Separation of duties: How to conform in a DevOps world
I was recently asked for some tips on maintaining the separation of duties in software delivery — a question I get quite often these days. And for good reason.
Software delivery in enterprise environments already entails lengthy, detailed, and often manual processes, and strict compliance regulations only add to the complexity.
For companies in highly regulated industries, such as banking, insurance, and healthcare, compliance is no trivial matter. Non-conformance with regulations and any breaches of their systems or applications can have significant consequences — huge fines, loss of customers, and a damaged reputation.
These organizations need to do everything possible to ensure that their applications and customers are protected. One way of doing that is through what’s called separation (or segregation) of duties. While much of the security focus is typically placed on external threats, separation of duties aims to protect the organization from its internal threats.
What is separation of duties?
Separation of duties in software development refers to restricting the amount of power held by any single person or team taking part in the development and delivery of software. This usually means that a programmer who can make changes in the Development environment is not permitted to also deploy those changes to production. Requiring that multiple people be assigned to complete a task reduces the risk of fraud and failures and increases internal controls. While separation of duties is necessary for organizations that develop and deploy custom applications, it can be difficult to maintain and keep track of who’s authorized to do what, using which tool, in which environment, and when. And while it’s crucial to have tight control over what different users can and can’t do with software in development, things can get very complicated very quickly—and often significantly slow down deployments. Manually managing all of the various roles, permissions, tasks, and tools involved in delivery and in tracking what people are doing can be a very daunting task. By not automating the controls for separation of duties, your software will be left vulnerable to risk and your company open to compliance violations.
The case for automating the approval process
A long-held myth in the software delivery world is that everything that goes to your production environment needs separate human approval, often implemented in the form of manual controls. This is based on a practice that separates those who write code from those who implement code in order to mitigate the potential for collusion—nefarious or accidental. For compliance requirements where controls are required for ensuring conformance, including SOX, HIPAA, and now GDPR, just to name a few, the controls are typically implemented in a “one-size-fits-all” fashion. Often for simplicity and ease of conformance, manual segregation is implemented as it’s often very difficult, if not impossible, to discern whether a change impacted a system that requires compliance controls. In most traditional environments, automation is rarely done across the entire process. And where automation of a process does exist, it is generally not impervious to unauthorized changes. But let’s face it, whether they intend it or not, humans increase risk. So, you need to find a technology that allows you to verify that, once you’ve set up your approval processes, they are under appropriate controls, are secure, and can’t be changed without the appropriate level of approval and audit. Automating your approval process also allows you take advantage of the audit trails produced by the technology you’re using so you can establish alerts for when an error occurs or an unauthorized change is made. In such cases, relevant teams will be immediately notified, and the technology can immediately stop the process where the errors or unauthorized changes occurred. By effectively managing human interactions, software delivery outcomes include a significantly higher success rate in terms of assurances that your verification processes are trustworthy, and your software is protected.
Common automation techniques
Despite some ongoing concerns from the audit, risk, and compliance communities about automating the separation of duties, companies are starting to leverage the practice. A couple of common techniques include:
- Automation of the change approval process. Most change management systems use tools like ServiceNow or Remedy for approvals for completion of testing and validation in the software development lifecycle (SDLC) before triggering the movement of code between stages. Automating your various testing and quality assurance stages allows you to then trigger the approvals in those tools. Additionally, depending on the sensitivity and compliance requirements of the code, you can automatically insert additional tests and approvals into the SDLC. Lastly, you can use the success of each stage as the approval system for deploying into the production environment.
- Using third-party compliance software. Another, simpler way is to hold a production deployment until you get an approval from independent third-party compliance software. This approach requires documenting how you will ensure that the developers who create the code will not also configure and deploy to the production environment, and that you are deploying with the right level of security. All of this can be configured in tooling, so once the approval is given, these steps can happen automatically.
The above approaches can be scripted for small projects, but they’re not sophisticated enough to handle the complex scenarios of an enterprise environment because audit, compliance, security, and risk teams cannot validate the scripts. And if the scripts themselves are not controlled with approved change processes, they invalidate themselves. Release orchestration and deployment automation, however, deliver all the foundational elements necessary for managing the complexities of separation of duties, while accelerating the delivery of high-quality software.
Automating separation of duties with Digital.ai
An application release automation (ARA) solution, one that orchestrates release pipelines and automates software delivery, can provide the control and visibility needed to successfully maintain the separation of duties without compromising the speed at which you get applications to Production.
Release orchestration: Mitigate risk. Enforce controls. Deliver the proof
Release orchestration with Digital.ai Release, formerly XL Release, gives you visibility all the way across the pipeline, making everything—your tools, processes, and tasks—visible and manageable from a central place. Once you have detailed insight into your pipeline, you can set up quality gates, integrate manual steps into the process where necessary, and establish approval checkpoints throughout your pipeline. You can also enforce role-based access to tasks, tools, and environments. Digital.ai's, formerly XebiaLabs’, integration with active directory control enables role-based authentication and authorization for all systems. You get granular control, so you can restrict both tasks and system access only to the people who need it. In addition, since the Digital.ai architecture is agentless, and many tasks can be automated, you can reduce the number of people who need access to secure systems. With automated checks and permissions in place, you can enable users from all parts of the business to collaborate, get up-to-date status, and make decisions, while ensuring that everyone is following the same compliance checks across every release and automatically capturing a full audit trail.
Deployment automation: Ensuring the right version is in production
Deployment automation with Digital.ai Deploy, formerly XL Deploy, enables you to automate deployments in all of your environments, ensuring that all releases occur in a repeatable, standard way and that the version in production is always the authorized one. Digital.ai Deploy also helps you identify when and where deployment “drift” (changes in the development, test, or QA environments that impact production) is occurring. In the event of an error, users can configure tooling so that the application will automatically roll back and redeploy to the last authorized version.
Achieving automated assurance
Software delivery in the enterprise is a complex process that demands compliance with strict regulations because, without it, the whole company is at risk. Maintaining a clear separation of duties that limits the power of any one individual is the best way for companies to reduce the risk of fraud and failures and increase internal controls. But like everything in modern enterprise software environments, manual processes only add to the complexity. Manually managing all of the various roles, permissions, tasks, and tools involved in delivery is not only difficult to maintain, but will likely slow down deployments. ARA gives you the visibility necessary to glean insights from across your entire pipeline, coupled with the ability to create standard, repeatable deployments throughout. Combined, these features allow you to maintain a separation of duties while continuing to increase software delivery speed and quality.