This is the 6th part of our series on DevOps.
The increased collaboration between Development and Operations teams in the DevOps paradigm of software development introduces compliance challenges. The primary compliance issues come in the areas of change management, code access, production environment access, segregation of duties and data protection.
There are many best practices to consider when implementing a DevOps approach to a compliant application. Access to source code repositories needs to be restricted. Developers should be prevented from directly accessing the production operations environment. Changes in the production environment should be restricted and auditable. Data must be protected not only while it is being transmitted, but also while it is processed and stored.
In this article, we will discuss how DevOps can enable compliance when running on Amazon Web Services.
The issue of change management is addressed through extensive logging, access control and restrictions on unauthorized modifications, using AWS offerings such as CloudFormation, CloudWatch, CloudTrail, Identity and Access Management (IAM), Elastic Beanstalk, and OpsWorks. Unauthorized changes to files and applications in the production environment can be detected and prevented using file integrity monitoring services, an add-on to the AWS CloudWatch service.
The issue of unauthorized access to code and production environments is alleviated when the build process is automated: taking code from source code repositories, compiling and linking dependencies, versioning, and deploying the executable artifacts into the production environment, using DevOps offerings such as AWS Elastic Beanstalk and OpsWorks. AWS Elastic Beanstalk is a service that automatically deploys and scales an organization’s Web applications in the AWS Cloud. CloudTrail is the AWS service that records and logs all actions and API calls made from the AWS management console, the command line tools and other services such as CloudFormation. Combining a managed AWS DevOps approach with CloudTrail gives insight into the history of changes, which enables security analysis and compliance auditing.
Deployment automation using DevOps tools within the AWS offerings in a sense eliminates the issue of segregation of duties, as there is no manual involvement in the deployment process. However, where user interaction is required, the AWS Identity and Access Management (IAM) solution comes in handy. With IAM one can create and manage user groups and permissions, thereby making it possible to implement role-based access control (RBAC) and enforce least privilege. IAM RBAC provides a way to securely grant or restrict users’ access to production instances and applications. This access can also be audited using CloudTrail, which can be configured to deliver its records on a periodic basis (real-time, hourly, daily, etc.) and makes review of the log data easy as well.
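The previous two paragraphs make the point that, once deployment is automated, any write to production that did not come from the deployment automation is a segregation-of-duties finding, and that CloudTrail is where such changes become visible. The script below is an added example, not part of the original article or an AWS tool: it scans constructed CloudTrail-style records (field names follow the CloudTrail record format; the account id, ARNs, user names and the `deploy-pipeline` role are made-up assumptions) and reports every write API call whose principal is not the allow-listed automation role.

```python
import json

# Constructed CloudTrail-style records for illustration only. Field names
# follow the CloudTrail record format; account id, ARNs and names are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "dev.alice",
                      "arn": "arn:aws:iam::111122223333:user/dev.alice"}},
    {"eventTime": "2016-03-01T10:05:00Z", "eventSource": "elasticbeanstalk.amazonaws.com",
     "eventName": "UpdateEnvironment", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy-pipeline/build-42",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/deploy-pipeline"}}}},
    {"eventTime": "2016-03-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "dev.bob",
                      "arn": "arn:aws:iam::111122223333:user/dev.bob"}},
    # Older record without the readOnly flag, to exercise the name-based fallback.
    {"eventTime": "2016-03-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]})

READ_PREFIXES = ("Describe", "List", "Get", "Head")
# Assumed: the only principal expected to change production is the pipeline role.
AUTOMATION_ROLES = {"arn:aws:iam::111122223333:role/deploy-pipeline"}


def is_write(record):
    """Prefer CloudTrail's readOnly flag; fall back to the API name prefix."""
    if "readOnly" in record:
        return not record["readOnly"]
    return not record["eventName"].startswith(READ_PREFIXES)


def principal(record):
    """Resolve assumed-role sessions back to the IAM role that issued them."""
    ident = record["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn")


def find_manual_changes(log_json, automation_roles=AUTOMATION_ROLES):
    """Return (time, principal, service, API) for writes not made by automation."""
    findings = []
    for rec in json.loads(log_json)["Records"]:
        if is_write(rec) and principal(rec) not in automation_roles:
            findings.append((rec["eventTime"], principal(rec),
                             rec["eventSource"], rec["eventName"]))
    return findings


if __name__ == "__main__":
    for finding in find_manual_changes(SAMPLE_LOG):
        print("MANUAL CHANGE:", *finding)
```

Run against a real trail, the same check would be fed the records from the S3 bucket CloudTrail delivers to, and the allow-list would hold whatever role the organization's Elastic Beanstalk or OpsWorks pipeline assumes.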
The issue of data protection while data is being transmitted is addressed using secure communication mechanisms. In fact, most AWS offerings, such as the OpsWorks API, allow only secure communication and require Transport Layer Security (TLS), or its predecessor Secure Sockets Layer (SSL), for access. This provides data protection on the wire. Attesting that stored data is protected as well can be achieved using encryption, and the keys needed for cryptographic operations can be protected using the AWS CloudHSM solution. This ensures that the cloud service provider does not have access to the cryptographic keys, which is something that an organization’s auditors would need IT to prove.
Using DevOps for deployment on a managed AWS environment improves compliance. Next time the auditor is in the room, IT can breathe easy if they have deployed their Cloud App using DevOps tools and AWS.
By Mano Paul