
PDP-19 Production Deployment Access


What is this control about?

Production Deployment Access – This control usually ends up being a sore point in most audits. Because most companies operate in an Agile way, segregation of duties between writing code and deploying it is often overlooked.

If you answer yes to this question, you may need to spend some time on the Production Deployment Access control:

Do you have employees with elevated access who can both write code and push that code to production? In other words, can an employee develop code and push it to production without any intermediary?

If yes, some mitigation needs to be in place to reduce the risk of an employee going “rogue”, or of an attacker obtaining that specific individual's access and pushing unauthorized changes through.

A strong mitigating control is a File Integrity Monitoring (FIM) tool or an alerting mechanism that notifies independent personnel of any changes being deployed. Just make sure that the alerting mechanism cannot be disabled by the same individual who holds the elevated privileges.
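The FIM idea described above, reduced to its core, is a baseline of file hashes taken at deploy time, compared later against a fresh scan, with any drift turned into a notification for someone other than the deployer. The script below is an added example written for this page; it is not TrustCloud's code and not taken from any of the tools listed further down. The directory layout, file names and the simulated change set are all constructed inside the script so it runs offline. The notification text is returned as a string rather than posted anywhere; a real deployment would hand it to a chat or ticketing integration, and would store the baseline where the deploying identity has no write access.

```python
"""Minimal file integrity monitor: hash a tree, keep a baseline, report drift."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large artifacts are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots into added / removed / modified paths."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def format_alert(drift: dict, target: str):
    """Render the drift as a notification, or None when nothing changed.

    The recipient should be someone who cannot deploy to `target` themselves.
    """
    changed = sum(len(v) for v in drift.values())
    if changed == 0:
        return None
    lines = [f"[FIM] {changed} unexpected change(s) detected in {target}"]
    for kind in ("added", "removed", "modified"):
        for path in drift[kind]:
            lines.append(f"  {kind:<8} {path}")
    return "\n".join(lines)


def demo() -> dict:
    """Constructed scenario: baseline a fake release directory, alter it, detect the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "server.py").write_text("print('release 1.0')\n")
        (root / "app" / "config.yaml").write_text("debug: false\n")
        (root / "README.md").write_text("release 1.0\n")

        # Persist the baseline as JSON; in practice it lives outside the deployer's reach.
        baseline_json = json.dumps(build_baseline(root), indent=2)

        # Simulated post-deployment changes that nobody approved (constructed).
        (root / "app" / "config.yaml").write_text("debug: true\n")  # modified
        (root / "app" / "hotfix.py").write_text("print('unreviewed')\n")  # added
        (root / "README.md").unlink()  # removed

        return compare(json.loads(baseline_json), build_baseline(root))


if __name__ == "__main__":
    print(format_alert(demo(), "prod-web (constructed target name)"))
```

The comparison is deliberately path-keyed rather than hash-keyed so that a renamed file shows up as one removal plus one addition instead of disappearing from the report.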

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them.

File Integrity Monitoring (FIM) Tools

  • SolarWinds Security Event Manager
  • ManageEngine ADAudit Plus
  • Datadog Security Monitoring
  • OSSEC

Available templates

TrustCloud has a curated list of internally or externally sourced templates to help you get started. Click on the link for a downloadable version:

  • N/A – no template recommendation

Control implementation

Restrict access to the deployment tool to a select few. Those with the ability to deploy to production should ideally be separate from those with write access to source code.

Ensure that you implement an automated alerting mechanism for any changes deployed to production.
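The two implementation steps above amount to a rule over an access listing: nobody should hold both source-write and production-deploy rights, and nobody who deploys should also be able to administer (and so disable) the alerting. The check below is an added example for this page, not TrustCloud's tooling; the `(user, system, permission)` rows and the permission names `scm/write`, `deploy/release` and `alerting/admin` are constructed for illustration and would be replaced by an export from your own SCM, deployment tool and alerting platform.

```python
"""Segregation-of-duties check over an exported access listing."""
from collections import defaultdict

# Constructed sample export: (user, system, permission). In a real review these rows come
# from the SCM, the deployment tool and the alerting platform's admin consoles.
SAMPLE_ENTITLEMENTS = [
    ("alice", "scm", "write"),
    ("alice", "deploy", "release"),   # writes code and can ship it: conflict
    ("bob", "scm", "write"),
    ("carol", "deploy", "release"),
    ("carol", "alerting", "admin"),   # can deploy and can silence the alerts: conflict
    ("dave", "deploy", "release"),
    ("erin", "alerting", "admin"),
    ("frank", "scm", "read"),
]

# Each rule names two entitlements that one person must not hold together.
CONFLICT_RULES = {
    "source_write_and_prod_deploy": (("scm", "write"), ("deploy", "release")),
    "prod_deploy_and_alert_admin": (("deploy", "release"), ("alerting", "admin")),
}


def entitlements_by_user(rows) -> dict:
    """Group the flat export into {user: {(system, permission), ...}}."""
    by_user = defaultdict(set)
    for user, system, permission in rows:
        by_user[user].add((system, permission))
    return dict(by_user)


def find_conflicts(rows) -> dict:
    """Return {rule_name: [users holding both entitlements]} for every rule."""
    by_user = entitlements_by_user(rows)
    return {
        rule: sorted(u for u, perms in by_user.items() if a in perms and b in perms)
        for rule, (a, b) in CONFLICT_RULES.items()
    }


def deployment_admins(rows) -> list:
    """The 'list of deployment admin users' an auditor asks for, derived from the export."""
    return sorted({u for u, system, perm in rows if (system, perm) == ("deploy", "release")})


def evidence_report(rows) -> str:
    """Plain-text summary suitable for attaching to the control as evidence."""
    lines = ["Users with production deploy rights: " + ", ".join(deployment_admins(rows))]
    for rule, users in find_conflicts(rows).items():
        status = "OK" if not users else "CONFLICT: " + ", ".join(users)
        lines.append(f"{rule}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(evidence_report(SAMPLE_ENTITLEMENTS))
```

Running the check on every access review (and again whenever a new deployer is added) turns the "select few" requirement into something you can show rather than assert.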

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested actions below:

  • Provide a list of deployment admin users
  • Provide a screenshot of the automated alert mechanism or FIM alert mechanism

Evidence example

For each suggested action above, an example is provided below.

1. Provide a list of deployment admin users.

The TrustCloud example demonstrates the list of users and their rights within the deployment tool.

[Screenshot: deployment tool user list with assigned rights]

2. Provide a screenshot of the automated alert mechanism or FIM alert mechanism.

The TrustCloud example demonstrates that there is a platform to receive automated notifications through Slack.

[Screenshot: automated deployment notification received in Slack]

Example of FIM (file integrity monitoring) tracking changes in files:

[Screenshot: FIM tool showing tracked file changes]
