories. There I. Should. Mention this. Not on the slides that we. Are
2018-06-28 00:12
