Separation of Duties: How to Conform in a DevOps World

Automating the approval process in separation of duties can help speed up development. Read on to learn about common automation techniques.

by Robert Stroud · Aug. 22, 18 · Opinion


During a recent Webinar, I was asked for some tips on maintaining the separation of duties in software delivery — a question I get quite often these days. And for good reason.

Software delivery in enterprise environments already entails lengthy, detailed, and often manual processes, and strict compliance regulations only add to the complexity.

For companies in highly regulated industries, such as banking, insurance, and healthcare, compliance is no trivial matter. Non-conformance with regulations and any breaches of their systems or applications can have significant consequences — huge fines, loss of customers, and a damaged reputation.

These organizations need to do everything possible to ensure that their applications and customers are protected. One way of doing that is through what’s called separation (or segregation) of duties.

While much of the security focus is typically placed on external threats, separation of duties aims to protect the organization from its internal threats.

What Is Separation of Duties?

Separation of duties in software development refers to restricting the amount of power held by any single person or team taking part in the development and delivery of software. This usually means that a programmer who can make changes in the Development environment is not permitted to also deploy those changes to Production. Requiring that multiple people be assigned to complete a task reduces the risk of fraud and failures and increases internal controls.

While separation of duties is necessary for organizations that develop and deploy custom applications, it can be difficult to maintain and keep track of who’s authorized to do what, using which tool, in which environment, and when. And while it’s crucial to have tight control over what different users can and can’t do with software in development, things can get very complicated very quickly—and often significantly slow down deployments.

Manually managing all of the various roles, permissions, tasks, and tools involved in delivery and in tracking what people are doing can be a very daunting task. By not automating the controls for separation of duties, your software will be left vulnerable to risk and your company open to compliance violations.

The Case for Automating the Approval Process

A long-held myth in the software delivery world is that everything that goes to your Production environment needs separate human approval, often implemented in the form of manual controls. This is based on a practice that separates those who write code from those who implement code in order to mitigate the potential for collusion—nefarious or accidental.

For compliance requirements where controls are required for ensuring conformance, including SOX, HIPAA, and now GDPR, just to name a few, the controls are typically implemented in a “one-size-fits-all” fashion. Often for simplicity and ease of conformance, manual segregation is implemented as it’s often very difficult, if not impossible, to discern whether a change impacted a system that requires compliance controls.

In most traditional environments, automation is rarely done across the entire process. And where automation of a process does exist, it is generally not impervious to unauthorized changes.

But let’s face it, whether they intend it or not, humans increase risk. So, you need to find a technology that allows you to verify that, once you’ve set up your approval processes, they are under appropriate controls, are secure, and can’t be changed without the appropriate level of approval and audit.

Automating your approval process also allows you to take advantage of the audit trails produced by the technology you’re using, so you can establish alerts for when an error occurs or an unauthorized change is made. In such cases, the relevant teams are notified immediately, and the technology can stop the process at the point where the error or unauthorized change occurred.

Effectively managing human interactions in this way yields markedly better software delivery outcomes: greater assurance that your verification processes are trustworthy and that your software is protected.

Common Automation Techniques

Despite some ongoing concerns from the audit, risk, and compliance communities about automating the separation of duties, companies are starting to leverage the practice. A couple of common techniques include:

  1. Automation of the change approval process. Most change management systems use tools like ServiceNow or Remedy for approvals for completion of testing and validation in the software development lifecycle (SDLC) before triggering the movement of code between stages. Automating your various testing and quality assurance stages allows you to then trigger the approvals in those tools. Additionally, depending on the sensitivity and compliance requirements of the code, you can automatically insert additional tests and approvals into the SDLC. Lastly, you can use the success of each stage as the approval system for deploying into the Production environment.
  2. Using third-party compliance software. Another, simpler way is to hold a Production deployment until you get an approval from independent third-party compliance software. This approach requires documenting how you will ensure that the developers who create the code will not also configure and deploy to the Production environment, and that you are deploying with the right level of security. All of this can be configured in tooling, so once the approval is given, these steps can happen automatically.
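Both techniques come down to a gate in front of Production that opens only on evidence produced by something or someone other than the change author: passing automated stages, plus an approval that is bound to the exact artifact being promoted, with every decision written to an audit trail that alerting can act on. The Python sketch below is an added illustration of that gate and is not code from the article or from any real change-management tool (ServiceNow and Remedy have their own APIs); the `ChangeRequest` structure, the stage names, the user names and the sample artifact bytes are all constructed assumptions. Binding the approval to the artifact digest is what makes an approval useless for anything other than the build that was reviewed, which is the "unauthorized change" case described earlier.

```python
"""Constructed separation-of-duties gate for a Production deployment.

All names, roles and structures here are assumptions for illustration;
they do not model any specific product's API.
"""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Dict, List, Tuple

# Automated stages that must report success before the gate can open.
# Constructed list; a real pipeline would read this from change-controlled config.
REQUIRED_STAGES = ("unit-tests", "security-scan", "integration-tests")


@dataclass
class ChangeRequest:
    change_id: str
    author: str                                   # who wrote the change
    artifact_digest: str                          # sha256 of the exact build being promoted
    stage_results: Dict[str, bool] = field(default_factory=dict)    # stage name -> passed?
    approvals: List[Tuple[str, str]] = field(default_factory=list)  # (approver, digest approved)


def digest_of(artifact: bytes) -> str:
    """Identity of a build: the hash of its bytes, not its version label."""
    return sha256(artifact).hexdigest()


def record_approval(cr: ChangeRequest, approver: str) -> None:
    """An approval is bound to the artifact digest current at approval time."""
    cr.approvals.append((approver, cr.artifact_digest))


def evaluate_deploy(cr: ChangeRequest, deployer: str, audit_log: List[dict]) -> Tuple[bool, str]:
    """Decide whether `deployer` may promote `cr` to Production.

    Every decision, allowed or denied, is appended to `audit_log`;
    a denied entry is the event an alerting rule would fire on.
    """
    if deployer == cr.author:
        allowed, reason = False, "deployer is the change author"
    else:
        missing = [s for s in REQUIRED_STAGES if not cr.stage_results.get(s, False)]
        # Only approvals by someone other than the author, for this exact build, count.
        independent = [a for a, d in cr.approvals
                       if a != cr.author and d == cr.artifact_digest]
        if missing:
            allowed, reason = False, "required stages not passed: " + ", ".join(missing)
        elif not independent:
            allowed, reason = False, "no independent approval bound to this artifact"
        else:
            allowed, reason = True, "approved by " + ", ".join(independent)
    audit_log.append({"change": cr.change_id, "actor": deployer,
                      "artifact": cr.artifact_digest[:12],
                      "allowed": allowed, "reason": reason})
    return allowed, reason


def run_scenarios() -> Tuple[Dict[str, Tuple[bool, str]], List[dict]]:
    """Walk the gate through the cases it must handle; returns (decisions, audit log)."""
    log: List[dict] = []
    results: Dict[str, Tuple[bool, str]] = {}

    build_v1 = b"constructed build artifact v1"     # constructed sample artifact
    cr = ChangeRequest("CHG-1001", author="alice", artifact_digest=digest_of(build_v1))

    # 1. The author tries to deploy her own change.
    results["author_self_deploy"] = evaluate_deploy(cr, "alice", log)

    # 2. A separate operator tries, but not every automated stage has passed.
    cr.stage_results = {"unit-tests": True, "security-scan": False}
    results["stages_incomplete"] = evaluate_deploy(cr, "bob", log)

    # 3. Stages pass, but the only approval on file is the author's own.
    cr.stage_results = {s: True for s in REQUIRED_STAGES}
    record_approval(cr, "alice")
    results["self_approval_only"] = evaluate_deploy(cr, "bob", log)

    # 4. An independent reviewer approves this exact artifact: the gate opens.
    record_approval(cr, "carol")
    results["independent_approval"] = evaluate_deploy(cr, "bob", log)

    # 5. The artifact is rebuilt after approval; the approval no longer matches it.
    cr.artifact_digest = digest_of(b"constructed build artifact v2")
    results["changed_after_approval"] = evaluate_deploy(cr, "bob", log)

    return results, log


if __name__ == "__main__":
    decisions, audit = run_scenarios()
    for name, (ok, why) in decisions.items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY ':5s} {why}")
    print(f"{sum(not e['allowed'] for e in audit)} denials logged for alerting")
```

The scripted version of this check is only as trustworthy as the script itself, which is the point made in the next paragraph: `REQUIRED_STAGES` and `evaluate_deploy` are part of the control, so they must sit under the same approved change process as the code they gate.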

The above approaches can be scripted for small projects, but scripts are not sophisticated enough to handle the complex scenarios of an enterprise environment, because audit, compliance, security, and risk teams cannot validate them. And if the scripts themselves are not controlled through approved change processes, they undermine the very control they are meant to enforce.

Release orchestration and deployment automation, however, deliver all the foundational elements necessary for managing the complexities of separation of duties, while accelerating the delivery of high-quality software.


Published at DZone with permission of Robert Stroud, DZone MVB. See the original article here.
