Written by: Pooja Arya, Principal, Cyber Group Inc.
IT security is intended to prevent the manipulation of data and systems by unauthorized parties. The problem arises when anyone who develops code also has access to deploy it, when someone on the development team has access to the production box, or when the person writing the code is also the one validating or approving the changes. Separation of Duties exists to address these situations.
Separation of Duties (SoD) is a key concept of internal controls. The concept of Separation of Duties (SoD) became more relevant to the IT organization when regulatory mandates such as Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) were enacted. A very high portion of SOX internal control issues, for example, come from or rely on IT. This forced IT organizations to place greater emphasis on SoD across all IT functions, especially security.
With SoD, we introduce boundaries between the persons or teams responsible for different operations, whereas DevOps emphasizes breaking down barriers and silos. The question, then, is how these two go together. Although in the DevOps world we talk about bringing the development and operations teams into one, implementing Segregation of Duties is still one of the most common practices for controlling what, and by whom, can or cannot be promoted to production.
Before going further into what problem Separation of Duties solves, let us understand what Separation of Duties is. Separation of Duties is the concept of having more than one person required to complete a task. In the software engineering world, this basically means the person who has developed the code cannot approve or deploy the code.
The principle of Separation of Duties is based on the fact that no individual person or group should be able to execute all parts of an SDLC. More than one person or department should share responsibility for a key process so that its critical functions are dispersed.
SoD has two primary objectives. The first is the prevention of conflict of interest, wrongful acts, fraud, abuse, and errors. The second is the detection of control failures that include security breaches, information theft and circumvention of security controls.
In terms of IT security, there are three main types of internal control that can be implemented: detective, preventive, and corrective. These controls are processes or policies implemented to prevent security breaches. Separation of Duties is critical to effective internal control, implemented to reduce the risk of both erroneous and inappropriate actions. All business units should attempt to separate functional responsibilities so that errors, intentional or unintentional, cannot be made without being discovered by another person. It is imperative that there be separation between operations, development and testing of software, security, and all controls, to reduce the risk of unauthorized activity or access to operational systems or data.
Introducing only a few changes in your DevOps practices can help you achieve the goal of Separation of Duties the DevOps way. A few suggestions to begin with include:
We will continue this discussion in the next blog post, taking a deep dive into the challenges of SoD and how to implement SoD using DevOps best practices.