James DeLuccia, director and auditor at Ernst & Young, in a recent post writes that organizational DevOps skill can indeed support auditing processes through collaboration and clear communication between DevOps personnel and the auditors. Software development and IT operations should be a proactive partner in the auditing process. The post in the Wall Street Journal CIO section underlines the importance of auditing DevOps implementations in Financial Services companies.
According to James, businesses need to demonstrate how their DevOps culture and processes support their business model:
The most important thing that organizations can do from the onset of an audit is to help show the linkage between what the control objectives are, and what internal procedures are in place to support this control.
In essence, he describes these general principles for DevOps people when dealing with audits:
- Involve early into control objectives discussion.
- Understand the critical business risks.
- Help auditors understand how DevOps procedures proactively minimize risk.
- Integrate audit and DevOps systems within the enterprise.
- Continually improve the auditing process.
- Audits can provide critical feedback to DevOps practices.
While his post is targeted specifically at Financial Services, James' previous conference talks with Gene Kim (Successfully Establishing and Representing DevOps in an Audit and Keeping the Auditor Away) suggest that the principles are valid in general. Gene and James also co-initiated the DevOps Audit Defense Toolkit, which strives to "define the authoritative guidance of how management and auditors should conduct audits where DevOps practices are in place."
According to Gene, the reason behind the problems between DevOps and audit processes is that latter are based on the traditional software development life cycle and there still is little agreement on "DevOps control objectives."
Specific tips for dealing with these problems come from Rich Mogull. He suggests to:
- Investigate which parts of an application and operations are in scope and which out of scope from the regulation perspective. Apply controls and logging granularity accordingly.
- Make sure that continuous integration tools include security checks and log all updates and changes.
- Automatically keep records of all changes in the deployment pipeline and store the records to a secure log repository.
- Track all infrastructure API calls and keep the logs for the auditor.
- Log all SSH instance access and dump the logs to a central repository.
- Keep revisions of all code and infrastructure changes.
Rich also suggests:
Explain to your auditor that all changes go through an automated approval system that checks the code, tests it (detail the tests), tracks the change, and then moves it into production. That all server logins and infrastructure changes are logged, as is the complete history of the structure of your entire environment. And that you can provide all the documentation, filtered for the pieces within compliance scope. [...] The trick is explaining this to your auditor in their terms. They expect manual checks and records. You need to show them that you still have these checks and balances, but they are automated.
Or as Gene puts it:
We don't need to wait for auditors to learn about DevOps - by learning about audit, we can successfully bridge the gap.