简体繁体 English

用于 SOX 合规性的 Azure DevOps 权限层次结构

[英]Azure DevOps Permissions Hierarchy for SOX Compliance

原文 2020-01-10 15:11:23 8 1 azure/ azure-devops/ devops/ continuous-delivery/ sarbanes-oxley

Issue: As part of SOX Compliance Audit, the auditors who are demanding separation of duties, are asking to remove contribute access to the source code even for administrators like Project Admins and Collection Admins in the Azure Repos in the Azure DevOps Services or to any one who are able to deploy to production environments through release pipelines.问题：作为 SOX 合规性审计的一部分，要求职责分离的审计员要求删除对源代码的贡献访问权限，即使是管理员，如 Azure DevOps 服务中的 Azure Repos 中的项目管理员和集合管理员或任何人谁能够通过发布管道部署到生产环境。

Question: How does MS or any other companies utilizing Azure DevOps or similar services address these permission conflicts in the Era of the DevOps and SRE where a person who has access to production deployment will need to make code changes (if required) to address any customer problems, all at the same time keeping compliance folks happy ?问题：在 DevOps 和 SRE 时代，MS 或任何其他使用 Azure DevOps 或类似服务的公司如何解决这些权限冲突，在这个时代，有权访问生产部署的人需要进行代码更改（如果需要）以解决任何客户的问题问题，同时让合规人员满意？

Solution Tried so far:- - Added explicit denies for the project collection administrators group for the contributing permission in the repositories but it does not address all other scenarios as for Collection admin, deny does not trump allow.解决方案到目前为止尝试过：- - 为项目集合管理员组添加了明确拒绝存储库中的贡献权限，但它没有解决所有其他场景，对于集合管理员，拒绝不会胜过允许。 From MS Docs - Azure DevOps Permission Settings来自 MS Docs - Azure DevOps 权限设置

1 个解决方案

Not sure if this is an acceptable answer but your problem is your auditors.不确定这是否是可接受的答案，但您的问题是您的审核员。 In this era, it is generally understood that a combination of automation and robust audit logs, that is enough to comply.在这个时代，人们普遍认为自动化和健壮的审计日志相结合，即足以合规。

I would speculate that your problem comes from the auditor's lack of understanding.我推测你的问题来自审计师缺乏理解。 The actual deployment is handled by the machine, not a person.实际部署由机器处理，而不是人。 I'd agree that developers should not be making unchecked arbitrary changes in product.我同意开发人员不应该对产品进行未经检查的任意更改。

My suggestion, speak to your CTO about getting a new audit team next time.我的建议是，和你的 CTO 谈谈下次组建新的审计团队。

For reference here is what Puppet say on this: Puppet 对此的评论供参考：

What does “separation of duties” really mean? “职责分离”的真正含义是什么？ Some companies implement controls to limit access to IT systems or require manual approvals, believing that regulations — for example, the Sarbanes-Oxley Act or SOC 2 — mandate separation of duties.一些公司实施控制以限制对 IT 系统的访问或要求手动批准，认为法规（例如萨班斯-奥克斯利法案或 SOC 2）要求职责分离。 This is often interpreted to mean that people who can commit to a code repository must not be allowed to deploy that same code to production.这通常被解释为意味着不能允许可以提交代码存储库的人将相同的代码部署到生产中。 Indeed, many auditors and security professionals are convinced that this is what the regulations say.事实上，许多审计师和安全专业人士都相信这就是法规所说的。 In reality, regulations can frequently be satisfied with the combination of: • Automated deployment • A requirement that someone other than the code author must review and approve the change • Supporting controls such as strong audit logs and access control If your automation efforts are being hamstrung by controls such as these, we suggest you focus on building a collaborative relationship with your auditors and risk management teams.实际上，法规通常可以通过以下组合来满足： • 自动化部署 • 要求代码作者以外的其他人必须审查和批准更改 • 支持控制，例如强大的审计日志和访问控制如果您的自动化工作受到阻碍通过此类控制，我们建议您专注于与您的审计师和风险管理团队建立协作关系。 Work together on genuinely satisfying regulatory requirements in an efficient and secure manner.共同努力以高效和安全的方式真正满足监管要求。 We've seen very few people actually reach out to their risk teams to collaborate, but the ones that do nearly always succeed.我们已经看到很少有人真正联系他们的风险团队进行协作，但那些确实成功的人几乎总是成功的。