This presentation focuses on practices to implement the appropriate controls, systems and processes to support modern delivery methodologies and architectural styles in a way that doesn't slow down delivery and introduce friction.

1. RESPONSIVE GOVERNANCE FOR
EVOLUTIONARY TECHNOLOGY PLATFORMS
Heiko Gerin

2. Things to cover
● Evolutionary technology platforms & governance
● Things to govern & common friction points
● Governance principles: what we’ve seen working
● Common limitations & exciting stuff

3. Evolutionary Technology Platforms
● Support incremental, constant change
● Are built in a way that is appropriately coupled
● Optimise for high delivery velocity & quality
● Promote end-to-end ownership and accountabilities
● Deliver through cross-functional teams aligned to
business outcomes

4. Evolutionary Technology Platforms
● Include people, process and technology
● Change rapidly and constantly
● Appropriate governance changes with the
requirements and the environment
● Needs to be responsive to evolve

5. Definitions: GRC
IT Governance provides a structure for aligning IT strategy with business
strategy;
Ensures Risk is identified and addressed and
Ensures Compliance to laws and regulations
Definition Paraphrased from
Wikipedia

6. Ensure we understand
potential risks and
mitigate them
Ensure that we do the right
things (aligned to business
goals)
Ensure that we do things
the right way (within laws
and regulations)
http://jonnyschneider.com/

7. Why the friction?
1. Governance tends to come in extremes
2. Governance implemented can’t
support constant change

8. 1. Governance tends to come in extremes

9. Big Corporate
Governance Extremes: How governance “happens”
Startup
Super Scale-Up
Global Scale
Medium Scale-Up
Single Market
Small Scale-Up
Single Segment
Large Scale-Up
Multi Market
Sudden influx of
cash
Entered regulated
industry
High profile Outage
/Privacy Breach
IPO, acquisition

10. A few words on Governance Frameworks
● Service Management ITIL, SIAM, ISO/IEC20000
● Security ISO 27001
● Risk COSO
● Architecture TOGAF
● Process improvement CMMI
● Governing governance COBIT
“The collective memory of all things that have ever
gone wrong in this and every other organisation”

11. Governance areas
Program / Project Governance
Prioritisation, Portfolio Management
Architectural Governance
Data, APIs, Service Design, Review Boards
Change & Release
Quality, Versioning, Change advisory boards,
Config Management Databases
Risk & Security
Reviews boards, Code scanning, Pen testing,
Enterprise Security Services
Business Continuity / DR
Disaster Recovery Exercises
& Requirements
Audit & Compliance
Government regulations, Internal & external
audit activities
Funding Model
Project based or capacity based

12. 2. Implementation can’t support constant change
● Some frameworks are products of their time
● Implementations tend to reinforce silos
(Tragedy of the commons)
● “Governance events” cause big bang rollouts
● Implementations of controls and policies
○ designed for a more traditional delivery
and op model
○ Non-responsive (static or changeable
only by committee)

13. Governance Extremes: Examples
Complete lack of repeatability and
documentation
Overly bureaucratic and wasteful processes
No accountability for Information Security,
Change Management or Operations
Siloed functions that don't work effectively
together
No traceability of changes or decisions made Long wait times for rubber-stamp approvals
that are largely theater
Uncontrollable technology and tool sprawl Policies dictated by people that don't feel the
impact of their decisions
VS
VS
VS
VS

14. Governance Principles
Automate compliance
but enable assurance
Focus on vision,
principles & constraints
From gatekeepers to
facilitators & partners
Provide paved roads:
the pit of success
Evolve the operating
model

15. Automate compliance and enable assurance
● Embed governance & compliance requirements
in operational runtime monitoring of the platform
● Evaluate as part of the delivery pipeline (blocking)
● Enable & promote independent
verification & audit (non-blocking)
● Take a risk based approach to
prevent bottom-up audit

16. Preventing Bottom Up Audit
Audit Lifecycle:
- Business objectives
- Identified Risks
- Control objectives
- Mitigating procedures
- Verify & Adapt
Corporate Folklore

17. Focus on vision, principles & constraints
● Move away from specifying tools, processes and solutions
● Frame needs as visions, principles and constraints
● Degree of autonomy to make implementation choices
(“Docker” is not a principle)
● Target outcomes over specific implementations
● Guardrails
The Leviathan

18. Internal Technology Radar
● Catalyst for architectural conversations
● Visibility across teams
● Discipline around moving between
assess, trial, adopt and hold
● Apply WIP limits
Tech radar used for lightweight governance

19. From gatekeepers to facilitators
Avoid using sparse skill-sets as enforcement
agencies: Operations, Compliance, Risk, Security, ...
Amplify them to increase their effectiveness:
● Expert advisors for teams, facilitating, coaching
and advising
● Articulate principles and constraints - but also
help implement them
Years & years of penetration
tests

20. Change Control
● Peer review is the most effective form of change control
● Pre-approved (ITIL) standard changes
● De-risk changes using Continuous Delivery
● Automate compliance
● Distributed, electronic CABs & subgroups
The perfect CMDB & CABs all
the way down

21. Provide paved roads & the pit of success
● Centralised supporting platforms as a product
● Teams focus on delivering business value while
complying with overall guardrails
● The pit of success - make it easy
to do the right thing
● Customer centricity
● Non-mandatory
If all you have is a hammer

22. Introducing “Goldilocks” governance:
Evolve the operating model
● Define activities and do a RACI - before & after
● Adapt accountabilities & responsibilities
● Start small, experiment
● Exemplar teams
● New acceptance criteria, definitions of done
Big bang rollout

23. Evolve the operating model: RACIs

24. Evolve the operating model

25. Governance Principles
Automate compliance
but enable assurance
Focus on vision,
principles & constraints
From gatekeepers to
facilitators & partners
Provide paved roads:
the pit of success
Evolve the operating
model

26. Common limitations (they’re mostly technical)
● Compliance as code is not really there yet
● No real standards ways of governing cloud infrastructure
● Bespoke, hand crafted implementations & formats

27. Exciting things happening!
● Using the cloud to govern the cloud (prowler, AWS config rules, etc.)
● Kubernetes as a basic “cloud agnostic” infra building block
● Grafeas/Kritis for compliance as code
● Binary authorization as a first class cloud service (like GKE on Google Cloud)

28. Grafeas/Binary Auth

29. Thank you!
Heiko Gerin
hgerin@thoughtworks.com

30. Q&A

31. Audit Alpaca found on reddit
"Tripod Candlestand" is licensed
under CC BY 3.0
"Warm and fluffy" by ILYA Denisenko is
licensed under CC BY-NC 4.0
"Negative - Walla Walla, New South Wales,
1932" is licensed under CC PDM 1.0
"Gatekeepers" by Suzanne Brandt is licensed
under CC BY-NC-ND 4.0
"change" is licensed under CC0 1.0
"Pavement Loop" by Alex Varanese is
licensed under CC BY-NC 4.0
"Smoking Kaiju robot is licensed under CC
BY-NC 3.0

32. SANS secure DevOps Toolchain Poster

33. Cumulative controls
Sensitivity
Criticality
SoR
AnalyticsWebapp
Infra
LowHigh
HighLow

34. Architectural Principles
http://engineering-principles.jl-engineering.net
● Not hard and fast rules but guidelines
● Could also be used in a 'discovery phase'
to select new products or tools
● Probably no more than 10
● Govern them via fitness functions
Cloud Native
Build systems that are native to cloud
environments.
Rationale, Implications (prefer
open tooling, etc …), Examples

35. Evolve the operating model

36. Evolve the operating model