Cloud & DevOps Leader

Halifax, Nova Scotia, Canada; Ontario, Canada

Applications have closed

Ness Digital Engineering

Ness is a digital engineering company providing advisory & scaled services for digital business transformation, leveraging digital transformation technologies.

















State of Global DevOps  
FEB. 26, 2025  





Overview  
• Disciplines and Coverage  
• What does the DevOps team do?  
• What product areas does the DevOps team cover?  
• Roles and Responsibilities  
• Deliverables  
• Challenges  
• ISO 27001 & SOC 2 Compliance  





Disciplines & Coverage  





What Does the DevOps Team Do?  
• The DevOps team has a wide array of responsibilities that can be categorized into three broad  
areas:  
• DevOps  
• CloudOps  
• Security  
• The team carries out these responsibilities over the following areas:  
• Studio  
• Networks  
• Shared Services  





What is DevOps?  
• DevOps is a set of practices that bridges the gap between development and operations.  
• Goal is to foster collaboration and encourage faster delivery of software by eliminating bottlenecks in  
the development process.  
• DevOps covers things like:  
• CI/CD processes, release management  
• Development and test infrastructure (registries, feeds, build servers and agents, tooling and  
automation)  
• Repository creation and management, Azure DevOps administration  
• Application delivery; packaging, publishing, delivery to SaaS environment  





What is CloudOps?  
• CloudOps is a collection of strategies, tools, and processes used to manage the delivery,  
performance, and orchestration of IT services running in the cloud.  
• Goal is to orchestrate, operationalize, and govern cloud infrastructure.  
• CloudOps covers areas such as:  
• Infrastructure design and maintenance  
• Infrastructure as code deployments  
• Cloud spend optimization and management  
• Performance monitoring of cloud resources  
• Cloud migrations  
https://www.redhat.com/en/topics/automation/what-is-cloudops  





Security  
• The DevOps team is responsible for the application and monitoring of security practices as they  
apply to R&D.  
• This includes areas such as:  
• Development best practices (code review, QA enforcement, change management)  
• Vulnerability scanning  
• Cloud security  
• Members of the DevOps team also have varying levels of involvement in our two security  
compliance certifications, SOC 2 (Studio), and ISO 27001 (DACH). More on this later.  





Areas of Responsibility  
• Studio: This includes all Studio products, regardless of whether they’re developed in Canada or  
Europe, and their infrastructure.  
• Networks: This includes all development for Networks, including third party contractors.  
• Shared Services: These are services and infrastructure used across the organization:  
• Documentation sites (docs.vertigis.com and docs.vertigisstudio.com)  
• Download Centre  
• Container registries  
• Azure DevOps  
• Transifex  





Roles & Responsibilities  






• We have three core team members  
• Petr is based in Europe  
• Dayton and Hannah are based in North America  







• Collectively the team handles the DevOps work for all shared services, including:  
• Azure DevOps management  
• SonarQube management  
• Adding products to the Download Centre  
• CI/CD pipelines for documentation sites  
• Shared registries, feeds, and GitHub orgs  
• Pipeline templates and guidelines, tooling  
• EOL services/products  
• Azure DevOps onboarding and migrations  







• Team members are responsible for different product lines  
• Within each product line, team members provide:  
• Repository management  
• Permission and policy management  
• Build server and agent management  
• Pipeline support  
• Publishing support  
• Guidelines and best practices  
• While responsibilities are divided, the team coordinates all work in a single backlog  
• Focus is on unifying DevOps practices across product lines where reasonable/possible  







• The Studio team is responsible for all CloudOps relating to the Studio product line  
• The Studio team also handles CloudOps for shared services  
• Download Centre infrastructure  
• Documentation infrastructure  
• Static assets  
• Repository backups  
• Networks CloudOps is shared jointly by Petr and Thomas Buchmann  







• CloudOps for FM is handled by Lukas Kleppin’s team, with Thomas Buchmann playing an advisory role  
• There is no overlap between FM (CloudOps or DevOps) and the DevOps team  







• DevOps’ involvement in security compliance varies by region  
• In North America, the DevOps team helps lead the SOC 2 attestation effort in conjunction with the IT team. Areas of responsibility include:  
• Change Management  
• Cloud Asset Management  
• Server hardening and penetration testing  
• ISO 27001 compliance in Europe is primarily handled by the European IT team, with Thomas Buchmann responsible for cloud security in the Azure Landing Zone tenant  









• The true amount of collaboration can’t be fully captured by a simple diagram  
• The DevOps team often collaborates across product lines to fulfill requests  
• The entire DevOps team regularly meets with the CCOE to plan and coordinate across Azure tenants  
• The inclusion of Studio in ISO 27001 necessitates involvement of the Studio DevOps team in the audit process, although chief responsibility lies with the European IT team  





Deliverables  





Guiding Principles  
• Enable developers to deliver software by automating processes, removing barriers, and  
facilitating collaboration through developer tools  
• Create and maintain secure, scalable, and reliable infrastructure in the cloud  
• Create and uphold processes for maintaining security compliance  





Studio  
1. Next-gen Printing and Reporting running in the SaaS environment  
o SOC 2 compliance  
o Infrastructure design, templates, and testing  
o Application delivery  
2. Finish templating the Studio SaaS Environment  
o Initial goalpost is all SaaS infrastructure  
o We ultimately want to be able to deploy the entire Geocortex Online Production subscription from templates  
3. Monitoring and telemetry for all Studio products  
o Primary focus is monitoring service health and sending more detailed alerts when there are issues  
o Primary responsibility is organizing, enabling, and handling all Azure infrastructure  
o Work in coordination with XPI  
4. Maintain and improve security compliance and posture  
o Includes tackling Defender for Cloud recommendations, infrastructure redesign to improve security, and carrying out compliance audits  





