This scene could be from a spy movie: Two people enter the room where release management is coordinated for a major release. The person from the operations team takes out a folded piece of paper, looks at it and types half of the password on the keyboard. Then the person from the development team does the same for the second half, and deployment to production begins. A couple years ago, I was working for a client where the dev and ops teams had half the password each for production. It was probably the most severe segregation of duties setup I’ve experienced. The topic of segregation of duties comes up frequently when organizations are moving towards DevOps ways of working. After all, how can you have segregation of duties when you are breaking down all the barriers and silos?!?
We’ll explore this together in this post. But first, let’s acknowledge a few things. First and foremost, I am not an auditor or lawyer. The approaches below have been accepted to different degrees by organizations I have worked with. Secondly, there are several concerns related to segregation of duties. I will cover the three most common ones that I have encountered. Hopefully, the principles still can be applied to further aspects accordingly. Let’s dive in!
Segregation of development and test
Problem statement: In a cross-functional team, wouldn’t the developer “mark his own homework” if testing is done by the same team? To avoid this in the traditional waterfall world, a separate testing team performs an “objective” quality control.
Resolution approach: Even in a DevOps or Agile delivery team, more than one person is involved in defining, developing and testing a piece of work. The product owner or her delegate helps define the acceptance criteria. A developer writes the code to fulfill those and a quality engineer writes test automation code to validate the acceptance criteria. Team members with specific skills like penetration testing or UX test the work as well. And often, business users perform additional testing. Agile ceremonies like the sprint demo and the acceptance by the product owner create additional scrutiny by someone other than the developer. In summary, segregation of duties between Dev and Test is achieved as long as people are working well across the team.
<<< Start >>>
<<< End >>>
Segregation of development and release
Problem Statement: A developer should not be able to release software into production without an independent quality check. This check makes sure no low quality or malicious software can be deployed. Traditional approaches have the operations or release management team validate quality through inspection and governance.
Resolution approach: In a DevOps world, the teams should be able to deploy to production automatically without any intervention by another team. This is true whether we use traditional continuous delivery or more modern cloud native deployment mechanisms. But how can we create segregation of duties in those release scenarios? We leverage high levels of automated quality controls in modern release mechanisms. This means functionality, security, performance and other aspects of the software are assessed automatically before software is deployed. We can leverage this to create independent assurance. A separate group like a “Platform Engineering” team governs the quality gates of the release mechanisms, the standards for it and the access to it. This team functions as the independent assurance and all changes to the release pipeline are audited. The art here is to get the balance right so that the teams can work independently without relying on the Platform Engineering team for day-to-day changes to the quality gates, while still making sure that the quality gates are effective.
Segregation of development and production
Problem Statement: A developer should not be able to make changes to production or see confidential data from production. At the same time, a production engineer shouldn’t be able to use his knowledge of production to deploy malicious code that can cause harm. Traditionally, access to production and non-production systems are only given to mutually exclusive development and operations teams.
Resolution approach: This is the most complicated of the three scenarios, as people should get the best possible data to resolve issues, yet we want to avoid proliferation of confidential data that can lead to exploitation of such data. The mechanisms here are very contextual, but the principles are similar across organizations. Give the developers access to “clean” data and logs through a mechanism that masks data. When the masked data is insufficient for analysis and resolution, then escalated access should be provided based on the incident that needs to be resolved. Automated access systems can tie the temporary access escalation to the ticket and remove it automatically once the ticket is resolved. This requires good hygiene of tickets, as tickets which are open for a long time can create extended periods of escalated access. Contextual analysis is required to identify the exact mechanisms here. But in most organizations, masked data should be able to cover most scenarios so that access to confidential data is very limited. Root access to production systems should be very limited in any case, as automation takes over traditional tasks that used to require such access. Hence, the risk is more limited in a DevOps world. And, automation increases the auditability of changes as everything gets logged.
Hopefully this gives you a few ideas on how to approach segregation of duties in the DevOps world. Keep in mind that you achieve the best results by bringing the auditors and governance stakeholders to the table early. Explore how to make their life better with these approaches. This should be a win-win situation. And in my experience it usually is, once you get to the bottom of what the concern to address actually is.