When designing software, some roles are recommended. As they are not specific to common DevOps roles, they are provided separately within this chapter. The activities of the mentioned roles are defined by the National Institute of Standards and Technology (NIST 800-53) and the International Standardization Organization / International Electrotechnical Commission (ISO/IEC 27001). Common categories within NIST 800-53 are:
- Access control
- Awareness and training
- Audit and accountability
- Security assessment and authorization
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Personnel security
- Risk assessment
- System and service acquisition
- System and communication protection
- System and information integrity
- Program management
Platform Provider
Platform providers are responsible for securing the perimeter of the computing platforms used by an organization. The role ensures isolation among customers of the platform and adequate resource sharing when required. It also provides services used by the security architect.
Security Architect
Security architects are responsible for designing an organization’s network so that the network is secure. This role is also responsible for overseeing the implementation of the network. The IT staff implements those designs.
Solution Architect
Solution architects are responsible for the design of systems to support the organization’s business functions. Developers implement these designs. This role focuses on the following technical controls (see NIST 800-53):
- “Within channels” controls
  These allow legitimate users to access the network, authenticate users, and authorize users to access information or resources. These controls support, and should be applied to, activities involved in the application itself; it is therefore crucial that the solution architect considers them. For example, modifying a script involves authentication and authorization and should be tracked in a version control system (infrastructure-as-code).
- “Outside of channels” controls
  These prevent access through non-approved channels in order to prevent side-channel attacks, which exploit timing, power consumption, and sound and electromagnetic leaks to gain useful information. As mentioned, information can be in several states (and therefore in different channels) and must be protected.
- Auditing
  Records should be kept of various activities within the system, such as use of resources, access to data and modification of data. Auditing controls are intended to ensure that such records are created and maintained. Especially in DevOps this means:
  - Usage of automated tools and infrastructure-as-code to record security test results
  - Integration of security testing in the DevOps pipeline
  - Securing of the DevOps pipeline and other operations themselves
IT Staff
This role is responsible for monitoring and tracing any events related to potential security attacks. This role is also responsible for the implementation of the architecture designed by the security architect. Developers in DevOps can also participate in this role as part of the infrastructure-as-code pattern or as part of implementing, tracking, automating or making the system auditable. Those items can be achieved through exposed APIs (automation) or software-defined networks (SDNs).