ISO/IEC 27001 Control 8.31: Separation of development, test and production environments
Control
Development, testing and production environments should be separated and secured.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint has mechanisms to control access to individual environments, as well as access exclusion mechanisms.
Implementation Details
MidPoint can use role-based access control (RBAC), organizational structure and other mechanisms to independently control access to any and all environments. Separate accounts can be created for development and testing purposes, logically separating access to individual environments. As the control suggests, carefully designed RBAC roles can be used in conjunction with segregation of duty (SoD) mechanisms to make sure access to individual environments is separated. Synchronization mechanisms and orphaned account management can be used to clean up development and testing environments after experiments and tests, making sure access to the development and testing systems is not left open.
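As an added illustration (not part of the original page), the following sketch shows a midPoint role for a development environment that carries a segregation-of-duties exclusion against a production role. The role names and OIDs are constructed placeholders, and the two-role layout is an assumption about how the environments are modeled.

```xml
<!-- Added example with constructed values: role names and OIDs are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-0000000000d1">
    <name>Development Environment Access</name>
    <description>Grants access to development systems only.</description>
    <assignment>
        <!-- SoD policy rule: this role excludes the production role referenced below. -->
        <policyRule>
            <name>dev-prod-exclusion</name>
            <policyConstraints>
                <exclusion>
                    <!-- Hypothetical "Production Environment Access" role -->
                    <targetRef oid="00000000-0000-0000-0000-0000000000a1" type="RoleType"/>
                </exclusion>
            </policyConstraints>
            <policyActions>
                <!-- Enforcement rejects an operation that would violate the rule. -->
                <enforcement/>
            </policyActions>
        </policyRule>
    </assignment>
</role>
```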
Implementation Notes
- We strongly recommend applying security measures to development and test environments that are equivalent to those applied to production environments, which is also suggested by control 8.33. MidPoint can be used to apply security and access control policies consistently across all environments.
Rationale
While small development and testing environments can be managed manually, the systematic approach provided by midPoint is necessary for managing larger environments.