Rubrik
  • Products
  • Solutions
  • Knowledge Hub
  • About Us
  • CXO
  • Partners
  • Support
  • Contact Sales
Rubrik
LinkedInTwitterFacebookYouTubeInstagram

Call us at 1-844-478-2745

Submit Interest

ABOUT RUBRIK

CompanyLeadershipInvestor RelationsNewsroom & Press ReleasesCareersBlog

NEW TO RUBRIK

Why RubrikProductsSolutionsPartnersCustomersResources

POPULAR LINKS

Cyber RecoveryBackup & RecoveryRansomware Recovery Cloud Disaster RecoveryCloud Database Backup and Recovery ServiceSaaS Backups

CompanyLeadershipInvestor RelationsNewsroom & Press ReleasesCareersBlog
Why RubrikProductsSolutionsPartnersCustomersResources
Cyber RecoveryBackup & RecoveryRansomware Recovery Cloud Disaster RecoveryCloud Database Backup and Recovery ServiceSaaS Backups

CompanyLeadershipInvestor RelationsNewsroom & Press ReleasesCareersBlog
Why RubrikProductsSolutionsPartnersCustomersResources
Cyber RecoveryBackup & RecoveryRansomware Recovery Cloud Disaster RecoveryCloud Database Backup and Recovery ServiceSaaS Backups
  • Cookie Policy
  • Legal
  • Privacy Policy
  • Terms of Use
  • Trust
  • CA Residents only: Do not sell or share my personal information | Do not share my sensitive information

© 2026 Rubrik – Zero Trust Data Security™

Technical Blog Hub

Protecting What Powers the Business: How Siemens Automated DevOps Protection with Rubrik

Technical BlogTechnology, ITAzure DevOps
JUN 25, 20266 min read
Technical BlogTechnology, ITAzure DevOps
JUN 25, 20266 min read
Protecting What Powers the Business: How Siemens Automated DevOps Protection with Rubrik
Share
Background
Technical Blog Hub

Protecting What Powers the Business: How Siemens Automated DevOps Protection with Rubrik

Technical BlogTechnology, ITAzure DevOps
JUN 25, 20266 min read
Technical BlogTechnology, ITAzure DevOps
JUN 25, 20266 min read
Protecting What Powers the Business: How Siemens Automated DevOps Protection with Rubrik
Share

Table of Contents

Introduction

An audit that surfaced an uncomfortable truth. A 150-repo Azure DevOps environment held together by developer scripts. And a mandate from leadership to fix it.

In 2022, an internal audit at Siemens Smart Infrastructure's IT Value Center made the gap impossible to ignore. The team had backups, technically. Each developer was responsible for running scripts against their own repositories. Main branches, when remembered. A few selected repos, when time allowed. Artisan work, done manually, with no central ownership and no way to reliably verify what could actually be restored.

Multiple red flags. Leadership asked the team to find something better.

For Paulo Nascimento, Solutions Architect and internal security champion at the IT Value Center, it was the moment that crystallised what was at stake. Siemens is a company with over 170 years of operational history. The IT Value Center runs 150 repositories across 20+ projects, growing week over week, with AI-automated pipelines spanning cloud and on-premises workloads. The governance requirements that come with that scale are serious. The protection model in place was not.

We protect the cloud, we protect on-prem, we protect everything," Paulo said. "But what about the code? The code is the most important asset of our company. And I think any company that is not treating it that way is leaving a critical gap.

What protection actually looked like before Rubrik

The core problem was not just coverage, it was reliability. Backups existed for some repos, on some branches, run by some developers. But nobody could say with confidence what was covered, whether restores would actually work, or how long recovery would take if something went wrong. The pipelines, YAML templates, release definitions, variable groups, task groups, and wikis that the team depended on every day had no protection at all.

"It was very manual, done by developers when they understood they should do backups," Paulo recalled. "But it was artisan. Error-prone. Not systematic."

That kind of approach can survive in a small environment. At 150 repositories across 20+ projects, with CI/CD pipelines running across Azure, AWS, and GCP, it was no longer viable.

From marketplace search to policy-driven protection

Paulo's starting point for finding a solution was the Azure DevOps Marketplace, a natural first step given Siemens' deep Microsoft ecosystem investment. Rubrik's Azure DevOps protection surfaced quickly and addressed what the audit had flagged directly: automated protection across the full ADO object stack, immutable and encrypted backups, repo-level and organisation-level restore, role-based access control, and audit-ready compliance reporting.

Critically, it met Siemens' internal CYS and SCM compliance requirements. The same requirements the 2022 audit had flagged as unmet.

