Introduction
An audit that surfaced an uncomfortable truth. A 150-repo Azure DevOps environment held together by developer scripts. And a mandate from leadership to fix it.
In 2022, an internal audit at Siemens Smart Infrastructure's IT Value Center made the gap impossible to ignore. The team had backups, technically. Each developer was responsible for running scripts against their own repositories. Main branches, when remembered. A few selected repos, when time allowed. Artisan work, done manually, with no central ownership and no way to reliably verify what could actually be restored.
Multiple red flags. Leadership asked the team to find something better.
For Paulo Nascimento, Solutions Architect and internal security champion at the IT Value Center, it was the moment that crystallised what was at stake. Siemens is a company with over 170 years of operational history. The IT Value Center runs 150 repositories across 20+ projects, growing week over week, with AI-automated pipelines spanning cloud and on-premises workloads. The governance requirements that come with that scale are serious. The protection model in place was not.
We protect the cloud, we protect on-prem, we protect everything," Paulo said. "But what about the code? The code is the most important asset of our company. And I think any company that is not treating it that way is leaving a critical gap.
What protection actually looked like before Rubrik
The core problem was not just coverage, it was reliability. Backups existed for some repos, on some branches, run by some developers. But nobody could say with confidence what was covered, whether restores would actually work, or how long recovery would take if something went wrong. The pipelines, YAML templates, release definitions, variable groups, task groups, and wikis that the team depended on every day had no protection at all.
"It was very manual, done by developers when they understood they should do backups," Paulo recalled. "But it was artisan. Error-prone. Not systematic."
That kind of approach can survive in a small environment. At 150 repositories across 20+ projects, with CI/CD pipelines running across Azure, AWS, and GCP, it was no longer viable.
From marketplace search to policy-driven protection
Paulo's starting point for finding a solution was the Azure DevOps Marketplace, a natural first step given Siemens' deep Microsoft ecosystem investment. Rubrik's Azure DevOps protection surfaced quickly and addressed what the audit had flagged directly: automated protection across the full ADO object stack, immutable and encrypted backups, repo-level and organisation-level restore, role-based access control, and audit-ready compliance reporting.
Critically, it met Siemens' internal CYS and SCM compliance requirements. The same requirements the 2022 audit had flagged as unmet.
The implementation shifted the operating model in a fundamental way. Protection moved from something individual developers managed ad hoc to something the platform handled automatically. SLA policies applied at the organisation level mean any new repository or project is discovered and protected without manual intervention. Developers stopped carrying the backup burden. The compliance gap closed.
What is protected today covers the full scope: agentpool, artifacts, builds, processtemplates, project metadata, pullreqSnapshots, queries, release pipelines, repos, snapshots, taskgroups, variablegroups, wikis, and all CI/CD pipeline definitions.
The recovery test that validated the approach
The real test came through a controlled simulation. The team deliberately deleted repositories and ran the recovery process. Before Rubrik, a recovery scenario would have taken one to two days, accounting for developer availability, manual reconstruction effort, and the gaps in what was actually backed up. With Rubrik, the same recovery ran in 10 to 15 minutes.
No real incidents have occurred. Paulo is direct about why that matters: "It is like insurance. Everything is protected."
The before and after looks like this:
Practitioner Tips
With 25 years across systems administration, database administration, cloud engineering, and solutions architecture, Paulo has seen how organisations rationalise gaps like this one until they cannot anymore. His advice to any DevOps lead in the same position comes down to four things.
Pipelines are not optional. Source code is visible. Pipelines, YAML templates, and release configurations are invisible until they are gone. Rebuilding them from memory is far more painful than protecting them upfront. |
AI changes the risk calculation. AI-assisted development is accelerating the rate of change in codebases. More commits, more pipelines, more automation. If an AI agent with elevated permissions is touching your repositories and your protection model is still a developer running scripts, you have a gap. |
AI and cloud together demand extra caution. The codebase is the foundation. As teams lean further into cloud-native development and AI tooling, the risk of leaving critical infrastructure without proper governance grows. That foundation cannot be delegated to the same systems that could compromise it. |
Do not wait for an incident. The trigger at Siemens was an audit. That is the best-case scenario. As Paulo put it: "Don't wait too much, because sometimes these things are not properly valued. But if you think your code is one of the most important assets of your company, it is important to act fast." |
Conclusion
For the Siemens Smart Infrastructure IT Value Center, the shift was not just about fixing a compliance gap. It was about making protection something the platform handles automatically, so developers can focus on building rather than managing backup scripts. The code that powers the business deserves the same discipline applied to every other critical workload.
Contributed by

Paulo Nascimento
IT Solutions Architect and Internal Security Champion, Siemens

Craig Thompson
GTM Tech Lead for DevOps Resilience, Rubrik

Nikita Bhuma
Customer Advocacy Specialist, Rubrik




