Mission Live Enterprise: Distributed Agile and DevSecOps Automation at Scale Through Platform Approach (Europe 2021)

What will it take for companies with complex legacy landscapes to quickly sense changing business needs and continuously evolve in response? As several of them embark on the digital transformation journey, the opportunity to transform into agile, responsive beings, at enterprise scale, is a compelling one. The opportunity to be a Live Enterprise. Our vision for Infosys as a Live Enterprise is to position our 300K+ workforce at the sensing-feeling-responding core of the company, with the ability to seamlessly interact with and continuously learn from our client and partner ecosystems. To realize this vision, we are reimagining our employee experience, our core business processes, and all our enabling IT systems and infrastructure. This means focusing on personal productivity, nurturing zero-latency in processes, ensuring just-in-time data for decision-making, driving hyper-productivity and facilitating continuous learning to instill new patterns of sentient behaviour. Our session tells the story of how Infosys IT went through this transformation, primarily focusing on the Agile and DevSecOps adoption and automation at scale to transform the delivery of IT systems to be sentient, faster, reliable, resilient and scalable. Along with the technology transformation to modernize IT applications and systems, Infosys Distributed Agile & DevSecOps Model was adopted to transform Ways of Working and DevSecOps practices. To enable and accelerate this adoption, an *enterprise-grade platform* that empowers teams with codified engineering practices and AI/ML driven insights for faster and secure releases, was employed. Infosys DevSecOps Platform is a Cloud native, ‘NoCode’ DevSecOps platform built on sentient principles powered by AI/ML driven insights, with security built in across the value stream. 
The platform significantly eased the adoption of modern technologies due to its out-of-the-box CI-CD support, and its metrics-driven visibility across portfolios helped in managing the KPIs and goals. Through its self-service model, it accelerated the adoption of SOX compliant release automation pipelines governed by templates and gating with respect to code quality, security and automation coverage. Through this session, we share our learnings from this massive transformation led by a platform approach, touching areas around people, process, technology and tools transformation. The landscape involves diverse technologies (Angular, Java, Service Fabric, Android, iOS, Docker, Kubernetes, Python, Cloud, PostgreSQL) and environment-agnostic (on-premise / hyperscalers) container-based deployments. The platform approach helped in moving from Docker Swarm to Kubernetes and from Nexus to JFrog. INFOSYSIT has delivered DevSecOps automation at scale – 150+ applications, 700+ pipelines, 100K+ builds & deploys. DevSecOps practices at INFOSYSIT (automated code quality analysis, continuous testing) have resulted in a 100% increase in the number of releases per month, a 50% improvement in deployment lead time, a 48% defect reduction and a 15% ticket reduction due to better quality releases.


KrishnaKanth B N

Senior Technology Architect, Infosys Limited


Shilpa Aphale

Delivery Manager, Infosys Limited





If skin is a challenge for your dose, AQAP stands for mission. Then this is the session for you. Good day to all from me and my colleague. I'm Shilpa, delivery manager for Infosys IT, with 22 years of experience in .NET, SAP and open source technologies. In addition to my portfolio, I also anchor the DevSecOps for Infosys.


Hi, I'm KrishnaKanth, senior technology architect at Infosys, with around 15 years of experience on Java JW development is still here in DevSecOps tools consulting, and presently I am leading the Infosys DevSecOps platform development and implementation. So today my friend Shilpa and I are going to share how we went about mission DevSecOps at Infosys IT, the challenges that we faced, how we overcame them, and what kind of benefits we saw.


We represent Infosys, an organization with around 249,000 employees and 13 billion US dollar revenue across 46 countries. Our mobile app InfyMe itself gets 10 million hits daily. At this scale, systems become the digital backbone for the organization. Our vision for Infosys as a Live Enterprise is to position our 240K plus workforce at the sensing, feeling and responding core of the company, with the ability to seamlessly interact with and continuously learn from our ecosystems. To realize this vision, we are reimagining our employee experience, our core business processes and all our enabling IT systems and infrastructure. This means focusing on personal productivity, nurturing zero latency in the processes, ensuring just-in-time data for decision-making, driving hyper-productivity and facilitating continuous learning to instill new patterns of sentient behavior. The book for Live Enterprise transformation is available online. When the pandemic struck, quick turnaround for the changes in processes for work from home was the acid test for Live Enterprise.


