DEVOPS AND IT CONTROL OBJECTIVES: ALLIES OR ADVERSARIES?

INTRODUCTIONS
Clay Douglas, IT Manager, Risk Control Group at McKesson Corporation
- Administers SOX self-assessment compliance program
- 20 years of experience in IT audit, IT service management, process risk management and compliance
- ITIL Expert, CPA, CISA, CISSP and CRISC certifications (CCSP underway)
- Active ISACA member

Chuck Wysocki, Management Consultant, Maryville Technologies
- IT Service Management Evangelist
- Continual Service and Process Improvement Expert
- Thought Leader and Transformation Agent
- ITIL Master, Six Sigma Green Belt
- President, Atlanta IT Service Management Forum (itSMF) Local Interest Group

WHAT WE'LL DISCUSS TODAY
- DevOps defined
- The rise of DevOps
- Various DevOps adaptations
- Establishing / maintaining control of the unicorn
- Key takeaways

DEVOPS DEFINITIONS
"DevOps is a term used to refer to a set of practices that emphasize the collaboration and communication of both software developers and IT professionals while automating the process of software delivery and infrastructure changes. It aims at establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably." (Wikipedia)

"DevOps represents a change in IT culture, focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach. DevOps emphasizes people (and culture), and seeks to improve collaboration between operations and development teams. DevOps implementations utilize technology - especially automation tools that can leverage an increasingly programmable and dynamic infrastructure from a life cycle perspective." (Gartner IT Glossary)

Illustration source: https://commons.wikimedia.org/w/index.php?curid=20202905

KEY CHARACTERISTICS OF DEVOPS
What DevOps is    How DevOps operates
Agile             Culture
Lean              Environment
Rapid             Collaboration
Frequent          Communication
Continuous        Automation

THE RISE IN DEVOPS POPULARITY
[Charts of DevOps adoption and job postings. Source: Gartner; Source: indeed.com]

CONTRIBUTORS TO DEVOPS' RISE
- Agile vs waterfall methodology
- Distributed vs command & control IT management
- Growing availability of automation tools for:
  - Development
  - Testing (and production event management)
  - Releases
  - "Self-healing" applications and services
  - Software-driven infrastructure

UNICORNS... AND OTHER "NOT-SO-LEGENDARY" ANIMALS
[Four organisation-chart slides; only the titles and the labels shown survive.]
- TRADITIONAL IT: CIO over PMO, BRMs, Architecture, Operations, QA and Development; Project A and Project B each staffed from the functional silos with PMs, an architect, developers, testers, and support or infrastructure staff.
- AGILE TRANSFORMATION: the same functional structure, now with Projects A through D, with infrastructure increasingly drawn from cloud computing services.
- AGILE TO DEVOPS TRANSFORMATION: CIO over Product Strategy, Product A and Product B; product teams show product owner, architect, agile coach, BA, engineers and tester; Product Management, BAs, Architecture, QA, Support, Release, Agile Coach Office and Engineering Support remain as shared functions, all on cloud infrastructure.
- DEVOPS CULTURE: CIO over Product Strategy and Engineering; Products A, B, C, ... show product owner, engineering manager, agile coach, BA, principal engineer, engineers and DevOps engineers; the Office of the CIO holds Operations, Agile Coach Office, Support, Release, Budget, HR and Vendor Management; all on cloud infrastructure.

CHANGE MANAGEMENT
[Flowchart.] New/changed business requirement -> Change request -> Risk assessment -> High risk?
- YES: Normal change -> CAB approval -> Management approval -> Implement change
- NO: Standard change -> Script change -> Implement change

DEVOPS AND IT CONTROL OBJECTIVES
- Accelerated?
- Continuous releases?
- Project to product focus?
- Merging development and operations responsibilities?
- What about IT controls?

IT CONTROLS FOR CONSIDERATION
- Automated software scanning
- Automated vulnerability scanning
- Web application firewall
- Developer application security training
- Software dependency management
- Access and activity logging
- Documented policies and procedures
- Application performance management
- Asset management and inventorying
- Continuous auditing and/or monitoring
Source: DevOps Practitioner Considerations (published by ISACA). ISACA, DevOps Overview, USA, 2015, www.isaca.org/Knowledge-Center/Research/Documents/IS-DevOps_whp_Eng_0115.pdf

CHANGE MANAGEMENT RISKS FOR DATA INTEGRITY
- Changes are not authorized and properly approved
- Changes are not tested appropriately
- Lack of SOD (separation of duties) between development, testing and migration to production

POTENTIAL APPROVAL & CHANGE TESTING CONTROL OBJECTIVES: A FOCUS ON DATA INTEGRITY
- Changes are authorized and approved prior to development
- Testing is automated based on design requirements:
  - prior to migration to production
  - continuously monitored in production
- Evidence of control execution is auditable
- Approvals and testing of changes are documented or conducive to automated controls testing

DEEPER DIVE INTO POTENTIAL SOD CONTROLS: A FOCUS ON DATA INTEGRITY
- Achieve separation of duties by automation when logging is enabled and retained
- Log developer access and activity that results in changes to production code
- Logs should, at a minimum, record the individual responsible for and the time of changes
- Consider these potential audit steps:
  - Observe log files to ensure that logging is enabled
  - For a sample of production changes, observe that the change can be mapped back to specific developers
  - Review a sample of historical production changes to ensure that log files are retained
Source: DevOps Practitioner Considerations (published by ISACA). ISACA, DevOps Overview, USA, 2015, www.isaca.org/Knowledge-Center/Research/Documents/IS-DevOps_whp_Eng_0115.pdf

WHAT ELSE SHOULD WE AUDIT? INTEGRITY OF THE AUTOMATION TOOLS
Other auditing activities:
- Review administrative access to the logging/tools
- Review logging/tool change management activities
- Determine if notifications are automatically sent if the logs/tools are disabled
- Review logging/tool incident management
- Determine if user authentication adheres to the password policies
- Review authorization of new users and access revocation of terminated users

DEVOPS AUTOMATION
[DevOps automation plan diagram; labels shown:] pipeline stages Plan, Code, Build, Test, Release (Continuous Integration) and Deploy, Run (Continuous Delivery); ITSM integration via SOAP/REST/other API; automated logs feeding the CMDB and SIM; InfoSec automation; CI lifecycle automation; change record automation into a change repository; incident & availability records into an incident repository.

OTHER KEY AUDIT TAKEAWAYS
- Audit strategy must keep pace with DevOps evolution
- Develop open communication with DevOps key stakeholders
- Become involved with DevOps early in the transition process
- Adopt a product (vs project) focused audit approach to DevOps implementation
- Identify and test automated change management controls

BIMODAL IT
[Diagram.] Traditional Mode (required reliability: COBIT, ITIL, CMMI) and Nonlinear Mode (accept instability: DevOps, automation, reusable), spanning Systems of Record, Systems of Differentiation and Systems of Innovation, with governance change between the two modes.

THANKS! QUESTIONS, DISCUSSION

APPENDIX
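The three SOD audit steps above (logging enabled, each sampled production change mapped to a specific individual and time, historical changes still retained) can be scripted rather than eyeballed. This is an added example, not code from the presentation or from ISACA; the JSON-lines deployment log, its field names and the shared-account list are constructed assumptions, not any real tool's schema.

```python
"""Added example: scripting the slide's SOD audit steps over a constructed
deployment audit log (hypothetical field names, not a real tool's schema)."""
import json

# Constructed sample: one JSON line per change recorded by a hypothetical
# CI/CD system. CHG-1002 ran under a service account, CHG-1003 has no actor.
SAMPLE_LOG = """\
{"change_id": "CHG-1001", "env": "prod", "actor": "alice", "commit": "a1b2c3", "ts": "2024-03-01T10:15:00Z"}
{"change_id": "CHG-1002", "env": "prod", "actor": "svc-deploy", "commit": "d4e5f6", "ts": "2024-03-05T14:02:00Z"}
{"change_id": "CHG-1003", "env": "prod", "commit": "0a1b2c", "ts": "2024-03-09T09:30:00Z"}
{"change_id": "CHG-1004", "env": "prod", "actor": "bob", "commit": "778899", "ts": "2024-03-12T16:45:00Z"}
{"change_id": "CHG-1005", "env": "staging", "actor": "carol", "commit": "aabbcc", "ts": "2024-03-13T08:00:00Z"}
"""

# Shared or service identities cannot be mapped back to a specific developer
# (assumed list; an auditor would take it from the organisation's IAM data).
SHARED_ACCOUNTS = {"svc-deploy", "root", "admin"}


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_changes(records, sampled_ids):
    """Apply the slide's audit steps to a sample of change IDs taken from the
    change-ticket system (the 'historical production changes').

    Returns a findings dict:
      logging_enabled - at least one production change was logged at all
      not_retained    - sampled changes with no log record (retention failure)
      unattributed    - logged changes lacking a specific individual or a
                        timestamp (the SOD evidence the slide requires)
    """
    prod = {r["change_id"]: r for r in records if r.get("env") == "prod"}
    not_retained, unattributed = [], []
    for cid in sampled_ids:
        rec = prod.get(cid)
        if rec is None:
            not_retained.append(cid)
        elif not rec.get("actor") or rec["actor"] in SHARED_ACCOUNTS or not rec.get("ts"):
            unattributed.append(cid)
    return {"logging_enabled": bool(prod),
            "not_retained": not_retained,
            "unattributed": unattributed}


if __name__ == "__main__":
    sample = ["CHG-1001", "CHG-1002", "CHG-1003", "CHG-0999"]  # CHG-0999: purged from log
    print(json.dumps(audit_changes(parse_log(SAMPLE_LOG), sample), indent=2))
```

Every item in `unattributed` or `not_retained` is an audit exception: either the pipeline let a shared identity push to production or the log no longer covers the sampled period, both of which also bear on the "notifications if logs/tools are disabled" check on the next slide.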