Separation of Development and Production

Overview
Separation of Development and Production is the practice of separating non-production environments (including Development and testing) from Production environments. The objective is to ensure non-production activities do not impact the confidentiality, integrity and availability of critical business services and sensitive information.

Guidelines
Separation of non-production (e.g. development) from Production systems, applications, access and processes is a critical component of a Network Segregation and Access Control strategy. Environments should be segregated with separate systems, access, networks and tools to reduce the risk of unintended modification, unauthorized access and malicious or fraudulent activity.

Examples of controls that should be used to separate non-production from Production environments include, but are not limited to:
  • Development systems segregated from Production systems (separated by firewalls and network rules)
  • Separate Development and Production roles used for privileged system, application and network access entitlements
  • Role membership reviewed periodically by the role owner or management (for membership or role changes)
  • Separate access mechanisms used for Development and Production access (e.g. separate Active Directory forests or domains, login IDs, or password repositories)
  • Privileged access monitoring for login and change activity on Production systems
The need for separation is about more than trust or the potential for unauthorized Developer access to critical Production information. Mistakes can also happen. For example, lab testing of the latest technology could cause an availability issue in Production if something unplanned goes awry. Also, imagine a tired, multitasking system engineer who planned to make a change on a Development system, but mistakenly misconfigures the wrong system in Production instead (e.g. a sensitive internet-facing system or application). Having separate systems and access control mechanisms enhances network and systems segregation of Development and Production.
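
As an added illustration (not part of the original guideline), the Python sketch below shows how two of the controls listed above can be checked periodically: it flags accounts that hold privileged roles in both Development and Production, and firewall allow rules whose source can include Development addresses and whose destination is in Production. The role names, accounts, address ranges and rules are constructed sample data, and the export formats are assumptions.

```python
# Added example: audit role membership and firewall rules for dev/prod separation.
# All role names, accounts, zones and rules below are constructed sample data.
from ipaddress import ip_network

ROLE_MEMBERS = {  # assumed export format: privileged role -> (environment, members)
    "dev-app-admin":  ("dev",  {"alice-dev", "bob-dev", "carol"}),
    "dev-net-admin":  ("dev",  {"dave-dev"}),
    "prod-app-admin": ("prod", {"alice-prd", "carol"}),
    "prod-net-admin": ("prod", {"erin-prd"}),
}
ZONES = {"dev": ip_network("10.20.0.0/16"), "prod": ip_network("10.10.0.0/16")}
FIREWALL_RULES = [  # assumed format: (id, action, source CIDR, destination CIDR, port)
    ("r1", "allow", "10.20.0.0/16", "10.20.0.0/16", "any"),
    ("r2", "allow", "10.20.5.0/24", "10.10.8.0/24", "1433"),
    ("r3", "deny",  "10.20.0.0/16", "10.10.0.0/16", "any"),
    ("r4", "allow", "0.0.0.0/0",    "10.10.1.0/24", "443"),
]

def shared_privileged_accounts(role_members):
    """Return accounts holding privileged roles in more than one environment."""
    envs_by_account = {}
    for role, (env, members) in role_members.items():
        for account in members:
            envs_by_account.setdefault(account, {}).setdefault(env, []).append(role)
    return {a: e for a, e in envs_by_account.items() if len(e) > 1}

def dev_to_prod_allows(rules, zones):
    """Return ids of allow rules whose source overlaps dev and destination overlaps prod.

    Rule ordering is ignored on purpose: every such rule is listed for human review,
    including "any source" rules that silently cover the development range.
    """
    hits = []
    for rule_id, action, src, dst, _port in rules:
        if action != "allow":
            continue
        if ip_network(src).overlaps(zones["dev"]) and ip_network(dst).overlaps(zones["prod"]):
            hits.append(rule_id)
    return hits

if __name__ == "__main__":
    for account, envs in sorted(shared_privileged_accounts(ROLE_MEMBERS).items()):
        print(f"REVIEW {account}: privileged in {sorted(envs)}")
    for rule_id in dev_to_prod_allows(FIREWALL_RULES, ZONES):
        print(f"REVIEW firewall rule {rule_id}: allows Development -> Production traffic")
```

In the sample data, the single login ID carol appears in both environments, while alice uses separate IDs per environment and is not flagged.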

Topic Category
Access Control
Network Security
 
News Articles
  • Millions Download "System Update" Android Spyware via Google Play (www.securityweek.com, 4/20/2017)
  • Formspring springs a leak: 28 MILLION passwords reset after raid (www.theregister.co.uk, 7/11/2012)