For Cloud Infrastructure Provider Cyxtera, Security Is a Constant Work in Progress

To revamp a highly specialized security product, CTO Kurt Glazemakers first had to rethink its outmoded development processes.

Moving to a DevOps culture can help to modernize legacy software, revitalizing it to meet changing market demands. That was the game plan for Kurt Glazemakers, chief technology officer at Cyxtera, when he introduced DevOps to a key product called AppGate in 2015.

The network access control product was initially produced by a Swedish company of the same name, which was founded in 2002. AppGate creates a “segment of one” that shows users only those parts of the network that they are authorized to see, and it secures network access for remote users around the world. When Glazemakers’ private equity employer acquired AppGate’s owner, he saw the product’s potential as a tool to manage access to multicloud environments.

But to get there, AppGate needed work. “It was in maintenance mode,” Glazemakers recalls. Most of its core developers had departed, leaving a team of 18 developers and quality assurance staff.

The product’s original development team had created it using a traditional waterfall method, with separate QA cycles. That meant a long slog to ready vulnerability fixes for release. The entire development process needed an overhaul.

First Steps on a DevOps Journey

In 2015, when Glazemakers became CTO, he decided to rekindle feature development for AppGate using DevOps, a move few companies were making at the time.

Today, slightly more than one in four developers (27 percent) report having worked on a DevOps team, an increase from 19 percent in 2015, according to the 2018 “Accelerate: State of DevOps Report.”

To begin AppGate’s transition, Glazemakers recruited some of the core product developers back to the fold. Next, he moved to a DevOps environment that built QA testing directly into the continuous integration pipeline. Using automation was key, he says, and that included controls that prevented bad code from getting into the system.

“If developers fail to upload proper code, you should have controls over it so that they don’t stop others from working,” he explains. Code must pass the automated tests before it is allowed to merge into the master branch. As a result, all developers know that the master branch is tried and tested, so they can upload their own code to it without waiting for other developers to test and fix theirs.

Building a Custom Toolkit

The continuous integration process rests on a tool chain built on GitHub Enterprise, which can block code commits that have not been tested. But Glazemakers’ team created its own tools for the testing and simulated deployment environments that integrate with that platform.

“In the first two years of this project, we spent the entire development cycle on the toolsets and not on the product itself,” Glazemakers says.

That’s a long time to prepare a toolset, but it was time well spent, according to Glazemakers. As a specialized security product, AppGate manages highly sensitive issues like device visibility on the network, as well as the use of signed certificates for authentication. “Most tools don’t even support that,” he explains.

Once code passes all of these tests, developers can merge it with the master branch. The team then can use the master code itself, deploying it internally for developers to use for their own network access. This helps identify any other issues before pushing the product to final release.

DevOps at Your Service

Cyxtera now has 25 core AppGate developers, divided into five teams. Each team handles a core product component such as the software client, the user experience, or the software embedded in appliance hardware. Each of the five fully owns its own software component, setting development priorities and writing its own tests.

All teams work toward a maintenance release every month and a feature release every quarter. In the two weeks before the quarterly release, the entire DevOps community becomes a QA team, testing each other’s code for overlooked issues. “Those we do find are very minor,” Glazemakers says, adding that they’re the kinds of fixes that could be pushed out in hourly releases if the software was accessed as a cloud service.

Already, Cyxtera is moving toward that service-based model, having launched a cloud-based AppGate service option this year. Glazemakers expects it to become the main consumption model within two years. That will make the two-week QA sprint irrelevant, because the DevOps team will find and release minor fixes to customers far more frequently.

The fast turnaround has already significantly enhanced AppGate’s security. Glazemakers notes that the team updates the code internally six times each day.

“The only way to make a service that automatically updates all the time is to have the model in place before you do it,” he says. “All the ingredients are preparing for what’s going to happen as the service gets traction and becomes mainstream.”

When that happens, AppGate will be ready.

About the author

Danny Bradbury is a freelance journalist specialising in technology, business, and environmental writing. He has been a freelance journalist since 1994.