Our systems and processes had to undergo quick changes for work from home. Infosys IT built the changes through DevSecOps automation with quick turnaround and quality deliverables. To understand how we did this at scale, we need to understand the digital transformation of Infosys IT. We started our digital transformation journey in 2017. We were primarily a .NET and SAP shop with manual functional testing and homegrown release tools. There were 200 plus web applications to be transformed. For digital transformation, speed of delivery was important, and logically the first step was to move from the waterfall model to Agile. We had a tailored Agile program for Infosys IT and the business partners. More than 1000 employees were trained during this program, followed by assessment framework definition and Agile certifications. We have 50 plus certified Scrum Masters. We were clear that DevOps was needed, as the old homegrown release tools and the manual testing would hinder the speed of digital transformation.


The next important step was to standardize the technologies for digital transformation. Movement from .NET to open source was a clear direction. We had identified seven new open source technologies for digital transformation. There were 200 applications with more than a thousand pipelines, 6,000 builds per month and 50,000 test cases per month. Automation for DevSecOps had to keep up with the speed at which new technologies were being standardized. Ease of adoption for DevSecOps was critical to manage the scale. As we were continuously learning and evolving the new tech stack, we needed agility to add new technologies and change tools for CI and CD on the fly. With the agility and speed, we also needed governance with common habits and routines across teams, visibility of adoption of DevSecOps practices and the ability to measure the results. This was a critical decision point for us, and we asked ourselves: How do we, the SecOps adoption across thousands of components I technology team does the slapping a SecOps automation setup. How do we cope with the constantly changing tools, and how do we govern this DevSecOps transformation at scale? Are you also facing the same challenges? At this juncture, Infosys DevSecOps platform gave us the ability for ease of use, scalability and good governance. Over to you for the solution that helped Infosys IT to transform at scale.


Passion bar, thanks for sharing the challenges and the Infosys IT landscape. So when we talk about DevSecOps adoption, and that too at scale, there are some challenges that we typically see. It is easy to set up a DevSecOps pipeline for one team: the team can acquire the required skills, they can choose the tools that are best suited for them, and they can write the scripts and automation that they need. But when talking about an entire portfolio with thousands of components, each having their own types of delivery processes, cutting across diverse tools and technologies, it becomes very challenging to standardize and govern the implementation of processes and tools. Without standardization and governance, heavy investment is needed to set up and maintain multiple integrations, customize the processes and also maintain isolated implementations as well. To add to this, the diversity in systems makes it very difficult to gain visibility into the problems and the performance of development, QA and all teams involved in the value stream.


Any small change that is required will lead to a lot of manual interventions and impact in several areas. So what Infosys IT needed was an enterprise-grade platform, and Infosys DevSecOps Platform was for that. So what is Infosys DevSecOps Platform, or IDP? It is an enterprise-grade, cloud-first DevSecOps solution that provides a platform approach for distributed Agile and DevSecOps transformation with quality, speed and at scale. Automation across the Agile software delivery life cycle was key for Infosys IT to rapidly evolve, innovate and adopt modern engineering practices. IDP helped Infosys IT adopt SDLC automation and also achieve higher levels of .


So let us see how. Firstly, let us look at how IDP helped in simplifying and accelerating adoption. The platform comes with no-code DevSecOps pipelines for over 25 plus technologies, and it has integration with over 85 plus industry-standard open source and commercial tools. For novice users, the platform comes with an abstracted, simplified visual interface to configure and deal with pipelines. The entire DevSecOps pipeline can be configured in a scriptless fashion, and the predefined templates in the platform standardize the engineering practices and the value stream. The insights and the metrics that come out of the platform guide the users and teams in improving the habits and routines, and also in making the behavior and processes more sentient. So this made it significantly easy for Infosys IT to onboard thousands of components with ease. Secondly, with the one same technology landscape undergoing major transformation to suit the new age application architectures, it became imperative for the platform to be ready to support any new entry into the tools and technology landscape. The platform already supported a rich set of integrations with tools and technologies, which actually helped teams migrate from old to new tools and technologies.


