"I will gladly lock myself into the best platform"
Just, the best platform of today may not be the best platform of tomorrow...
DevOps, a combination of development and operations, may have to be rethought because ops is on the outs. In recent years, those who develop applications and those who manage the machines hosting the apps have tended to be distinct. Even recently, as physical machines have given way to virtual machines and containers …
And outsourcing, at least of computational resources, is just another word for the old computing bureaux.
How many years do we give it before departments are trying to sneak PCs in and hide them under their desks to take back control (which will probably be a good deal more effective at that than Brexit)?
> departments ... sneak PCs in and hide them under their desks to take back control
Nope, won't be as visible as that. People will run apps on their phones that will allow them to take back control. (But unknown to them, behind the scenes, all activity will be sent off to be tracked and accumulated by a master server afar off. Can you say, 'Bigger Brother?'.)
This all sounds like a frothy respray of managed hosting. WordPress blogs work like that, and in the middle ground, you have Plesk and C-Panel. What's to get excited about? I've never had to manage my own servers - I do it because I want that level of insight into and control over my processes.
I wouldn't put GDPR grade data on AWS even now - let alone in a context where process management was outsourced as well. People looking at this through bonus driven, cost-cutting beer goggles need to remember the basic legal principle that you can delegate authority (to AWS, to manage your processes), but you can't delegate responsibility (for inevitable cock-ups). Failure to have professional ops staff on the payroll, directly responsible only to the business rather than some cloudy subcontractor could in some cases be grounds for a future negligence action all by itself.
One of the blindingly obvious questions is how will GDPR affect the move of outsourcing. The whole crux of GDPR is security by design. This raises the very obvious question where do you host your data? In your own data centre where you control the entire environment or a remote data centre managed by someone else where numerous other organisations are hosting their data?
GDPR has statutory fines which can be applied to the business, however the company officers who make the decisions can also be sued. So the company officers had better make the right decision or it could prove to personally financially very damaging indeed.
It is also possible for a Non Governmental Organisation to take a class action against an organisation and its company officers like the one created by Max Schrems.
This approach probably works OK for the NYT.
News apps often need to be built fast - an extra day or two working on deployment is a much bigger deal for him than it is for most CTOs.
They also don't have a real long lifespan - a few will stay up for at least a year or two, but most will have a lifespan of weeks or months. By the time the stack you're locked into sucks it's ancient history.
Finally, they use pretty much exclusively public data with a goal of getting it to the public.
Hosting everything on someone else's infrastructure is fine for him. But I can't think of any other industry where that's as true.
Speaking as an experienced software architect & developer, there's absolutely no comparison between the "serverless" design idiom and something like WordPress (as suggested by another commentard above). Essentially, we're outsourcing the entire webserver all the way from the tin to the actual endpoints ["Azure Function" in my case]. As always, there are tradeoffs involved particularly with respect to lock-in*. My _personal_ view is that the flexibility is very appealing, but I wouldn't want to tie a large long-term design (such as an entire company infrastructure) to a single proprietary platform. From a business perspective this seems analogous to the engineering mistake of a critical system with a single point of failure. On the other hand, for short-term applications (e.g. 2 year lifespan) it's highly appealing. To me, Subbu Allamaraju's absolutely bang-on with his quoted views, though my gut feel is to do like Polvi and wait for an OSS alternative whilst the early adopters find both the technical and real-world pain points.
Windows user, because my employer's assessment of the tie-in is similar to Rockwell's. In a couple of decades we'll know who was right.
* there's also the uncomfortable fact that although Microsoft do the maintenance, it's still our responsibility to get the configuration right in the first place. Turns out that making settings very easy to apply doesn't help people that don't grok security ... see Red Disk & AWS et al. along with the ridiculous numbers of home routers with default passwords.