As IT organizations increasingly adopt DevOps, there is more tension than ever between IT and Audit. DevOps challenges traditional thinking about auditing, controls and risk mitigation. Disconnects arise between the controls DevOps teams have in place and the IT controls auditors believe need to be in place.
What It Feels Like to Live in a DevOps World
Imagine living in a DevOps world, where product owners, development, QA, IT operations and InfoSec work together relentlessly to help each other and the overall organization win. They are enabling fast flow of planned work into production—performing tens, hundreds or even thousands of code deploys per day—while preserving world-class stability, reliability, availability and security.
DevOps is built around a high-trust, collaborative culture, where everyone is responsible for the quality of their work. Instead of approval and compliance processes (the hallmark of a low-trust, command-and-control management culture), we rely on peer review to ensure that everyone has confidence in the quality and security of their code and the environments in which they run.
“Just as Dev and Ops need to find new and better ways of working together to help their organization win, so now do security and compliance.”
— Gene Kim, researcher and author
Furthermore, DevOps is a hypothesis-driven culture, requiring everyone to be a scientist, taking no assumptions for granted and doing nothing without measuring. Why? Because we know that our time is valuable. We don’t spend years building features that our customers don’t actually want, deploying code that doesn’t work or fixing something that isn’t actually the problem. All these factors contribute to our ability to release exciting features to the marketplace that delight our customers and help our organizations win.
Security and Compliance: “DevOps? Over My Dead Body”
So, at its heart, DevOps is transformative. It’s the way to increase the flow of work through the DevOps value stream, and it’s also the way to properly integrate information security into the daily work of Dev, Test and Ops. Yet, when organizations actually embark upon this journey, probably the number one obstacle they encounter is that “the compliance guys will never let us do this.”
There’s some truth to this. When an organization starts to implement DevOps, so much of what’s being proposed removes the key controls that traditional IT organizations have used, such as separation of duty or change approval processes.
It’s no wonder that when auditors, compliance managers and security people hear, “Hey, I’m going to be letting our developers deploy whenever they want, without necessarily getting a change approval order from the change advisory board,” they often panic.
Just as Dev and Ops need to find new and better ways of working together to help their organization win, so now do security and compliance.
Compliance Can Co-Exist with DevOps
We know many large, complex organizations in highly regulated industries with stringent compliance requirements that are using DevOps successfully (for example, Capital One, Disney, Barclays Capital, U.S. Citizenship and Immigration Services inside the Department of Homeland Security, and more).
Instead of asking auditors, compliance managers and information security managers to fully understand DevOps and how to do it securely, we DevOps practitioners should teach ourselves to think like auditors and security practitioners, so that we can go through a top-down, risk-based audit process. We then “show our work” to auditors, demonstrating our understanding about risks and the controls we are using to mitigate these risks.
Three concepts underpin how auditors view the world:
- How the audit function sits inside the organization, and how its role relates to that of management
- The internal control objectives of the organization
- The audit process itself
Once we understand which risks are most likely to jeopardize the organizational goals, we can then design and implement the control environment that can prevent those risks from occurring or enable quick detection and recovery from errors when they occur.
Throughout this process, we document our work so that we can create a shared understanding with auditors, compliance managers and information security managers. By using audit methodologies and language, we will be able to bridge the DevOps audit gap. And because of the high precision and specificity of the language of audit, it is likely that this will help us better plan and execute our own work as well.
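The article's point is that a DevOps control such as peer review can stand in for a change advisory board only if it maps to a named risk and leaves evidence an auditor can check. The following is an added illustration written for this page, not code from the article or from the DevOps Audit Defense Toolkit: a deploy gate that enforces an independent peer review (the author may not approve their own change) and a passing pipeline, then records each decision in a hash-chained evidence log. The change fields, the risk tiers, the approver counts and the sample changes are all constructed assumptions for the example.

```python
# Added example (not from the original article or the DevOps Audit Defense Toolkit):
# a deploy gate that encodes the peer-review control as an auditable rule and
# writes tamper-evident evidence for each decision.
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json


@dataclass
class Change:
    """One proposed production change. Field names are assumptions for this example."""
    change_id: str
    author: str
    approvers: list          # people who approved the peer review
    pipeline_passed: bool    # automated tests and security checks succeeded
    risk_tier: str = "low"   # "low" or "high"; assumed policy: high risk needs two approvers


@dataclass
class GateResult:
    allowed: bool
    findings: list
    evidence: dict


def required_approvers(change: Change) -> int:
    """Assumed policy: higher-risk changes need more independent eyes."""
    return 2 if change.risk_tier == "high" else 1


def evaluate_change(change: Change) -> GateResult:
    """Apply the control. Control objective: no single person can put unreviewed
    code into production. Self-approval is ignored, which preserves the intent of
    separation of duties without a change advisory board ticket."""
    findings = []
    independent = sorted({a for a in change.approvers if a != change.author})
    needed = required_approvers(change)
    if len(independent) < needed:
        findings.append(f"need {needed} independent approver(s), have {len(independent)}")
    if not change.pipeline_passed:
        findings.append("automated pipeline did not pass")
    evidence = {
        "change_id": change.change_id,
        "author": change.author,
        "independent_approvers": independent,
        "self_approval_ignored": change.author in change.approvers,
        "pipeline_passed": change.pipeline_passed,
        "risk_tier": change.risk_tier,
        "decision": "allow" if not findings else "block",
        "findings": findings,
    }
    return GateResult(allowed=not findings, findings=findings, evidence=evidence)


class EvidenceLedger:
    """Append-only log where each record hashes the previous one, so an auditor can
    confirm that no decision was altered or dropped after the fact."""

    def __init__(self):
        self.records = []

    def append(self, evidence: dict, when: str = None) -> dict:
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.records[-1]["record_hash"] if self.records else "0" * 64
        body = {"recorded_at": when, "prev_hash": prev, "evidence": evidence}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        record = dict(body, record_hash=digest)
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute every hash and check the chain links; False means tampering."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev_hash"] != prev or digest != rec["record_hash"]:
                return False
            prev = digest
        return True


# Constructed sample changes covering the cases the control must handle.
SAMPLE_CHANGES = [
    Change("CHG-1001", "alice", ["bob"], True),                     # clean: allowed
    Change("CHG-1002", "carol", ["carol"], True),                   # self-approval only: blocked
    Change("CHG-1003", "dave", ["erin", "frank"], False, "high"),   # pipeline failed: blocked
    Change("CHG-1004", "grace", ["heidi", "grace"], True, "high"),  # one independent of two: blocked
]


def run_gate(changes, ledger: EvidenceLedger = None):
    """Evaluate each change, log the evidence, and return {change_id: allowed}."""
    if ledger is None:
        ledger = EvidenceLedger()
    decisions = {}
    for i, change in enumerate(changes):
        result = evaluate_change(change)
        ledger.append(result.evidence, when=f"2016-01-01T00:00:{i:02d}+00:00")  # constructed timestamp
        decisions[change.change_id] = result.allowed
    return decisions, ledger


if __name__ == "__main__":
    decisions, ledger = run_gate(SAMPLE_CHANGES)
    for rec in ledger.records:
        print(json.dumps(rec["evidence"]))
    print("ledger intact:", ledger.verify())
```

Reading the evidence records side by side with the control objective ("no unreviewed code reaches production") is the "show our work" step: the auditor sees the risk, the rule that mitigates it, and a record for every decision whose integrity they can check with `verify()` rather than taking on trust.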
DevOps Audit Defense Toolkit
Bridging these gaps can be painful for both IT teams and auditors. To define authoritative guidance on how management and auditors should conduct audits where DevOps practices are in place, James DeLuccia, senior manager, advisory at Ernst & Young; Jeff Gallimore, co-founder and partner at Excella Consulting; Byron Miller, systems engineer at Luminex Corporation; and I created the DevOps Audit Defense Toolkit. We seek to educate IT management and DevOps practitioners on the audit process, so they can demonstrate to auditors that they understand the business risks and are properly mitigating those risks.
The Toolkit summarizes the techniques DevOps practitioners use to mitigate risk and also provides a section answering the most common questions about value creation, compliance and DevOps. The information in the Toolkit should help organizations wanting to pursue DevOps and continuous delivery explain their approach and improve communication between IT and audit.
In the Toolkit, we describe a fictitious organization—including its business processes and control environment—along with a set of audit concerns and how management could successfully prove controls exist and are effective.
The DevOps community has articulated the need for further guidance on how to help IT and audit work better together. To address this need, the DevOps Audit Defense Toolkit provides information for how to bridge the gap between organizations adopting DevOps practices and their auditors who have the responsibility of assessing whether the organization is mitigating risk adequately. The Toolkit is intended to create a common perspective and shared understanding between organizations and auditors to reduce the pain and increase the effectiveness of audits, ultimately helping the business create more value and win in the marketplace.
The DevOps Audit Defense Toolkit is now available.
To read more about Integrating Infosec into the Daily Work of Dev and Ops, subscribe to updates on The DevOps Cookbook.