DEVOPS AND IT CONTROL OBJECTIVES
ALLIES OR ADVERSARIES?
INTRODUCTIONS
Clay Douglas
• IT Manager, Risk Control Group at McKesson Corporation
• Administers SOX self-assessment compliance program
• 20 years of experience in IT audit
• IT service management process risk management and compliance
• ITIL Expert, CPA, CISA, CISSP and CRISC certifications (CCSP underway)
• Active ISACA member
INTRODUCTIONS
Chuck Wysocki
• Management Consultant, Maryville Technologies
• IT Service Management Evangelist
• Continual Service and Process Improvement Expert
• Thought Leader and Transformation Agent
• ITIL Master, Six Sigma Green Belt
• President, Atlanta IT Service Management Forum (itSMF) Local Interest Group
WHAT WE’LL DISCUSS TODAY
• DevOps defined
• The rise of DevOps
• Various DevOps adaptations
• Establishing and maintaining control of the unicorn
• Key takeaways
DEVOPS DEFINITIONS
• DevOps is a term used to refer to a set of practices that emphasize the collaboration and communication of both software developers and IT professionals while automating the process of software delivery and infrastructure changes. It aims at establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably. (Wikipedia)
• DevOps represents a change in IT culture, focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach. DevOps emphasizes people (and culture), and seeks to improve collaboration between operations and development teams. DevOps implementations utilize technology, especially automation tools that can leverage an increasingly programmable and dynamic infrastructure from a life cycle perspective. (Gartner IT Glossary)
Illustration Source: https://commons.wikimedia.org/w/index.php?curid=20202905
KEY CHARACTERISTICS OF DEVOPS
What DevOps is:
• Agile
• Lean
• Rapid
• Frequent
• Continuous
How DevOps operates:
• Culture
• Environment
• Collaboration
• Communication
• Automation
THE RISE IN DEVOPS POPULARITY
[Charts showing the growth of DevOps adoption and DevOps job postings. Sources: Gartner; indeed.com]
CONTRIBUTORS TO DEVOPS’ RISE
• Agile vs. Waterfall methodology
• Distributed vs. command-and-control IT management
• Growing availability of automation tools for:
  - Development
  - Testing (and production event management)
  - Releases
• "Self-healing" applications and services
• Software-driven infrastructure
UNICORNS… AND OTHER “NOT–SO–LEGENDARY” ANIMALS
TRADITIONAL IT
[Org chart: the CIO sits over functional silos (PMO, BRMs, Architecture, Operations, QA, Development). Project A and Project B each borrow PMs, an Architect, Devs, Testers, Support and Infra staff from those silos.]
AGILE TRANSFORMATION
[Org chart: the same CIO and functional silos (PMO, BRMs, Architecture, Operations, QA, Development), now feeding Projects A through D, each with PMs, an Architect, Devs, Testers, Support and Infra staff; infrastructure is supplemented by Cloud Computing Services.]
AGILE TO DEVOPS TRANSFORMATION
[Org chart: the CIO sits over Product Strategy, Product Management, BAs, Architecture, Engineering, QA, Operations (Support, Release) and an Agile Coach Office. Product A and Product B each have a Product Owner, Architect, Agile Coach, BA, Engineers and a Tester, with Cloud Infra provided under Operations.]
DEVOPS CULTURE
[Org chart: the CIO sits over Product Strategy, Engineering, an Office of the CIO (Budget, HR, Vendor Management), Operations (Support, Release, Cloud Infra) and an Agile Coach Office. Products A, B, C and so on each have a Product Owner, Engineering Manager, Agile Coach, Principal Engineer, Engineers, a BA and DevOps Engineers.]
CHANGE MANAGEMENT
[Flowchart: New/Changed Business Requirement -> Change Request -> High Risk?
  YES -> Normal Change -> Risk Assessment -> Management Approval -> CAB Approval -> Implement Change
  NO -> Standard Change -> Script Change -> Implement Change]
DEVOPS AND IT CONTROL OBJECTIVES
• Accelerated?
• Continuous releases?
• Project-to-product focus?
• Merging development and operations responsibilities?
• What about IT controls?
IT CONTROLS FOR CONSIDERATION
• Automated software scanning
• Automated vulnerability scanning
• Web application firewall
• Developer application security training
• Software dependency management
• Access and activity logging
• Documented policies and procedures
• Application performance management
• Asset management and inventorying
• Continuous auditing and/or monitoring
Source: DevOps Practitioner Considerations (ISACA, DevOps Overview, USA, 2015), www.isaca.org/Knowledge-Center/Research/Documents/IS-DevOps_whp_Eng_0115.pdf
CHANGE MANAGEMENT RISKS FOR DATA INTEGRITY
• Changes are not authorized and properly approved
• Changes are not tested appropriately
• Lack of separation of duties (SOD) between development, testing and migration to production
POTENTIAL APPROVAL & CHANGE TESTING CONTROL OBJECTIVES
A FOCUS ON DATA INTEGRITY
• Changes are authorized and approved prior to development
• Testing is automated based on design requirements:
  - prior to migration to production
  - continuously monitored in production
• Evidence of control execution is auditable
• Approvals and testing of changes are documented or conducive to automated controls testing
DEEPER DIVE INTO POTENTIAL SOD CONTROLS
A FOCUS ON DATA INTEGRITY
• Achieve separation of duties by automation when logging is enabled and retained
• Log developer access and activity that results in changes to production code
• Logs should, at a minimum, record the individual responsible for and the time of changes
• Consider these potential audit steps:
  - Observe log files to ensure that logging is enabled
  - For a sample of production changes, observe that the change can be mapped back to specific developers
  - Review a sample of historical production changes to ensure that log files are retained
Source: DevOps Practitioner Considerations (ISACA, DevOps Overview, USA, 2015), www.isaca.org/Knowledge-Center/Research/Documents/IS-DevOps_whp_Eng_0115.pdf
WHAT ELSE SHOULD WE AUDIT
INTEGRITY OF THE AUTOMATION TOOLS
Other Auditing Activities:
• Review administrative access to the logging/tools
• Review logging/tool change management activities
• Determine if notifications are automatically sent if the logs/tools are disabled
• Review logging/tool incident management
• Determine if user authentication adheres to the password policies
• Review authorization of new users and access revocation of terminated users
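The SOD audit steps on the previous slide and the "notify if logging is disabled" check above can both be scripted. The following is an added example (it is not from the deck or from ISACA) that runs those checks over a constructed deployment log: it verifies each record names an actor and a time, maps each production change back to a developer through the commit log, flags developers who approved or migrated their own change, confirms a sample of historical changes is still retained, and raises an alert when the log has gone silent longer than an allowed window. The record fields (ts, actor, commit, change_id, approved_by) and the sample data are assumptions for the illustration.

```python
"""Scripted audit of a DevOps production-change log (added example, not from the deck)."""
from datetime import datetime, timedelta

# Constructed sample data; field names are an assumption, not an ISACA or vendor format.
COMMITS = {  # commit id -> developer who authored it (from the version-control log)
    "a1f3c9": "alice",
    "b7e210": "bob",
    "c0ffee": "carol",
}

DEPLOY_LOG = [  # one record per production change, as emitted by the deploy tooling
    {"ts": "2016-03-01T10:15:00Z", "actor": "deploy-bot", "commit": "a1f3c9",
     "change_id": "CHG-1001", "approved_by": "dan"},
    {"ts": "2016-03-02T11:00:00Z", "actor": "bob", "commit": "b7e210",
     "change_id": "CHG-1002", "approved_by": "bob"},   # developer approved and shipped own change
    {"ts": "2016-03-03T09:30:00Z", "actor": "deploy-bot", "commit": "deadbe",
     "change_id": "CHG-1003", "approved_by": "dan"},   # commit id not in the version-control log
    {"ts": "", "actor": "deploy-bot", "commit": "c0ffee",
     "change_id": "CHG-1004", "approved_by": "dan"},   # timestamp missing
]

SAMPLED_CHANGES = ["CHG-1001", "CHG-1002", "CHG-0950"]  # auditor's sample from the change repository


def parse_ts(value):
    """Return a datetime for an ISO-8601 UTC stamp, or None if the value is absent or malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        return None


def audit_deploy_log(records, commits, sampled_changes):
    """Return a list of (change_id, finding) tuples; an empty list means every check passed."""
    findings = []
    seen = set()
    for rec in records:
        cid = rec.get("change_id", "?")
        seen.add(cid)
        # Minimum log content: who made the change and when.
        if parse_ts(rec.get("ts")) is None or not rec.get("actor"):
            findings.append((cid, "missing actor or timestamp"))
        # Map the production change back to a specific developer.
        author = commits.get(rec.get("commit"))
        if author is None:
            findings.append((cid, "change cannot be mapped to a developer"))
            continue
        # Separation of duties: the author neither approves nor migrates the change.
        if rec.get("approved_by") == author:
            findings.append((cid, "developer approved own change"))
        if rec.get("actor") == author:
            findings.append((cid, "developer migrated own change to production"))
    # Retention: every sampled historical change must still have a log record.
    for cid in sampled_changes:
        if cid not in seen:
            findings.append((cid, "no retained log record for sampled change"))
    return findings


def logging_silent(records, now_iso, max_silence_hours):
    """True when the log has produced nothing for longer than the allowed window (alert condition)."""
    stamps = [t for t in (parse_ts(r.get("ts")) for r in records) if t is not None]
    if not stamps:
        return True
    return parse_ts(now_iso) - max(stamps) > timedelta(hours=max_silence_hours)


if __name__ == "__main__":
    for change_id, finding in audit_deploy_log(DEPLOY_LOG, COMMITS, SAMPLED_CHANGES):
        print(change_id, finding)
    print("logging silent:", logging_silent(DEPLOY_LOG, "2016-03-10T00:00:00Z", 24))
```

Run against real tooling, the commit map would come from the repository history and the records from the deploy tool's own log export; the point of the sampled-change check is that retention is tested from the change repository inward, so a record that was never written or has since been purged shows up as a finding rather than as silence.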
DEVOPS AUTOMATION
[Diagram: DevOps automation pipeline. Plan -> Code -> Build -> Test -> Release (Continuous Integration) -> Deploy -> Run (Continuous Delivery). CI Lifecycle Automation and InfoSec Automation act on the pipeline. Change Record Automation writes to the Change Repository and Incident & Availability events to the Incident Repository, both through ITSM SOAP/REST/other APIs; automated Logs, the CMDB and the SIM are fed from the same pipeline.]
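The change-management flowchart earlier in the deck and the Change Record Automation box in this diagram describe the same control from two sides: every pipeline deploy should produce a change record, low-risk changes follow the pre-approved standard-change path, and high-risk ones wait for approval from someone other than the author. The following is an added example (not code from the deck, ISACA, or any ITSM product) that implements that gate in a pipeline step against an in-memory stand-in for the change repository; the high-risk path prefixes, the standard change types and the record fields are assumptions chosen for the illustration.

```python
"""Pipeline-side change gate (added example, not from the deck)."""
from dataclasses import dataclass, field

# Assumed policy: paths whose modification makes a change high risk, and change
# types pre-approved as standard (scripted) changes.
HIGH_RISK_PATHS = ("db/migrations/", "infra/", "auth/")
STANDARD_CHANGE_TYPES = {"config-flag", "content", "dependency-patch"}


@dataclass
class ChangeRecord:
    change_id: str
    commit: str
    author: str
    requested_at: str
    change_type: str
    files: list
    risk: str = "low"
    route: str = "standard"          # "standard" (scripted) or "normal" (needs approval)
    approvals: list = field(default_factory=list)
    history: list = field(default_factory=list)  # (time, who, what): the audit evidence


def assess_risk(rec):
    """High risk if the change touches a sensitive path or is not a pre-approved type."""
    touches_sensitive = any(f.startswith(HIGH_RISK_PATHS) for f in rec.files)
    if touches_sensitive or rec.change_type not in STANDARD_CHANGE_TYPES:
        return "high"
    return "low"


class ChangeRepository:
    """In-memory stand-in for the ITSM change repository the pipeline would reach over its API."""

    def __init__(self):
        self.records = {}
        self._seq = 1000

    def create(self, commit, author, change_type, files, now):
        """Change Record Automation: the pipeline opens the record, it is not typed in by hand."""
        self._seq += 1
        rec = ChangeRecord(f"CHG-{self._seq}", commit, author, now, change_type, list(files))
        rec.risk = assess_risk(rec)
        rec.route = "normal" if rec.risk == "high" else "standard"
        rec.history.append((now, "pipeline", f"created as {rec.route} change, risk={rec.risk}"))
        self.records[rec.change_id] = rec
        return rec


def approve(rec, approver, now):
    """Management/CAB approval for a normal change; the author may not approve their own change."""
    if approver == rec.author:
        rec.history.append((now, approver, "approval rejected: self-approval"))
        return False
    rec.approvals.append(approver)
    rec.history.append((now, approver, "approved"))
    return True


def deploy_gate(rec, deployer, now):
    """Pipeline check before implementing the change; True if it may proceed. Evidence is logged either way."""
    if rec.route == "normal" and not rec.approvals:
        rec.history.append((now, deployer, "deploy blocked: normal change awaiting approval"))
        return False
    if deployer == rec.author:
        rec.history.append((now, deployer, "deploy blocked: author may not migrate own change"))
        return False
    rec.history.append((now, deployer, "implemented"))
    return True


if __name__ == "__main__":
    repo = ChangeRepository()
    std = repo.create("a1f3c9", "alice", "config-flag", ["app/flags.yaml"], "2016-03-01T10:00:00Z")
    print(std.change_id, std.route, deploy_gate(std, "deploy-bot", "2016-03-01T10:05:00Z"))
    hi = repo.create("b7e210", "bob", "feature", ["db/migrations/002.sql"], "2016-03-02T09:00:00Z")
    print(hi.change_id, hi.route, deploy_gate(hi, "deploy-bot", "2016-03-02T09:05:00Z"))
    approve(hi, "dan", "2016-03-02T13:00:00Z")
    print(hi.change_id, hi.route, deploy_gate(hi, "deploy-bot", "2016-03-02T13:10:00Z"))
    for entry in hi.history:
        print(*entry)
```

Because the record's history is appended by the same code that enforces the route, the evidence an auditor needs (who requested, who approved, who deployed, and when) exists for every change without a separate documentation step, which is what "conducive to automated controls testing" on the earlier slide asks for.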
OTHER KEY AUDIT TAKE AWAYS
Audit strategy must keep pace with DevOps evolution
• Develop open communication with key DevOps stakeholders
• Become involved with DevOps early in the transition process
• Adapt a product (vs. project) focused audit approach to DevOps implementations
• Identify and test automated change management controls
BIMODAL IT
[Diagram: Bimodal IT. Traditional Mode: required reliability (COBIT, ITIL, CMMI), governance, Systems of Record. Nonlinear Mode: accepts instability (DevOps, automation, reusable components), Systems of Innovation. Systems of Differentiation sit between the two modes, and change flows across them.]
THANKS!
QUESTIONS, DISCUSSION
APPENDIX