Separation of Duties: How to Conform in a DevOps World

During a recent Webinar, I was asked for some tips on maintaining the separation of duties in software delivery — a question I get quite often these days. And for good reason.

Software delivery in enterprise environments already entails lengthy, detailed, and often manual processes, and strict compliance regulations only add to the complexity.

For companies in highly regulated industries, such as banking, insurance, and healthcare, compliance is no trivial matter. Non-conformance with regulations and any breaches of their systems or applications can have significant consequences — huge fines, loss of customers, and a damaged reputation.

These organizations need to do everything possible to ensure that their applications and customers are protected. One way of doing that is through what’s called separation (or segregation) of duties.

While much of the security focus is typically placed on external threats, separation of duties aims to protect the organization from its internal threats.

What Is Separation of Duties?

Separation of duties in software development refers to restricting the amount of power held by any single person or team taking part in the development and delivery of software. This usually means that a programmer who can make changes in the Development environment is not permitted to also deploy those changes to Production. Requiring that multiple people be assigned to complete a task reduces the risk of fraud and failures and increases internal controls.

While separation of duties is necessary for organizations that develop and deploy custom applications, it can be difficult to maintain and keep track of who’s authorized to do what, using which tool, in which environment, and when. And while it’s crucial to have tight control over what different users can and can’t do with software in development, things can get very complicated very quickly—and often significantly slow down deployments.

Manually managing all of the various roles, permissions, tasks, and tools involved in delivery and in tracking what people are doing can be a very daunting task. By not automating the controls for separation of duties, your software will be left vulnerable to risk and your company open to compliance violations.

The Case for Automating the Approval Process

A long-held myth in the software delivery world is that everything that goes to your Production environment needs separate human approval, often implemented in the form of manual controls. This is based on a practice that separates those who write code from those who implement code in order to mitigate the potential for collusion—nefarious or accidental.

For compliance requirements where controls are required for ensuring conformance, including SOX, HIPAA, and now GDPR, just to name a few, the controls are typically implemented in a “one-size-fits-all” fashion. Often for simplicity and ease of conformance, manual segregation is implemented as it’s often very difficult, if not impossible, to discern whether a change impacted a system that requires compliance controls.

In most traditional environments, automation is rarely done across the entire process. And where automation of a process does exist, it is generally not impervious to unauthorized changes.

But let’s face it, whether they intend it or not, humans increase risk. So, you need to find a technology that allows you to verify that, once you’ve set up your approval processes, they are under appropriate controls, are secure, and can’t be changed without the appropriate level of approval and audit.

Automating your approval process also allows you take advantage of the audit trails produced by the technology you’re using so you can establish alerts for when an error occurs or an unauthorized change is made. In such cases, relevant teams will be immediately notified, and the technology can immediately stop the process where the errors or unauthorized changes occurred.

By effectively managing human interactions, software delivery outcomes include a significantly higher success rate in terms of assurances that your verification processes are trustworthy, and your software is protected.

Common Automation Techniques

Despite some ongoing concerns from the audit, risk, and compliance communities about automating the separation of duties, companies are starting to leverage the practice. A couple of common techniques include:

1. Automation of the change approval process. Most change management systems use tools like ServiceNow or Remedy for approvals for completion of testing and validation in the software development lifecycle (SDLC) before triggering the movement of code between stages. Automating your various testing and quality assurance stages allows you to then trigger the approvals in those tools. Additionally, depending on the sensitivity and compliance requirements of the code, you can automatically insert additional tests and approvals into the SDLC. Lastly, you can use the success of each stage as the approval system for deploying into the Production environment.
2. Using third-party compliance software. Another, simpler way is to hold a Production deployment until you get an approval from independent third-party compliance software. This approach requires documenting how you will ensure that the developers who create the code will not also configure and deploy to the Production environment, and that you are deploying with the right level of security. All of this can be configured in tooling, so once the approval is given, these steps can happen automatically.

The above approaches can be scripted for small projects, but they’re not sophisticated enough to handle the complex scenarios of an enterprise environment because audit, compliance, security, and risk teams cannot validate the scripts. And if the scripts themselves are not controlled with approved change processes, they invalidate themselves.

Release orchestration and deployment automation, however, deliver all the foundational elements necessary for managing the complexities of separation of duties, while accelerating the delivery of high-quality software.