The platform also offers a highly extensible plugin framework that allows teams to onboard newer tools and technologies accurately. The platform is cloud native, and it also supports DevSecOps in a hybrid cloud ecosystem as well. Infosys IT has several applications with deployment targets spread across on-premise as well as cloud infrastructures. IDP helped in touchless deployments across these hybrid environments, and IDP in itself is a microservices-based platform, and it runs on a scalable container orchestration platform like Kubernetes. Lastly, in the governance area, IDP's granular role-based access controls helped in onboarding various Infosys IT stakeholders into a common DevSecOps workflow, and that made them actively participate in shift-left security and compliance related actions. The platform has logging, telemetry and reporting built into it, which makes the automation completely auditable and SOX compliant. The ML insights in the platform offer predictions and recommendations on various areas, such as developer analytics, infrastructure utilization, release risk, application hotspots, anomalies and various others. IDP in itself is built on Live Enterprise principles, and it possesses capabilities to act as a key enabler towards a sentient DevSecOps tooling ecosystem.


So this is how IDP plays a vital role in a DevSecOps tooling ecosystem. It complements the existing tooling investments and it elevates the teams to move from pipeline-based tooling to an enterprise-grade DevSecOps platform. It helps in making systems, processes and experiences more sentient with Infosys Live Enterprise framework principles, such as proximity to source, zero latency, instant simulation and guided practice, among many others. The plug-and-play capabilities and the modular nature of IDP helped Infosys IT to use certain capabilities of the platform as they moved in there to SecOps team. The teams that started with pipeline-based tooling were guided through the platform to move into a higher maturity state that is characterized by cognitive automation, enhanced and quantified SecOps and DataOps practices, entire value stream management, analytics and management, and metrics-driven visibility and governance. And this journey is also characterized by a self-service mode for teams to onboard themselves without the need to learn or acquire DevSecOps skills or to depend on DevOps experts outside of IDP. The platform also democratizes extensibility, and it makes it possible for teams to extend the platform capabilities in a self-service mode.


The platform approach also standardized the tools, it automated the processes and it shifted left the security practices, making the applications more secure. By virtue of the platform integrating with multiple tools, it provided a single unified pane for visibility across the value stream. IDP takes a tools- and technology-agnostic approach to cater to the needs of enterprise teams, and this was put to best use in Infosys IT, as it was adopted across legacy, package, mobile, data, cloud and hybrid application areas. Let us now see some glimpses of how IDP made the Infosys IT Agile DevSecOps processes, more systems, more and light. So first is how IDP enabled faster decision-making with minimal steps in the flow. The platform presents relevant data at the point of use for decision-making for different personas. So what we see here are a few dashboards for application leads, developers, architects and Scrum Masters. Some of these metrics in the dashboard are also baked into the performance management system, thereby establishing a transparent DevSecOps culture and also driving healthy team performance and productivity. These views are hyper-personalized and customizable to provide one-stop access to information across the SDLC landscape.


So IDP also helped in reducing closure time of workflows. All the human touch points in the DevSecOps processes are minimized, and the end-to-end DevSecOps pipeline offers zero-touch automation capability, and it provides instant amplified feedback for action in the form of metrics and dashboards for different personas. The platform also enabled users with what-if kinds of scenarios in the flow. It also suggests alternatives and recommendations to optimize costs and to mitigate risks. Here are a few examples of Agile velocity and defect forecast for a team. On the right side is the infrastructure utilization: the infrastructure's actual utilization data and predictive data. And to the right bottom is an indicator of cost savings in infrastructure if the recommendations were to be implemented. So this is based on the forecast of usage and the actual utilization.


Next is feedback and data that are captured at crucial flows and user interactions across the platform interface. This data is used to improve the platform and it is also used to improve the usage of the platform. So this data is used to drive overall maturity, as well as overall DevSecOps compliance across teams. So every micro front end or UI component and all the key transactions are followed up with a feedback prompt to capture the user-specific feedback. And the telemetry graph provides a measure of overall user sentiment on each feature of the platform.


