Separation of Duties
Separation of duties—especially separating work between developers
and operations engineers—is spelled out as a fundamental control
in security and governance frameworks like ISO 27001, NIST
800-53, COBIT and ITIL, SSAE 16 exams, and regulations such as
SOX, GLBA, MiFID II, and PCI DSS.
Auditors look closely at separation of duties, to ensure that requirements
for data confidentiality and integrity are satisfied: that data
and configuration cannot be altered by unauthorized individuals,
and that sensitive or private data cannot be viewed by unauthorized
individuals. They review change control procedures and approval
gates to ensure that no single person has end-to-end control over
changes to the system. They want to see detailed audit trails to prove
all of this.
Even in compliance environments that do not specifically call for
separation of duties, strict separation of duties is often enforced to
avoid the possibility or the appearance of a conflict of interest or a
failure of controls.
DevOps, by breaking down silos and sharing responsibilities
between developers and operators, seems to be in direct conflict
with separation of duties. Allowing developers to push code and
configuration changes out to production in Continuous Deployment
raises red flags for auditors. However, as we’ll see in “Compliance
as Code” on page 51, it’s possible to make the case that this can
be done, as long as strict automated and manual controls and auditing
are in place.
Another controversial issue is granting developers access to production
systems in order to help support (and sometimes even help
operate) the code that they write, following Amazon’s “You build it,
you run it” model. At the Velocity Conference in 2009, John Allspaw
and Paul Hammond made strong arguments for giving developers
access—at least limited access—to production:
Allspaw: “I believe that ops people should make sure that developers can see what’s happening on the systems without going through operations… There’s nothing worse than playing phone tag with shell commands. It’s just dumb.
“Giving someone [i.e., a developer] a read-only shell account on
production hardware is really low risk. Solving problems without it
is too difficult.”
Hammond: “We’re not saying that every developer should have root
access on every production box.”
At Etsy, for example, even in PCI-regulated parts of the system developers get read access to production system metrics dashboards (“data porn”) and exception logs so that they can help find problems in the code that they wrote. But any fixes to code or configuration are done through Etsy’s audited and automated Continuous Deployment pipeline.
Any developer access to a financial system, even read-only access,
raises questions and problems for regulators, compliance, InfoSec,
and customers. To address these concerns, you need to put strong
compensating controls in place. Limit access to non-public data and
configuration to a minimum. Review logging code carefully to
ensure that logs do not contain confidential data. Audit and review
everything that developers do in production: every command they
execute, every piece of data that they look at. You need detective
change control in place to report any changes to code or configuration.
In financial systems, you also need to worry about data exfiltration:
making sure that developers can’t take data out of the system.
These are all ugly problems to deal with.
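One way to implement the detective change control described above, as an added example that is not the book's own code: a scan of the production tree is hashed and compared against a baseline, and every change is matched against the file hashes recorded by the audited deployment pipeline, so anything not traceable to an approved deployment is reported. The trees, paths and deployment records are constructed sample data.

```python
import hashlib

# Constructed sample trees (path -> file contents) standing in for a production checkout.
BASELINE_TREE = {
    "app/service.py": b"def handle(req):\n    return process(req)\n",
    "app/config.yml": b"debug: false\ndb_host: db.internal\n",
}
CURRENT_TREE = {
    "app/service.py": b"def handle(req):\n    audit(req)\n    return process(req)\n",
    "app/config.yml": b"debug: true\ndb_host: db.internal\n",  # flipped outside the pipeline
    "app/hotfix.sh": b"#!/bin/sh\nrestart-service\n",          # dropped in by hand
}
# Constructed deployment records, as an audited pipeline would emit them (hypothetical format).
APPROVED_DEPLOYS = [
    {"id": "deploy-1042", "approver": "change-board",
     "files": {"app/service.py": hashlib.sha256(CURRENT_TREE["app/service.py"]).hexdigest()}},
]

def manifest(tree):
    """Baseline snapshot: SHA-256 of every file so later scans can be diffed."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

def detect_changes(baseline, current, approved_deploys):
    """Report every file that differs from the baseline and whether its new
    content matches a hash recorded by an approved pipeline deployment.
    Removed files never match a record, so they are always reported."""
    approved = {(p, h): d["id"] for d in approved_deploys for p, h in d["files"].items()}
    findings = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "modified"
        findings.append({"path": path, "change": kind,
                         "approved_by": approved.get((path, after))})  # None = out of band
    return findings

def unapproved(findings):
    """The subset that must be raised with whoever owns change control."""
    return [f for f in findings if f["approved_by"] is None]

if __name__ == "__main__":
    report = detect_changes(manifest(BASELINE_TREE), manifest(CURRENT_TREE), APPROVED_DEPLOYS)
    for f in report:
        print(f"{f['change']:8} {f['path']:18} approved_by={f['approved_by']}")
```

Run against a real tree, the baseline manifest would be taken at the last approved deployment and the scan scheduled, so the report itself becomes part of the audit trail.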
You also need to realize that the closer developers are to operations,
the more directly involved they will get in regulatory compliance.
This could lead to developers needing to be licensed, requiring
examinations and enforcing strict restrictions on personal conduct.
For example, in March 2015 FINRA issued a regulatory notice proposing
that any developer working on the design of algorithmic trading strategies should be registered as a securities trader.