For many enterprises, the journey to cloud reduces technical debt costs and meets CapEx-to-OpEx objectives. This includes rearchitecting to microservices, lift-and-shift, replatforming, refactoring, replacing and more. As practices like DevOps, cloud native, serverless and site reliability engineering (SRE) mature, the focus is shifting toward significant levels of automation, speed, agility and business alignment with IT (which helps enterprise IT transform into engineering organizations).

Many enterprises struggle to derive real value from their cloud journeys and may continue to overspend. Multiple analysts have reported that over 90% of enterprises continue to overspend in cloud, often without realising substantial returns.

The true essence of value emerges when business and IT can collaborate to create new capabilities at a high speed, resulting in greater developer productivity and speed to market. Those objectives require a target operating model. Rapidly deploying applications to cloud requires not just development acceleration with continuous integration, deployment and testing (CI/CD/CT), It also requires supply chain lifecycle acceleration, which involves multiple other groups such as governance risk and compliance (GRC), change management, operations, resiliency and reliability. Enterprises are continuously looking for ways that empower product teams to move from concept to deploy faster than ever.

Automation-first and DevSecOps-led approach

Enterprises often retrofit cloud transformation elements within existing application supply chain processes rather than considering new lifecycle and delivery models that are suited for speed and scale. The enterprises that reimagine the application lifecycle through an automation-first approach encourage an engineering-driven product lifecycle acceleration that realizes the potential of cloud transformation. Examples include:

• Pattern-based architecture that standardizes the architecture and design process (while teams have the autonomy to choose patterns and technology or co-create new patterns).
• Patterns that address security and compliance dimensions, ensuring traceability to these requirements.
• Patterns-as-code that help codify multiple cross-cutting concerns (this also promotes the inner source model of patterns maturity and drive reusability).
• DevOps pipeline-driven activities that can be utilized across the lifecycle.
• Automatic generation of specific data needed for security and compliance reviews.
• Operational-readiness reviews with limited or no manual intervention.

As enterprises embrace cloud native and everything as code, the journey from code to production has become a critical aspect of delivering value to customers. This intricate process, often referred to as the “pathway to deploy,” encompasses a series of intricate steps and decisions that can significantly impact an organization’s ability to deliver software efficiently, reliably and at scale. From architecture, design, code development, testing to deployment and monitoring, each stage in the pathway to deploy presents unique challenges and opportunities. As you navigate the complexities that exists today, IBM® aims to help you uncover the strategies and target state mode for achieving a seamless and effective pathway to deploy.

The best practices, tools, and methodologies that empower organizations to streamline their software delivery pipelines, reduce time-to-market, enhance software quality, and ensure robust operations in production environments will all be explored.

The second post in this series provides a maturity model and building blocks to help enterprises accelerate their software supply chain lifecycle in the ever-evolving landscape of enterprise cloud-native software development.

Pathway to deploy: Current view and challenges

The diagram below summarizes a view of enterprise software development life cycle (SDLC) with typical gates. While the flow is self-explanatory, the key is to understand that there are several aspects of the software supply chain process that make this a combination of waterfall and intermittent agile models. The challenge is that the timeline for build-deploy of an application (or an iteration of that) is impacted by several first- and last -mile activities that typically remain manual.

The key challenges with the traditional nature of SDLC are:

1. Pre-development wait time of 4-8 weeks within architecture and design phase to get to development. This is caused by:
   • Multiple first-mile reviews to ensure no adverse business impacts, including privacy concerns, data classification, business continuity and regulatory compliance (and most of these are manual).
   • Enterprise-wide SDLC processes that remain waterfall or semi-agile, requiring sequential execution, despite agile principles in development cycles (for example, environment provisioning only after full design approval).
   • Applications that are perceived as “unique” are subject to deep scrutiny and interventions with limited opportunities for acceleration.
   • Challenges in institutionalizing patterns-based architecture and development due to lack of cohesive effort and change agent driving, such standardization.
   • A security culture that affects the speed of development, with adherence to security controls and guidelines often involving manual or semi-manual processes.
2. Development wait time to provision environment and CI/CD/CT tooling integration due to:
   • Manual or semi-automated environment provisioning.
   • Patterns (on paper) only as prescriptive guidance.
   • Fragmented DevOps tooling that requires effort to stitch together.
3. Post-development (last-mile) wait time before go-live is easily 6–8 weeks or more due to:
   • Manual evidence collection to get through security and compliance reviews beyond standard SAST/SCA/DAST (such as security configuration, day 2 controls, tagging and more).
   • Manual evidence collection for operation and resiliency reviews (such as supporting cloud operations and business continuity).
   • Service transition reviews to support IT service and incident management and resolution.

Pathway to deploy: Target state

The pathway to deploy target state requires a streamlined and efficient process that minimizes bottlenecks and accelerates software supply chain transformation. In this ideal state, the pathway to deploy is characterized by a seamless integration of design (first mile), as well as development, testing, platform engineering and deployment stages (last mile), following agile and DevOps principles. This helps accelerate deployment of code changes swiftly and automatically with necessary (automation-driven) validations to production environments.

IBM’s vision of target state prioritizes security and compliance by integrating security checks and compliance validation into the CI/CD/CT pipeline, allowing for early detection and resolution of vulnerabilities. This vision emphasizes collaboration between development, operations, reliability and security teams through a shared responsibility model. It also establishes continuous monitoring and feedback loops to gather insights for further improvement. Ultimately, the target state aims to deliver software updates and new features to end users rapidly, with minimal manual intervention and with a high degree of confidence for all enterprise stakeholders.

The diagram below depicts a potential target view of pathway to deploy that helps embrace the cloud-native SDLC model.

Key elements of the cloud-native SDLC model include:

• Pattern-driven architecture and design institutionalized across the enterprise.
• Patterns that incorporate key requirements of security, compliance, resiliency and other enterprise policies (as code).
• Security and compliance reviews that are accelerated as patterns and used to describe the solution.
• Core development, including the creation of environments, pipelines and services configuration (which is driven through platform engineering enterprise catalog).
• CI/CD/CT pipeline that builds linkages to all activities across pathway to deploy lifecycle.
• Platform engineering builds-configures-manages platforms and services with all enterprise policies (such as encryption) embedded as platform policies.
• Security and compliance tooling (for example, vulnerability scans or policy checks) and automation that is integrated to the pipelines or available as self-service.
• Generation of a high degree of data (from logs, tool outputs and code scan insights) for several reviews without manual intervention.
• Traceability from backlog to deployment release notes and change impact.
• Interventions only by exceptions.

Pathway to deploy drives acceleration through clarity, accountability and traceability

By defining a structured pathway to deploy, organizations can standardize the steps involved in supply chain lifecycle, ensuring each phase is traceable and auditable. This allows stakeholders to monitor progress through distinct stages, from initial design to deployment, providing real-time visibility into the program’s status. Assigning ownership at each stage of the pathway to deploy ensures that team members are accountable for their deliverables, making it easier to track contributions and changes, as well as accelerating issue resolution with the right level of intervention. Traceability through the pathway to deploy provides data-driven insights, helping to refine processes and enhance efficiency in future programs. A well-documented pathway to deploy supports compliance with industry regulations and simplifies reporting, as each part of the process is clearly recorded and retrievable.