Separation of Duties

Separation of Duties without the manual gatekeeping

Published: Thursday, Jan 19, 2023 Last modified: Monday, Apr 8, 2024

In large organisations kills productivity.

The dogma is:

No single team should have end to end access from code to production.

Dev should not deploy code to production.

Ops should not write code.


Separation of duties (SoD) is a key concept of internal controls, controls performed manually by different teams, e.g. “Dev” & “Ops”. Today, we have tools that can automate these controls and provide protections from fraud and errors.

Rise of DevOps

DevOps is a cultural movement that aims to bridge the gap between development and operations, to increase productivity. Combining software development (Dev) and IT operations (Ops) aims to shorten the systems development life cycle and provide continuous delivery with high software quality.

Though how are the controls enforced?

How do we prevent a rogue DevOps team member from deploying risky code or practices to production?

Automated checks & controls

Changes are made via a Merge Request, which is automatically tested by a CI/CD pipeline. The pipeline is configured to run tests, security scans, and other checks. If the pipeline fails, the MR is not merged. These checks prevents risky code from accepted.

Costing and usage

Further automations/checks can triggered from the logs, such as CloudTrail and CloudWatch.

Avoid these SoD smells (lack of automation)

Manual SoD, replaced by automation and working closer together

This is my AWS / 2023 interpretation of the CD-Friendly SoD procedures for Configuration outlined upon from slide 27, by my colleague Ram.

Best practices / tooling will evolve over time, though the idea is to remove manual gatekeeping checks via automation.

  1. AWS accounts provide controls out the box, use them!
  2. CI/CD pipeline providers like Github/Gitlab provide a lot of checking automations to opt in to.
  3. Communication tools like Slack make it easy for teams to foster open collaboration so that expertise can be shared & stakeholders can be kept in the loop.