IDP also provides easy access to knowledge and expertise to help teams make the decision in the flow, and based on the data analysis, the platform nudges the users to perform actions as well. The last one, the most critical of the challenges and the key area to be addressed, is security. We briefly touched upon this in one of the earlier slides. Here the platform provided multiple capabilities to address security and compliance from different dimensions. Firstly, the platform provides something known as the Gordon templates feature that can be enforced at portfolio levels. These templates contain predefined steps and stages of the pipeline that cannot be modified by application teams. So not only do they accelerate the application onboarding, but they primarily help in governing the way the DevSecOps pipelines need to be implemented in a consistent manner across the portfolio. Secondly, the portfolio leads can also set gating thresholds for code quality, test coverage metrics and other metrics as well, which can apply to all applications and pipelines under the portfolio.


These thresholds can be accompanied with even the frequencies to set how often the tools need to be run mandatorily for each team, so that the feedback can be proactive and timely. Then, as we understand by now, IDP already integrates with multiple tools, many of which are security related, say code scanning, container scanning, open-source compliance, privacy checks, penetration tests, et cetera. And as part of the deployment process as well, there are secure integrations with Ansible and Kubernetes for pre- and post-deployment validation and assessment. The platform also offers separate and granular permissions for different personas, as application leads, release managers, environment owners, developers, QA engineers and auditors all come to this unified interface to automate the entire DevSecOps process. So next, observability is one key principle of the Live Enterprise framework, and we have Waterford telemetry and logging that helps us extract audit reports for executions, deployments, configurations, user access management and various other dimensions.


So we also used an external vault to store all sensitive information required for pipelines. This means the pipelines are not coupled with data or inputs and the data is entirely externalized from the pipelines, which makes the pipelines more generic and reusable. Then we also have approval mechanisms for the various environment owners, managers and QA leads to review metrics and to approve deployments to higher environments. These approval steps can be added at any point in the pipeline, and can even invite external stakeholders to be part of the same pipeline, which can give an immersive experience for continuous delivery. Lastly, as an additional check in the governance flow, we also integrated the platform with our homegrown release management solution. So this means that along with the default security capabilities that the platform offers, say role-based governance, approval-based workflows, et cetera, the platform had an additional check, which will allow the production deployments to happen only if the release management system validates the token approval. And so these aspects helped us immensely to help the DevSecOps automation scale and as well become more secure, and the delivered applications were also a lot secured because of these capabilities. So back to you, Shilpa, to talk about how we adopted IDP in the journey and to talk about results and outcomes.


Thank you, KK. So this way IDP was adopted for this massive transformation of our Agile and DevSecOps practices at scale at Infosys IT. In the initial phase, applications, including the new technologies chosen for the modernization, were rapidly onboarded for basic CI comprising build automation with code quality checks enabled with tools like lint and SonarQube. Automated deployments were configured for lower environments. In the next phase, we targeted integration with the homegrown release management solution and also extended the CI/CD capabilities to perform cloud and container-based deployments, along with automated database and infrastructure deployments. During this shift, many tools were realigned on the fly, thanks to the ready support the platform had for multiple industry-standard tools. Multiple container orchestration platforms were evaluated, experimented with and finalized with ease. Likewise, artifactory, governance tools and security tools underwent rationalization alongside the CI/CD journey without any impact on the DevSecOps automation. Now we already have seven new technologies fully onboarded, with over 200 applications and thousand plus pipelines performing over 300 releases per month. The automation consistently rolls out with 50,000 automated tests that run as part of pipelines.


As next steps, the journey continues with capabilities. Our target is to make applications more resilient with self-healing and auto-remediation techniques, and also use more ML-based insights and recommendations for more automated and accurate decision-making. So how did this platform approach help Infosys IT in its transformation at scale? Here are the results. Touchless end-to-end automation adopted for over seven technologies on over 200 applications has resulted in two times productivity increase. Thousands of pipelines running in the platform, with over 150,000 builds happening through the platform till date, have shown four times increase in velocity and 75% improvement in lead time. This also has brought down the turnaround time significantly in services testing, regression testing and cloud releases. A few other areas of interest are the improvement of code quality and continuous testing adoption by about 20%, and also an increase in automated deployments by four times. With platform-led transformation of IT, we were able to implement the process changes needed for pandemic work from home within a few days. For our mobile platform InfyMe, 94% of Infosys employees were enabled within a few days with work from home. Quick turnaround due to this transformation at scale helped the organization to align to changes needed for the pandemic quickly. This is our mission: DevSecOps at scale with platform approach. Stay safe, stay healthy. Thank you so much for your patient hearing.