Developers accessing production? Tricky doubt

Hi guys!

I have one question that is confusing me so much and I really don't know where to ask it other than here. I know that we have experts in a lot of subjects in this forum and the question is more related to infosec/audit field.

At my company, we have a lot of people in the IT department that is considered 'developers'. However, all the development is being executed by an outsourced company and our 'developers' are more focused on the role of business analysts.

That said, they really need to have access on our production environment to support the users and as a rule, we all know that it isn't accepted by auditors. Therefore, we always have appointments about that, but we really don't know how to contest it or what we can do in order to be compliant.

Please, someone give me some advice to fix it or to 'justify' it to the auditors, so we can still leave them accessing the production environment.

Look to hear from you guys, I think that a lot of people are passing or has passed through this situation

Find more posts tagged with

Comments

Matt2

Basically it's called separation of duties. Developers shouldn't have access to production, period. They should have a proper development environment that mimics production as much as possible (ideally perfectly of course). If you have regular audits then it's probably against your company Security Policy, because your company Security Policy will be written at a minimum to align with audit /compliance requirements. Not only will the auditor "not like it", but the result of that and other problems can result in fines for your company (at least with PCI compliance).

SANS separation of duties content: Separation of Duties in Information Technology

Good luck!
Matt

P.S. And what's to prevent this 3rd party company from making a copy of all your data if they get access to production? What's to prevent them from accidentally or intentionally compromising the systems?

EagerDinosaur

I've worked as a developer for a couple of large household-name companies, and in both the developers ended up having direct access to production environments. This was mainly because the companies were too cheapskate to recruit and retain operations staff with enough skill and experience to support and troubleshoot in-house-developed applications in production.

I'd like to work for a company that's willing to spend the money to create a clear divide between development and production, I just haven't found one yet. If there is a clear divide, then the company must pay staff on both operational and development teams enough money to minimise staff turnover and ensure that both teams retain enough application knowledge to do their jobs, without having staff frequently crossing the divide.

As a developer, having access to production boosts my productivity, because I can closely monitor the live applications and get ideas for future improvements. I never intentionally alter anything in production without going through required change-control procedures, but there's always the risk that I will select "Shutdown" instead of "Logout" on a production server one day.

I don't know where "DevOps" fits into this either.

TheFORCE

If they have developer type access in production but are doing business analyst functions then you know what you need to do. Remove their dev access and give them enough access to do their business analyst functions. Then you can go to the auditors and tell them we have separation of duties in place.