Everything-as-Code

Written by Mike Hogan

July 7, 2021

Everything-as-Code (EaC) is the future of IT; the benefits are simply overwhelming. EaC is the next logical step of DevOps, the merger of development and operations. Under the DevOps model, developers took responsibility for running their code. EaC gives developers responsibility to define everything, especially the underlying infrastructure that the code runs on. As developers assume responsibility for selecting, provisioning, and configuring infrastructure, they will also increasingly assume responsibility for selecting technology vendors and services. The inevitable adoption of EaC will reshape all companies that develop software, as developers assume responsibility for many traditional IT functions. The largest disruption, however, will impact traditional technology vendors who have ignored developers in favor of selling to IT. Those companies will fare as well as the dinosaurs did against the massive meteor strike that suddenly altered their climate. If you think this is hyperbole, you won’t once you read this article.

A Brief History of How We Got Here

Everything-as-Code is actually the merging of three major trends that have been building over the last 30 years: virtualization/cloud, shift-left/DevOps, and Kubernetes/microservices.

Virtualization and Cloud: In the late 1990s, IT companies started virtualizing compute. In the early 2000s, they started virtualizing storage and networking. Public clouds hit the scene in 2006 with Amazon AWS. Unlike on-premises clouds, public clouds do not provide physical access to equipment. Virtualization had paved the way for public clouds, and admin panels enabled remote management. APIs then took remote management one step further, enabling most services to be controlled via code.

CI/CD, Shift-Left, and DevOps: At the same time, the software development pipeline was being automated first with Continuous Integration (CI) tools, then evolving into CI/CD. Companies began to automate software testing/QA and to move it into the CI/CD process. QA was shifting left, becoming the responsibility of developers. Then security shifted left as developers assumed responsibility for addressing code vulnerabilities, policies, secrets analysis, and more. Then developers assumed responsibility for operating their code as more companies adopted the DevOps model.

Kubernetes and Microservices: Kubernetes, which is quickly becoming the application operating system of the future, enabled microservices, further changing the development pipeline. Kubernetes orchestrates microservices: small, loosely coupled services that evolve independently of each other. When companies adopt a microservices development model, there are so many moving pieces that automation is required; traditional manual processes simply cannot scale.

[Figure: Everything-as-Code: Virtualization and Cloud; CI/CD, Shift-Left, and DevOps; Kubernetes and Microservices]

Everything-as-Code

Everything is shifting-left to developers and Everything-as-Code is the next logical phase of this evolution. The adoption of cloud technologies provided us with APIs to control provisioning and management functions. Development was already subsuming operations (DevOps) and security (DevSecOps). CI/CD provided the backbone for automating many phases of the development lifecycle. Now Kubernetes provides a standard application operating system powering the adoption of microservices. These trends combine to enable Infrastructure-as-Code (IaC), enabling automated provisioning, configuration and management functions. With this, microservices can define, provision, configure and manage themselves, all automated within CI/CD tools. Pipeline-as-Code, the automation of the software deployment process often called GitOps, is being automated as well. Everything is being shifted left to the realm of developers in the form of Everything-as-Code.

Not that these trends needed additional incentives, but off-shoring and work-from-home (WFH), which are driven by Covid-19, are further accelerating the adoption of microservices because they reduce dependencies between code. This is increasing adoption of EaC.

As developers take on more responsibility, more functions over smaller pieces of code, they are hollowing out many of the functions traditionally handled by IT. Vendor selection and procurement are some of the traditional IT roles that are increasingly handled in code. This has a massive impact on large numbers of IT vendors who have traditionally sold through IT. Many of those functions are now being defined and executed by the development team in the form of EaC. Those technology vendors who cling to their traditional model of selling to IT will be increasingly disrupted by those that build a relationship with developers.

[Figure: Shift Left Diagram]

Benefits: It’s NOT Just About Automation

Obviously, Everything-as-Code enables automation, which improves development speed, scale, and time-to-market. This is very compelling, but it isn’t the only benefit of the Everything-as-Code (EaC) trend, not by a long shot. Here are some of the additional benefits driving the EaC trend.

Quality: Developers love to copy code that works. Why create something from scratch when you can leverage all the thought, refinement, and testing that has been applied to an existing piece of code? EaC puts many of the traditional IT functions into code that has already been put to the test. Code reuse is not only faster, it improves both quality and consistency.

Distributed Knowledge: YouTube disrupted education because you no longer had to pay for a second-rate local teacher; you can learn anything from the world’s expert (or best teacher) in a 5-minute video. Code does the same thing: it enables the world’s experts to define the best practices, and then anyone can copy and tweak the resulting code to fit their needs. Reusable code is the ultimate in distributed knowledge.

Distributed Development: EaC codifies (or code-ifies) processes in code that is shared throughout the organization. This facilitates offshoring and work-from-home (WFH) because they all use the same automation code, such as IaC files.

Cost Savings: In addition to the cost savings that derive from automation, there are other cost savings from EaC. Because it facilitates distributed knowledge, companies no longer need an army of highly specialized and expensive IT people with deep knowledge in a narrow field. That knowledge is in the code itself and that code evolves as human knowledge evolves. Companies can reduce their IT staff and budgets. Spoiler alert: If you are an IT company and you sell to these domain experts, prepare to be disrupted by competitors who cater to developers.

Deployment Flexibility: Companies want deployment flexibility: the ability to shift workloads based on a variety of factors. By leveraging EaC technologies, you abstract away the details of the platform and processes. The code can be easily deployed, moved and shared across any infrastructure, whether on-premises, hybrid, or multi-cloud, giving companies the ultimate in deployment flexibility.

Improved Security: There are several security advantages that result from EaC. Policy-as-Code (PaC) can be used for fine-grained role-based access controls (RBAC) to reduce risks. Security-as-Code can be used to automate analysis of software risks such as vulnerabilities, dependencies, license types, secrets, versioning issues, malware, infrastructure-as-code, and more. Shameless plug: This is what www.carbonetes.com does. You can also implement a variety of security measures—such as network microsegmentation—via EaC. There are many aspects of Security-as-Code and it is a rapidly evolving field.

Compliance: For compliance to operate at scale and at development speed, particularly in a microservices world, it must be automated. PaC can automate and distribute the company’s security policies. The results from the above-described security analysis can be automatically evaluated against security policies to ensure compliance. Between CI/CD processes, distributed development and microservices, the only way to enforce compliance is by automating it as code.
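The automated evaluation described above, sketched as an added example (not code from this article or from any vendor's product): scanner findings are checked against a policy kept as data under version control, and the CI/CD stage fails when any finding violates it. The policy schema, the finding fields and the sample findings are all constructed for illustration.

```python
# Added example: a minimal policy-as-code gate for a CI/CD stage.
# POLICY schema and FINDINGS are constructed; they are not a real tool's format.
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

POLICY = {
    "vulnerability": {"max_severity": "medium"},        # high/critical block the build
    "secret": {"allowed": False},                        # any committed secret blocks
    "license": {"denied": {"AGPL-3.0-only"}},
    "iac": {"denied_rules": {"container-runs-as-root"}},
}

FINDINGS = [  # constructed scanner output
    {"type": "vulnerability", "id": "EXAMPLE-VULN-1", "severity": "critical"},
    {"type": "vulnerability", "id": "EXAMPLE-VULN-2", "severity": "low"},
    {"type": "secret", "id": "hardcoded-token", "path": "app/config.py"},
    {"type": "license", "id": "libexample", "license": "MIT"},
    {"type": "iac", "id": "deploy.yaml", "rule": "container-runs-as-root"},
    {"type": "malware", "id": "sample.bin"},             # no rule in POLICY
]

def check(finding, policy):
    """Return a violation reason, or None if the finding is within policy."""
    rule = policy.get(finding["type"])
    if rule is None:
        # Fail closed: a finding type the policy does not cover must not pass silently.
        return "no policy for finding type (fail closed)"
    kind = finding["type"]
    if kind == "vulnerability":
        sev = finding.get("severity", "critical")        # missing severity = worst case
        if SEVERITY_RANK.get(sev, 4) > SEVERITY_RANK[rule["max_severity"]]:
            return f"severity {sev} exceeds {rule['max_severity']}"
    elif kind == "secret" and not rule["allowed"]:
        return "secrets are not allowed"
    elif kind == "license" and finding.get("license") in rule["denied"]:
        return f"license {finding['license']} is denied"
    elif kind == "iac" and finding.get("rule") in rule["denied_rules"]:
        return f"IaC rule {finding['rule']} is denied"
    return None

def evaluate(findings, policy=POLICY):
    """Evaluate all findings; the result is compliant only with zero violations."""
    violations = [(f["id"], r) for f in findings if (r := check(f, policy))]
    return {"compliant": not violations, "violations": violations}

if __name__ == "__main__":
    result = evaluate(FINDINGS)
    for finding_id, reason in result["violations"]:
        print(f"FAIL {finding_id}: {reason}")
    sys.exit(0 if result["compliant"] else 1)            # non-zero exit blocks the stage
```

Because the policy is plain data in the repository, every change to it goes through the same review and changelog as the code it governs.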

Governance: EaC creates versioning and changelogs that can be analyzed to identify when things changed, how they changed, and who changed them. This makes governance much faster, easier, and more scalable than it was in the days of manual provisioning.

Conclusions

Everything-as-Code (EaC) is far more than simple automation; it is the foundation of future IT processes. As more and more IT functions move into code, those functions are increasingly shifting left to software developers. With a shift of control also comes a shift in ownership. Developers are gaining the power to select deployment environments.

IT Vendors: If you sell infrastructure—compute, storage/backup, networking, cloud, etc.—your customer will look less and less like traditional IT and more like the development team. If you don’t have a strategy to build a developer community and ease their interface to your tools via code, then you will be disrupted by a competitor that does. If your sole interface to your customers is via IT, things will get painful.

IT People: Your users have already disintermediated IT to some degree by going to SaaS applications, known as Shadow IT. Some developers may have slapped down a personal credit card and done their own thing on public clouds as well. But you remained in control of vendor selection as the gatekeeper to the company’s infrastructure. This will increasingly move to code. Traditional IT will be disintermediated, but those individuals who embrace EaC will thrive.

Developers: As more and more capabilities shift to code, they shift-left into your realm. If you develop your skills in EaC, you can lead your company through this transition. A great way to get started is via Kubernetes, Carbonetes and GitOps (IaC + automation agents). If you embrace these technologies, you’ll be calling the shots going forward.

Everything-as-Code will continue to demonstrate faster time-to-market, agility, code quality, security, deployment flexibility, compliance and governance, while lowering costs. This is a wave that will only grow and subsume more of the traditional IT functions. Don’t fight the wave, ride the wave.