Networks  
1. Landing Zone templates and associated automation  
o Reorganization of the Networks template repos to reduce confusion  
o Optimize existing templates for reliable, quick deployments wherever possible  
o Add templates and automation to reduce the amount of manual work done in deployments  
2. Unity with Studio team in development processes  
o This is a two-way street with the Studio development team; the goal is to minimize the gap between teams to enable effective collaboration  





Team  
1. Unified testing and development infrastructure across all development teams  
o Aim to create testing infrastructure that is cloud-based and accessible to all who need it  
2. Improved process documentation for continuity  
o Eliminate knowledge silos within the DevOps team  
3. Education/certifications for the DevOps team  
o Pluralsight  
o Azure certifications  
o Knowledge transfer sessions  





Challenges  





Capacity and Request Volume  
• The DevOps team’s volume of work outstrips the capacity of a three-member team  
• In the absence of additional DevOps resources, the team will continue to prioritize requests and  
projects and communicate delays to the relevant stakeholders  
• Work that is not strictly related to DevOps/CloudOps/Security will inherently have a lower priority  
• We encourage teams to frequently refer to security policies and existing documentation to  
develop a better understanding of what work they can self-serve  
• Teams requesting support should have an understanding that requests are triaged through a  
backlog system, and as such requests should be submitted with a reasonable amount of time to  
complete them  





Knowledge Silos  
• The “team” part of DevOps Team is still relatively new and we’re all learning about new systems  
and platforms as the scope of the role expands.  
• Often, only one member of the team has experience with a particular system or process, meaning we  
have little redundancy in the role  
• With limited time, requests and tasks have taken priority over knowledge sharing, creating  
knowledge silos within the team  
• We are building better systems for knowledge sharing (ex. DevOps wiki, shared OneNote,  
knowledge transfer meetings), and more structured onboarding to help everyone get on equal  
footing  





Differing Compliance Requirements  
• Multiple security compliance frameworks across different regions create confusion and slow  
down iteration for teams  
• Restrictions on what personnel are allowed to make and approve changes reduce the agility of  
the team  
• The DevOps team has produced documentation on Access and Approvals to help our team and  
others navigate our complex security landscape  
• There are ongoing initiatives to open up better access routes to resources (for example Azure)  
for senior developers to improve efficiency in this area  





ISO 27001 & SOC 2  





ISO 27001  
• ISO 27001 is a security compliance standard that defines the requirements an Information  
Security Management System (ISMS) must meet  
• An ISMS is a set of policies, procedures, and controls that govern how an organization manages  
information security risks  
• ISO 27001 compliance relies on 5 security principles:  
• Confidentiality  
• Integrity  
• Availability  
• Authenticity  
• Non-repudiation  
• Our ISO 27001 certificate is held by VertiGIS GmbH and VertiGIS AG, covering all offices in  
Germany, Switzerland, and Austria  
https://www.iso.org/standard/27001  





SOC 2  
• SOC 2 is a security compliance framework used to evaluate and validate an organization’s  
information security practices, used most commonly in the North American SaaS industry  
• SOC 2 has 5 trust services criteria:  
• Security (required)  
• Availability (optional)  
• Confidentiality (optional)  
• Processing Integrity (optional)  
• Privacy (optional)  
• The VertiGIS Studio SaaS Environment is SOC 2 Type II compliant, meaning our controls have  
been checked against the SOC 2 criteria, and their effectiveness has been tested over the  
entirety of our audit period  
https://www.vanta.com/collection/soc-2/what-is-soc-2  





Overlap  
• ISO 27001 certifies a legal entity and all its assets, whereas SOC 2 covers a specific product  
scope. This functional difference leads to some overlap.  
• Development teams in Europe working on Studio SaaS products (Printing, Reporting, Search)  
are bound by both ISO 27001 and SOC 2  
• Since the .eu Studio SaaS environment is considered an asset of VertiGIS GmbH, it falls under  
the ISO 27001 umbrella, presenting challenges when Studio products don’t meet certain ISO  
27001 requirements that aren’t covered by SOC 2  
• Shared tools like Azure DevOps must also meet requirements for both SOC 2 and ISO 27001  
• Requirements for SOC 2 are limited to Studio projects and powerful user groups (like global  
administrators), whereas ISO 27001 requirements apply to Azure DevOps as a whole  
• Responsibility for the compliance of these shared resources is not clearly defined, but there is extensive  
collaboration between the ISO and SOC 2 teams  





Summary  
• “DevOps” team is a misnomer; the team covers DevOps, CloudOps, and Security for  
Studio, Networks, and services shared by the entire organization  
• The DevOps team works in conjunction with the CCoE, NA IT Team, and European IT  
Team to deliver services and meet security compliance requirements  
• The Studio DevOps team is focused on supporting new products, modernizing the  
SaaS environment, providing better monitoring insights, and improving our security  
posture  
• The Networks DevOps and CloudOps teams are focused on cloud infrastructure in  
the Landing Zone, and unifying development practices with the Studio team  
• The biggest challenge facing the DevOps team is capacity: we don’t have enough  
resources to meet demand  
• The DevOps team participates in ISO 27001 and SOC 2 audits to varying degrees; the  
two compliance frameworks overlap in certain areas that can present logistical  
challenges  


Tags: Audits Automation Azure CI/CD Cloud Compliance DevOps GitHub ISMS ISO 27001 Monitoring Pentesting Privacy R&D SaaS SOC SOC 2 SonarQube

Region: North America
Country: Canada
