Second, companies can take process security to the next level by establishing separation of duties, which may be required by Sarbanes-Oxley or other compliance standards. A representative policy reads: “A developer cannot approve the deployment of his or her own code to a test environment. The developer must check in the code, which is automatically scanned and moved to image creation, where it must be approved by a manager before the image is created on a test server.” Enforcement of such policies can be automated, and this too is enabled through RBAC.
Individual and collaboration security
Similar to securing processes, ensuring secure access for individuals and team collaboration starts with managing user access through RBAC. Individuals participating in software development should have different access rights based on their role, whether developer, tester, manager, etc. This gets particularly complicated in a large distributed environment: multiple teams contribute to one application, multiple users contribute to multiple microservices that are combined in different ways for different applications, and multiple teams work on multiple applications using different tools and technologies.
For example, the access rights of a mobile banking team are likely to be very different from those of a risk management team. That is, a mobile banking team probably should not have access to a risk management team’s Git repository. Meanwhile, a manager may have read-only access to both repositories, while a build management team may have full access to both.
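The two policies described above, team-scoped repository access and the rule that a developer may never approve deployment of their own code, can be expressed as a small authorization check. The following is an added example written for this page, not code from any product the text describes; the role names, team names and repository names are constructed sample data, and the rule that managers and the build team have cross-team access is taken from the paragraph above.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Constructed sample data: repository -> owning team
REPO_OWNER: Dict[str, str] = {
    "mobile-banking-app": "mobile-banking",
    "risk-engine": "risk-mgmt",
}

# Role -> permissions on a repository the user is allowed to reach
ROLE_PERMS: Dict[str, Set[str]] = {
    "developer": {"read", "write"},
    "tester": {"read"},
    "manager": {"read"},                  # read-only on every repo
    "build": {"read", "write", "deploy"},  # full access on every repo
}

# Roles whose access is not limited to their own team's repositories
CROSS_TEAM_ROLES = {"manager", "build"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    team: str


def repo_permissions(user: User, repo: str) -> Set[str]:
    """RBAC decision: a user reaches a repo if it belongs to their team or
    their role is cross-team; the role then decides which actions apply."""
    if repo not in REPO_OWNER:
        return set()
    if user.team != REPO_OWNER[repo] and user.role not in CROSS_TEAM_ROLES:
        return set()
    return set(ROLE_PERMS.get(user.role, set()))


def can_approve_deployment(approver: User, author: User, repo: str) -> bool:
    """Separation of duties: only a manager who can see the repository may
    approve, and the author of the change is never an acceptable approver."""
    if approver.name == author.name:
        return False
    if approver.role != "manager":
        return False
    return "read" in repo_permissions(approver, repo)
```

Because the approval rule compares the approver to the change author rather than trusting a role alone, a developer who is also granted a manager role still cannot self-approve.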