From Serverless to NoOps: IT’s automation agenda

April 25, 2019

A blog post by Ken Corless, principal and cloud practice CTO, and Mike Kavis, chief cloud architect, Deloitte Consulting LLP; and Kieran Norton, principal and infrastructure security leader, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP 

In this era of tight budgets and continual disruption, finding ways to shift resources from operations to innovation remains a top CIO goal. Automation frequently plays a key role, and today many organizations are embracing serverless computing, in which cloud vendors allocate compute, storage, and memory dynamically and automatically. That relieves enterprises of the need to handle those tasks manually, but for many, it’s just the beginning. Often, the real goal is a NoOps IT environment—one that is so automated and abstracted from underlying infrastructure that only a very small team is needed to manage it. Surplus human capacity can then focus on creating new value.

Large companies including Netflix and Coca-Cola have been among those at the vanguard of the serverless trend, and many more are likely to follow, growing the market from $4.25 billion in 2018 to $14.93 billion by 2023, according to at least one prediction. NoOps may take longer to achieve, but across industries, the transition—however preliminary—is underway.

Enough With the ‘Care and Feeding’

The terms “NoOps” and “serverless” are often used interchangeably, but in fact they are distinct. “Ops” comprises any number of operational areas—think networking, security, management, and monitoring—and serverless basically describes server administration. Yet both terms are misnomers. In the serverless model, there are still servers—it’s just that their functions are automated. Likewise, in NoOps environments, traditional operations such as code deployment and patching remain internal responsibilities—they are simply automated to the extreme.

Serverless computing offers CIOs a toolkit for transforming their IT operations. Potential benefits include:

• Infinite scalability and high availability. Functions scale horizontally and elastically depending on user traffic.
  
• No idle-time costs. In a serverless computing model, companies pay only for the duration of execution of a function and the number of functions executed. When a function is not executed, no charge is levied, thus eliminating any idle time. This represents an improvement over legacy cloud computing models in which users are charged on an hourly basis for running virtual machines.
  
• NoOps (or at least less Ops). Though operational tasks such as debugging typically remain in-house, infrastructure management is fully outsourced.
  

In many companies today, cloud strategies remain works in progress, as do efforts around virtualization and containers. With its promise of a NoOps future, serverless computing does not suddenly render these efforts redundant—rather, it offers a vision of a highly automated end state to which CIOs can aspire. And aspire they do: In the 2018 Deloitte's global CIO survey, 69 percent of respondents identified “process automation and transformation” as the primary focus of their digital agendas. In the coming years, serverless will likely be a key technology many CIOs use to automate the deployment, scale, maintenance, and monitoring of applications.

The Elusive NoOps Dream

NoOps is the ultimate vision for many organizations in part because it offers a new way of looking at an age-old problem: How can we make resources go further? For budget-strapped CIOs whose enterprise fiefdoms generate no revenue directly, there’s historically been no clear answer. What is clear is that there is not a lot of business value to be found in maintaining servers and data centers. Paying employees whose expertise lies solely in patching servers has traditionally been just another cost of doing business.

The NoOps trend offers CIOs an opportunity to shift the focus from patching, monitoring, and measuring to higher-value engineering and development tasks. More broadly, it makes it possible to manage IT operations more efficiently using automation and orchestration capabilities that others have pioneered and proven. In a NoOps model, developers no longer have to coordinate with other teams to execute minor tasks involving underlying infrastructure, operating systems, middleware, or language runtime.

Several cloud providers currently offer serverless platforms that can help enterprises move ever closer to a NoOps state. Amazon, Google, and Microsoft dominate today’s serverless market, but Alibaba, IBM, Oracle, and a number of smaller vendors are bringing their own serverless platforms and enabling technologies to market as well. Meanwhile, open-source projects such as OpenFaas and Kubeless aim to bring serverless technologies from the cloud to on-premise environments.

The Risk Perspective

It’s important to remember that the serverless computing model is still evolving—it is by no means a cure-all for development and operations problems. For example, the production tooling that provides visibility in serverless development environments is currently limited. Development professionals cite migration, monitoring and debugging, and vendor lock-in among the top challenges when working with serverless today, according to a recent survey.

The potential cyber risks may seem daunting, but in fact automation can help protect against potential threats. Done properly, security protocols in a serverless environment supported by a NoOps operating model might significantly reduce cyber risk. The key is to see risk mitigation as an opportunity to develop and implement security and risk processes within the code itself.

There is no way to eliminate cyber risk altogether, of course, so it is imperative that enterprises re-evaluate and redefine their risk tolerance in light of their serverless technology adoption. By leveraging the power of that technology, however, security teams can deploy solutions that will help contain and respond to threats new and old in a way not previously possible. NoOps automation can not only make it easier but also take active defense efforts even further.

For years, the basic care and feeding of critical systems claimed large portions of IT’s budget and labor capacity. Today, the serverless and NoOps trends offer CIOs a way to redirect these precious resources away from operations and toward outcomes. They also offer development teams opportunities to learn new skills and work more independently. The journey from legacy internal servers to cloud-based compute, storage, and memory will not happen overnight, nor will it be without challenges. But as more CIOs are realizing, the opportunity to fundamentally transform IT from being reactive to proactive is just too good to ignore.

This article first appeared on the WSJ.