The implementation shifted the operating model in a fundamental way. Protection moved from something individual developers managed ad hoc to something the platform handled automatically. SLA policies applied at the organisation level mean any new repository or project is discovered and protected without manual intervention. Developers stopped carrying the backup burden. The compliance gap closed.

What is protected today covers the full scope: agentpool, artifacts, builds, processtemplates, project metadata, pullreqSnapshots, queries, release pipelines, repos, snapshots, taskgroups, variablegroups, wikis, and all CI/CD pipeline definitions.

The recovery test that validated the approach

The real test came through a controlled simulation. The team deliberately deleted repositories and ran the recovery process. Before Rubrik, a recovery scenario would have taken one to two days, accounting for developer availability, manual reconstruction effort, and the gaps in what was actually backed up. With Rubrik, the same recovery ran in 10 to 15 minutes.

No real incidents have occurred. Paulo is direct about why that matters: "It is like insurance. Everything is protected."

The before and after looks like this:

Dimension

Before Rubrik

After Rubrik

Coverage

Few main/master branches, selected repos

150 repos, all ADO objects, 20+ projects

Method

Manual scripts, per developer

Automated, policy-driven, centralised

Recovery time

1 to 2 days

10 to 15 minutes

Auditability

None

Full audit log, compliance reporting

Compliance

Multiple red flags

CYS and SCM requirements met

Developer burden

High

Near zero

Practitioner Tips

With 25 years across systems administration, database administration, cloud engineering, and solutions architecture, Paulo has seen how organisations rationalise gaps like this one until they cannot anymore. His advice to any DevOps lead in the same position comes down to four things.

 

Pipelines are not optional.

Source code is visible. Pipelines, YAML templates, and release configurations are invisible until they are gone. Rebuilding them from memory is far more painful than protecting them upfront.

 

AI changes the risk calculation.

AI-assisted development is accelerating the rate of change in codebases. More commits, more pipelines, more automation. If an AI agent with elevated permissions is touching your repositories and your protection model is still a developer running scripts, you have a gap.

 

AI and cloud together demand extra caution.

The codebase is the foundation. As teams lean further into cloud-native development and AI tooling, the risk of leaving critical infrastructure without proper governance grows. That foundation cannot be delegated to the same systems that could compromise it.

 

Do not wait for an incident.

The trigger at Siemens was an audit. That is the best-case scenario. As Paulo put it: "Don't wait too much, because sometimes these things are not properly valued. But if you think your code is one of the most important assets of your company, it is important to act fast."

Conclusion

For the Siemens Smart Infrastructure IT Value Center, the shift was not just about fixing a compliance gap. It was about making protection something the platform handles automatically, so developers can focus on building rather than managing backup scripts. The code that powers the business deserves the same discipline applied to every other critical workload.

Contributed by

Paulo Nascimento
Paulo Nascimento

IT Solutions Architect and Internal Security Champion, Siemens

Paulo Nascimento is an IT professional with 25 years of experience spanning systems administration, database administration, cloud engineering, and solutions architecture across Azure and AWS environments. Based at Siemens Smart Infrastructure's IT Value Center, he led the organisation's shift from ad hoc, developer-managed backup scripts to systematic, policy-driven DevOps data protection, directly resolving compliance gaps identified in internal security audits. As an internal security champion at Siemens, Paulo focuses on the intersection of development velocity and operational resilience, with a particular focus on the risks that AI-assisted development and multi-cloud architectures introduce to DevSecOps strategy.
Craig Thompson
Craig Thompson

GTM Tech Lead for DevOps Resilience, Rubrik

Craig Thompson works directly with customers to design and deploy protection for modern DevOps environments. As AI-generated code expands the attack surface and pipeline dependencies grow more complex, he helps organizations build resilience into their development workflows before an incident forces the issue.
Nikita Bhuma
Nikita Bhuma

Customer Advocacy Specialist, Rubrik

Nikita Bhuma is a Customer Advocacy Specialist at Rubrik with over a decade of experience across IT, networking, cybersecurity, and enterprise software industries. She leads the Reference Concierge program, amplifying customer voices through technical storytelling that highlights real practitioner insights and measurable outcomes.

Share Your Insights

Have an interesting story or technical findings to share? Reach out to create a blog with us.

Learning & Certifications

Access free and instructor-led training and certification paths to master Rubrik products and maximise your data security expertise.

Explore coursesNext
Background

Share Your Insights

Have an interesting story or technical findings to share? Reach out to create a blog with us.

Learning & Certifications

Access free and instructor-led training and certification paths to master Rubrik products and maximise your data security expertise.

Explore coursesNext